astatin3/syscall-stream-rs
1
0
Fork 0
mirror of https://github.com/Astatin3/syscall-stream-rs.git synced 2026-06-09 00:18:01 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add proxy list, git submodule for intercept

Browse Source
This commit is contained in:
Michael Mikovsky
2025-08-12 17:48:34 -06:00
parent 4757240463
commit 8b2a596b9a
9 changed files with 3373 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitmodules
+3
View File
@@ -0,0 +1,3 @@
[submodule "syscall_intercept"]
path = syscall_intercept
url = https://github.com/pmem/syscall_intercept
Cargo.toml
+16
View File
@@ -0,0 +1,16 @@
[package]
name = "sysintercept"
version = "0.1.0"
edition = "2024"
[dependencies]
bincode = "2.0.1"
ctor = "0.5.0"
libc = "0.2.175"
[build-dependencies]
cmake = "0.1"
[lib]
name = "intercept"
crate-type = ["rlib", "cdylib"]
LICENSE
-21
View File
@@ -1,21 +0,0 @@
MIT License
Copyright (c) 2025 Michael Mikovsky
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
README.md
-2
View File
@@ -1,2 +0,0 @@
# syscall-stream-rs
AV evasion using system calls streamed over the network!
build.rs
+7
View File
@@ -0,0 +1,7 @@
fn main() {
let dst = cmake::build("syscall_intercept");
println!("cargo:rustc-link-search=native={}/lib", dst.display());
println!("cargo:rustc-link-lib=static=syscall_intercept");
println!("cargo:rustc-link-lib=capstone");
}
src/lib.rs
+130
View File
@@ -0,0 +1,130 @@
#[allow(dead_code)]
mod syscall_intercept;
mod syscalls;
use libc::exit;
use std::{
cell::Cell,
io::{BufWriter, Write},
net::TcpStream,
sync::Mutex,
};
use syscall_intercept::*;
static mut STREAM: Option<Mutex<TcpStream>> = None;
static mut WRITER: Option<Mutex<BufWriter<TcpStream>>> = None;
#[ctor::ctor]
fn start() {
unsafe {
STREAM = Some({
match TcpStream::connect("127.0.0.1:1234") {
Ok(stream) => Mutex::new(stream),
Err(e) => {
eprintln!("Failed to connect to server: {}", e);
exit(1);
}
}
});
WRITER = Some(Mutex::new(BufWriter::new(
#[allow(static_mut_refs)]
STREAM
.as_ref()
.unwrap()
.lock()
.unwrap()
.try_clone()
.unwrap(),
)));
}
unsafe { set_hook_fn(hook) };
}
// fn print_direct(str: &str)
thread_local! {
/// A flag indicating whether the current thread is in an intercept context.
static INTERCEPTED: Cell<bool> = Cell::new(false);
}
// lazy_static! {
// }
struct InterceptGuard;
impl InterceptGuard {
fn try_lock() -> Option<Self> {
INTERCEPTED.with(|x| {
if x.get() {
None
} else {
x.set(true);
Some(InterceptGuard)
}
})
}
}
impl Drop for InterceptGuard {
fn drop(&mut self) {
INTERCEPTED.with(|x| x.set(false));
}
}
extern "C" fn hook(
syscall_num: isize,
arg0: isize,
arg1: isize,
arg2: isize,
arg3: isize,
arg4: isize,
arg5: isize,
_result: &mut isize,
) -> InterceptResult {
// detect and avoid recursive interception
let _guard = match InterceptGuard::try_lock() {
Some(g) => g,
None => return InterceptResult::Forward,
};
if !syscalls::syscall_should_proxy(syscall_num) {
return InterceptResult::Forward;
}
unsafe {
unset_hook_fn();
}
// Return if is print
// if syscall_num == libc::SYS_write as _ && arg0 == 1 {
// return InterceptResult::Forward;
// }
// let args = [arg0, arg1, arg2, arg3, arg4, arg5];
// let desc = if let Some(desc) = syscalls::get_syscall_desc(syscall_num, args) {
// "test"
// } else {
// "test"
// };
unsafe {
#[allow(static_mut_refs)]
if let Some(client) = WRITER.as_ref() {
client
.lock()
.unwrap()
.write_all(&format!("Data: {:?}\n", syscall_num).as_bytes())
.unwrap();
client.lock().unwrap().flush().unwrap();
}
}
unsafe {
set_hook_fn(hook);
}
InterceptResult::Forward
}
src/syscall_intercept.rs
+49
View File
@@ -0,0 +1,49 @@
#[link(name = "syscall_intercept")]
unsafe extern "C" {
static mut intercept_hook_point: Option<HookFn>;
pub fn syscall_no_intercept(num: isize, ...) -> isize;
}
/// Set syscall intercept hook function.
///
/// # Safety
///
/// This function will change all syscall behavior!
pub unsafe fn set_hook_fn(f: HookFn) {
unsafe {
intercept_hook_point = Some(f);
}
}
/// Clear syscall intercept hook function.
///
/// # Safety
///
/// This function will change all syscall behavior!
pub unsafe fn unset_hook_fn() {
unsafe {
intercept_hook_point = None;
}
}
/// The type of hook function.
pub type HookFn = extern "C" fn(
num: isize,
a0: isize,
a1: isize,
a2: isize,
a3: isize,
a4: isize,
a5: isize,
result: &mut isize,
) -> InterceptResult;
/// The return value of hook function.
#[repr(i32)]
pub enum InterceptResult {
/// The user takes over the system call. The return value should be set via `result`.
Hook = 0,
/// The specific system call was ignored by the user and the original syscall should be executed.
Forward = 1,
}
src/syscalls.rs
+3167
View File
File diff suppressed because it is too large Load Diff
syscall_intercept
Submodule
+1
Submodule syscall_intercept added at b1b9bedcc8