Playing with ptrace 2.docx

1、Playing with ptrace 2In Part II of his series on ptrace, Pradeep tackles the more advanced topics of setting breakpoints and injecting code into running processes. In Part I of this article LJ, November 2002, we saw how ptrace can be used to trace system calls and change system call arguments. In th

2、is article, we investigate advanced techniques like setting breakpoints and injecting code into running programs. Debuggers use these methods to set up breakpoints and execute debugging handlers. As with Part I, all code in this article is i386 architecture-specific. Attaching to a Running ProcessIn

3、 Part I, we ran the process to be traced as a child after calling ptrace(PTRACE_TRACEME, .). If you simply wanted to see how the process is making system calls and trace the program, this would be sufficient. If you want to trace or debug a process already running, then ptrace(PTRACE_ATTACH, .) shou

4、ld be used.When a ptrace(PTRACE_ATTACH, .) is called with the pid to be traced, it is roughly equivalent to the process calling ptrace(PTRACE_TRACEME, .) and becoming a child of the tracing process. The traced process is sent a SIGSTOP, so we can examine and modify the process as usual. After we are

5、 done with modifications or tracing, we can let the traced process continue on its own by calling ptrace(PTRACE_DETACH, .).The following is the code for a small example tracing program:int main() int i; for(i = 0;i 10; +i) printf(My counter: %dn, i); sleep(2); return 0;Save the program as dummy2.c.

6、Compile and run it: gcc -o dummy2 dummy2.c./dummy2 &Now, we can attach to dummy2 by using the code below: #include #include #include #include #include /* For user_regs_struct etc. */int main(int argc, char *argv) pid_t traced_process; struct user_regs_struct regs; long ins; if(argc != 2) printf(Usag

7、e: %s n, argv0, argv1); exit(1); traced_process = atoi(argv1); ptrace(PTRACE_ATTACH, traced_process, NULL, NULL); wait(NULL); ptrace(PTRACE_GETREGS, traced_process, NULL, ®s); ins = ptrace(PTRACE_PEEKTEXT, traced_process, regs.eip, NULL); printf(EIP: %lx Instruction executed: %lxn, regs.eip, ins)

8、; ptrace(PTRACE_DETACH, traced_process, NULL, NULL); return 0;The above program simply attaches to a process, waits for it to stop, examines its eip (instruction pointer) and detaches. To inject code use ptrace(PTRACE_POKETEXT, .) and ptrace(PTRACE_POKEDATA, .) after the traced process has stopped.S

9、etting BreakpointsHow do debuggers set breakpoints? Generally, they replace the instruction to be executed with a trap instruction, so that when the traced program stops, the tracing program, the debugger, can examine it. It will replace the original instruction once the tracing program continues th

10、e traced process. Heres an example:#include #include #include #include #include const int long_size = sizeof(long);void getdata(pid_t child, long addr, char *str, int len) char *laddr; int i, j; union u long val; char charslong_size; data; i = 0; j = len / long_size; laddr = str; while(i j) data.val

11、 = ptrace(PTRACE_PEEKDATA, child, addr + i * 4, NULL); memcpy(laddr, data.chars, long_size); +i; laddr += long_size; j = len % long_size; if(j != 0) data.val = ptrace(PTRACE_PEEKDATA, child, addr + i * 4, NULL); memcpy(laddr, data.chars, j); strlen = 0;void putdata(pid_t child, long addr, char *str,

12、 int len) char *laddr; int i, j; union u long val; char charslong_size; data; i = 0; j = len / long_size; laddr = str; while(i j) memcpy(data.chars, laddr, long_size); ptrace(PTRACE_POKEDATA, child, addr + i * 4, data.val); +i; laddr += long_size; j = len % long_size; if(j != 0) memcpy(data.chars, l

13、addr, j); ptrace(PTRACE_POKEDATA, child, addr + i * 4, data.val); int main(int argc, char *argv) pid_t traced_process; struct user_regs_struct regs, newregs; long ins; /* int 0x80, int3 */ char code = 0xcd,0x80,0xcc,0; char backup4; if(argc != 2) printf(Usage: %s n, argv0, argv1); exit(1); traced_pr

14、ocess = atoi(argv1); ptrace(PTRACE_ATTACH, traced_process, NULL, NULL); wait(NULL); ptrace(PTRACE_GETREGS, traced_process, NULL, ®s); /* Copy instructions into a backup variable */ getdata(traced_process, regs.eip, backup, 3); /* Put the breakpoint */ putdata(traced_process, regs.eip, code, 3); /

15、* Let the process continue and execute the int 3 instruction */ ptrace(PTRACE_CONT, traced_process, NULL, NULL); wait(NULL); printf(The process stopped, putting back the original instructionsn); printf(Press to continuen); getchar(); putdata(traced_process, regs.eip, backup, 3); /* Setting the eip b

16、ack to the original instruction to let the process continue */ ptrace(PTRACE_SETREGS, traced_process, NULL, ®s); ptrace(PTRACE_DETACH, traced_process, NULL, NULL); return 0;Here we replace the three bytes with the code for a trap instruction, and when the process stops, we replace the original in

17、structions and reset the eip to original location. Figures 1-4 clarify how the instruction stream looks when above program is executed. Figure 1. After the Process Is StoppedFigure 2. After the Trap Instruction Bytes Are SetFigure 3. Trap Is Hit and Control Is Given to the Tracing ProgramFigure 4. A

18、fter the Original Instructions Are Replaced and eip Is Reset to the Original LocationNow that we have a clear idea of how breakpoints are set, lets inject some code bytes into a running program. These code bytes will print “hello world”.The following program is a simple “hello world” program with mo

19、difications to fit our needs. Compile the following program with:gcc -o hello hello.cvoid main()_asm_( jmp forwardbackward: popl %esi # Get the address of # hello world string movl $4, %eax # Do write system call movl $2, %ebx movl %esi, %ecx movl $12, %edx int $0x80 int3 # Breakpoint. Here the # pr

20、ogram will stop and # give control back to # the parentforward: call backward .string Hello Worldn );The jumping backward and forward here is required to find the address of the “hello world” string. We can get the machine code for the above assembly from GDB. Fire up GDB and disassemble the program

21、:(gdb) disassemble mainDump of assembler code for function main:0x80483e0 : push %ebp0x80483e1 : mov %esp,%ebp0x80483e3 : jmp 0x80483fa End of assembler dump.(gdb) disassemble forwardDump of assembler code for function forward:0x80483fa : call 0x80483e5 0x80483ff : dec %eax0x8048400 : gs0x8048401 :

22、insb (%dx),%es:(%edi)0x8048402 : insb (%dx),%es:(%edi)0x8048403 : outsl %ds:(%esi),(%dx)0x8048404 : and %dl,0x6f(%edi)0x8048407 : jb 0x80484750x8048409 : or %fs:(%eax),%al0x804840c : mov %ebp,%esp0x804840e : pop %ebp0x804840f : retEnd of assembler dump.(gdb) disassemble backwardDump of assembler cod

23、e for function backward:0x80483e5 : pop %esi0x80483e6 : mov $0x4,%eax0x80483eb : mov $0x2,%ebx0x80483f0 : mov %esi,%ecx0x80483f2 : mov $0xc,%edx0x80483f7 : int $0x800x80483f9 : int3End of assembler dump.We need to take the machine code bytes from main+3 to backward+20, which is a total of 41 bytes.

24、The machine code can be seen with the x command in GDB: (gdb) x/40bx main+3: eb 15 5e b8 04 00 00 00: bb 02 00 00 00 89 f1 ba: 0c 00 00 00 cd 80 cc: e6 ff ff ff 48 65 6c 6c: 6f 20 57 6f 72 6c 64 0aNow we have the instruction bytes to be executed. Why wait? We can inject them using the same method as

25、 in the previous example. The following is the source code; only the main function is given here: int main(int argc, char *argv) pid_t traced_process; struct user_regs_struct regs, newregs; long ins; int len = 41; char insertcode =xebx15x5exb8x04x00 x00x00xbbx02x00x00x00x89xf1xba x0cx00x00x00xcdx80x

26、ccxe8xe6xff xffxffx48x65x6cx6cx6fx20x57x6f x72x6cx64x0ax00; char backuplen; if(argc != 2) printf(Usage: %s n, argv0, argv1); exit(1); traced_process = atoi(argv1); ptrace(PTRACE_ATTACH, traced_process, NULL, NULL); wait(NULL); ptrace(PTRACE_GETREGS, traced_process, NULL, ®s); getdata(traced_proce

27、ss, regs.eip, backup, len); putdata(traced_process, regs.eip, insertcode, len); ptrace(PTRACE_SETREGS, traced_process, NULL, ®s); ptrace(PTRACE_CONT, traced_process, NULL, NULL); wait(NULL); printf(The process stopped, Putting back the original instructionsn); putdata(traced_process, regs.eip, ba

28、ckup, len); ptrace(PTRACE_SETREGS, traced_process, NULL, ®s); printf(Letting it continue with original flown); ptrace(PTRACE_DETACH, traced_process, NULL, NULL); return 0;In Part II of his series on ptrace, Pradeep tackles the more advanced topics of setting breakpoints and injecting code into ru

29、nning processes. Injecting the Code into Free SpaceIn the previous example we injected the code directly into the executing instruction stream. However, debuggers can get confused with this kind of behaviour, so lets find the free space in the process and inject the code there. We can find free space by examining the /proc/pid/maps file of the tr