From 807e500dfd2f2ae0d367c56d1a1102bb5db48bfc Mon Sep 17 00:00:00 2001
From: Andras Gemes
Date: Thu, 2 Jan 2025 11:46:09 +0100
Subject: [PATCH] feat: print args in frida syscall tracer (write syscall)
---
 README.md | 36 +++++++++++++++++++--------
 arsenal/linux/arm64/stalk-syscalls.js | 12 ++++++++-
 arsenal/linux/x64/stalk-syscalls.js | 12 ++++++++-
 3 files changed, 48 insertions(+), 12 deletions(-)
diff --git a/README.md b/README.md
index 8b36b79..89b3a83 100644
--- a/README.md
+++ b/README.md
@@ -236,8 +236,12 @@ $ frida -l arsenal/linux/arm64/stalk-syscalls.js -f build/linux/arm64/shexec bui . . . . Connected to Local System (id=local) Spawned `build/linux/arm64/shexec build/linux/arm64/shcode_hello.bin`. Resuming main thread! file size: 52 bytes -syscall @ 0x7f92223ac8, X8: 0xe2 (226) -[Local::shexec ]-> syscall @ 0x7f922f7024, X8: 0x40 (64) +syscall @ 0x7f94453ac8, X8: 0xe2 (226) +[Local::shexec ]-> syscall @ 0x7f9452d024, X8: 0x40 (64) -> write() + X0: 0x1 + X1: Hello! + + X2: 0x7 Process terminated [Local::shexec ]->
@@ -263,8 +267,12 @@ $ frida -l arsenal/linux/arm64/stalk-syscalls.js -f build/linux/arm64/shexec bui . . . . Connected to Local System (id=local) Spawned `build/linux/arm64/shexec build/linux/arm64/shcode_hello.bin`. Resuming main thread! file size: 52 bytes -syscall @ 0x7fbe8b7b08, X8: 0xe2 (226) -[Local::shexec ]-> syscall @ 0x7fbe99b024, X8: 0x40 (64) +syscall @ 0x7f9d977b08, X8: 0xe2 (226) +[Local::shexec ]-> syscall @ 0x7f9da4f024, X8: 0x40 (64) -> write() + X0: 0x1 + X1: Hello! + + X2: 0x7 Process terminated [Local::shexec ]->
@@ -367,9 +375,13 @@ $ frida -l arsenal/linux/x64/stalk-syscalls.js -f build/linux/x64/shexec build/l Spawned `build/linux/x64/shexec build/linux/x64/shcode_hello.bin`. Resuming main thread! file size: 57 bytes Hello, World! -[Local::shexec ]-> syscall @ 0x7f006974e839, RAX: 0xa (10) -syscall @ 0x7f006800101c, RAX: 0x1 (1) -syscall @ 0x7f0068001028, RAX: 0x3c (60) +[Local::shexec ]-> syscall @ 0x7f8cf16e3839, RAX: 0xa (10) +syscall @ 0x7f8cf001b01c, RAX: 0x1 (1) -> write() + RDI: 0x1 + RSI: Hello, World! + + RDX: 0xf +syscall @ 0x7f8cf001b028, RAX: 0x3c (60) ``` #### `frida` (Docker on x64 host)
@@ -392,9 +404,13 @@ $ frida -l arsenal/linux/x64/stalk-syscalls.js -f build/linux/x64/shexec build/l Spawned `build/linux/x64/shexec build/linux/x64/shcode_hello.bin`. Resuming main thread! file size: 57 bytes Hello, World! -syscall @ 0x7fb66cc65c19, RAX: 0xa (10) -[Local::shexec ]-> syscall @ 0x7fb66cd5301c, RAX: 0x1 (1) -syscall @ 0x7fb66cd53028, RAX: 0x3c (60) +[Local::shexec ]-> syscall @ 0x7f8c4c216c19, RAX: 0xa (10) +syscall @ 0x7f8c4c30401c, RAX: 0x1 (1) -> write() + RDI: 0x1 + RSI: Hello, World! + + RDX: 0xf +syscall @ 0x7f8c4c304028, RAX: 0x3c (60) ``` ## Windows x64
diff --git a/arsenal/linux/arm64/stalk-syscalls.js b/arsenal/linux/arm64/stalk-syscalls.js
index f5044de..bee3c7a 100644
--- a/arsenal/linux/arm64/stalk-syscalls.js
+++ b/arsenal/linux/arm64/stalk-syscalls.js
@@ -25,6 +25,16 @@ Interceptor.attach(mprotectAddr, {
 })
 function printContext(context) {
- console.log(`syscall @ ${context.pc}, X8: ${context.x8} (${context.x8.toInt32()})`);
+ switch (context.x8.toInt32()) {
+ case 64:
+ console.log(`syscall @ ${context.pc}, X8: ${context.x8} (${context.x8.toInt32()}) -> write()\n` +
+ ` X0: ${context.x0}\n` +
+ ` X1: ${Memory.readCString(context.x1)}\n` +
+ ` X2: ${context.x2}`);
+ break;
+ default:
+ console.log(`syscall @ ${context.pc}, X8: ${context.x8} (${context.x8.toInt32()})`);
+ break;
+ }
 }
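Review bot: `Memory.readCString(context.x1)` in the new `case 64` branch reads until the first NUL byte, but write(2) takes an explicit byte count in X2 and the buffer is not required to be NUL-terminated, so the read can run past the end of the buffer into whatever follows it (an unmapped page would throw inside the tracer) and a payload that contains a NUL is printed truncated. Bound the read by the syscall's own length argument, `Memory.readCString(context.x1, context.x2.toInt32())`, or use `hexdump(context.x1, { length: context.x2.toInt32() })` when the buffer may hold non-text bytes. The same applies to the x64 hunk in arsenal/linux/x64/stalk-syscalls.js, where `Memory.readCString(context.rsi)` should be bounded by RDX. Because the pointer comes from the traced code, wrapping the read in a try/catch that falls back to printing the raw X1 value would keep the tracer alive on an invalid or unreadable address. The bare `case 64` / `case 1` would also read better behind a named constant such as `const SYS_write = 64;` (arm64) and `const SYS_write = 1;` (x64).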
diff --git a/arsenal/linux/x64/stalk-syscalls.js b/arsenal/linux/x64/stalk-syscalls.js
index 5806dca..9f82419 100644
--- a/arsenal/linux/x64/stalk-syscalls.js
+++ b/arsenal/linux/x64/stalk-syscalls.js
@@ -25,6 +25,16 @@ Interceptor.attach(mprotectAddr, {
 })
 function printContext(context) {
- console.log(`syscall @ ${context.pc}, RAX: ${context.rax} (${context.rax.toInt32()})`);
+ switch (context.rax.toInt32()) {
+ case 1:
+ console.log(`syscall @ ${context.pc}, RAX: ${context.rax} (${context.rax.toInt32()}) -> write()\n` +
+ ` RDI: ${context.rdi}\n` +
+ ` RSI: ${Memory.readCString(context.rsi)}\n` +
+ ` RDX: ${context.rdx}`);
+ break;
+ default:
+ console.log(`syscall @ ${context.pc}, RAX: ${context.rax} (${context.rax.toInt32()})`);
+ break;
+ }
 }