iOS ARM64系统调用 [英] iOS ARM64 Syscalls

问题描述

我正在学习有关Shellcode的更多信息，并在iOS设备上的arm64中进行系统调用.我正在测试的设备是iPhone 6S.

我从此链接中获得了系统调用列表( https://azeria-labs.com/writing-arm-shellcode/.

我用Xcode编写了内联汇编，这里有一些代码片段

//exit syscall
__asm__ volatile("mov x8, #1");
__asm__ volatile("mov x0, #0");
__asm__ volatile("svc 0x80");

但是，当我跳过这些代码时，应用程序不会终止.

char write_buffer[]="console_text";
int write_buffer_size = sizeof(write_buffer);

__asm__ volatile("mov x8,#4;"     //arm64 uses x8 for syscall number
                 "mov x0,#1;"     //1 for stdout file descriptor
                 "mov x1,%0;"    //the buffer to display
                 "mov x2,%1;"    //buffer size
                 "svc 0x80;"
                 :
                 :"r"(write_buffer),"r"(write_buffer_size)
                 :"x0","x1","x2","x8"
                 );

如果此系统调用有效，则应在Xcode的控制台输出屏幕中打印出一些文本.但是，什么都没有打印出来.

关于ARM汇编的在线文章很多，有些使用svc 0x80，有些使用svc 0等，因此可能会有一些变化.我尝试了各种方法，但无法使两个代码段正常工作.

有人可以提供一些指导吗?

这是我编写C函数syscall int return_value=syscall(1,0);

时Xcode在其Assembly视图中显示的内容.

    mov x1, sp
    mov x30, #0
    str x30, [x1]
    orr w8, wzr, #0x1
    stur    x0, [x29, #-32]         ; 8-byte Folded Spill
    mov x0, x8
    bl  _syscall

我不确定为什么会发出此代码.

解决方案

用于syscall的寄存器是完全任意的，并且您选择的资源对于XNU肯定是错误的.

据我所知，arm64的XNU syscall ABI是完全私有的，如有更改，恕不另行通知，因此没有遵循的发布标准，但是您可以通过获取XNU的副本来了解其工作原理来源(如 tarballs 或bsd/kern/syscalls.master.在最新的iOS 13 beta中，这些系统调用的系统调用编号从0到大约540.

"Mach系统调用"的规范源是XNU源树中的文件osfmk/kern/syscall_sw.c.这些系统调用使用-10和-100之间的负编号进行调用(例如，-28将为task_self_trap).

与最后一点无关，可以分别使用两个系统调用编号-3和-4调用两个系统调用mach_absolute_time和mach_continuous_time.

可以通过platform_syscall使用系统调用号0x80000000进行一些低级操作.

I am learning more about shellcode and making syscalls in arm64 on iOS devices. The device I am testing on is iPhone 6S.

I got the list of syscalls from this link (https://github.com/radare/radare2/blob/master/libr/include/sflib/darwin-arm-64/ios-syscalls.txt).

I learnt that x8 is used for putting the syscall number for arm64 from here (http://arm.ninja/2016/03/07/decoding-syscalls-in-arm64/).

I figured the various registers used to pass in parameters for arm64 should be the same as arm so I referred to this link (https://w3challs.com/syscalls/?arch=arm_strong), taken from https://azeria-labs.com/writing-arm-shellcode/.

I wrote inline assembly in Xcode and here are some snippets

//exit syscall
__asm__ volatile("mov x8, #1");
__asm__ volatile("mov x0, #0");
__asm__ volatile("svc 0x80");

However, the application does not terminate when I stepped over these codes.

char write_buffer[]="console_text";
int write_buffer_size = sizeof(write_buffer);

__asm__ volatile("mov x8,#4;"     //arm64 uses x8 for syscall number
                 "mov x0,#1;"     //1 for stdout file descriptor
                 "mov x1,%0;"    //the buffer to display
                 "mov x2,%1;"    //buffer size
                 "svc 0x80;"
                 :
                 :"r"(write_buffer),"r"(write_buffer_size)
                 :"x0","x1","x2","x8"
                 );

If this syscall works, it should print out some text in Xcode's console output screen. However, nothing gets printed.

There are many online articles for ARM assembly, some use svc 0x80 and some use svc 0 etc and so there can be a few variations. I tried various methods but I could not get the two code snippets to work.

Can someone provide some guidance?

EDIT: This is what Xcode shows in its Assembly view when I wrote a C function syscall int return_value=syscall(1,0);

    mov x1, sp
    mov x30, #0
    str x30, [x1]
    orr w8, wzr, #0x1
    stur    x0, [x29, #-32]         ; 8-byte Folded Spill
    mov x0, x8
    bl  _syscall

I am not sure why this code was emitted.

解决方案

The registers used for syscalls are completely arbitrary, and the resources you've picked are certainly wrong for XNU.

As far as I'm aware, the XNU syscall ABI for arm64 is entirely private and subject to change without notice so there's no published standard that it follows, but you can scrape together how it works by getting a copy of the XNU source (as tarballs, or viewing it online if you prefer that), grep for the handle_svc function, and just following the code.
I'm not gonna go into detail on where exactly you find which bits, but the end result is:

• The immediate passed to svc is ignored, but the standard library uses svc 0x80.
• x16 holds the syscall number
• x0 through x8 hold up to 9 arguments*
• There are no arguments on the stack
• x0 and x1 hold up to 2 return values (e.g. in the case of fork)
• The carry bit is used to report an error, in which case x0 holds the error code

* This is used only in the case of an indirect syscall (x16 = 0) with 8 arguments.
* Comments in the XNU source also mention x9, but it seems the engineer who wrote that should brush up on off-by-one errors.

And then it comes to the actual syscall numbers available:

• The canonical source for "UNIX syscalls" is the file bsd/kern/syscalls.master in the XNU source tree. Those take syscall numbers from 0 up to about 540 in the latest iOS 13 beta.
• The canonical source for "Mach syscalls" is the file osfmk/kern/syscall_sw.c in the XNU source tree. Those syscalls are invoked with negative numbers between -10 and -100 (e.g. -28 would be task_self_trap).
• Unrelated to the last point, two syscalls mach_absolute_time and mach_continuous_time can be invoked with syscall numbers -3 and -4 respectively.
• A few low-level operations are available through platform_syscall with the syscall number 0x80000000.

这篇关于iOS ARM64系统调用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！