svc-hook is a system call hook mechanism for ARM64, achieving speeds about 2,000 times faster than ptrace. It utilizes binary rewriting, replacing every svc instruction with a b instruction in the loaded target binary code before the main function starts.
Inspired by zpoline for x86_64 Linux, svc-hook adapts its concepts for ARM64, offering significant speed advantage without the need for target source code or kernel feature dependencies.
- Performance: 2,000 times faster than ptrace
- Independence: No need for target source code
- Simplicity: Works without relying on kernel features
Read my blog post (ja) for more details.
svc-hook supports ARM64 Linux.
svc-hook has no external dependencies.
To build libsvchook.so, run the following command in the root directory:
makeTo build a simple hook application libsvchook_basic.so, use:
make -C apps/basicYou need to set two environment variables:
LIBSVCHOOK: Path to the hook application e.g.,apps/basic/libsvchook_basic.soLD_PRELOAD: Path tolibsvchook.so
LIBSVCHOOK=./apps/basic/libsvchook_basic.so LD_PRELOAD=./libsvchook.so [target]Replace [target] with the binary you wish to hook system call.
LIBSVCHOOK=./apps/basic/libsvchook_basic.so LD_PRELOAD=./libsvchook.so /bin/ls
output from __hook_init: we can do some init work here
output from hook_function: syscall number 56
output from hook_function: syscall number 56
output from hook_function: syscall number 79
output from hook_function: syscall number 63
output from hook_function: syscall number 63
output from hook_function: syscall number 57
output from hook_function: syscall number 56
output from hook_function: syscall number 56
output from hook_function: syscall number 56
output from hook_function: syscall number 56
output from hook_function: syscall number 56
output from hook_function: syscall number 56
output from hook_function: syscall number 29
output from hook_function: syscall number 29
output from hook_function: syscall number 56
output from hook_function: syscall number 79
output from hook_function: syscall number 61
output from hook_function: syscall number 61
output from hook_function: syscall number 57
output from hook_function: syscall number 79
output from hook_function: syscall number 64
Documentation LICENSE Makefile README.md apps libsvchook.so main.c main.o
output from hook_function: syscall number 57svc-hook has three stages during initialization:
- It records the addresses of
svcinstructions in the target code and computes the range abinstruction can branch to (frompc - 0x8000000topc + 0x7fffffc). - A custom trampoline is set within the calculated range.
- The target code is rewritten accordingly.
svc-hook is released under the Apache license version 2.0.