Added support for reading TLS

Your Name · Your Name · commit 5590fbcbbc3f · 2024-12-04T16:33:37.000Z
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "frida-cshell",
-  "version": "1.8.3",
+  "version": "1.8.4",
   "description": "Frida's CShell",
   "scripts": {
     "prepare": "npm run version && npm run build && npm run package && npm run copy",
diff --git a/src/breakpoints/code.ts b/src/breakpoints/code.ts
@@ -4,6 +4,7 @@ import { Regs } from './regs.js';
 import { Format } from '../misc/format.js';
 import { Var } from '../vars/var.js';
 import { Bp, BpKind, BpType } from './bp.js';
+import { Tls } from '../tls/tls.js';
 
 export abstract class BpCode extends Bp {
   public kind: BpKind = BpKind.Code;
@@ -53,6 +54,7 @@ export abstract class BpCode extends Bp {
     Regs.setContext(ctx);
     Regs.setReturnAddress(returnAddress);
     Regs.setBreakpointId(this.index);
+    Regs.setTls(Tls.getTls());
     if (retVal !== null) Regs.setRetVal(retVal);
 
     try {
diff --git a/src/breakpoints/memory.ts b/src/breakpoints/memory.ts
@@ -1,6 +1,7 @@
 import { Output } from '../io/output.js';
 import { Mem } from '../memory/mem.js';
 import { Format } from '../misc/format.js';
+import { Tls } from '../tls/tls.js';
 import { Var } from '../vars/var.js';
 import { Bp, BpKind, BpType } from './bp.js';
 import { Regs } from './regs.js';
@@ -94,6 +95,7 @@ export abstract class BpMemory extends Bp {
     Regs.setAddress(details.address);
     Regs.setPc(details.from);
     Regs.setBreakpointId(this.index);
+    Regs.setTls(Tls.getTls());
 
     try {
       if (this.runConditions()) {
diff --git a/src/breakpoints/regs.ts b/src/breakpoints/regs.ts
@@ -5,6 +5,7 @@ enum PseudoRegNames {
   RA = 'ra',
   ADDRESS = 'addr',
   BP = 'bp',
+  TLS = 'tls',
 }
 
 type PseudoRegs = {
@@ -23,6 +24,7 @@ export class Regs {
     [PseudoRegNames.RA]: null,
     [PseudoRegNames.ADDRESS]: null,
     [PseudoRegNames.BP]: null,
+    [PseudoRegNames.TLS]: null,
   };
 
   private constructor() {}
@@ -60,6 +62,13 @@ export class Regs {
     this.pseudoRegs[PseudoRegNames.BP] = Var.fromId(breakpointId);
   }
 
+  public static setTls(tls: NativePointer) {
+    this.pseudoRegs[PseudoRegNames.TLS] = new Var(
+      uint64(tls.toString()),
+      PseudoRegNames.TLS,
+    );
+  }
+
   public static get(name: string): Var {
     if (name in this.pseudoRegs) {
       const key = name as PseudoRegNames;
diff --git a/src/cmdlets/development/js.ts b/src/cmdlets/development/js.ts
@@ -84,6 +84,7 @@ import { EchoCmdLet } from '../misc/echo.js';
 import { CorpseCmdLet } from '../misc/corpse/corpse.js';
 import { ErrnoCmdLet } from '../misc/errno.js';
 import { SzCmdLet } from '../files/sz.js';
+import { TlsCmdLet } from '../thread/tls.js';
 
 export class JsCmdLet extends CmdLetBase {
   name = 'js';
@@ -168,6 +169,7 @@ js path - load commandlet JS script
       SubCmdLet: SubCmdLet,
       SymCmdLet: SymCmdLet,
       ThreadCmdLet: ThreadCmdLet,
+      TlsCmdLet: TlsCmdLet,
       TraceBlockCmdLet: TraceBlockCmdLet,
       TraceCallCmdLet: TraceCallCmdLet,
       TraceCoverageCmdLet: TraceCoverageCmdLet,
diff --git a/src/cmdlets/thread/tls.ts b/src/cmdlets/thread/tls.ts
@@ -0,0 +1,33 @@
+import { CmdLetBase } from '../../commands/cmdlet.js';
+import { Output } from '../../io/output.js';
+import { Token } from '../../io/token.js';
+import { Var } from '../../vars/var.js';
+import { Tls } from '../../tls/tls.js';
+
+export class TlsCmdLet extends CmdLetBase {
+  name = 'tls';
+  category = 'thread';
+  help = 'read the TLS pointer';
+
+  private static readonly USAGE: string = `Usage: tls
+tls - get the tls pointer`;
+
+  public runSync(tokens: Token[]): Var {
+    if (tokens.length > 0) {
+      Output.writeln(TlsCmdLet.USAGE);
+      return Var.ZERO;
+    }
+
+    const tls = Tls.getTls();
+    return new Var(uint64(tls.toString()));
+  }
+
+  public override isSupported(): boolean {
+    return Tls.isSupported();
+  }
+
+  public usage(): Var {
+    Output.writeln(TlsCmdLet.USAGE);
+    return Var.ZERO;
+  }
+}
diff --git a/src/commands/cmdlets.ts b/src/commands/cmdlets.ts
@@ -71,6 +71,7 @@ import { EchoCmdLet } from '../cmdlets/misc/echo.js';
 import { CorpseCmdLet } from '../cmdlets/misc/corpse/corpse.js';
 import { ErrnoCmdLet } from '../cmdlets/misc/errno.js';
 import { SzCmdLet } from '../cmdlets/files/sz.js';
+import { TlsCmdLet } from '../cmdlets/thread/tls.js';
 
 export class CmdLets {
   private static byName: Map<string, CmdLet> = new Map<string, CmdLet>();
@@ -129,6 +130,7 @@ export class CmdLets {
     this.registerCmdletType(SymCmdLet);
     this.registerCmdletType(SzCmdLet);
     this.registerCmdletType(ThreadCmdLet);
+    this.registerCmdletType(TlsCmdLet);
     this.registerCmdletType(TraceBlockCmdLet);
     this.registerCmdletType(TraceCallCmdLet);
     this.registerCmdletType(TraceCoverageCmdLet);
diff --git a/src/tls/arm.ts b/src/tls/arm.ts
@@ -0,0 +1,29 @@
+import { Output } from '../io/output.js';
+
+export class TlsArm {
+  private static readonly SHELL_CODE: Uint8Array = new Uint8Array([
+    /* mrc p15,0x0,r0,cr13,cr0,0x3 */ 0x70, 0x0f, 0x1d, 0xee, /* bx lr */ 0x1e,
+    0xff, 0x2f, 0xe1,
+  ]);
+
+  public getTls(): NativePointer {
+    const buffer = Memory.alloc(
+      TlsArm.SHELL_CODE.length + 2 * Process.pageSize,
+    );
+    Output.debug(`buffer: ${buffer.toString(16)}`);
+    const shellCode = buffer.add(Process.pageSize);
+    Output.debug(`shellCode: ${shellCode.toString(16)}`);
+    shellCode.writeByteArray(TlsArm.SHELL_CODE.buffer as ArrayBuffer);
+    const fnPtr = new NativeFunction(shellCode, 'pointer', []);
+    Memory.protect(shellCode, TlsArm.SHELL_CODE.length, 'r-x');
+    const seg = fnPtr();
+    Memory.protect(shellCode, TlsArm.SHELL_CODE.length, 'rw-');
+    return seg;
+  }
+
+  public static getTls(): NativePointer {
+    const tls = new TlsArm();
+    const ptr = tls.getTls();
+    return ptr;
+  }
+}
diff --git a/src/tls/arm64.ts b/src/tls/arm64.ts
@@ -0,0 +1,29 @@
+import { Output } from '../io/output.js';
+
+export class TlsAarch64 {
+  private static readonly SHELL_CODE: Uint8Array = new Uint8Array([
+    /* mrs x0, tpidr_el0 */ 0x40, 0xd0, 0x3b, 0xd5, /* ret */ 0xc0, 0x03, 0x5f,
+    0xd6,
+  ]);
+
+  public getTls(): NativePointer {
+    const buffer = Memory.alloc(
+      TlsAarch64.SHELL_CODE.length + 2 * Process.pageSize,
+    );
+    Output.debug(`buffer: ${buffer.toString(16)}`);
+    const shellCode = buffer.add(Process.pageSize);
+    Output.debug(`shellCode: ${shellCode.toString(16)}`);
+    shellCode.writeByteArray(TlsAarch64.SHELL_CODE.buffer as ArrayBuffer);
+    const fnPtr = new NativeFunction(shellCode, 'pointer', []);
+    Memory.protect(shellCode, TlsAarch64.SHELL_CODE.length, 'r-x');
+    const seg = fnPtr();
+    Memory.protect(shellCode, TlsAarch64.SHELL_CODE.length, 'rw-');
+    return seg;
+  }
+
+  public static getTls(): NativePointer {
+    const tls = new TlsAarch64();
+    const ptr = tls.getTls();
+    return ptr;
+  }
+}
diff --git a/src/tls/ia32.ts b/src/tls/ia32.ts
@@ -0,0 +1,136 @@
+import { Output } from '../io/output.js';
+
+class Selector {
+  private readonly value: number;
+
+  constructor(value: number) {
+    this.value = value;
+  }
+
+  public getRpl(): number {
+    return this.value & 0x3;
+  }
+
+  public getTi(): number {
+    return (this.value >> 2) & 0x1;
+  }
+
+  public getIndex(): number {
+    return (this.value >> 3) & 0x1fff;
+  }
+
+  public toString(): string {
+    return [
+      `RPL ${this.getRpl()}`,
+      `TI ${this.getTi()}`,
+      `INDEX ${this.getIndex()}`,
+    ].join(' ');
+  }
+}
+
+/*
+ * entry_number: int,
+ * base: void*
+ * limit: void*
+ * flags: int
+ */
+class ThreadArea {
+  private static readonly INT_SIZE = 4;
+  private static readonly SIZE: number =
+    Process.pointerSize * 2 + ThreadArea.INT_SIZE * 2;
+  private readonly buff: NativePointer;
+
+  constructor(segment: Selector) {
+    this.buff = Memory.alloc(ThreadArea.SIZE);
+    this.buff.writeInt(segment.getIndex());
+  }
+
+  public ptr(): NativePointer {
+    return this.buff;
+  }
+
+  public getBase(): NativePointer {
+    return this.buff.add(Process.pointerSize).readPointer();
+  }
+
+  public getLimit(): NativePointer {
+    return this.buff.add(Process.pointerSize * 2).readPointer();
+  }
+
+  public getFlags(): number {
+    return this.buff.add(Process.pointerSize * 3).readInt();
+  }
+
+  public toString(): string {
+    return [
+      `IDX: ${this.buff.readInt()}`,
+      `BASE: ${this.getBase().toString(16)}`,
+      `LIMIT: ${this.getLimit().toString(16)}`,
+      `FLAGS: ${this.getFlags().toString(16)}`,
+    ].join(' ');
+  }
+}
+
+export class TlsIa32 {
+  private static readonly SYS_get_thread_area: number = 0xf4;
+  private fnSyscall: SystemFunction<number, [number | UInt64, NativePointer]>;
+
+  private static readonly SHELL_CODE: Uint8Array = new Uint8Array([
+    /* xor eax, eax */ 0x31, 0xc0, /* mov ax, gs */ 0x66, 0x8c, 0xe8,
+    /* ret */ 0xc3,
+  ]);
+
+  constructor() {
+    const pSyscall = Module.findExportByName(null, 'syscall');
+    if (pSyscall === null) throw new Error('failed to find syscall');
+
+    this.fnSyscall = new SystemFunction(pSyscall, 'int', ['size_t', 'pointer']);
+  }
+
+  public getSegment(): Selector {
+    const buffer = Memory.alloc(
+      TlsIa32.SHELL_CODE.length + 2 * Process.pageSize,
+    );
+    Output.debug(`buffer: ${buffer.toString(16)}`);
+    const shellCode = buffer.add(Process.pageSize);
+    Output.debug(`shellCode: ${shellCode.toString(16)}`);
+    shellCode.writeByteArray(TlsIa32.SHELL_CODE.buffer as ArrayBuffer);
+    const fnPtr = new NativeFunction(shellCode, 'int', []);
+    Memory.protect(shellCode, TlsIa32.SHELL_CODE.length, 'r-x');
+    const seg = fnPtr();
+    Memory.protect(shellCode, TlsIa32.SHELL_CODE.length, 'rw-');
+    return new Selector(seg);
+  }
+
+  public getTls(): NativePointer {
+    const seg = this.getSegment();
+    Output.debug(`tls segment: ${seg.toString()}`);
+
+    if (seg.getRpl() !== 3) {
+      throw new Error('tls segment is not in user space');
+    }
+
+    if (seg.getTi() !== 0) {
+      throw new Error('tls segment is in LDT, expected GDT entry');
+    }
+
+    const user_desc = new ThreadArea(seg);
+
+    const ret = this.fnSyscall(
+      TlsIa32.SYS_get_thread_area,
+      user_desc.ptr(),
+    ) as UnixSystemFunctionResult<number>;
+    if (ret.value !== 0) throw new Error(`syscall failed, errno: ${ret.errno}`);
+
+    Output.debug(`thread area: ${user_desc.toString()}`);
+
+    const tls = user_desc.getBase();
+    return tls;
+  }
+
+  public static getTls(): NativePointer {
+    const tls = new TlsIa32();
+    const ptr = tls.getTls();
+    return ptr;
+  }
+}
diff --git a/src/tls/tls.ts b/src/tls/tls.ts
@@ -0,0 +1,33 @@
+import { TlsArm } from './arm.js';
+import { TlsX64 } from './x64.js';
+import { TlsIa32 } from './ia32.js';
+import { TlsAarch64 as TlsArm64 } from './arm64.js';
+
+export class Tls {
+  public static getTls(): NativePointer {
+    switch (Process.arch) {
+      case 'x64':
+        return TlsX64.getTls();
+      case 'ia32':
+        return TlsIa32.getTls();
+      case 'arm':
+        return TlsArm.getTls();
+      case 'arm64':
+        return TlsArm64.getTls();
+      default:
+        return ptr(0);
+    }
+  }
+
+  public static isSupported(): boolean {
+    switch (Process.arch) {
+      case 'x64':
+      case 'ia32':
+      case 'arm':
+      case 'arm64':
+        return true;
+      default:
+        return false;
+    }
+  }
+}
diff --git a/src/tls/x64.ts b/src/tls/x64.ts

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "frida-cshell",`
`3`		`- "version": "1.8.3",`
	`3`	`+ "version": "1.8.4",`
`4`	`4`	`"description": "Frida's CShell",`
`5`	`5`	`"scripts": {`
`6`	`6`	`"prepare": "npm run version && npm run build && npm run package && npm run copy",`