In this blog post I will bring together two cool things: ELF DSO injection into running processes and LuaJIT. Lua itself is a very nice scripting language, and LuaJIT integrates a very decent FFI module which contains a cdecl parser and other interesting things. I do not need the speedup of LuaJIT over Lua so much, but the C binding and interoperability are "awesome".
I wrote my first ELF injection tools >20 years ago, so my actual injectso project needed some polishing first to work with current distros at all. Not only did the ld.so implementation and glibc pathnames change; compilers and glibc also make use of CPU extensions like SSE2 for string and memory related functions like memset(). The drawback in this particular case is that SSE2 instructions impose a 16-byte alignment requirement on their memory operands, and compiled code satisfies it by relying on the stack alignment the ABI guarantees at a call. Injected code that called into glibc with a misaligned stack therefore crashed, which made injectso fail on distros that use these instructions. Now that this is fixed and injectso runs on most glibc based distros again, it was time to add LuaJIT support to allow loading of Lua scripts into "foreign" processes in order to do similar things that you know from frida: accessing memory locations, hooking functions, dumping parameters etc., but with much less bloat.
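To make the alignment problem concrete, here is an added example (not injectso's own code) of the stack arithmetic an injector has to get right before forcing a stopped x86-64 thread to call into glibc. It assumes the System V AMD64 ABI: on function entry, i.e. right after the CALL pushed the return address, RSP + 8 must be a multiple of 16, and the 128 bytes below the interrupted RSP (the red zone) may still be in use by the interrupted function. The register value and the function names are my own constructions.

```c
/* Added example, not part of injectso: stack alignment for an injected call
 * on x86-64 (System V ABI).  The RSP value below is constructed. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RED_ZONE 128  /* bytes below RSP a leaf function may use without moving RSP */

/* ABI rule: at function entry RSP + 8 must be 16-byte aligned.  glibc's SSE2
 * memset()/memcpy() variants spill XMM registers with MOVAPS relative to this
 * assumed alignment and raise SIGSEGV when it does not hold. */
static int entry_rsp_ok(uint64_t rsp_at_entry)
{
    return ((rsp_at_entry + 8) & 15) == 0;
}

/* Naive injection: treat the interrupted thread's RSP as the point to CALL
 * from.  Returns the RSP the callee sees on entry (CALL pushes 8 bytes).
 * Works only when the interrupted RSP happened to be 16-byte aligned. */
static uint64_t naive_call_rsp(uint64_t interrupted_rsp)
{
    return interrupted_rsp - 8;
}

/* Corrected injection: step over the red zone, align down to 16 bytes, then
 * account for the return address the simulated CALL pushes.  *ret_slot
 * receives the address where the injector must store the return (or trap)
 * address before resuming the thread. */
static uint64_t injected_call_rsp(uint64_t interrupted_rsp, uint64_t *ret_slot)
{
    uint64_t sp = (interrupted_rsp - RED_ZONE) & ~(uint64_t)15; /* RSP "before CALL" */
    sp -= 8;                                                    /* the pushed return address */
    if (ret_slot)
        *ret_slot = sp; /* injector writes the return address to *(uint64_t *)sp */
    return sp;
}

/* Out of the 16 possible RSP residues mod 16, how many does the naive
 * approach get wrong?  (Every residue except 0, i.e. 15.) */
static int naive_misaligned_residues(void)
{
    int bad = 0;
    for (uint64_t r = 0; r < 16; r++)
        if (!entry_rsp_ok(naive_call_rsp(0x7ffd00001000ULL + r)))
            bad++;
    return bad;
}

int main(void)
{
    uint64_t rsp = 0x7ffd00001234ULL; /* constructed RSP of a stopped thread */
    uint64_t slot;
    uint64_t naive = naive_call_rsp(rsp);
    uint64_t fixed = injected_call_rsp(rsp, &slot);

    printf("naive   entry rsp %#" PRIx64 " aligned=%d\n", naive, entry_rsp_ok(naive));
    printf("aligned entry rsp %#" PRIx64 " aligned=%d, return address goes to %#" PRIx64 "\n",
           fixed, entry_rsp_ok(fixed), slot);
    printf("naive approach misaligned for %d of 16 RSP residues\n",
           naive_misaligned_residues());
    return 0;
}
```

The same rule applies to the trampoline or stub code that runs inside the target after injection: any CALL it makes must happen with RSP 16-byte aligned, otherwise the first SSE2-optimised libc routine it reaches faults.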
Here is how it would look in Lua:
It was necessary to add peek/poke primitives to LuaJIT as well as a trap mechanism for functions, in order to hook/unhook functions and dump their parameters or otherwise access memory at the trap point. Changing function parameters on entry is not yet supported, but would be easy to add.
When you hook a python interpreter with this script, it would look like this:
Is that cool? Running Lua code when Python calls into a C function to do some things. Some fun that AI-assisted coding will never give you. You can try it out yourself here.