seehwan
diff --git a/‎jit_poc/0. check_security_env.py‎
Lines changed: 0 additions & 63 deletions b/‎jit_poc/0. check_security_env.py‎
Lines changed: 0 additions & 63 deletions
diff --git a/‎jit_poc/00.check_security_env.py‎
Lines changed: 93 additions & 0 deletions b/‎jit_poc/00.check_security_env.py‎
Lines changed: 93 additions & 0 deletions
diff --git a/‎jit_poc/38.trampoline_overwrite_exec.py‎
Lines changed: 37 additions & 0 deletions b/‎jit_poc/38.trampoline_overwrite_exec.py‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎jit_poc/39.trampoline_overwrite_batch.py‎
Lines changed: 66 additions & 0 deletions b/‎jit_poc/39.trampoline_overwrite_batch.py‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎jit_poc/40.trampoline_single_process_test.py‎
Lines changed: 67 additions & 0 deletions b/‎jit_poc/40.trampoline_single_process_test.py‎
Lines changed: 67 additions & 0 deletions
diff --git a/‎jit_poc/40a.trampoline_overwrite_test.py‎
Lines changed: 48 additions & 0 deletions b/‎jit_poc/40a.trampoline_overwrite_test.py‎
Lines changed: 48 additions & 0 deletions
@@ -0,0 +1,93 @@
+import subprocess
+import os
+import re
+
+SYSCALLS = ["mprotect", "mmap", "execve", "execveat", "mremap", "ptrace"]
+
+def run_command(cmd, require_sudo=False):
+    """Run command, adding sudo only if required and not already root"""
+    if require_sudo and os.geteuid() != 0 and cmd[0] != "sudo":
+        cmd.insert(0, "sudo")
+    return subprocess.check_output(cmd, stderr=subprocess.STDOUT).decode()
+
+def check_apparmor():
+    print("[AppArmor       ] Checking AppArmor status...")
+    try:
+        output = run_command(["aa-status"])  # no sudo needed
+        enforce_profiles = re.search(r"(\d+)\s+profiles are in enforce mode", output)
+        python_profile = "/usr/local/bin/python3.14" in output
+        if enforce_profiles:
+            print(f"[AppArmor       ] ✅ {enforce_profiles.group(1)} profiles in enforce mode")
+        else:
+            print("[AppArmor       ] ❌ Not in enforce mode")
+        print("[AppArmor profile] ✅ Loaded for Python3.14"
+              if python_profile else "[AppArmor profile] ❌ Not loaded for Python3.14")
+    except Exception as e:
+        print(f"[AppArmor       ] ❌ Error: {e}")
+
+def check_seccomp():
+    print("[Seccomp         ] Checking seccomp mode...")
+    try:
+        with open("/proc/self/status") as f:
+            for line in f:
+                if line.startswith("Seccomp:"):
+                    mode = int(line.strip().split()[1])
+                    if mode == 0:
+                        print("[Seccomp         ] ✅ Disabled (mode 0)")
+                    elif mode == 1:
+                        print("[Seccomp         ] ⚠️  Strict mode (1)")
+                    elif mode == 2:
+                        print("[Seccomp         ] ⚠️  Filter mode (2)")
+                    else:
+                        print(f"[Seccomp         ] ❓ Unknown mode: {mode}")
+                    return
+        print("[Seccomp         ] ❌ Not found")
+    except Exception as e:
+        print(f"[Seccomp         ] ❌ Error: {e}")
+
+def check_auditd():
+    print("[Auditd          ] Checking auditd status...")
+    try:
+        status = subprocess.check_output(["systemctl", "is-active", "auditd"],
+                                         stderr=subprocess.STDOUT).decode().strip()
+        if status == "active":
+            print("[Auditd          ] ✅ Running (systemd)")
+        else:
+            print(f"[Auditd          ] ❌ Status: {status}")
+    except subprocess.CalledProcessError:
+        print("[Auditd          ] ❌ Not running or not installed")
+
+def apply_syscall_rules():
+    print("[Auditd rules    ] ➕ Applying missing syscall rules...")
+    for syscall in SYSCALLS:
+        try:
+            run_command(["auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", syscall], require_sudo=True)
+            print(f"✅ Rule added for: {syscall}")
+        except subprocess.CalledProcessError as e:
+            print(f"❌ Failed to add rule for {syscall}: {e}")
+        except Exception as e:
+            print(f"❌ Exception adding rule for {syscall}: {e}")
+
+def check_auditd_rules():
+    print("[Auditd rules    ] Checking syscall audit rules...")
+    try:
+        rules_output = run_command(["auditctl", "-l"], require_sudo=True)
+        syscall_rules = [line for line in rules_output.splitlines() if re.search(r"-S\s+\w+", line)]
+
+        if syscall_rules:
+            print(f"[Auditd rules    ] ✅ Found {len(syscall_rules)} syscall rules")
+        else:
+            print("[Auditd rules    ] ❌ No syscall rules — applying now")
+            apply_syscall_rules()
+
+    except subprocess.CalledProcessError as e:
+        print(f"[Auditd rules    ] ❌ Error: {e.output.decode().strip()}")
+    except Exception as e:
+        print(f"[Auditd rules    ] ❌ Exception: {e}")
+
+if __name__ == "__main__":
+    print("=== [ Trampoline Overwrite Experiment Pre-Check + Auto Patch ] ===")
+    check_apparmor()
+    check_seccomp()
+    check_auditd()
+    check_auditd_rules()
@@ -0,0 +1,37 @@
+import ctypes
+import mmap
+import struct
+import os
+
+# Load shellcode (base64로 인코딩된 binary 파일)
+with open("shellcode.bin", "rb") as f:
+    shellcode = f.read()
+print(f"[+] Loaded shellcode: {len(shellcode)} bytes")
+
+# Allocate RWX memory using mmap
+libc = ctypes.CDLL("libc.so.6")
+libc.mmap.restype = ctypes.c_void_p
+sc_addr = libc.mmap(None, 0x1000, 7, 0x22, -1, 0)
+ctypes.memmove(sc_addr, shellcode, len(shellcode))
+print(f"[+] Shellcode mmap @ 0x{sc_addr:x}")
+
+# Allocate trampoline region (RWX도 가능, shellcode 앞에 위치)
+tramp_addr = libc.mmap(None, 0x1000, 7, 0x22, -1, 0)
+print(f"[+] Trampoline mmap @ 0x{tramp_addr:x} (→ shellcode)")
+
+# Create trampoline code:
+# ldr x16, [pc, #8]
+# br  x16
+# .quad shellcode address
+trampoline = (
+    b"\x50\x00\x00\x58" +         # ldr x16, [pc, #8]
+    b"\x00\x02\x1f\xd6" +         # br x16
+    struct.pack("<Q", sc_addr)    # target shellcode address
+)
+ctypes.memmove(tramp_addr, trampoline, len(trampoline))
+
+# Execute the trampoline using function cast
+print("[*] Jumping to trampoline (via overwrite)...")
+shell_func_type = ctypes.CFUNCTYPE(None)
+shell_func = shell_func_type(tramp_addr)
+shell_func()  # 실제 실행
@@ -0,0 +1,66 @@
+#!/usr/bin/env python3
+import ctypes
+import mmap
+import multiprocessing
+import json
+import time
+import os
+import struct
+import traceback
+import fcntl
+
+# Lightweight shellcode: write "OK" then exit(0)
+OK_EXIT_CODE = (
+    b"\x20\x00\x80\xd2"  # movz x0, #1
+    b"\xe1\x00\x00\x10"  # adr x1, #0x20
+    b"\x42\x00\x80\xd2"  # movz x2, #2
+    b"\x08\x08\x80\xd2"  # movz x8, #8 (write)
+    b"\x01\x00\x00\xd4"  # svc #0
+    b"\x00\x00\x80\xd2"  # movz x0, #0
+    b"\xa8\x0b\x80\xd2"  # movz x8, #93 (exit)
+    b"\x01\x00\x00\xd4"  # svc #0
+    b"OK"
+)
+
+def execute_once(run_id):
+    libc = ctypes.CDLL("libc.so.6")
+    libc.mmap.restype = ctypes.c_void_p
+    sc_addr = libc.mmap(None, 0x1000, 7, 0x22, -1, 0)  # PROT_RWX, MAP_PRIVATE|MAP_ANON
+    ctypes.memmove(sc_addr, OK_EXIT_CODE, len(OK_EXIT_CODE))
+
+    tramp = (
+        b"\x50\x00\x00\x58" +  # ldr x16, #8
+        b"\x00\x02\x1f\xd6" +  # br x16
+        struct.pack("<Q", sc_addr)
+    )
+    tramp_buf = ctypes.create_string_buffer(tramp)
+    tramp_addr = ctypes.addressof(tramp_buf)
+
+    log = {
+        "pid": os.getpid(),
+        "run_id": run_id,
+        "trampoline_addr": hex(tramp_addr),
+        "shellcode_addr": hex(sc_addr),
+        "status": "unknown",
+        "timestamp": time.time()
+    }
+
+    try:
+        fn = ctypes.CFUNCTYPE(None)(tramp_addr)
+        fn()
+        log["status"] = "success"
+    except Exception as e:
+        log["status"] = "fail"
+        log["error"] = str(e)
+        log["traceback"] = traceback.format_exc()
+
+    # Safe concurrent file write using fcntl lock
+    with open("trampoline_overwrite_results.jsonl", "a") as f:
+        fcntl.flock(f, fcntl.LOCK_EX)
+        f.write(json.dumps(log) + "\n")
+        fcntl.flock(f, fcntl.LOCK_UN)
+
+if __name__ == "__main__":
+    multiprocessing.set_start_method("spawn")
+    pool = multiprocessing.Pool(processes=8)
+    pool.map(execute_once, list(range(100)))
@@ -0,0 +1,67 @@
+#!/usr/bin/env python3
+import ctypes
+import mmap
+import json
+import time
+import os
+import struct
+import traceback
+import fcntl
+
+OK_EXIT_CODE = (
+    b"\x20\x00\x80\xd2"      # 0x00: movz x0, #1        ; stdout
+    b"\xe1\x00\x00\x10"      # 0x04: adr x1, #0x20      ; → 0x28
+    b"\x82\x00\x80\xd2"      # 0x08: movz x2, #2        ; length
+    b"\x08\x08\x80\xd2"      # 0x0c: movz x8, #8        ; sys_write
+    b"\x01\x00\x00\xd4"      # 0x10: svc #0
+    b"\xc0\x03\x5f\xd6"      # 0x14: ret
+    b"\x1f\x20\x03\xd5"      # 0x18: nop
+    b"\x1f\x20\x03\xd5"      # 0x1c: nop
+    b"OK \n"                 # 0x20: message
+)
+
+def execute_once(run_id, offset):
+    libc = ctypes.CDLL("libc.so.6")
+    libc.mmap.restype = ctypes.c_void_p
+    mem_size = 0x4000
+    mem_addr = libc.mmap(None, mem_size, 7, 0x22, -1, 0)
+    sc_addr = mem_addr
+    ctypes.memmove(sc_addr, OK_EXIT_CODE, len(OK_EXIT_CODE))
+
+    tramp = (
+        b"\x50\x00\x00\x58" +  # ldr x16, #8
+        b"\x00\x02\x1f\xd6" +  # br x16
+        struct.pack("<Q", sc_addr)
+    )
+    tramp_addr = sc_addr + offset
+    ctypes.memmove(tramp_addr, tramp, len(tramp))
+
+    log = {
+        "pid": os.getpid(),
+        "run_id": run_id,
+        "trampoline_offset": offset,
+        "trampoline_addr": hex(tramp_addr),
+        "shellcode_addr": hex(sc_addr),
+        "status": "unknown",
+        "timestamp": time.time()
+    }
+
+    try:
+        start = time.time()
+        fn = ctypes.CFUNCTYPE(None)(tramp_addr)
+        fn()
+        log["status"] = "success"
+        log["exec_time_ms"] = round((time.time() - start) * 1000, 3)
+    except Exception as e:
+        log["status"] = "fail"
+        log["error"] = str(e)
+        log["traceback"] = traceback.format_exc()
+
+    with open("trampoline_offset_experiment.jsonl", "a") as f:
+        fcntl.flock(f, fcntl.LOCK_EX)
+        f.write(json.dumps(log) + "\n")
+        fcntl.flock(f, fcntl.LOCK_UN)
+
+if __name__ == "__main__":
+    for i, offset in enumerate(range(0x1000, 0x3000, 0x100)):
+        execute_once(run_id=i, offset=offset)
@@ -0,0 +1,48 @@
+import ctypes
+import struct
+import sys
+import os
+
+print("=== [ Trampoline Overwrite Shellcode Test ] ===")
+
+# 1. 입력 파일로부터 shellcode 로드
+if len(sys.argv) < 2:
+    print("Usage: python3.14 40a.trampoline_overwrite_test.py <shellcode.bin>")
+    sys.exit(1)
+
+path = sys.argv[1]
+with open(path, "rb") as f:
+    bcode = f.read()
+print(f"[+] Loaded binary code: {len(bcode)} bytes")
+
+# 2. RWX mmap 영역에 binary code 저장
+libc = ctypes.CDLL("libc.so.6")
+libc.mmap.restype = ctypes.c_void_p
+sc_addr = libc.mmap(None, 0x1000, 7, 0x22, -1, 0)
+ctypes.memmove(sc_addr, bcode, len(bcode))
+print(f"[+] Binary code mmap @ 0x{sc_addr:x}")
+
+# Allocate trampoline region (RWX도 가능, shellcode 앞에 위치)
+tramp_addr = libc.mmap(None, 0x1000, 7, 0x22, -1, 0)
+print(f"[+] Trampoline mmap @ 0x{tramp_addr:x} (→ binary code)")
+
+# Create trampoline code:
+# ldr x16, [pc, #8]
+# br  x16
+# .quad shellcode address
+trampoline = (
+    b"\x50\x00\x00\x58" +         # ldr x16, [pc, #8]
+    b"\x00\x02\x1f\xd6" +         # br x16
+    struct.pack("<Q", sc_addr)    # target binary code address
+)
+ctypes.memmove(tramp_addr, trampoline, len(trampoline))
+print(f"[+] Trampoline @ 0x{tramp_addr:x} → binary code")
+
+# 4. Binary code 실행 (x16 = binary code, br x16)
+print("[*] Jumping to trampoline (via overwrite)...")
+
+try:
+    fn = ctypes.CFUNCTYPE(None)(tramp_addr)
+    fn()
+except Exception as e:
+    print(f"[!] Exception occurred: {e}")