def do_function_starts(self, in_memory): """Run the binary, stop at our unstripped function, make sure the caller has synthetic symbols""" exe = self.getBuildArtifact(exe_name) # Now strip the binary, but leave externals so we can break on dont_strip_me. try: fail_str = system([["strip", "-u", "-x", "-S", exe]]) except CalledProcessError as cmd_error: self.fail("Strip failed: %d" % (cmd_error.returncode)) # Use a file as a synchronization point between test and inferior. pid_file_path = lldbutil.append_to_process_working_directory( self, "token_pid_%d" % (int(os.getpid()))) self.addTearDownHook( lambda: self.run_platform_command("rm %s" % (pid_file_path))) popen = self.spawnSubprocess(exe, [pid_file_path]) self.addTearDownHook(self.cleanupSubprocesses) # Wait until process has fully started up. pid = lldbutil.wait_for_file_on_target(self, pid_file_path) if in_memory: remove_file(exe) target = self.dbg.CreateTarget(None) self.assertTrue(target.IsValid(), "Got a vaid empty target.") error = lldb.SBError() attach_info = lldb.SBAttachInfo() attach_info.SetProcessID(popen.pid) attach_info.SetIgnoreExisting(False) process = target.Attach(attach_info, error) self.assertTrue( error.Success(), "Didn't attach successfully to %d: %s" % (popen.pid, error.GetCString())) bkpt = target.BreakpointCreateByName("dont_strip_me", exe) self.assertTrue(bkpt.GetNumLocations() > 0, "Didn't set the dont_strip_me bkpt.") threads = lldbutil.continue_to_breakpoint(process, bkpt) self.assertEqual(len(threads), 1, "Didn't hit my breakpoint.") # Our caller frame should have been stripped. Make sure we made a synthetic symbol # for it: thread = threads[0] self.assertTrue(thread.num_frames > 1, "Couldn't backtrace.") name = thread.frame[1].GetFunctionName() self.assertTrue(name.startswith("___lldb_unnamed_symbol")) self.assertTrue(name.endswith("$$StripMe"))
def do_function_starts(self, in_memory): """Run the binary, stop at our unstripped function, make sure the caller has synthetic symbols""" exe = self.getBuildArtifact(exe_name) # Now strip the binary, but leave externals so we can break on dont_strip_me. try: fail_str = system([["strip", "-u", "-x", "-S", exe]]) except CalledProcessError as cmd_error: self.fail("Strip failed: %d" % (cmd_error.returncode)) popen = self.spawnSubprocess(exe) self.addTearDownHook(self.cleanupSubprocesses) if in_memory: remove_file(exe) target = self.dbg.CreateTarget(None) self.assertTrue(target.IsValid(), "Got a vaid empty target.") error = lldb.SBError() attach_info = lldb.SBAttachInfo() attach_info.SetProcessID(popen.pid) attach_info.SetIgnoreExisting(False) process = target.Attach(attach_info, error) self.assertTrue( error.Success(), "Didn't attach successfully to %d: %s" % (popen.pid, error.GetCString())) bkpt = target.BreakpointCreateByName("dont_strip_me", exe) self.assertTrue(bkpt.GetNumLocations() > 0, "Didn't set the dont_strip_me bkpt.") threads = lldbutil.continue_to_breakpoint(process, bkpt) self.assertEqual(len(threads), 1, "Didn't hit my breakpoint.") # Our caller frame should have been stripped. Make sure we made a synthetic symbol # for it: thread = threads[0] self.assertTrue(thread.num_frames > 1, "Couldn't backtrace.") name = thread.frame[1].GetFunctionName() self.assertEqual("___lldb_unnamed_symbol1$$StripMe", name, "Frame name not synthetic")
def main(argv): description = '''Debugs a program using the LLDB python API and uses asynchronous broadcast events to watch for process state changes.''' epilog = '''Examples: #---------------------------------------------------------------------- # Run "/bin/ls" with the arguments "-lAF /tmp/", and set a breakpoint # at "malloc" and backtrace and read all registers each time we stop #---------------------------------------------------------------------- % ./process_events.py --breakpoint malloc --stop-command bt --stop-command 'register read' -- /bin/ls -lAF /tmp/ ''' optparse.OptionParser.format_epilog = lambda self, formatter: self.epilog parser = optparse.OptionParser( description=description, prog='process_events', usage='usage: process_events [options] program [arg1 arg2]', epilog=epilog) parser.add_option( '-v', '--verbose', action='store_true', dest='verbose', help="Enable verbose logging.", default=False) parser.add_option( '-b', '--breakpoint', action='append', type='string', metavar='BPEXPR', dest='breakpoints', help='Breakpoint commands to create after the target has been created, the values will be sent to the "_regexp-break" command which supports breakpoints by name, file:line, and address.') parser.add_option( '-a', '--arch', type='string', dest='arch', help='The architecture to use when creating the debug target.', default=None) parser.add_option( '--platform', type='string', metavar='platform', dest='platform', help='Specify the platform to use when creating the debug target. Valid values include "localhost", "darwin-kernel", "ios-simulator", "remote-freebsd", "remote-macosx", "remote-ios", "remote-linux".', default=None) parser.add_option( '-l', '--launch-command', action='append', type='string', metavar='CMD', dest='launch_commands', help='LLDB command interpreter commands to run once after the process has launched. This option can be specified more than once.', default=[]) parser.add_option( '-s', '--stop-command', action='append', type='string', metavar='CMD', dest='stop_commands', help='LLDB command interpreter commands to run each time the process stops. This option can be specified more than once.', default=[]) parser.add_option( '-c', '--crash-command', action='append', type='string', metavar='CMD', dest='crash_commands', help='LLDB command interpreter commands to run in case the process crashes. This option can be specified more than once.', default=[]) parser.add_option( '-x', '--exit-command', action='append', type='string', metavar='CMD', dest='exit_commands', help='LLDB command interpreter commands to run once after the process has exited. This option can be specified more than once.', default=[]) parser.add_option( '-T', '--no-threads', action='store_false', dest='show_threads', help="Don't show threads when process stops.", default=True) parser.add_option( '--ignore-errors', action='store_false', dest='stop_on_error', help="Don't stop executing LLDB commands if the command returns an error. This applies to all of the LLDB command interpreter commands that get run for launch, stop, crash and exit.", default=True) parser.add_option( '-n', '--run-count', type='int', dest='run_count', metavar='N', help='How many times to run the process in case the process exits.', default=1) parser.add_option( '-t', '--event-timeout', type='int', dest='event_timeout', metavar='SEC', help='Specify the timeout in seconds to wait for process state change events.', default=lldb.UINT32_MAX) parser.add_option( '-e', '--environment', action='append', type='string', metavar='ENV', dest='env_vars', help='Environment variables to set in the inferior process when launching a process.') parser.add_option( '-d', '--working-dir', type='string', metavar='DIR', dest='working_dir', help='The the current working directory when launching a process.', default=None) parser.add_option( '-p', '--attach-pid', type='int', dest='attach_pid', metavar='PID', help='Specify a process to attach to by process ID.', default=-1) parser.add_option( '-P', '--attach-name', type='string', dest='attach_name', metavar='PROCESSNAME', help='Specify a process to attach to by name.', default=None) parser.add_option( '-w', '--attach-wait', action='store_true', dest='attach_wait', help='Wait for the next process to launch when attaching to a process by name.', default=False) try: (options, args) = parser.parse_args(argv) except: return attach_info = None launch_info = None exe = None if args: exe = args.pop(0) launch_info = lldb.SBLaunchInfo(args) if options.env_vars: launch_info.SetEnvironmentEntries(options.env_vars, True) if options.working_dir: launch_info.SetWorkingDirectory(options.working_dir) elif options.attach_pid != -1: if options.run_count == 1: attach_info = lldb.SBAttachInfo(options.attach_pid) else: print("error: --run-count can't be used with the --attach-pid option") sys.exit(1) elif not options.attach_name is None: if options.run_count == 1: attach_info = lldb.SBAttachInfo( options.attach_name, options.attach_wait) else: print("error: --run-count can't be used with the --attach-name option") sys.exit(1) else: print('error: a program path for a program to debug and its arguments are required') sys.exit(1) # Create a new debugger instance debugger = lldb.SBDebugger.Create() debugger.SetAsync(True) command_interpreter = debugger.GetCommandInterpreter() # Create a target from a file and arch if exe: print("Creating a target for '%s'" % exe) error = lldb.SBError() target = debugger.CreateTarget( exe, options.arch, options.platform, True, error) if target: # Set any breakpoints that were specified in the args if we are launching. We use the # command line command to take advantage of the shorthand breakpoint # creation if launch_info and options.breakpoints: for bp in options.breakpoints: debugger.HandleCommand("_regexp-break %s" % (bp)) run_commands(command_interpreter, ['breakpoint list']) for run_idx in range(options.run_count): # Launch the process. Since we specified synchronous mode, we won't return # from this function until we hit the breakpoint at main error = lldb.SBError() if launch_info: if options.run_count == 1: print('Launching "%s"...' % (exe)) else: print('Launching "%s"... (launch %u of %u)' % (exe, run_idx + 1, options.run_count)) process = target.Launch(launch_info, error) else: if options.attach_pid != -1: print('Attaching to process %i...' % (options.attach_pid)) else: if options.attach_wait: print('Waiting for next to process named "%s" to launch...' % (options.attach_name)) else: print('Attaching to existing process named "%s"...' % (options.attach_name)) process = target.Attach(attach_info, error) # Make sure the launch went ok if process and process.GetProcessID() != lldb.LLDB_INVALID_PROCESS_ID: pid = process.GetProcessID() print('Process is %i' % (pid)) if attach_info: # continue process if we attached as we won't get an # initial event process.Continue() listener = debugger.GetListener() # sign up for process state change events stop_idx = 0 done = False while not done: event = lldb.SBEvent() if listener.WaitForEvent(options.event_timeout, event): if lldb.SBProcess.EventIsProcessEvent(event): state = lldb.SBProcess.GetStateFromEvent(event) if state == lldb.eStateInvalid: # Not a state event print('process event = %s' % (event)) else: print("process state changed event: %s" % (lldb.SBDebugger.StateAsCString(state))) if state == lldb.eStateStopped: if stop_idx == 0: if launch_info: print("process %u launched" % (pid)) run_commands( command_interpreter, ['breakpoint list']) else: print("attached to process %u" % (pid)) for m in target.modules: print(m) if options.breakpoints: for bp in options.breakpoints: debugger.HandleCommand( "_regexp-break %s" % (bp)) run_commands( command_interpreter, ['breakpoint list']) run_commands( command_interpreter, options.launch_commands) else: if options.verbose: print("process %u stopped" % (pid)) run_commands( command_interpreter, options.stop_commands) stop_idx += 1 print_threads(process, options) print("continuing process %u" % (pid)) process.Continue() elif state == lldb.eStateExited: exit_desc = process.GetExitDescription() if exit_desc: print("process %u exited with status %u: %s" % (pid, process.GetExitStatus(), exit_desc)) else: print("process %u exited with status %u" % (pid, process.GetExitStatus())) run_commands( command_interpreter, options.exit_commands) done = True elif state == lldb.eStateCrashed: print("process %u crashed" % (pid)) print_threads(process, options) run_commands( command_interpreter, options.crash_commands) done = True elif state == lldb.eStateDetached: print("process %u detached" % (pid)) done = True elif state == lldb.eStateRunning: # process is running, don't say anything, # we will always get one of these after # resuming if options.verbose: print("process %u resumed" % (pid)) elif state == lldb.eStateUnloaded: print("process %u unloaded, this shouldn't happen" % (pid)) done = True elif state == lldb.eStateConnected: print("process connected") elif state == lldb.eStateAttaching: print("process attaching") elif state == lldb.eStateLaunching: print("process launching") else: print('event = %s' % (event)) else: # timeout waiting for an event print("no process event for %u seconds, killing the process..." % (options.event_timeout)) done = True # Now that we are done dump the stdout and stderr process_stdout = process.GetSTDOUT(1024) if process_stdout: print("Process STDOUT:\n%s" % (process_stdout)) while process_stdout: process_stdout = process.GetSTDOUT(1024) print(process_stdout) process_stderr = process.GetSTDERR(1024) if process_stderr: print("Process STDERR:\n%s" % (process_stderr)) while process_stderr: process_stderr = process.GetSTDERR(1024) print(process_stderr) process.Kill() # kill the process else: if error: print(error) else: if launch_info: print('error: launch failed') else: print('error: attach failed') lldb.SBDebugger.Terminate()
def main(argv): description = '''Debugs a program using the LLDB python API and does crash analysis on stop events''' epilog = '''Examples: % ./exploitaben.py -- /path/to/app -infile file_that_causes.crash ''' optparse.OptionParser.format_epilog = lambda self, formatter: self.epilog parser = optparse.OptionParser( description=description, prog='process_events', usage='usage: process_events [options] program [arg1 arg2]', epilog=epilog) parser.add_option('-v', '--verbose', action='store_true', dest='verbose', help="Enable verbose logging.", default=False) parser.add_option( '-b', '--breakpoint', action='append', type='string', metavar='BPEXPR', dest='breakpoints', help= 'Breakpoint commands to create after the target has been created, the values will be sent to the "_regexp-break" command which supports breakpoints by name, file:line, and address.' ) # parser.add_option('-a', '--arch', type='string', dest='arch', help='The architecture to use when creating the debug target.', default=None) # parser.add_option('--platform', type='string', metavar='platform', dest='platform', help='Specify the platform to use when creating the debug target. Valid values include "localhost", "darwin-kernel", "ios-simulator", "remote-freebsd", "remote-macosx", "remote-ios", "remote-linux".', default=None) # parser.add_option('-l', '--launch-command', action='append', type='string', metavar='CMD', dest='launch_commands', help='LLDB command interpreter commands to run once after the process has launched. This option can be specified more than once.', default=[]) # parser.add_option('-s', '--stop-command', action='append', type='string', metavar='CMD', dest='stop_commands', help='LLDB command interpreter commands to run each time the process stops. This option can be specified more than once.', default=[]) parser.add_option( '-c', '--crash-command', action='append', type='string', metavar='CMD', dest='crash_commands', help= 'LLDB command interpreter commands to run in case the process crashes. This option can be specified more than once.', default=[]) parser.add_option( '-x', '--exit-command', action='append', type='string', metavar='CMD', dest='exit_commands', help= 'LLDB command interpreter commands to run once after the process has exited. This option can be specified more than once.', default=[]) # parser.add_option('-T', '--no-threads', action='store_false', dest='show_threads', help="Don't show threads when process stops.", default=True) parser.add_option( '--ignore-errors', action='store_false', dest='stop_on_error', help= "Don't stop executing LLDB commands if the command returns an error. This applies to all of the LLDB command interpreter commands that get run for launch, stop, crash and exit.", default=True) # parser.add_option('-n', '--run-count', type='int', dest='run_count', metavar='N', help='How many times to run the process in case the process exits.', default=1) parser.add_option( '-t', '--event-timeout', type='int', dest='event_timeout', metavar='SEC', help= 'Specify the timeout in seconds to wait for process state change events.', default=lldb.UINT32_MAX) parser.add_option( '-e', '--environment', action='append', type='string', metavar='ENV', dest='env_vars', help= 'Environment variables to set in the inferior process when launching a process.' ) parser.add_option( '-d', '--working-dir', type='string', metavar='DIR', dest='working_dir', help='The the current working directory when launching a process.', default=None) parser.add_option('-p', '--attach-pid', type='int', dest='attach_pid', metavar='PID', help='Specify a process to attach to by process ID.', default=-1) parser.add_option('-P', '--attach-name', type='string', dest='attach_name', metavar='PROCESSNAME', help='Specify a process to attach to by name.', default=None) parser.add_option( '-w', '--attach-wait', action='store_true', dest='attach_wait', help= 'Wait for the next process to launch when attaching to a process by name.', default=False) parser.add_option( '-O', '--show-output', action='store_true', dest='show_output', help='Print the captured stdout/stderr from the target at exit.', default=False) try: (options, args) = parser.parse_args(argv) except: return options.run_count = 1 # I used a closure because we need to wait until options have been parsed def debug(str): if options.verbose: print str attach_info = None launch_info = None exe = None if args: exe = args.pop(0) launch_info = lldb.SBLaunchInfo(args) if options.env_vars: launch_info.SetEnvironmentEntries(options.env_vars, True) if options.working_dir: launch_info.SetWorkingDirectory(options.working_dir) elif options.attach_pid != -1: if options.run_count == 1: attach_info = lldb.SBAttachInfo(options.attach_pid) else: print "error: --run-count can't be used with the --attach-pid option" sys.exit(1) elif options.attach_name is not None: attach_info = lldb.SBAttachInfo(options.attach_name, options.attach_wait) if options.attach_wait: waiting = True else: print 'error: a program path for a program to debug and its arguments are required' sys.exit(1) # Create a new debugger instance debugger = lldb.SBDebugger.Create() debugger.SetAsync(True) command_interpreter = debugger.GetCommandInterpreter() # Create a target from a file and arch if exe: debug("Creating a target for '%s'" % exe) error = lldb.SBError() target = debugger.CreateTarget(exe, None, None, True, error) if target: # Set any breakpoints that were specified in the args if we are launching. We use the # command line command to take advantage of the shorthand breakpoint creation if launch_info and options.breakpoints: for bp in options.breakpoints: debugger.HandleCommand("_regexp-break %s" % (bp)) run_commands(command_interpreter, ['breakpoint list']) for run_idx in range(options.run_count): # Launch the process. Since we specified synchronous mode, we won't return # from this function until we hit the breakpoint at main error = lldb.SBError() if launch_info: if options.run_count == 1: debug('Launching "%s"...' % (exe)) else: debug('Launching "%s"... (launch %u of %u)' % (exe, run_idx + 1, options.run_count)) process = target.Launch(launch_info, error) else: if options.attach_pid != -1: debug('Attaching to process %i...' % (options.attach_pid)) else: if options.attach_wait: debug( 'Waiting for next to process named "%s" to launch...' % (options.attach_name)) else: debug('Attaching to existing process named "%s"...' % (options.attach_name)) process = target.Attach(attach_info, error) # Make sure the launch went ok if process and options.attach_wait or process.GetProcessID( ) != lldb.LLDB_INVALID_PROCESS_ID: pid = process.GetProcessID() listener = debugger.GetListener() # sign up for process state change events done = False # moved this outside the main event loop so we re-use one C++ # object. Saves a lot of __init__ calls. event = lldb.SBEvent() while not done: if listener.WaitForEvent(options.event_timeout, event): if lldb.SBProcess.EventIsProcessEvent(event): state = lldb.SBProcess.GetStateFromEvent(event) if state == lldb.eStateInvalid: # Not a state event debug('process event = %s' % (event)) else: # don't call StateAsCString in the critical path! # debug("process state changed event: %s" % (lldb.SBDebugger.StateAsCString(state))) if state == lldb.eStateStopped: debug("process %u stopped" % (pid)) # handle initial stop event after attach ( including attach_wait ) if options.attach_name: debug("Attached to {}!".format( options.attach_name)) # clobber the attach_name option to save using a scratch variable ;) options.attach_name = False process.Continue() continue # OK, now it's a 'real' stop. # skip ahead to the first faulting thread. Not perfect, but better # than nothing. # TODO: Handle cases where multiple threads have a StopReason # ( need to find one first ) for thread in process: if thread.GetStopReason( ) != lldb.eStopReasonNone: process.SetSelectedThread(thread) break # Adding some parser sugar... print "Stack trace:" run_commands(command_interpreter, ['bt 25']) print "Nearby code:" try: run_commands( command_interpreter, ['disass -p -c 10 -b -F intel']) except: print "<disassembly failed>" run_commands(command_interpreter, ['reg read']) print "Hash: %s" % stack_hash( process.selected_thread) analyzer = lldbx86.Analyzer(target) print "ANALYSIS INDICATORS:" print "--------------------" print "StopDesc: %s" % analyzer.getStopDescription( ) print "AvNearNull: %s" % analyzer.isAvNearNull( ) print "AvNearSP: %s" % analyzer.isAvNearSP( ) print "BadBeef: %s" % analyzer.isAvBadBeef( ) print "Access Type: %s" % analyzer.getAccessType( analyzer.getCurrentInstruction()) regs = analyzer.getInsnRegisters( analyzer.getCurrentInstruction()) print "Registers: %s" % ' '.join( map( lambda r: "{}={}".format( r, regs[r]), regs.keys())) print "BlockMov: %s" % analyzer.isBlockMove( ) print "Weird PC: %s" % analyzer.isPcWeird( ) print "Weird SP: %s" % analyzer.isSpWeird( ) print "Suspicious Funcs: %s" % " ".join( analyzer.getSuspiciousStackFuncs()) print "Illegal Insn: %s" % analyzer.isIllegalInstruction( ) print "Huge Stack: %s" % analyzer.isStackHuge( ) done = True elif state == lldb.eStateExited: exit_desc = process.GetExitDescription() if exit_desc: debug( "process %u exited with status %u: %s" % (pid, process.GetExitStatus(), exit_desc)) else: debug( "process %u exited with status %u" % (pid, process.GetExitStatus())) run_commands(command_interpreter, options.exit_commands) done = True elif state == lldb.eStateCrashed: # TODO no idea when this happens without first hitting a stop event debug("process %u crashed" % (pid)) print_threads(process, options) run_commands(command_interpreter, options.crash_commands) done = True elif state == lldb.eStateDetached: debug("process %u detached" % (pid)) done = True elif state == lldb.eStateRunning: debug("process %u resumed" % (pid)) elif state == lldb.eStateUnloaded: debug( "process %u unloaded, this shouldn't happen" % (pid)) done = True elif state == lldb.eStateConnected: debug("process connected") elif state == lldb.eStateAttaching: debug("process attaching") elif state == lldb.eStateLaunching: debug("process launching") else: debug('event = %s' % (event)) else: # timeout waiting for an event print "no process event for %u seconds, killing the process..." % ( options.event_timeout) done = True if options.show_output: process_stdout = process.GetSTDOUT(1024) if process_stdout: print "Process STDOUT:\n%s" % (process_stdout) while process_stdout: process_stdout = process.GetSTDOUT(1024) print process_stdout process_stderr = process.GetSTDERR(1024) if process_stderr: print "Process STDERR:\n%s" % (process_stderr) while process_stderr: process_stderr = process.GetSTDERR(1024) print process_stderr process.Kill() else: if error: print error else: if launch_info: print 'error: launch failed' else: print 'error: attach failed' lldb.SBDebugger.Terminate()
def main(argv): ## #--breakpoint begin_funcion --normal_end [end_function] --spin_end [end_function] #--pid attached_process ## parser = optparse.OptionParser() parser.add_option('-b', '--breakpoint', dest='breakpoint', type='string', help='Trace calls from the breakpoint', metavar='BPEXPR', default=None) parser.add_option('-n', '--normal_end', dest='normal_endf', type='string', help='End function in normal execution', metavar='NORMEND', default=None) parser.add_option('-s', '--spin_end', dest='spin_endf', type='string', help='End function in spinning execution', metavar='SPINEND', default=None) parser.add_option('-p', '--pid', dest='pid', type='int', help='Process to attach', metavar='PID', default=-1) (options, args) = parser.parse_args(argv) if options.pid == -1: sys.exit(1) debugger = lldb.SBDebugger.Create() debugger.SetAsync(False) command_interpreter = debugger.GetCommandInterpreter() #attach to target process attach_info = lldb.SBAttachInfo(options.pid) error = lldb.SBError() target = debugger.CreateTarget(None, 'x86_64', None, True, error) print 'Create target: ', error process = target.Attach(attach_info, error) print 'Attach to process: ', error if process and process.GetProcessID() != lldb.LLDB_INVALID_PROCESS_ID: pid = process.GetProcessID() print 'Process is ', pid else: print 'Fail to attach lldb to ', options.pid set_breakpoint(debugger, options) process.Continue() check_notification_post(process, debugger, options) lldb.SBDebugger.Terminate()