Usermode ELF injection on the PlayStation 5 #1405
Merged: carlospolop merged 123 commits into master from update_Usermode_ELF_injection_on_the_PlayStation_5_20250914_183156 on Sep 30, 2025 (+5,388 −1,824)

Conversation
🔗 Additional Context
Original Blog Post: https://reversing.codes/posts/PlayStation-5-ELF-Injection/
Content Categories: Based on the analysis, this content was categorized under "Generic Hacking > Process/Code Injection (Unix/BSD) > FreeBSD ptrace RFI and vm_map PROT_EXEC bypass (PS5 case study)".
Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Scope: The post documents a complete, reproducible method for usermode ELF injection on PlayStation 5 (PS5) processes. It leverages FreeBSD internals, kernel read/write (R/W) primitives from public exploits (latest firmware reported exploitable: 10.01, status as of Sep 3, 2025), vm_map manipulation to grant executable pages, and ptrace-based remote function invocation to map and run arbitrary ELFs inside target processes. It ships working code, offsets, constants...
🔧 Technical Details
Credential patch for debugging: With a kernel write primitive, locate the current struct proc in allproc, then write 0x4800000000010003 (PTRACE_AUTHID) to proc->p_ucred + 0x58. This grants ptrace/mdbg rights so the injector can suspend threads, read/write memory, and set registers in target processes.
Bypass RW-only user mappings: Traverse the target’s vm_map (linked list or BST) to find desired vm_map_entry objects and set protection |= PROT_EXEC. This converts RW pages to RX/RWX as needed, enabling staging code or loader thunks even when mmap would normally prohibit executable pages.
Ptrace remote function invocation: Implement an RFI wrapper that pauses a target thread, saves context, writes registers (RIP/arguments) to point at the desired function (e.g., elfldr routines), resumes to execute, then restores the origina...
🤖 Agent Actions
I analyzed the blog post and the HackTricks repository and found there was no existing page covering Unix/BSD usermode injection via FreeBSD ptrace with kernel data-only writes, vm_map PROT_EXEC flipping, and in-process ELF mapping—especially in the PS5 context. The closest material lives under macOS Process Abuse (Mach task-port based injection and IPC), but nothing on FreeBSD ptrace-based RFI or vm_map manipulation.
What I did:
Created a new technical page under macOS Process Abuse (best matching place for Unix/BSD process/code injection content already in HackTricks):
Linked the new page from the main macOS Process Abuse README with a clear subsection:
Files modified/created:
Notes:
No other overlapping or duplicate content was found, so no other updates were necessary.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
🗑️ File Cleanup
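Added example on the detection side of the vm_map PROT_EXEC technique summarised in the PR description (this is not code from the PR, the blog post, or HackTricks): a small Python checker that parses FreeBSD procstat -v output and flags writable+executable mappings and executable mappings that are not file-backed, which is what flipping protection on anonymous vm_map entries leaves behind. It assumes the procstat -v column layout PID START END PRT RES PRES REF SHD FLAG TP PATH with TP "vn" for vnode-backed entries; the sample output is constructed.

```python
"""Flag W+X or executable anonymous mappings in FreeBSD procstat -v output.

Added example, not code from the PR or the blog post. Assumes the procstat -v
column layout PID START END PRT RES PRES REF SHD FLAG TP PATH, with TP "vn"
for vnode-backed mappings; the SAMPLE text below is constructed.
"""
import re

# Constructed sample: a normal image plus two anonymous regions that were made
# executable, the shape a PROT_EXEC flip on vm_map entries leaves behind.
SAMPLE = """\
  PID              START                END PRT  RES PRES REF SHD FLAG  TP PATH
 1234           0x200000           0x201000 r--    1    0   3   1 CN--- vn /usr/bin/target
 1234           0x201000           0x205000 r-x    4    0   3   1 CN--- vn /usr/bin/target
 1234           0x205000           0x206000 rw-    1    0   1   0 CN--- vn /usr/bin/target
 1234        0x800000000        0x800010000 rw-   16    0   1   0 ----- df
 1234        0x800010000        0x800020000 r-x   16    0   1   0 ----- df
 1234        0x800020000        0x800030000 rwx   16    0   1   0 ----- df
 1234     0x7ffffffdf000     0x7ffffffff000 rw-    2    0   1   0 ---D- df
"""

LINE_RE = re.compile(
    r"^\s*(\d+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+([r-][w-][x-])"
    r"(?:\s+\S+){5}\s+(\S+)(?:\s+(\S+))?\s*$"
)

def parse_procstat_v(text):
    """Return (pid, start, end, prot, tp, path) tuples for each mapping line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pid, start, end, prot, tp, path = m.groups()
            rows.append((int(pid), int(start, 16), int(end, 16), prot, tp, path or ""))
    return rows

def find_suspicious(text):
    """Return (start, end, prot, reason) for mappings worth a closer look.
    JIT runtimes create anonymous r-x regions legitimately, so allowlist those
    by executable path before alerting on the second case."""
    hits = []
    for _pid, start, end, prot, tp, _path in parse_procstat_v(text):
        if "x" not in prot:
            continue
        if "w" in prot:
            hits.append((start, end, prot, "writable+executable"))
        elif tp != "vn":
            hits.append((start, end, prot, "executable non-file-backed mapping"))
    return hits
```

Run it against live output with `procstat -v <pid>` piped into find_suspicious; on the constructed sample it reports the r-x and rwx anonymous regions and stays quiet on the file-backed text segment.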