def _startServer(self): # create child via ptrace debugger # API: createChild(arguments[], no_stdout, env=None) logging.debug("START: " + str( serverutils.getInvokeTargetArgs(self.config, self.targetPort + 1000))) self.pid = createChild( serverutils.getInvokeTargetArgs(self.config, self.targetPort), False, # no_stdout None, ) # Attach to the process with ptrace and let it run self.dbg = PtraceDebugger() self.proc = self.dbg.addProcess(self.pid, True) self.proc.cont() time.sleep(1) # i dont think this works here... # FIXME event = self.dbg.waitProcessEvent(blocking=False) if event is not None and type(event) == ProcessExit: logging.error("Started server, but it already exited: " + str(event)) return False return True
def procFork(arguments): env = None arguments[0] = locateProgram(arguments[0]) #to stop there being 2 arguments for the no argument case if arguments[1] == "": del(arguments[1]) child = createChild(arguments, False, env) return child
def main(argv=sys.argv): if len(argv) < 2: print(T.red("Error: No command given.")) print("Usage: %s COMMAND [ARGUMENT]..." % argv[0]) return 1 # This is basically "shlex.join" command = " ".join([(("'%s'" % arg) if (" " in arg) else arg) for arg in argv[1:]]) arguments = argv[1:] arguments[0] = locateProgram(arguments[0]) try: pid = createChild(arguments, False) except Exception as error: print(T.red("Error executing %s: %s." % (T.bold(command) + T.red, error))) return 1 debugger = PtraceDebugger() debugger.traceExec() try: debugger.traceFork() except DebuggerError: print(T.yellow("Warning: Running without traceFork support. " + "Syscalls from subprocesses can not be intercepted.")) process = debugger.addProcess(pid, True) prepareProcess(process) try: operations = get_operations(debugger) except Exception as error: print(T.red("Error tracing process: %s." % error)) return 1 except KeyboardInterrupt: print(T.yellow("%s terminated by keyboard interrupt." % (T.bold(command) + T.yellow))) return 2 finally: # Cut down all processes no matter what happens # to prevent them from doing any damage debugger.quit() if operations: print("%s has prevented %s from performing %d file system operations:\n" % (T.bold("maybe"), T.bold(command), len(operations))) for operation in operations: print(" " + operation) try: choice = input("\nDo you want to rerun %s and permit these operations? [y/N] " % T.bold(command)) except KeyboardInterrupt: choice = "" # Ctrl+C does not print a newline automatically print("") if choice.lower() == "y": subprocess.call(argv[1:]) else: print("%s has not detected any file system operations from %s." % (T.bold("maybe"), T.bold(command)))
def start_trace(cmd): new_pid = createChild(cmd, no_stdout=False) debugger = PtraceDebugger() debugger.traceFork() debugger.traceExec() debugger.addProcess(new_pid, is_attached=True) return debugger
def traceProgram(arguments): # Copy the environment variables env = None # Get the full path of the program arguments[0] = locateProgram(arguments[0]) # Create the child process return createChild(arguments, False, env)
def SetupTarget(): ### Let step up our debugger, fork our target ### and attach the debugger to the target dbg = PtraceDebugger() print("Forking the target...") pid = createChild(target.targetArgs, no_stdout=True) print("Attaching to the target process %d" % pid) process = dbg.addProcess(pid, True) return process
def execute(cmd_tokens, syscall_filters): with open(HISTORY_PATH, 'a') as history_file: history_file.write(' '.join(cmd_tokens) + os.linesep) if cmd_tokens: # Extract command name and arguments from tokens cmd_name = cmd_tokens[0] cmd_args = cmd_tokens[1:] DIRFD_ARGUMENTS.clear() SYSCALL_ARG_DICT.clear() ARGUMENT_CALLBACK.clear() # If the command is a built-in command, # invoke its function with arguments if cmd_name in built_in_cmds: return built_in_cmds[cmd_name](cmd_args) # Wait for a kill signal signal.signal(signal.SIGINT, handler_kill) try: # Spawn a child process cmd_tokens[0] = locateProgram(cmd_tokens[0]) pid = createChild(cmd_tokens, False) except Exception as error: print("Error %s executing %s" % (error, cmd_name)) return 1 debugger = ptrace.debugger.PtraceDebugger() debugger.traceFork() debugger.traceExec() process = debugger.addProcess(pid, True) process.syscall() snapshots = None try: snapshots, exit_code = debug_process(debugger, syscall_filters) if exit_code != 0: print('Command unsuccessful - rollbacking changes') snapshots.rollback_all() except Exception as error: print("Error tracing process: %s." % error) return SHELL_STATUS_STOP except KeyboardInterrupt: print("%s terminated by keyboard interrupt." % cmd_name) return SHELL_STATUS_STOP finally: # Cut down all processes no matter what happens # to prevent them from doing any damage debugger.quit() if snapshots is not None: snapshots.clean() # Return status indicating to wait for next command in shell_loop return SHELL_STATUS_RUN
def main(): if len(argv) < 2: print(T.red("Error: No command given.")) print("Usage: %s COMMAND [ARGUMENT]..." % argv[0]) exit(1) # This is basically "shlex.join" command = " ".join([(("'%s'" % arg) if (" " in arg) else arg) for arg in argv[1:]]) arguments = argv[1:] arguments[0] = locateProgram(arguments[0]) try: pid = createChild(arguments, False) except Exception as error: print(T.red("Error executing %s: %s." % (T.bold(command) + T.red, error))) exit(1) debugger = PtraceDebugger() debugger.traceExec() try: debugger.traceFork() except DebuggerError: print(T.yellow("Warning: Running without traceFork support. " + "Syscalls from subprocesses can not be intercepted.")) process = debugger.addProcess(pid, True) prepareProcess(process) try: operations = get_operations(debugger) except Exception as error: print(T.red("Error tracing process: %s." % error)) exit(1) except KeyboardInterrupt: print(T.yellow("%s terminated by keyboard interrupt." % (T.bold(command) + T.yellow))) exit(2) finally: # Cut down all processes no matter what happens # to prevent them from doing any damage debugger.quit() if operations: print("%s has prevented %s from performing %d file system operations:\n" % (T.bold("maybe"), T.bold(command), len(operations))) for operation in operations: print(" " + operation) try: choice = input("\nDo you want to rerun %s and permit these operations? [y/N] " % T.bold(command)) except KeyboardInterrupt: choice = "" if choice.lower() == "y": call(argv[1:]) else: print("%s has not detected any file system operations from %s." % (T.bold("maybe"), T.bold(command)))
def _runTarget(config, outputFile): """ Run the target application specified in the configuration and pass it the file output from the fuzzer """ args = config["target_args"] % ({"input": outputFile}) cmd = shlex.split(config["target_bin"] + " " + args) pid = createChild(cmd, True, None) return pid
def start(self): pid = createChild(["/tmp/test"], False) debugger = PtraceDebugger() debugger.addProcess(pid, True) debugger.enableSysgood() process = debugger[pid] process.syscall() e = process.waitEvent() assert isinstance(e, ptrace_debugger.ProcessSignal) return debugger, process
def main(): sys.argv = sys.argv[1:] filter_scopes = SYSCALL_FILTERS.keys() syscall_filters = {} for filter_scope in SYSCALL_FILTERS: if filter_scope in filter_scopes: for syscall in SYSCALL_FILTERS[filter_scope]: syscall_filters[syscall] = SYSCALL_FILTERS[filter_scope][ syscall] # Suppress logging output from python-ptrace getLogger().addHandler(NullHandler()) # Prevent python-ptrace from decoding arguments to keep raw numerical values DIRFD_ARGUMENTS.clear() SYSCALL_ARG_DICT.clear() ARGUMENT_CALLBACK.clear() try: sys.argv[0] = locateProgram(sys.argv[0]) pid = createChild(sys.argv, False) except Exception as error: print(f"Error executing {sys.argv}: {error}.") return 1 debugger = PtraceDebugger() debugger.traceFork() debugger.traceExec() process = debugger.addProcess(pid, True) process.syscall() try: operations = get_operations(debugger, syscall_filters, True) except Exception as error: print(f"Error tracing process: {error}.") return 1 finally: # Cut down all processes no matter what happens # to prevent them from doing any damage debugger.quit() if operations: for operation in operations: print(" " + operation) else: print(f"Not detected any file system operations from: {sys.argv}")
def main(): if len(argv) < 2: usage() # create process env = None arguments = argv[1:] arguments[0] = locateProgram(arguments[0]) pid = createChild(arguments, False, env) # create debugger debugger = PtraceDebugger() debugger.enableSysgood() debugger.traceExec() debugger.traceFork() # attach process debugger.addProcess(pid, True) process = debugger[pid] process.syscall() # start event loop loop(debugger) debugger.quit()
def main(argv=sys.argv[1:]): if PY2: argv = [unicode(arg, sys.getfilesystemencoding()) for arg in argv] # noqa # Insert positional argument separator, if not already present if "--" not in argv: for i, argument in enumerate(argv): if not argument.startswith("-"): argv.insert(i, "--") break arg_parser = ArgumentParser( prog="maybe", usage="%(prog)s [options] command [argument ...]", description="Run a command without the ability to make changes to your system " + "and list the changes it would have made.", epilog="For more information, to report issues or to contribute, " + "visit https://github.com/p-e-w/maybe.", ) arg_parser.add_argument("command", nargs="+", help="the command to run under maybe's control") arg_group = arg_parser.add_mutually_exclusive_group() arg_group.add_argument("-a", "--allow", nargs="+", metavar="OPERATION", help="allow the command to perform the specified operation(s). " + "all other operations will be denied. " + "possible values for %(metavar)s are: " + ", ".join(sorted(SYSCALL_FILTERS.keys())) + "; as well as any filter scopes defined by loaded plugins") arg_group.add_argument("-d", "--deny", nargs="+", metavar="OPERATION", help="deny the command the specified operation(s). " + "all other operations will be allowed. " + "see --allow for a list of possible values for %(metavar)s. " + "--allow and --deny cannot be combined") arg_parser.add_argument("-p", "--plugin", nargs="+", metavar="FILE", help="load the specified plugin script(s). " + "see the README for details and plugin API documentation") arg_parser.add_argument("-l", "--list-only", action="store_true", help="list operations without header, indentation and rerun prompt") arg_parser.add_argument("--style-output", choices=["yes", "no", "auto"], default="auto", help="colorize output using ANSI escape sequences (yes/no) " + "or automatically decide based on whether stdout is a terminal (auto, default)") arg_parser.add_argument("-v", "--verbose", action="count", help="if specified once, print every filtered syscall. " + "if specified twice, print every syscall, highlighting filtered syscalls") arg_parser.add_argument("--version", action="version", version="%(prog)s 0.4.0") args = arg_parser.parse_args(argv) initialize_terminal(args.style_output) if args.plugin is not None: for plugin_path in args.plugin: try: module_name = splitext(basename(plugin_path))[0] # Note: imp.load_source is *long* deprecated and not even documented # in Python 3 anymore, but it still seems to work and the "alternatives" # (see http://stackoverflow.com/a/67692) are simply too insane to use load_source(module_name, plugin_path) except Exception as error: print(T.red("Error loading %s: %s." % (T.bold(plugin_path) + T.red, error))) return 1 if args.allow is not None: for filter_scope in args.allow: if filter_scope not in SYSCALL_FILTERS: print(T.red("Unknown operation in --allow: %s." % (T.bold(filter_scope) + T.red))) return 1 filter_scopes = set(SYSCALL_FILTERS.keys()) - set(args.allow) elif args.deny is not None: for filter_scope in args.deny: if filter_scope not in SYSCALL_FILTERS: print(T.red("Unknown operation in --deny: %s." % (T.bold(filter_scope) + T.red))) return 1 filter_scopes = args.deny else: filter_scopes = SYSCALL_FILTERS.keys() syscall_filters = {} for filter_scope in SYSCALL_FILTERS: if filter_scope in filter_scopes: for syscall in SYSCALL_FILTERS[filter_scope]: syscall_filters[syscall] = SYSCALL_FILTERS[filter_scope][syscall] # Suppress logging output from python-ptrace getLogger().addHandler(NullHandler()) # Prevent python-ptrace from decoding arguments to keep raw numerical values DIRFD_ARGUMENTS.clear() SYSCALL_ARG_DICT.clear() ARGUMENT_CALLBACK.clear() # This is basically "shlex.join" command = " ".join([(("'%s'" % arg) if (" " in arg) else arg) for arg in args.command]) try: args.command[0] = locateProgram(args.command[0]) pid = createChild(args.command, False) except Exception as error: print(T.red("Error executing %s: %s." % (T.bold(command) + T.red, error))) return 1 debugger = PtraceDebugger() debugger.traceFork() debugger.traceExec() process = debugger.addProcess(pid, True) process.syscall() try: operations = get_operations(debugger, syscall_filters, args.verbose) except Exception as error: print(T.red("Error tracing process: %s." % error)) return 1 except KeyboardInterrupt: print(T.yellow("%s terminated by keyboard interrupt." % (T.bold(command) + T.yellow))) return 2 finally: # Cut down all processes no matter what happens # to prevent them from doing any damage debugger.quit() if operations: if not args.list_only: print("%s has prevented %s from performing %d file system operations:\n" % (T.bold("maybe"), T.bold(command), len(operations))) for operation in operations: print(("" if args.list_only else " ") + operation) if not args.list_only: print("\nDo you want to rerun %s and permit these operations? [y/N] " % T.bold(command), end="") try: choice = input() except KeyboardInterrupt: choice = "" # Ctrl+C does not print a newline automatically print("") if choice.lower() == "y": subprocess.call(args.command) else: print("%s has not detected any file system operations from %s." % (T.bold("maybe"), T.bold(command)))
def main(argv=sys.argv[1:]): # Insert positional argument separator, if not already present if "--" not in argv: for i, argument in enumerate(argv): if not argument.startswith("-"): argv.insert(i, "--") break arg_parser = ArgumentParser( prog="maybe", usage="%(prog)s [options] command [argument ...]", description="Run a command without the ability to make changes to your system " + "and list the changes it would have made.", epilog="For more information, to report issues or to contribute, " + "visit https://github.com/p-e-w/maybe.", ) arg_parser.add_argument("command", nargs="+", help="the command to run under maybe's control") arg_parser.add_argument("-l", "--list-only", action="store_true", help="list operations without header, indentation and rerun prompt") arg_parser.add_argument("--style-output", choices=["yes", "no", "auto"], default="auto", help="colorize output using ANSI escape sequences (yes/no) " + "or automatically decide based on whether stdout is a terminal (auto, default)") arg_parser.add_argument("-v", "--verbose", action="count", help="if specified once, print every filtered syscall. " + "if specified twice, print every syscall, highlighting filtered syscalls") arg_parser.add_argument("--version", action="version", version="%(prog)s 0.4.0") args = arg_parser.parse_args(argv) initialize_terminal(args.style_output) # This is basically "shlex.join" command = " ".join([(("'%s'" % arg) if (" " in arg) else arg) for arg in args.command]) try: args.command[0] = locateProgram(args.command[0]) pid = createChild(args.command, False) except Exception as error: print(T.red("Error executing %s: %s." % (T.bold(command) + T.red, error))) return 1 debugger = PtraceDebugger() debugger.traceExec() try: debugger.traceFork() except DebuggerError: print(T.yellow("Warning: Running without traceFork support. " + "Syscalls from subprocesses can not be intercepted.")) process = debugger.addProcess(pid, True) process.syscall() try: operations = get_operations(debugger, args) except Exception as error: print(T.red("Error tracing process: %s." % error)) return 1 except KeyboardInterrupt: print(T.yellow("%s terminated by keyboard interrupt." % (T.bold(command) + T.yellow))) return 2 finally: # Cut down all processes no matter what happens # to prevent them from doing any damage debugger.quit() if operations: if not args.list_only: print("%s has prevented %s from performing %d file system operations:\n" % (T.bold("maybe"), T.bold(command), len(operations))) for operation in operations: print(("" if args.list_only else " ") + operation) if not args.list_only: try: choice = input("\nDo you want to rerun %s and permit these operations? [y/N] " % T.bold(command)) except KeyboardInterrupt: choice = "" # Ctrl+C does not print a newline automatically print("") if choice.lower() == "y": subprocess.call(args.command) else: print("%s has not detected any file system operations from %s." % (T.bold("maybe"), T.bold(command)))
def create_process(self, arguments): pid = createChild(arguments, no_stdout=False) self.root = self.debugger.addProcess(pid, is_attached=True) return self.root
def main(argv=sys.argv[1:]): filter_scopes = sorted(SYSCALL_FILTERS.keys()) # Insert positional argument separator, if not already present if "--" not in argv: for i, argument in enumerate(argv): if not argument.startswith("-"): argv.insert(i, "--") break arg_parser = ArgumentParser( prog="maybe", usage="%(prog)s [options] command [argument ...]", description= "Run a command without the ability to make changes to your system " + "and list the changes it would have made.", epilog="For more information, to report issues or to contribute, " + "visit https://github.com/p-e-w/maybe.", ) arg_parser.add_argument("command", nargs="+", help="the command to run under maybe's control") arg_group = arg_parser.add_mutually_exclusive_group() arg_group.add_argument( "-a", "--allow", nargs="+", choices=filter_scopes, metavar="OPERATION", help="allow the command to perform the specified operation(s). " + "all other operations will be denied. " + "possible values for %(metavar)s are: %(choices)s") arg_group.add_argument( "-d", "--deny", nargs="+", choices=filter_scopes, metavar="OPERATION", help="deny the command the specified operation(s). " + "all other operations will be allowed. " + "see --allow for a list of possible values for %(metavar)s. " + "--allow and --deny cannot be combined") arg_parser.add_argument( "-l", "--list-only", action="store_true", help="list operations without header, indentation and rerun prompt") arg_parser.add_argument( "--style-output", choices=["yes", "no", "auto"], default="auto", help="colorize output using ANSI escape sequences (yes/no) " + "or automatically decide based on whether stdout is a terminal (auto, default)" ) arg_parser.add_argument( "-v", "--verbose", action="count", help="if specified once, print every filtered syscall. " + "if specified twice, print every syscall, highlighting filtered syscalls" ) arg_parser.add_argument("--version", action="version", version="%(prog)s 0.4.0") args = arg_parser.parse_args(argv) initialize_terminal(args.style_output) if args.allow is not None: filter_scopes = set(filter_scopes) - set(args.allow) elif args.deny is not None: filter_scopes = args.deny syscall_filters = {} for filter_scope in filter_scopes: for syscall in SYSCALL_FILTERS[filter_scope]: syscall_filters[syscall] = SYSCALL_FILTERS[filter_scope][syscall] # Prevent python-ptrace from decoding arguments to keep raw numerical values DIRFD_ARGUMENTS.clear() SYSCALL_ARG_DICT.clear() ARGUMENT_CALLBACK.clear() # This is basically "shlex.join" command = " ".join([(("'%s'" % arg) if (" " in arg) else arg) for arg in args.command]) try: args.command[0] = locateProgram(args.command[0]) pid = createChild(args.command, False) except Exception as error: print( T.red("Error executing %s: %s." % (T.bold(command) + T.red, error))) return 1 debugger = PtraceDebugger() debugger.traceFork() debugger.traceExec() process = debugger.addProcess(pid, True) process.syscall() try: operations = get_operations(debugger, syscall_filters, args.verbose) except Exception as error: print(T.red("Error tracing process: %s." % error)) return 1 except KeyboardInterrupt: print( T.yellow("%s terminated by keyboard interrupt." % (T.bold(command) + T.yellow))) return 2 finally: # Cut down all processes no matter what happens # to prevent them from doing any damage debugger.quit() if operations: if not args.list_only: print( "%s has prevented %s from performing %d file system operations:\n" % (T.bold("maybe"), T.bold(command), len(operations))) for operation in operations: print(("" if args.list_only else " ") + operation) if not args.list_only: try: choice = input( "\nDo you want to rerun %s and permit these operations? [y/N] " % T.bold(command)) except KeyboardInterrupt: choice = "" # Ctrl+C does not print a newline automatically print("") if choice.lower() == "y": subprocess.call(args.command) else: print("%s has not detected any file system operations from %s." % (T.bold("maybe"), T.bold(command)))
import os from ptrace.debugger.debugger import PtraceDebugger from ptrace.debugger.child import createChild from ptrace.syscall.ptrace_syscall import PtraceSyscall process = createChild(["ls -a"]) call = PtraceSyscall(process) call.enter() # if pid == 0: # print "Child Process: PID# %s" % os.getpid() # # else: # print "Parent Process: PID# %s" % os.getpid()
def main(argv=sys.argv[1:]): filter_scopes = sorted(SYSCALL_FILTERS.keys()) # Insert positional argument separator, if not already present if "--" not in argv: for i, argument in enumerate(argv): if not argument.startswith("-"): argv.insert(i, "--") break arg_parser = ArgumentParser( prog="maybe", usage="%(prog)s [options] command [argument ...]", description="Run a command without the ability to make changes to your system " + "and list the changes it would have made.", epilog="For more information, to report issues or to contribute, " + "visit https://github.com/p-e-w/maybe.", ) arg_parser.add_argument("command", nargs="+", help="the command to run under maybe's control") arg_group = arg_parser.add_mutually_exclusive_group() arg_group.add_argument("-a", "--allow", nargs="+", choices=filter_scopes, metavar="OPERATION", help="allow the command to perform the specified operation(s). " + "all other operations will be denied. " + "possible values for %(metavar)s are: %(choices)s") arg_group.add_argument("-d", "--deny", nargs="+", choices=filter_scopes, metavar="OPERATION", help="deny the command the specified operation(s). " + "all other operations will be allowed. " + "see --allow for a list of possible values for %(metavar)s. " + "--allow and --deny cannot be combined") arg_parser.add_argument("-l", "--list-only", action="store_true", help="list operations without header, indentation and rerun prompt") arg_parser.add_argument("--style-output", choices=["yes", "no", "auto"], default="auto", help="colorize output using ANSI escape sequences (yes/no) " + "or automatically decide based on whether stdout is a terminal (auto, default)") arg_parser.add_argument("-v", "--verbose", action="count", help="if specified once, print every filtered syscall. " + "if specified twice, print every syscall, highlighting filtered syscalls") arg_parser.add_argument("--version", action="version", version="%(prog)s 0.4.0") args = arg_parser.parse_args(argv) initialize_terminal(args.style_output) if args.allow is not None: filter_scopes = set(filter_scopes) - set(args.allow) elif args.deny is not None: filter_scopes = args.deny syscall_filters = {} for filter_scope in filter_scopes: for syscall_filter in SYSCALL_FILTERS[filter_scope]: syscall_filters[syscall_filter.syscall] = syscall_filter # Prevent python-ptrace from decoding arguments to keep raw numerical values DIRFD_ARGUMENTS.clear() SYSCALL_ARG_DICT.clear() ARGUMENT_CALLBACK.clear() # This is basically "shlex.join" command = " ".join([(("'%s'" % arg) if (" " in arg) else arg) for arg in args.command]) try: args.command[0] = locateProgram(args.command[0]) pid = createChild(args.command, False) except Exception as error: print(T.red("Error executing %s: %s." % (T.bold(command) + T.red, error))) return 1 debugger = PtraceDebugger() debugger.traceExec() try: debugger.traceFork() except DebuggerError: print(T.yellow("Warning: Running without traceFork support. " + "Syscalls from subprocesses can not be intercepted.")) process = debugger.addProcess(pid, True) process.syscall() try: operations = get_operations(debugger, syscall_filters, args.verbose) except Exception as error: print(T.red("Error tracing process: %s." % error)) return 1 except KeyboardInterrupt: print(T.yellow("%s terminated by keyboard interrupt." % (T.bold(command) + T.yellow))) return 2 finally: # Cut down all processes no matter what happens # to prevent them from doing any damage debugger.quit() if operations: if not args.list_only: print("%s has prevented %s from performing %d file system operations:\n" % (T.bold("maybe"), T.bold(command), len(operations))) for operation in operations: print(("" if args.list_only else " ") + operation) if not args.list_only: try: choice = input("\nDo you want to rerun %s and permit these operations? [y/N] " % T.bold(command)) except KeyboardInterrupt: choice = "" # Ctrl+C does not print a newline automatically print("") if choice.lower() == "y": subprocess.call(args.command) else: print("%s has not detected any file system operations from %s." % (T.bold("maybe"), T.bold(command)))
def createChild(self, arguments, env=None): return createChild(arguments, self.options.no_stdout, env)