A Look
At A Promon Shield Bypass – Part 1

The bypass needed three properties.

• It had to intercept reads at a level below libc, so the raw svc #0 instructions in libRASP.so couldn’t slip past it.

• It had to be selective enough that it only redirected the /proc/self/{maps,mounts,status} reads coming from Promon, without breaking the thousands of other syscalls every other thread in the app makes per second.

• And it had to be cheap enough that it didn’t show up in any of Promon’s other detection layers as a timing anomaly. Frida’s Stalker already failed all three of those.

seccomp-bpf is the kernel feature that fits.

What seccomp-bpf actually is

seccomp-bpf is a Linux kernel facility that lets a process install a Berkeley Packet Filter program that runs on every syscall the process makes, in kernel mode, at the syscall entry point — before the syscall actually executes. The filter inspects the syscall number and arguments and returns a verdict: ALLOW, KILL, ERRNO, TRACE, or — the one we care about — TRAP. A TRAP verdict raises a SIGSYS signal in the calling thread instead of executing the syscall. From inside the SIGSYS handler, you get a siginfo_t containing the original syscall number and a pointer to the saved register state (ucontext_t), and you can do whatever you want before returning — including writing a fake return value into x0 of the saved registers and resuming the thread as if the syscall had completed normally.

Here’s the skeleton of the handler signature, which is just a standard POSIX SA_SIGINFO signal handler:

void sigsys_handler(int signum, siginfo_t *info, void *ucontext_raw) {
    ucontext_t *uc = (ucontext_t *)ucontext_raw;
    int syscall_nr = info->si_syscall;
    // The saved register state lives at uc->uc_mcontext.regs[0..30]
    // On arm64 that starts at offset 168 inside ucontext_t.
    // regs[0] = x0 = syscall arg 0 = return value
    uint64_t *regs = (uint64_t *)((char *)uc + 168);
    // ... do work, write fake return into regs[0], return ...
}

The 168-byte offset to uc_mcontext.regs is a detail that matters: it has to be hand-coded because we can’t pull in ucontext.h cleanly in a -nostdlib shared object, and it differs between arm64 and arm32. We verified the offset empirically on both test devices (kernels 5.10 and 6.1) and it was 168 on both — Google’s arm64 bionic has been stable on this for a long time.

Two things make this exactly the right primitive for this job:

1. It runs in the kernel, on the syscall path itself. It does not care whether the userspace code reached the syscall via libc::openat(), via syscall(SYS_openat, …), or via a hand-written mov x8, #56; svc #0 buried inside an obfuscated jump table. By the time the BPF filter sees the syscall, all of that is gone — there’s just a syscall number and six arguments. Promon’s 431 raw svc sites and the entire computed-jump-table indirection layer become completely irrelevant. The kernel sees openat no matter how you got there.

2. The filter can match on the calling instruction pointer. This is the critical bit. BPF filters get the program counter of the instruction that issued the syscall as part of their input. That means we can write a filter that says “if the syscall came from this specific page of memory, allow it through; otherwise, trap.” That’s how the bypass avoids breaking every other syscall in the process — more on that in a second.

The architecture of the redirector

The whole bypass fits into one Frida agent script (later rewritten as a bundled .so so it works without Frida at all, but the structure is the same). It does five things at startup, in order:

Step 1: Build clean copies of the three files. Before any filter is installed, the agent reads the real /proc/self/maps, /proc/self/mounts, and /proc/self/status, filters them line by line, and writes the cleaned versions out to /data/local/tmp/.cm, .ct, and .cs. The filters are small:

// maps filter — drop Frida-adjacent lines, neuter rwxp pages
for each line in /proc/self/maps:
    if line contains "frida":    continue
    if line contains "gadget":   continue
    if line contains "gum-js":   continue
    line = line.replace("rwxp", "rw-p")  // kill anonymous JIT giveaways
    emit line

// mounts filter — strip Magisk/frida overlay mounts
for each line in /proc/self/mounts:
    lower = line.lower()
    if "magisk"  in lower: continue
    if "frida"   in lower: continue
    if "lsposed" in lower: continue
    if "supersu" in lower: continue
    if "/sbin" in lower and "tmpfs" in lower: continue
    emit line

// status filter — TracerPid must be 0
for each line in /proc/self/status:
    if line.startswith("TracerPid:"):
        emit "TracerPid:\t0"
    else:
        emit line

These three clean files are now the “answers” the bypass will hand back to Promon whenever it asks. (The “frida / lsposed / supersu” mount-filter entries are not hypothetical — we had to add each of them after empirically hitting a Promon kill that came from a Magisk module overlay mount we’d missed. The original filter only stripped “magisk” and survived fine until we enabled a Magisk module that bind-mounted a frida-server binary into /system/bin, which showed up as a mount entry containing “frida” and immediately tripped detection.)

Step 2: Allocate a single RWX code page via mmap. This page is going to host two things: a small set of trampoline stubs for issuing real syscalls from inside the SIGSYS handler, and the SIGSYS handler itself, written as raw ARM64 machine code. Putting both on the same page is what makes the IP-based filter check work — the filter only needs to whitelist one contiguous 4 KB range.

void *code_page = mmap(NULL, 4096,
    PROT_READ | PROT_WRITE | PROT_EXEC,
    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
// Layout:
//  +0x000: openat trampoline    (12 bytes)
//  +0x010: faccessat trampoline (12 bytes)
//  +0x020: newfstatat trampoline (12 bytes)
//  +0x030: read trampoline      (12 bytes)
//  +0x040: close trampoline     (12 bytes)
//  +0x100: SIGSYS handler (~500 bytes ARM64 machine code)
//  +0x800: fake path strings ("/data/local/tmp/.cm", etc.)
//  +0x900: path-match patterns ("/self/maps", "/self/mounts", ...)

The trampolines are dead simple. Each one is three instructions. Here they are as raw ARM64 bytes, showing the actual encoding that gets written into the page:

// openat trampoline @ +0x000 (SYS_openat = 56 = 0x38)
08 07 80 d2    // mov    x8, #56
01 00 00 d4    // svc    #0
c0 03 5f d6    // ret

// read trampoline @ +0x030 (SYS_read = 63 = 0x3f)
e8 07 80 d2    // mov    x8, #63
01 00 00 d4    // svc    #0
c0 03 5f d6    // ret

// close trampoline @ +0x040 (SYS_close = 57 = 0x39)
28 07 80 d2    // mov    x8, #57
01 00 00 d4    // svc    #0
c0 03 5f d6    // ret

01 00 00 d4 is the same SVC #0 byte pattern we grepped for with radare2 in the previous section — these are the first SVC bytes in the process that our code owns, and their instruction-pointer addresses are what the BPF filter is going to whitelist. There’s one of these stubs for openat (56), faccessat (48), newfstatat (79), read (63), and close (57). They’re laid down at known 16-byte-aligned offsets within the page so the handler can call them as regular function pointers:

typedef int (*openat_fn)(int dirfd, const char *path, int flags, int mode);
openat_fn trampoline_openat = (openat_fn)((char *)code_page + 0x000);
int fd = trampoline_openat(AT_FDCWD, "/data/local/tmp/.cm", O_RDONLY, 0);

When the handler calls that function pointer, the call lands inside the whitelisted page, the three-instruction stub runs, and the svc #0 at the middle of the stub is evaluated by the BPF filter — which sees the PC is inside the whitelist and immediately returns ALLOW. Real syscall, no recursive trap.

Step 3: Hand-assemble the SIGSYS handler. The handler is roughly 500 bytes of ARM64 machine code, also written into the same code page. It runs every time Promon’s code issues a TRAP-flagged syscall. Pseudocode:

on SIGSYS(int signum, siginfo_t *info, ucontext_t *uc):
    syscall_nr = info->si_syscall
    regs = &uc->uc_mcontext.regs[0]      // x0..x30, at offset 168 in uc

    if syscall_nr == openat:
        path = (char *)regs[1]                  // x1 = second arg to openat
        if strstr(path, "/self/maps"):
            path = "/data/local/tmp/.cm"
        elif strstr(path, "/self/mounts"):
            path = "/data/local/tmp/.ct"
        elif strstr(path, "/self/status"):
            path = "/data/local/tmp/.cs"
        // reissue through the trampoline — this goes through the kernel for real
        int fd = trampoline_openat(regs[0], path, regs[2], regs[3])
        regs[0] = fd                            // write return value into saved x0
        return

    if syscall_nr == read:
        // the fd in x0 is already one of our fake-file fds — just pass through
        regs[0] = trampoline_read(regs[0], regs[1], regs[2])
        return

    if syscall_nr == close:
        regs[0] = trampoline_close(regs[0])
        return

    if syscall_nr == faccessat or syscall_nr == newfstatat:
        // if path is a root-indicator string, fail with ENOENT
        path = (char *)regs[1]
        if path_matches_root_pattern(path):
            regs[0] = -ENOENT              // -2
        else:
            regs[0] = trampoline_faccessat(regs[0], path, regs[2], regs[3])
        return

The key trick is the two-level dispatch. When Promon calls openat(“/proc/self/maps”, …), the kernel traps into our handler. The handler rewrites the path argument to point at our pre-built fake file, then calls its own trampoline to actually issue the openat syscall. That second syscall comes from inside the trampoline page, which the BPF filter whitelists, so it goes through to the kernel unmolested and returns a real file descriptor pointing at the fake file. The handler writes that fd into the saved register state and returns. From Promon’s perspective, the original openat(“/proc/self/maps”) call just returned a normal-looking fd. Subsequent read() calls against that fd return the contents of the fake file, not the real one. close() closes it normally. Promon never knows.

Step 4: Install the SIGSYS handler with sigaction. Standard libc call. The handler address is the offset within the code page where we wrote the machine code.

struct sigaction sa = {0};
sa.sa_sigaction = (void (*)(int, siginfo_t *, void *))((char *)code_page + 0x100);
sa.sa_flags     = SA_SIGINFO;
sigemptyset(&sa.sa_mask);
sigaction(SIGSYS, &sa, NULL);

Step 5: Install the BPF filter via prctl(PR_SET_NO_NEW_PRIVS, 1) followed by seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, &fprog). The filter program itself is short — about 13 BPF instructions. Here’s the real sock_filter array we install, with comments:

//  seccomp_data layout (what the BPF program reads from):
//      [0]     u32 nr              (syscall number)
//      [4]     u32 arch
//      [8]     u64 instruction_pointer (lo 32 at [8], hi 32 at [12])
//      [16] u64 args[6]

struct sock_filter filter[] = {
    // --- IP whitelist: is the syscall coming from our trampoline page? ---
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, 12),                     // A = ip_hi
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, page_hi, 0, 6),         // if A != page_hi: goto nr
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, 8),                      // A = ip_lo
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, page_lo, 0, 4),         // if A < page_lo: goto nr
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, page_lo + 4096, 3, 0),  // if A >= page_end: goto nr
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),               // in our page -> ALLOW

    // --- syscall number check: not from our page, is it one we care about? ---
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, 0),                      // A = syscall_nr
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_openat,     4, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_faccessat, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_newfstatat, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_read,       1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),               // not watched -> ALLOW
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP),                // watched     -> TRAP
};

struct sock_fprog prog = {
    .len = sizeof(filter) / sizeof(filter[0]),
    .filter = filter,
};

prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
syscall(__NR_seccomp,
    SECCOMP_SET_MODE_FILTER,
    SECCOMP_FILTER_FLAG_TSYNC,
    &prog);

(Note that we call the raw seccomp syscall directly via syscall(__NR_seccomp, …) rather than using the libc wrapper or prctl(PR_SET_SECCOMP, …). The prctl variant doesn’t support TSYNC — it only installs the filter on the calling thread. The standalone seccomp syscall is the only way to get multi-thread install on arm64 bionic.)

The first half of the filter does the IP whitelist check: if the syscall was issued from anywhere inside our trampoline page, ALLOW it immediately, no further questions. The second half only runs if the syscall came from anywhere else in the process (i.e., from libRASP.so). It checks the syscall number against the four we care about, and TRAPs if it matches. read is in the watched list because some of Promon’s reads of the fake file still need to pass through the handler so we can validate the fd, but in practice the handler just forwards them straight to the trampoline — the redirection has already happened at openat time.

The SECCOMP_FILTER_FLAG_TSYNC flag is what makes this actually usable in a multi-threaded Android app. Without TSYNC, seccomp filters only apply to the thread that installed them; with TSYNC, the kernel walks every thread in the process and installs the filter on all of them atomically. Since the app already has dozens of threads running by the time the bypass agent loads — main thread, GC threads, Binder threads, the JIT compiler, the heap profiler — TSYNC is non-negotiable. (We learned this the hard way; without TSYNC, the filter only installs on the Frida agent thread, Promon’s main-thread scan goes through unfiltered, and the app dies in 4 seconds.)

Why this works where Stalker didn’t

The seccomp approach has three advantages that turn out to matter a lot:

• Zero per-syscall userspace overhead for the syscalls Promon doesn’t care about. Stalker recompiles every basic block in the process before executing it, which adds 5–10x overhead on every instruction. Seccomp BPF runs entirely in the kernel and adds maybe 50 nanoseconds to the watched syscalls and zero to everything else. Promon’s anti-debug timing checks elsewhere in the binary never see a slowdown.

• It catches the syscall regardless of how the calling code dispatched it. This is the whole point. Promon can compute its syscall number through 200 instructions of XOR-rotated globals and a SMADDL into a function pointer table; doesn’t matter, the kernel sees openat either way.

• The IP whitelist is the bypass to its own trap. A naive seccomp filter that just TRAPs on openat would deadlock the process — the SIGSYS handler can’t issue openat to read the fake file because that openat would also trap, recursively. The IP check is what breaks the recursion: the handler issues real syscalls through its own trampoline page, which the filter explicitly allows, so the handler can do real I/O while every other code path in the process gets redirected.

Two things that still went wrong

Even with the architecture right, two things bit us:

The fake maps file goes stale. /proc/self/maps reflects the current memory layout of the process, which changes constantly — every dlopen, every JIT compilation, every garbage collection cycle, every new thread stack. Promon scans it on a timer, and if the fake file we wrote at startup gets too far out of sync with the real layout, the absence of expected entries (a recently-loaded system library, say) becomes its own anomaly. The fix was a periodic refresh: a Java-side Timer running every 5 seconds that re-reads the real maps through the trampoline (so the read isn’t trapped), re-filters it, and rewrites the fake file in place.

// Java side (in the LSPosed module):
new Timer().scheduleAtFixedRate(new TimerTask() {
    @Override
    public void run() {
        nativeRefreshFakeFiles();  // JNI into our .so
    }
}, 5000, 5000);

// Native side:
JNIEXPORT void JNICALL
Java_com_bypass_Module_nativeRefreshFakeFiles(JNIEnv *env, jclass cls) {
    // call directly into the trampolines, bypassing the filter
    int fd = trampoline_openat(AT_FDCWD, "/proc/self/maps", O_RDONLY, 0);
    char buf[65536];
    int n  = trampoline_read(fd, buf, sizeof(buf));
    trampoline_close(fd);
    filter_maps_inplace(buf, n);
    // write filtered result back out to /data/local/tmp/.cm
    int out = trampoline_openat(AT_FDCWD, "/data/local/tmp/.cm",
        O_WRONLY | O_CREAT | O_TRUNC, 0644);
    trampoline_write(out, buf, n);
    trampoline_close(out);
}

We initially tried to run the refresh from a native background thread we spawned with clone(), but that crashed for reasons related to the new thread inheriting the seccomp filter in a state that the libc thread initializer didn’t like. Calling nativeRefreshFakeFiles() from a Java Timer sidesteps all of that — the Timer runs on an existing thread that’s already been through all the normal init paths, and the refresh is just a few syscalls.

The mounts file is mostly static, so it only needs one refresh; the status file needs the same 5-second cycle as maps because some fields (memory counters) change continuously and Promon may hash the whole file.

The SIGSYS handler is not allowed to use most of libc. Inside a signal handler, you can only call async-signal-safe functions, and even then only carefully. We can’t call printf, can’t take a mutex, can’t allocate. This is why the handler is written as raw machine code rather than a C function — it lets us be precise about exactly which instructions execute and in what order, with no compiler-inserted prologue/epilogue calling into pthread cleanup or anything else that would trip over the signal context. (We initially tried writing the handler in C with __attribute__((no_stack_protector)) and a hand-rolled _start, but the toolchain insisted on emitting a call to __stack_chk_fail that pulled in a pile of libc state. Switching to hand-assembled ARM64 was easier than fighting the linker.)

The handler prologue and epilogue, for the curious, end up looking like this — standard arm64 function entry/exit but without any stack protector:

// prologue: save callee-saved regs we touch
stp     x19, x20, [sp, #-16]!
stp     x21, x22, [sp, #-16]!
stp     x23, x24, [sp, #-16]!
stp     x29, x30, [sp, #-16]!
mov     x29, sp

// ... body: dispatch on info->si_syscall, call trampolines ...

// epilogue: restore and return
ldp     x29, x30, [sp], #16
ldp     x23, x24, [sp], #16
ldp     x21, x22, [sp], #16
ldp     x19, x20, [sp], #16
ret

The result

With the seccomp redirector active, Promon’s three /proc reads return clean data, the native detection result that gets written into the array Java compares against comes back clean, and this entire layer goes silent. Survival time on the test device went from ~10 seconds (immediate kill once the first scan completed) to unbounded with respect to this layer specifically — i.e., the app no longer dies for any reason traceable to /proc scanning.

It does still die, of course, because there are five more enforcement layers waiting behind this one. The next one we hit is the Java-side four-stage integrity check inside Application.attachBaseContext, which runs before Java.perform is even available on Android 15. We will cover that next time!

What you’ve seen in this research is just the start, at Djini.ai, we’re building agentic systems that automate advanced vulnerability research, including analyzing and bypassing RASP protections like Promon Shield.

Instead of spending weeks manually reversing and testing, Djini continuously explores attack paths, generates and validates bypasses, and even discovers novel techniques like the one shown in this articlecutting both time and cost significantly.

 Want to see this in action? 

  Book a demo