ptrace - Playing Debugger Chess
Muli Ben-Yehuda
IBM Haifa Research Labs
ptrace - Playing Debugger Chess, Haifux, December 2004 p.1/1
TOC
What is ptrace?
What is it good for?
How to use it?
The ptrace API
Show me the code!
Caveat Emptor
What is ptrace?
ptrace is a POSIX standard that defines how one program can control another. It is used by debuggers, emulators, and discerning programmers everywhere.
sys_ptrace is a Linux system call, which provides the entry point to the code in the kernel that implements the POSIX ptrace API. glibc provides a ptrace() wrapper that user programs should call.
What is it good for?
Figuring out what a program is doing before looking at the source, and when you don't have the source. Is the program failing to find a file? Timing out on DNS lookups? Connecting to strange hosts and sending them all of your data?
Debugging programs.
Modifying program execution, when you want a quick and dirty solution (no recompilation), or when you don't have the source.
Remote controlling programs. Directing program execution in ways which are beneficial to you, and not necessarily what the program's author intended.
How to use it?
From the command line:
The ubiquitous strace(1)
$DEBUGGER, especially gdb
dumpmem(1), available at http://www.mulix.org/dumpmem.html
Programmatically (see next slides)
The ptrace API interface
#include <sys/ptrace.h>
long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data);
enum __ptrace_request
{
/* Indicate that the process making this request should be traced.
All signals received by this process can be intercepted by its
parent, and its parent can use the other ptrace requests. */
PTRACE_TRACEME = 0,
/* Return the word in the process's text space at address ADDR. */
PTRACE_PEEKTEXT = 1,
/* Return the word in the process's data space at address ADDR. */
PTRACE_PEEKDATA = 2,
The ptrace API interface - cont
/* Return the word in the process's user area at offset ADDR. */
PTRACE_PEEKUSER = 3,
/* Write DATA into the process's text space at address ADDR. */
PTRACE_POKETEXT = 4,
/* Write DATA into the process's data space at address ADDR. */
PTRACE_POKEDATA = 5,
/* Write DATA into the process's user area at offset ADDR. */
PTRACE_POKEUSER = 6,
/* Continue the process. */
PTRACE_CONT = 7,
/* Kill the process. */
PTRACE_KILL = 8,
/* Single step the process. This is not supported on all machines. */
PTRACE_SINGLESTEP = 9,
/* Get all general purpose registers used by a process.
This is not supported on all machines. */
PTRACE_GETREGS = 12,
The ptrace API interface - cont
/* Set all general purpose registers used by a process.
This is not supported on all machines. */
PTRACE_SETREGS = 13,
[snip]
/* Attach to a process that is already running. */
PTRACE_ATTACH = 16,
/* Detach from a process attached to with PTRACE_ATTACH. */
PTRACE_DETACH = 17,
[snip]
/* Continue and stop at the next (return from) syscall. */
PTRACE_SYSCALL = 24
};
Show me the code: dumpmem
http://www.mulix.org/dumpmem.html
dumpmem is a process memory dumper.
It works by running a process (or attaching to a running process) and then using ptrace to read its mapped memory 4 bytes at a time.
To avoid reading the entire 4GB of virtual address space, it gets the mapped memory regions out of /proc/PID/maps.
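A worked version of the approach this slide describes, added here and not dumpmem's own code: it attaches with PTRACE_ATTACH, parses /proc/PID/maps, keeps the readable regions and copies each one out with PTRACE_PEEKDATA a word at a time (sizeof(long) bytes on the tracer's architecture; the slide's "4 bytes" is the 32-bit x86 case). The output file naming and the skip of the [vvar] page (which current kernels refuse to let ptrace read) are assumptions made for this example; the maps lines it is exercised on are constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

struct region {
    unsigned long start, end;   /* [start, end) virtual address range */
    char perms[5];              /* e.g. "r-xp" */
    char path[256];             /* backing file or a pseudo-name such as [stack]; may be empty */
};

/* Parse one /proc/PID/maps line: "start-end perms offset dev inode [path]".
 * Returns 0 on success, -1 if the line is malformed. */
int parse_maps_line(const char *line, struct region *r)
{
    unsigned long offset, inode;
    char dev[16];
    int pos = -1;               /* %n: offset where the optional path begins */
    memset(r, 0, sizeof *r);
    if (sscanf(line, "%lx-%lx %4s %lx %15s %lu %n",
               &r->start, &r->end, r->perms, &offset, dev, &inode, &pos) != 6)
        return -1;
    if (pos >= 0) {
        snprintf(r->path, sizeof r->path, "%s", line + pos);
        r->path[strcspn(r->path, "\n")] = '\0';
    }
    return 0;
}

/* Only readable regions can be peeked. [vvar] is skipped as an assumption about current
 * kernels (they refuse ptrace reads of that page); the slide itself does not mention it. */
int should_dump(const struct region *r)
{
    return r->perms[0] == 'r' && strcmp(r->path, "[vvar]") != 0;
}

/* Number of PTRACE_PEEKDATA calls a region costs: one per word. */
unsigned long region_words(const struct region *r)
{
    return (r->end - r->start + sizeof(long) - 1) / sizeof(long);
}

/* Copy one region out of the stopped tracee into out. Returns words read, or -1 on error. */
long dump_region(pid_t pid, const struct region *r, FILE *out)
{
    long words = 0;
    for (unsigned long addr = r->start; addr < r->end; addr += sizeof(long)) {
        errno = 0;              /* PEEKDATA returns the word itself, so -1 alone is ambiguous */
        long w = ptrace(PTRACE_PEEKDATA, pid, (void *)addr, NULL);
        if (w == -1 && errno) return -1;
        fwrite(&w, sizeof w, 1, out);
        words++;
    }
    return words;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s PID\n", argv[0]); return 2; }
    pid_t pid = (pid_t)atoi(argv[1]);
    char name[64], line[512];
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) { perror("PTRACE_ATTACH"); return 1; }
    waitpid(pid, NULL, 0);      /* returns once the tracee has stopped */
    snprintf(name, sizeof name, "/proc/%d/maps", pid);
    FILE *maps = fopen(name, "r");
    if (!maps) { perror(name); ptrace(PTRACE_DETACH, pid, NULL, NULL); return 1; }
    while (fgets(line, sizeof line, maps)) {
        struct region r;
        if (parse_maps_line(line, &r) != 0 || !should_dump(&r)) continue;
        snprintf(name, sizeof name, "%d-%lx.bin", pid, r.start);   /* one file per region */
        FILE *out = fopen(name, "wb");
        if (!out) { perror(name); continue; }
        long n = dump_region(pid, &r, out);
        fclose(out);
        printf("%lx-%lx %s %s: %ld words%s\n", r.start, r.end, r.perms, r.path,
               n, n < 0 ? " (peek failed)" : "");
    }
    fclose(maps);
    ptrace(PTRACE_DETACH, pid, NULL, NULL);  /* let the tracee run again */
    return 0;
}
```

Attaching to another user's process, or to one already being traced, fails with EPERM; on distributions that enable the Yama ptrace_scope restriction even a same-user attach needs the target to be a descendant or the caller to hold CAP_SYS_PTRACE.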
Show me the code: randwrap
http://www.mulix.org/misc/randwrap-0.1.tar.gz
Let's say you have a program that uses the environment for some random values (e.g. a Monte-Carlo simulation). It reads /dev/urandom, asks the user for initial input (via /dev/tty), looks at the current time and its pid.
Let's say you want it to use the same random values in several runs, to correlate or debug results. Modifying the source is not an option. How do you do it?
Running the utility via randwrap will fool the utility into getting the same random values from its environment on every run.
randwrap - how does it work
randwrap works by ptracing its victim and hijacking certain system calls.
We hijack open to find out when the victim opens files we care about (such as /dev/urandom or /dev/tty).
We hijack read so that we can return prearranged values when reading from the files we care about.
A side effect of reading from /dev/tty is that it will block until the user gives input - we nullify read (making read calls into getpid calls) to get around this. We make sure to still return the read data to the victim.
randwrap - how does it work continued
We hijack close so that we can know when the files we care about are no longer in use.
We hijack time since it's a commonly used source of randomness. We hijack getpid because of the read nullification mentioned earlier, and because it's also a commonly used source of (not very random) randomness.
It should be noted that randwrap assumes some things about its victim and relies upon them. Writing a general purpose randwrap (one that does not rely on its victim's file access pattern, for example) is possible, but much more complicated.
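The procedure these two randwrap slides describe, built from the requests listed on the API slides (PTRACE_TRACEME, PTRACE_SYSCALL, PTRACE_GETREGS/SETREGS, PTRACE_PEEKDATA/POKEDATA), as one added example; this is not randwrap's code. It traces a child, watches its open/openat, read and close system calls, and answers every read() on /dev/urandom with a fixed byte stream: at syscall entry the read is turned into getpid so it never runs (or blocks), and at syscall exit the prearranged bytes are poked into the victim's buffer and the return value set to the count. It assumes Linux on x86-64 (orig_rax/rdi/rsi/rdx/rax and the SYS_* numbers are that ABI's; glibc's open() issues openat there, so both are handled). Watching only /dev/urandom, the 1024-fd table and the (pos + i) & 0xff byte stream are choices made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumes Linux on x86-64: orig_rax/rdi/rsi/rdx/rax and the SYS_* numbers are that ABI's. */
#define MAX_FDS 1024
static char watched[MAX_FDS];       /* watched[fd] is set while fd refers to /dev/urandom */

/* Deterministic stand-in for entropy: byte i of the stream is (pos + i) & 0xff, so
 * successive reads continue one sequence and every run sees identical data. */
void fill_prearranged(unsigned char *buf, size_t len, unsigned pos)
{ for (size_t i = 0; i < len; i++) buf[i] = (unsigned char)(pos + i); }

/* fd bookkeeping driven by the open and close calls observed in the victim. */
int track_open(int fd, const char *path)
{ return fd >= 0 && fd < MAX_FDS && (watched[fd] = (strcmp(path, "/dev/urandom") == 0)); }
void track_close(int fd) { if (fd >= 0 && fd < MAX_FDS) watched[fd] = 0; }
int is_watched(int fd) { return fd >= 0 && fd < MAX_FDS && watched[fd]; }

/* Copy a NUL-terminated string out of the tracee, one word per PTRACE_PEEKDATA. */
static int peek_str(pid_t pid, unsigned long addr, char *out, size_t n)
{
    for (size_t i = 0; i < n; i += sizeof(long)) {
        errno = 0;                  /* PEEKDATA returns the word itself, so -1 alone is ambiguous */
        long w = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + i), NULL);
        if (w == -1 && errno) return -1;
        for (size_t j = 0; j < sizeof(long) && i + j < n; j++)
            if ((out[i + j] = ((char *)&w)[j]) == '\0') return 0;
    }
    out[n - 1] = '\0';
    return 0;
}

/* Write len bytes into the tracee, one word per PTRACE_POKEDATA; a trailing partial
 * word is peeked first so the victim's bytes beyond len keep their old values. */
static int poke_buf(pid_t pid, unsigned long addr, const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i += sizeof(long)) {
        size_t chunk = len - i < sizeof(long) ? len - i : sizeof(long);
        long w = 0;
        errno = 0;
        if (chunk < sizeof(long) && (w = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + i), NULL)) == -1 && errno)
            return -1;
        memcpy(&w, buf + i, chunk);
        if (ptrace(PTRACE_POKEDATA, pid, (void *)(addr + i), (void *)w) == -1) return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s program [args...]\n", argv[0]); return 2; }
    pid_t pid = fork();
    if (pid == 0) {                                   /* victim: ask to be traced, then exec */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        execvp(argv[1], argv + 1); _exit(127);
    }
    int status, sig = 0, in_syscall = 0, pending_open = 0, pending_read = 0;
    char path[256]; unsigned long rbuf = 0, rcount = 0; unsigned stream_pos = 0;
    waitpid(pid, &status, 0);                         /* SIGTRAP stop right after the exec */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1) return 1;
        if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) break;
        sig = 0;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) { sig = WSTOPSIG(status); continue; } /* real signal */
        struct user_regs_struct regs;
        ptrace(PTRACE_GETREGS, pid, NULL, &regs);
        if ((in_syscall = !in_syscall)) {             /* syscall entry: arguments are valid */
            switch (regs.orig_rax) {
            case SYS_open: case SYS_openat:           /* keep the path until the fd is known */
                pending_open = peek_str(pid, regs.orig_rax == SYS_open ? regs.rdi : regs.rsi, path, sizeof path) == 0;
                break;
            case SYS_read:
                if (is_watched((int)regs.rdi)) {      /* nullify: run getpid instead of read */
                    rbuf = regs.rsi; rcount = regs.rdx; pending_read = 1; regs.orig_rax = SYS_getpid;
                    ptrace(PTRACE_SETREGS, pid, NULL, &regs);
                }
                break;
            case SYS_close: track_close((int)regs.rdi); break;
            }
        } else {                                      /* syscall exit: the result is in rax */
            if (pending_open && (long)regs.rax >= 0) track_open((int)regs.rax, path);
            pending_open = 0;
            if (pending_read) {                       /* hand the victim our bytes and a count */
                unsigned char buf[4096]; size_t n = rcount < sizeof buf ? rcount : sizeof buf;
                fill_prearranged(buf, n, stream_pos);
                if (poke_buf(pid, rbuf, buf, n) == 0) {
                    regs.rax = n; stream_pos += n;
                    ptrace(PTRACE_SETREGS, pid, NULL, &regs);
                }
                pending_read = 0;
            }
        }
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run it as `./randwrap-example ./victim args...`; the victim's own exit status is passed through. Like the slide says of randwrap, this relies on the victim's file access pattern: a program that gets entropy through getrandom(2), or that reads /dev/urandom via an fd it received rather than opened, is not covered, and PTRACE_O_TRACESYSGOOD is what lets the tracer tell syscall stops from ordinary signal stops.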
Caveat Emptor
Certain caution must be exercised when using ptrace:
It is not portable between architectures.
It is intimately tied to the syscall ABI on a given architecture (where each argument is passed).
It is a very low level API - easy to get wrong and hard to debug.
Nonetheless, ptrace is a useful tool in a programmer's arsenal. As always, use the right tool for the job...