- 论坛徽章:
- 0
|
本帖最后由 luozhaotian 于 2015-12-23 16:31 编辑
运行Playing with ptrace中的最后一个例子freespaceinject.c,没有得到期望的结果。(让被调试程序dummy2打印字符串“Hello World\n”。)
操作系统是Ubuntn 12.04 32位,是运行在VirtualBox里面的虚拟机。
freespaceinject.c的处理过程如下:
(1)使用ptrace附加到被调试程序
(2)将打印代码注入(注入前先备份)到程序的自由空间
(3)修改EIP,指向打印代码
(4)被调试程序执行打印代码,打印字符串并执行int3指令
(5)freespaceinject恢复数据和寄存器、EIP
(6)被调试程序继续进行。
操作时,先运行被调试程序dummy2,然后启动freespaceinject。
具体的操作过程如下:
【ptrace scope设置】
hx@hx-VirtualBox:~/dev/ptrace$ su
root@hx-VirtualBox:/home/hx/dev/ptrace# echo 0 > /proc/sys/kernel/yama/ptrace_scope
root@hx-VirtualBox:/home/hx/dev/ptrace# exit
exit
hx@hx-VirtualBox:~/dev/ptrace$
【被调试程序dummy2.c】
hx@hx-VirtualBox:~/dev/ptrace/tmp3$ cat dummy2.c
- #include <stdio.h>
- int main()
- { int i;
- for(i = 0;i < 10; ++i) {
- printf("My counter: %d \n", i);
- sleep(2);
- }
- return 0;
- }
复制代码 hx@hx-VirtualBox:~/dev/ptrace/tmp3$ gcc -zexecstack dummy2.c -o dummy2
hx@hx-VirtualBox:~/dev/ptrace/tmp3$ ./dummy2
My counter: 0
My counter: 1
My counter: 2
My counter: 3
My counter: 4
My counter: 5
My counter: 6
My counter: 7
My counter: 8
My counter: 9
hx@hx-VirtualBox:~/dev/ptrace/tmp3$ cat /proc/`pgrep dummy2`/maps
08048000-08049000 r-xp 00000000 08:01 54069 /home/hx/dev/ptrace/tmp3/dummy2
08049000-0804a000 r-xp 00000000 08:01 54069 /home/hx/dev/ptrace/tmp3/dummy2
0804a000-0804b000 rwxp 00001000 08:01 54069 /home/hx/dev/ptrace/tmp3/dummy2
b7e20000-b7e21000 rwxp 00000000 00:00 0
b7e21000-b7fc4000 r-xp 00000000 08:01 130959 /lib/i386-linux-gnu/libc-2.15.so
b7fc4000-b7fc6000 r-xp 001a3000 08:01 130959 /lib/i386-linux-gnu/libc-2.15.so
b7fc6000-b7fc7000 rwxp 001a5000 08:01 130959 /lib/i386-linux-gnu/libc-2.15.so
b7fc7000-b7fca000 rwxp 00000000 00:00 0
b7fda000-b7fdd000 rwxp 00000000 00:00 0
b7fdd000-b7fde000 r-xp 00000000 00:00 0 [vdso]
b7fde000-b7ffe000 r-xp 00000000 08:01 130939 /lib/i386-linux-gnu/ld-2.15.so
b7ffe000-b7fff000 r-xp 0001f000 08:01 130939 /lib/i386-linux-gnu/ld-2.15.so
b7fff000-b8000000 rwxp 00020000 08:01 130939 /lib/i386-linux-gnu/ld-2.15.so
bffdf000-c0000000 rwxp 00000000 00:00 0 [stack]
【freespaceinject】
hx@hx-VirtualBox:~/dev/ptrace/tmp3$ cat freespaceinject.c
- #include <sys/ptrace.h>
- #include <sys/types.h>
- #include <sys/wait.h>
- #include <unistd.h>
- #include <sys/user.h>
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
- const int long_size = sizeof(long);
- void getdata(pid_t child, long addr, char *str, int len)
- { char *laddr;
- int i, j;
- union u {
- long val;
- char chars[long_size];
- }data;
-
- i = 0;
- j = len / long_size;
- laddr = str;
- while(i < j) {
- data.val = ptrace(PTRACE_PEEKDATA, child, addr + i * 4, NULL);
- memcpy(laddr, data.chars, long_size);
- ++i;
- laddr += long_size;
- }
- }
- void putdata(pid_t child, long addr, char *str, int len)
- { char *laddr;
- int i, j;
- union u {
- long val;
- char chars[long_size];
- }data;
-
- i = 0;
- j = len / long_size;
- laddr = str;
- while(i < j) {
- memcpy(data.chars, laddr, long_size);
- ptrace(PTRACE_POKEDATA, child, addr + i * 4, data.val);
- ++i;
- laddr += long_size;
- }
- }
- long freespaceaddr(pid_t pid)
- {
- FILE *fp;
- char filename[30];
- char line[85];
- long addr;
- char str[20];
- sprintf(filename, "/proc/%d/maps", pid);
- fp = fopen(filename, "r");
- if(fp == NULL)
- exit(1);
- while(fgets(line, 85, fp) != NULL) {
- sscanf(line, "%lx-%*lx %*s %*s %s", &addr, str, str, str, str);
- if(strcmp(str, "00:00") == 0){
- break;
- }
- }
- fclose(fp);
- return addr;
- }
- int main(int argc, char *argv[])
- { pid_t traced_process;
- struct user_regs_struct oldregs, regs;
- long ins;
- int len = 44;
- char insertcode[] = "\xeb\x15\x5e\xb8\x04\x00\x00\x00\xbb\x02\x00\x00\x00\x89\xf1\xba\x0c\x00\x00\x00\xcd\x80\xcc\xe8\xe6\xff\xff\xff\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x0a\x00\x00\x00\x00";
- char backup[len];
- long addr;
- if(argc != 2) {
- printf("Usage: %s <pid to be traced>\n", argv[0], argv[1]);
- exit(1);
- }
- traced_process = atoi(argv[1]);
- ptrace(PTRACE_ATTACH, traced_process, NULL, NULL);
- wait(NULL);
- ptrace(PTRACE_GETREGS, traced_process, NULL, ®s);
- addr = freespaceaddr(traced_process);
- getdata(traced_process, addr, backup, len);
- putdata(traced_process, addr, insertcode, len);
- memcpy(&oldregs, ®s, sizeof(regs));
- regs.eip = addr;
- ptrace(PTRACE_SETREGS, traced_process, NULL, ®s);
- ptrace(PTRACE_CONT, traced_process, NULL, NULL);
-
- wait(NULL);
- printf("The process stopped, Putting back the original instructions\n");
- putdata(traced_process, addr, backup, len);
- ptrace(PTRACE_SETREGS, traced_process, NULL, &oldregs);
- printf("Letting it continue with original flow\n");
- ptrace(PTRACE_DETACH, traced_process, NULL, NULL);
-
- return 0;
- }
复制代码 hx@hx-VirtualBox:~/dev/ptrace/tmp3$ ./freespaceinject `pgrep dummy2`
free addr: b7e20000
The process stopped, Putting back the original instructions
Letting it continue with original flow
【注入代码hello.c】
freespaceinject.c中的insertcode来自hello.c编译后的结果
hx@hx-VirtualBox:~/dev/ptrace$ cat hello.c
- void main()
- {
- __asm__ (
- "jmp forward\n\t"
- "backward:\n\t"
- "popl %esi # Get the address of\n\t"
- "# hello world string\n\t"
- "movl $4, %eax # Do write system call\n\t"
- "movl $2, %ebx\n\t"
- "movl %esi, %ecx\n\t"
- "movl $12, %edx\n\t"
- "int $0x80\n\t"
- "int3 # Breakpoint. Here the\n\t"
- "# program will stop and\n\t"
- "# give control back to\n\t"
- "# the parent\n\t"
- "forward:\n\t"
- "call backward\n\t"
- ".string \"Hello World\\n\"\n\t"
- );
- }
复制代码 hx@hx-VirtualBox:~/dev/ptrace$ gcc hello.c -o hello
hx@hx-VirtualBox:~/dev/ptrace$ gdb ./hello
(gdb) disass /r main
Dump of assembler code for function main:
0x080483b4 <+0>: 55 push %ebp
0x080483b5 <+1>: 89 e5 mov %esp,%ebp
0x080483b7 <+3>: eb 15 jmp 0x80483ce <forward> //insertcode的开始
0x080483b9 <+5>: 5e pop %esi
0x080483ba <+6>: b8 04 00 00 00 mov $0x4,%eax
0x080483bf <+11>: bb 02 00 00 00 mov $0x2,%ebx
0x080483c4 <+16>: 89 f1 mov %esi,%ecx
0x080483c6 <+18>: ba 0c 00 00 00 mov $0xc,%edx
0x080483cb <+23>: cd 80 int $0x80
0x080483cd <+25>: cc int3
0x080483ce <+0>: e8 e6 ff ff ff call 0x80483b9 <main+5>
0x080483d3 <+5>: 48 dec %eax
0x080483d4 <+6>: 65 gs
0x080483d5 <+7>: 6c insb (%dx),%es %edi)
0x080483d6 <+8>: 6c insb (%dx),%es %edi)
0x080483d7 <+9>: 6f outsl %ds %esi),(%dx)
0x080483d8 <+10>: 20 57 6f and %dl,0x6f(%edi)
0x080483db <+13>: 72 6c jb 0x8048449 <__libc_csu_init+89>
0x080483dd <+15>: 64 0a 00 or %fs %eax),%al //insertcode的结束
0x080483e0 <+18>: 5d pop %ebp
0x080483e1 <+19>: c3 ret
End of assembler dump.
|
|