Playing with ptrace, Part I
X86_64 的 Redhat / Centos / Scientific 下面,若要编译、运行32位程序,需要安装以下包:
yum install libgcc.i686
yum install glibc-static.i686
yum install glibc-devel.i686
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <sys/reg.h>
#include <stdio.h>
int main()
{ pid_t child;
long orig_eax;
child = fork();
if(child == ) {
ptrace(PTRACE_TRACEME, , NULL, NULL);
execl("/bin/ls", "ls", NULL);
}
else {
wait(NULL);
orig_eax = ptrace(PTRACE_PEEKUSER,
child, * ORIG_EAX,
NULL);
printf("The child made a "
"system call %ld\n", orig_eax);
ptrace(PTRACE_CONT, child, NULL, NULL);
}
return ;
}
"2.c" 27L, 619C written
[root@monitor ~]# gcc .c -m32 -o
[root@monitor ~]# ./
The child made a system call
Playing with ptrace, Part I
Issue
From Issue #
November
Nov , By Pradeep Padala
inSysAdmin
Using ptrace allows you to set up system call interception and modification at the user level.
Have you ever wondered how system calls can be intercepted? Have you ever tried fooling the kernel by changing system call arguments? Have you ever wondered how debuggers stop a running process and let you take control of the process? If you are thinking of using complex kernel programming to accomplish tasks, think again. Linux provides an elegant mechanism to achieve all of these things: the ptrace (Process Trace) system call. ptrace provides a mechanism by which a parent process may observe and control the execution of another process. It can examine and change its core image and registers and is used primarily to implement breakpoint debugging and system call tracing. In this article, we learn how to intercept a system call and change its arguments. In Part II of the article we will study advanced techniques—setting breakpoints and injecting code into a running program. We will peek into the child process' registers and data segment and modify the contents. We will also describe a way to inject code so the process can be stopped and execute arbitrary instructions. Basics
Operating systems offer services through a standard mechanism called system calls. They provide a standard API for accessing the underlying hardware and low-level services, such as the filesystems. When a process wants to invoke a system call, it puts the arguments to system calls in registers and calls soft interrupt 0x80. This soft interrupt is like a gate to the kernel mode, and the kernel will execute the system call after examining the arguments. On the i386 architecture (all the code in this article is i386-specific), the system call number is put in the register %eax. The arguments to this system call are put into registers %ebx, %ecx, %edx, %esi and %edi, in that order. For example, the call: write(, "Hello", )
roughly would translate into movl $, %eax
movl $, %ebx
movl $hello,%ecx
movl $, %edx
int $0x80
where $hello points to a literal string “Hello”.
So where does ptrace come into picture? Before executing the system call, the kernel checks whether the process is being traced. If it is, the kernel stops the process and gives control to the tracking process so it can examine and modify the traced process' registers. Let's clarify this explanation with an example of how the process works: #include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdio.h>
#include <linux/user.h> /* For constants x86_64=> <sys/reg.h>
ORIG_EAX etc */ int main()
{ pid_t child;
long orig_eax;
child = fork();
if(child == ) {
ptrace(PTRACE_TRACEME, , NULL, NULL);
execl("/bin/ls", "ls", NULL);
}
else {
wait(NULL);
orig_eax = ptrace(PTRACE_PEEKUSER,
child, * ORIG_EAX,
NULL);
printf("The child made a "
"system call %ld\n", orig_eax);
ptrace(PTRACE_CONT, child, NULL, NULL);
}
return ;
}
When run, this program prints: The child made a system call
along with the output of ls. System call number is execve, and it's the first system call executed by the child. For reference, system call numbers can be found in /usr/include/asm/unistd.h.
As you can see in the example, a process forks a child and the child executes the process we want to trace. Before running exec, the child calls ptrace with the first argument, equal to PTRACE_TRACEME. This tells the kernel that the process is being traced, and when the child executes the execve system call, it hands over control to its parent. The parent waits for notification from the kernel with a wait() call. Then the parent can check the arguments of the system call or do other things, such as looking into the registers. When the system call occurs, the kernel saves the original contents of the eax register, which contains the system call number. We can read this value from child's USER segment by calling ptrace with the first argument PTRACE_PEEKUSER, shown as above. After we are done examining the system call, the child can continue with a call to ptrace with the first argument PTRACE_CONT, which lets the system call continue. ptrace Parameters
ptrace is called with four arguments: long ptrace(enum __ptrace_request request,
pid_t pid,
void *addr,
void *data);
The first argument determines the behaviour of ptrace and how other arguments are used. The value of request should be one of PTRACE_TRACEME, PTRACE_PEEKTEXT, PTRACE_PEEKDATA, PTRACE_PEEKUSER, PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_POKEUSER, PTRACE_GETREGS, PTRACE_GETFPREGS, PTRACE_SETREGS, PTRACE_SETFPREGS, PTRACE_CONT, PTRACE_SYSCALL, PTRACE_SINGLESTEP, PTRACE_DETACH. The significance of each o
Playing with ptrace, Part I Issue
From Issue #
November
Nov , By Pradeep Padala
inSysAdmin
Using ptrace allows you to set up system call interception and modification at the user level.
Reading System Call Parameters
By calling ptrace with PTRACE_PEEKUSER as the first argument, we can examine the contents of the USER area where register contents and other information is stored. The kernel stores the contents of registers in this area for the parent process to examine through ptrace. Let's show this with an example: #include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/user.h>
#include <sys/syscall.h> /* For SYS_write etc */
int main()
{ pid_t child;
long orig_eax, eax;
long params[];
int status;
int insyscall = ;
child = fork();
if(child == ) {
ptrace(PTRACE_TRACEME, , NULL, NULL);
execl("/bin/ls", "ls", NULL);
}
else {
while() {
wait(&status);
if(WIFEXITED(status))
break;
orig_eax = ptrace(PTRACE_PEEKUSER,
child, * ORIG_EAX, NULL);
if(orig_eax == SYS_write) {
if(insyscall == ) {
/* Syscall entry */
insyscall = ;
params[] = ptrace(PTRACE_PEEKUSER,
child, * EBX,
NULL);
params[] = ptrace(PTRACE_PEEKUSER,
child, * ECX,
NULL);
params[] = ptrace(PTRACE_PEEKUSER,
child, * EDX,
NULL);
printf("Write called with "
"%ld, %ld, %ld\n",
params[], params[],
params[]);
}
else { /* Syscall exit */
eax = ptrace(PTRACE_PEEKUSER,
child, * EAX, NULL);
printf("Write returned "
"with %ld\n", eax);
insyscall = ;
}
}
ptrace(PTRACE_SYSCALL,
child, NULL, NULL);
}
}
return ;
}
This program should print an output similar to the following: ppadala@linux:~/ptrace > ls
a.out dummy.s ptrace.txt
libgpm.html registers.c syscallparams.c
dummy ptrace.html simple.c
ppadala@linux:~/ptrace > ./a.out
Write called with , ,
a.out dummy.s ptrace.txt
Write returned with
Write called with , ,
libgpm.html registers.c syscallparams.c
Write returned with
Write called with , ,
dummy ptrace.html simple.c
Write returned with
Here we are tracing the write system calls, and ls makes three write system calls. The call to ptrace, with a first argument of PTRACE_SYSCALL, makes the kernel stop the child process whenever a system call entry or exit is made. It's equivalent to doing a PTRACE_CONT and stopping at the next system call entry/exit.
In the previous example, we used PTRACE_PEEKUSER to look into the arguments of the write system call. When a system call returns, the return value is placed in %eax, and it can be read as shown in that example. The status variable in the wait call is used to check whether the child has exited. This is the typical way to check whether the child has been stopped by ptrace or was able to exit. For more details on macros like WIFEXITED, see the wait() man page. Reading Register Values
If you want to read register values at the time of a syscall entry or exit, the procedure shown above can be cumbersome. Calling ptrace with a first argument of PTRACE_GETREGS will place all the registers in a single call. The code to fetch register values looks like this: #include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/user.h>
#include <sys/syscall.h>
int main()
{ pid_t child;
long orig_eax, eax;
long params[];
int status;
int insyscall = ;
struct user_regs_struct regs;
child = fork();
if(child == ) {
ptrace(PTRACE_TRACEME, , NULL, NULL);
execl("/bin/ls", "ls", NULL);
}
else {
while() {
wait(&status);
if(WIFEXITED(status))
break;
orig_eax = ptrace(PTRACE_PEEKUSER,
child, * ORIG_EAX,
NULL);
if(orig_eax == SYS_write) {
if(insyscall == ) {
/* Syscall entry */
insyscall = ;
ptrace(PTRACE_GETREGS, child,
NULL, ®s);
printf("Write called with "
"%ld, %ld, %ld\n",
regs.ebx, regs.ecx,
regs.edx);
}
else { /* Syscall exit */
eax = ptrace(PTRACE_PEEKUSER,
child, * EAX,
NULL);
printf("Write returned "
"with %ld\n", eax);
insyscall = ;
}
}
ptrace(PTRACE_SYSCALL, child,
NULL, NULL);
}
}
return ;
}
This code is similar to the previous example except for the call to ptrace with PTRACE_GETREGS. Here we have made use of the user_regs_struct defined in <linux/user.h> to read the register values.
Playing with ptrace, Part I Issue
From Issue #
November
Nov , By Pradeep Padala
inSysAdmin
Using ptrace allows you to set up system call interception and modification at the user level.
Doing Funny Things
Now it's time for some fun. In the following example, we will reverse the string passed to the write system call: #include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/user.h>
#include <sys/syscall.h>
const int long_size = sizeof(long);
void reverse(char *str)
{ int i, j;
char temp;
for(i = , j = strlen(str) - ;
i <= j; ++i, --j) {
temp = str[i];
str[i] = str[j];
str[j] = temp;
}
}
void getdata(pid_t child, long addr,
char *str, int len)
{ char *laddr;
int i, j;
union u {
long val;
char chars[long_size];
}data;
i = ;
j = len / long_size;
laddr = str;
while(i < j) {
data.val = ptrace(PTRACE_PEEKDATA,
child, addr + i * ,
NULL);
memcpy(laddr, data.chars, long_size);
++i;
laddr += long_size;
}
j = len % long_size;
if(j != ) {
data.val = ptrace(PTRACE_PEEKDATA,
child, addr + i * ,
NULL);
memcpy(laddr, data.chars, j);
}
str[len] = '\0';
}
void putdata(pid_t child, long addr,
char *str, int len)
{ char *laddr;
int i, j;
union u {
long val;
char chars[long_size];
}data;
i = ;
j = len / long_size;
laddr = str;
while(i < j) {
memcpy(data.chars, laddr, long_size);
ptrace(PTRACE_POKEDATA, child,
addr + i * , data.val);
++i;
laddr += long_size;
}
j = len % long_size;
if(j != ) {
memcpy(data.chars, laddr, j);
ptrace(PTRACE_POKEDATA, child,
addr + i * , data.val);
}
}
int main()
{
pid_t child;
child = fork();
if(child == ) {
ptrace(PTRACE_TRACEME, , NULL, NULL);
execl("/bin/ls", "ls", NULL);
}
else {
long orig_eax;
long params[];
int status;
char *str, *laddr;
int toggle = ;
while() {
wait(&status);
if(WIFEXITED(status))
break;
orig_eax = ptrace(PTRACE_PEEKUSER,
child, * ORIG_EAX,
NULL);
if(orig_eax == SYS_write) {
if(toggle == ) {
toggle = ;
params[] = ptrace(PTRACE_PEEKUSER,
child, * EBX,
NULL);
params[] = ptrace(PTRACE_PEEKUSER,
child, * ECX,
NULL);
params[] = ptrace(PTRACE_PEEKUSER,
child, * EDX,
NULL);
str = (char *)calloc((params[]+)
* sizeof(char));
getdata(child, params[], str,
params[]);
reverse(str);
putdata(child, params[], str,
params[]);
}
else {
toggle = ;
}
}
ptrace(PTRACE_SYSCALL, child, NULL, NULL);
}
}
return ;
}
The output looks like this: ppadala@linux:~/ptrace > ls
a.out dummy.s ptrace.txt
libgpm.html registers.c syscallparams.c
dummy ptrace.html simple.c
ppadala@linux:~/ptrace > ./a.out
txt.ecartp s.ymmud tuo.a
c.sretsiger lmth.mpgbil c.llacys_egnahc
c.elpmis lmth.ecartp ymmud
This example makes use of all the concepts previously discussed, plus a few more. In it, we use calls to ptrace with PTRACE_POKEDATA to change the data values. It works exactly the same way as PTRACE_PEEKDATA, except it both reads and writes the data thatt the child passes in arguments to the system call whereas PEEKDATA only reads the data.
Single-Stepping
ptrace provides features to single-step through the child's code. The call to ptrace(PTRACE_SINGLESTEP,..) tells the kernel to stop the child at each instruction and let the parent take control. The following example shows a way of reading the instruction being executed when a system call is executed. I have created a small dummy executable for you to understand what is happening instead of bothering with the calls made by libc. Here's the listing for dummy1.s. It's written in assembly language and compiled as gcc -o dummy1 dummy1.s: .data
hello:
.string "hello world\n"
.globl main
main:
movl $, %eax
movl $, %ebx
movl $hello, %ecx
movl $, %edx
int $0x80
movl $, %eax
xorl %ebx, %ebx
int $0x80
ret
The example program that single-steps through the above code is: #include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/user.h>
#include <sys/syscall.h>
int main()
{ pid_t child;
const int long_size = sizeof(long);
child = fork();
if(child == ) {
ptrace(PTRACE_TRACEME, , NULL, NULL);
execl("./dummy1", "dummy1", NULL);
}
else {
int status;
union u {
long val;
char chars[long_size];
}data;
struct user_regs_struct regs;
int start = ;
long ins;
while() {
wait(&status);
if(WIFEXITED(status))
break;
ptrace(PTRACE_GETREGS,
child, NULL, ®s);
if(start == ) {
ins = ptrace(PTRACE_PEEKTEXT,
child, regs.eip,
NULL);
printf("EIP: %lx Instruction "
"executed: %lx\n",
regs.eip, ins);
}
if(regs.orig_eax == SYS_write) {
start = ;
ptrace(PTRACE_SINGLESTEP, child,
NULL, NULL);
}
else
ptrace(PTRACE_SYSCALL, child,
NULL, NULL);
}
}
return ;
}
This program prints:
hello world
EIP: Instruction executed: 80cddb31
EIP: 804947c Instruction executed: c3
You might have to look at Intel's manuals to make sense out of those instruction bytes. Using single stepping for more complex processes, such as setting breakpoints, requires careful design and more complex code.
In Part II, we will see how breakpoints can be inserted and code can be injected into a running program. All of the example code from this article and from Part II (which will be printed in next month's issue) is available as a tar archive on the Linux Journal FTP site [ftp.linuxjournal.com/pub/lj/listings/issue103/6011.tgz]. email: ppadala@cise.ufl.edu
Pradeep Padala is currently working on his Master's degree at the University of Florida. His research interests include Grid and distributed systems. He can be reached via e-mail at p_padala@yahoo.com or through his web site (www.cise.ufl.edu/~ppadala).
Playing with ptrace, Part I的更多相关文章
- Playing with ptrace, Part II
Playing with ptrace, Part II Issue From Issue # December Dec , By Pradeep Padala inSysAdmin In Part ...
- linux ptrace II
第一篇 linux ptrace I 在之前的文章中我们用ptrace函数实现了查看系统调用参数的功能.在这篇文章中,我们会用ptrace函数实现设置断点,跟代码注入功能. 参考资料 Playing ...
- linux ptrace I
这几天通过<游戏安全--手游安全技术入门这本书>了解到linux系统中ptrace()这个函数可以实现外挂功能,于是在ubuntu 16.04 x86_64系统上对这个函数进行了学习. 参 ...
- linux ptrace I【转】
转自:https://www.cnblogs.com/mmmmar/p/6040325.html 这几天通过<游戏安全——手游安全技术入门这本书>了解到linux系统中ptrace()这个 ...
- 安卓动态调试七种武器之离别钩 – Hooking(上)
安卓动态调试七种武器之离别钩 – Hooking(上) 作者:蒸米@阿里聚安全 0x00 序 随着移动安全越来越火,各种调试工具也都层出不穷,但因为环境和需求的不同,并没有工具是万能的.另外工具是死的 ...
- 每天学点GDB 13
ptrace是gdb实现的基石,本文简要介绍一下ptrace. ptrace linux提供的系统调用ptrace,使得一个进程可以attach到另一个进程并进而完整的控制被attach上的进程. 被 ...
- ltrace命令详解
原文链接:https://ipcmen.com/ltrace 用来跟踪进程调用库函数的情况 补充说明 NAME ltrace - A library call tracer ltrace命 ...
- Linux Hook 笔记
相信很多人对"Hook"都不会陌生,其中文翻译为"钩子".在编程中, 钩子表示一个可以允许编程者插入自定义程序的地方,通常是打包好的程序中提供的接口. 比如,我 ...
- linux 进程学习笔记-进程跟踪
进程跟踪 long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data); Linux用ptrace来进行进 ...
随机推荐
- HDU 4630-No Pain No Game(线段树+离线处理)
题意: 给你n个数的序列a,q个询问,每个询问给l,r,求在下标i在[l,r]的区间任意两个数的最大公约数中的最大值 分析: 有了hdu3333经验,我们从左向右扫序列,如果当前数的约数在前面出现过, ...
- 【原】Kryo序列化篇
Kryo是一个快速有效的对象图序列化Java库.它的目标是快速.高效.易使用.该项目适用于对象持久化到文件或数据库中或通过网络传输.Kryo还可以自动实现深浅的拷贝/克隆. 就是直接复制一个对象对象到 ...
- 第四章:更多的bash shell命令
第四章:更多的bash shell命令 监测程序 ps (其他ps内容见#1 ) Unix风格的ps命令参数 参数 描述 -A 显示所有进程 -N 显示与指定参数不符的所有进程 -a 显示除控制进程( ...
- Codeforces Round #363
http://codeforces.com/contest/699 ALaunch of Collider 题意:n个球,每个球向左或右,速度都为1米每秒,问第一次碰撞的时间,否则输出-1 贪心最短时 ...
- SSHFS
SSHFS(SSH文件系统) 是一个文件系统客户端程序,使用它可以将远程服务器上的目录挂载在本地直接访问 可以在网站http://igikorn.com/sshfs-windows-8/内下载
- SpringMVC 避免IE执行AJAX时,返回JSON出现下载文件
<?xml version="1.0" encoding="UTF-8"?> <!-- SpringMVC配置文件 --> <be ...
- 咏南中间件支持DELPHI低版本开发的两层程序平稳升级到三层
提供DELPHI中间件及中间件集群,有意请联系. N年前,我们用DELPHI低版本开发的两层程序(比如工厂ERP系统),现在仍然在企业广泛地得到使用,但老系统有些跟不上企业的发展需要了.主要表现在:虽 ...
- App启动加载广告页面思路
需求 很多app(如淘宝.美团等)在启动图加载完毕后,还会显示几秒的广告,一般都有个跳过按钮可以跳过这个广告,有的app在点击广告页之后还会进入一个广告页面,点击返回进入首页.今天我们就来开发一个广告 ...
- ASP.NET中身份验证的三种方法
Asp.net的身份验证有有三种,分别是"Windows | Forms | Passport",其中又以Forms验证用的最多,也最灵活.Forms 验证方式对基于用户的验证授权 ...
- AfxGetMainWnd()函数用法
CWnd* AfxGetMainWnd( ); 使用AfxGetMainWnd函数获取MFC程序中的主框架类指针是一个常用作法. 就是获得应用程序主窗口的指针,AfxGetMainWnd()-> ...