| 20 Aug 2021 |
 baloo | :D | 03:36:31 |
| baloo | prctl(PR_SET_MM, PR_SET_MM_AUXV, ...) | 03:54:28 |
| baloo | this is cursed | 04:01:50 |
| baloo | we could throw a linux module that would hook on finalize_exec, and provide a custom vdso for our hierarchy | 15:57:20 |
| baloo | or something | 15:57:22 |
| baloo | hooking a syscall is ~easy hook a https://gist.github.com/baloo/d1394dacb4049fc76ee935f686eaca5c#file-nosync-c-L67-L75 | 16:00:32 |
| baloo | * hooking a syscall is ~easy https://gist.github.com/baloo/d1394dacb4049fc76ee935f686eaca5c#file-nosync-c-L67-L75 | 16:00:44 |
| baloo | not sure about hooking a symbol | 16:00:50 |
| baloo | should not be all that hard | 16:00:56 |
| baloo | huuum | 16:07:41 |
| baloo | it's already a thread a that point. | 16:07:50 |
| baloo | so ... we could ... seccomp-ebpf and return seccomp_ret_trace, and inject the vdso with ptrace | 16:08:18 |
| baloo | the target wouldn't even know, as he has not started yet, and he didn't call ptrace(PTRACE_SETOPTIONS) yet | 16:09:05 |
| baloo | and that's without a kernel module, or all too much privileges. | 16:11:15 |
