def main(self):
self.debugger = PtraceDebugger()
try:
self.runDebugger()
except KeyboardInterrupt:
error("Interrupt debugger: quit!")
except PTRACE_ERRORS as err:
writeError(getLogger(), err, "Debugger error")
self.process = None
self.debugger.quit()
error("Quit gdb.")
self.restoreTerminal()
def _main(self):
self.debugger = PtraceDebugger()
try:
self.runDebugger()
except ProcessExit as event:
self.processExited(event)
except PtraceError as err:
error("ptrace() error: %s" % err)
except KeyboardInterrupt:
error("Interrupted.")
except PTRACE_ERRORS as err:
writeError(getLogger(), err, "Debugger error")
self.debugger.quit()
def main(self):
self.debugger = PtraceDebugger()
try:
self.runDebugger()
except ChildError as event:
self.event_callback(event)
except ProcessExit as event:
self.processExited(event)
except (KeyError, PtraceError, OSError) as error:
self._handle_exceptions_during_quit(error, 'main')
if self.debugger:
self.debugger.quit()
self.quit_callback()
def do_dump (process, maxmem):
print_process (process, "===")
# Attach to the process
debugger = PtraceDebugger()
try:
d_process = debugger.addProcess(process['pid'], False)
except:
print("Error attaching to the process pid {0}. Aborting".format(process['pid']))
sys.exit(1)
d_process.was_attached = True
procmaps = readProcessMappings(d_process)
# Look for process heap region
for pm in procmaps:
if pm.pathname == None:
mem_start=pm.start
mem_end=pm.end
mem_total=mem_end-mem_start
if maxmem > 0 and mem_total > maxmem :
print("Process memory is {0} but you defined maxmem to {1}".format(mem_total, maxmem))
return False
# Use StringIO to work only in memory. This can be dangerous, because "heap" can be big.
the_mem = StringIO.StringIO()
# Transfer process heap memory to the_mem var.
the_mem.write(d_process.readBytes(mem_start, mem_total))
# We have what we were looking for. Let's detach the process.
d_process.detach()
# Start search
request_end=0
found=False
while True:
hdr_pos=fnd(the_mem, process['request'], request_end)
if hdr_pos==-1: # EOF
break
request_pos=hdr_pos # This is the start of the possible match
request_end=fnd(the_mem, "\x00", request_pos) # This is the end of the possible match
# If we find double new line then this should be a valid request and data block.
if fnd(the_mem,"\x0d\x0a\x0d\x0a", request_pos) < request_end:
found=True
# If valid, print it!
print get_fragment(the_mem, request_pos, request_end)
# Prepare to continue searching
the_mem.seek(request_end+1)
the_mem.close()
if found:
break
def startDebugger(self, args):
debugger = PtraceDebugger()
debugger.traceFork()
debugger.traceExec()
debugger.enableSysgood(
) # to differentiate between traps raised by syscall, no syscall
newProcess = ProcessWrapper(args=args,
debugger=debugger,
redirect=True) # first process
newProcess.syscalls_to_trace = self.syscalls_to_trace
self.addProcess(newProcess)
return debugger
def __init__(self, project):
ProjectAgent.__init__(self, project, "dbg")
self.debugger = None
self.enabled = (HAS_PTRACE and project.config.use_debugger)
self.fusil_processes = {}
if self.enabled:
self.error("Use python-ptrace debugger")
self.debugger = PtraceDebugger()
if project.config.debugger_trace_forks:
try:
self.debugger.traceFork()
self.warning("Debugger trace process forks")
except PtraceDebuggerError, err:
self.error("Unable to trace forks: %s" % err)
def main():
global options
options = get_options()
dbg = PtraceDebugger()
pid = int(subprocess.check_output(['pidof', "typespeed"]))
process = dbg.addProcess(pid, False)
process.syscall()
while True:
event = dbg.waitSyscall()
process = event.process
op_syscall(process)
dbg.quit()
def debugFindRtld(pid):
dbg = PtraceDebugger()
process = dbg.addProcess(pid, False)
for pm in readProcessMappings(process):
if 'rwx' in pm.permissions:
for addr in pm.search(b'\x78\x56\x34\x12'):
# There are no ret instructions in the CC
memory = process.readBytes(addr, 20)
if b'\xC3' not in memory:
process = None
dbg.quit()
return addr
print('ERROR: Could not find the address of rtld_lock_default_lock_recursive in code cache!')
exit(-1)
def _main(self):
self.debugger = PtraceDebugger()
try:
self.runDebugger()
except ProcessExit as event:
self.processExited(event)
except PtraceError as err:
error("ptrace() error: %s" % err)
except KeyboardInterrupt:
error("Interrupted.")
except PTRACE_ERRORS as err:
writeError(getLogger(), err, "Debugger error")
processes = list(self.debugger.list)
self.debugger.quit()
# python-ptrace seems iffy on actually detaching sometimes, so we make
# sure we let the process continue
for process in processes:
subprocess.check_output(['kill', '-cont', str(process.pid)])
def getData(self, inputs):
self.events = []
self.nevents = dict()
self.debugger = PtraceDebugger()
self.runProcess([self.program] + inputs)
# print self.pid
# if self.crashed:
# print "we should terminate.."
# sleep(3)
if self.process is None:
return None
self.process.terminate()
self.process.detach()
# print self.nevents
self.process = None
return self.events
def _main(self):
self.debugger = PtraceDebugger()
exitcode = 0
try:
exitcode = self.runDebugger()
except ProcessExit as event:
self.processExited(event)
if event.exitcode is not None:
exitcode = event.exitcode
except PtraceError as err:
error("ptrace() error: %s" % err)
if err.errno is not None:
exitcode = err.errno
except KeyboardInterrupt:
error("Interrupted.")
exitcode = 1
except PTRACE_ERRORS as err:
writeError(getLogger(), err, "Debugger error")
exitcode = 1
self.debugger.quit()
return exitcode
def main(self):
self.debugger = PtraceDebugger()
self.setupDebugger()
# Create new process
try:
self.process = self.createProcess()
except ChildError as err:
writeError(getLogger(), err, "Unable to create child process")
return
if not self.process:
return
#self.backtrace()
#self.process.dumpMaps()
while True:
if not self.debugger:
# There is no more process: quit
return
# Execute the user command
try:
self.syscallTrace()
except KeyboardInterrupt:
self.interrupt()
except NewProcessEvent as event:
self.newProcess(event)
except ProcessSignal as event:
self.processSignal(event)
except ProcessExit as event:
error(event)
self.nextProcess()
except ProcessExecution as event:
self.processExecution(event)
except PtraceError as err:
error("ERROR: %s" % err)
if err.errno == ESRCH:
self.deleteProcess(err.pid)
def run(self):
"""
Trace the given process or thread for one syscall
"""
finished = False
self.record.log("Attaching debugger")
try:
self.debugger = PtraceDebugger()
self.debugger.traceFork()
self.debugger.traceExec()
self.debugger.traceClone()
self.traced_item = self.debugger.addProcess(
self.process.pid, False, is_thread=self.is_thread)
self.record.log("PTrace debugger attached successfully")
TracingThread._trace_continue(self.traced_item)
except Exception as e:
self.record.log(
"PTrace debugger attachment failed with reason: {}".format(e))
finished = True
# Trace process until finished
while not finished and not self.stopped:
finished = self._trace(self.traced_item, self.record)
if self.traced_item:
self.traced_item.detach()
# Keep in mind that the process maybe already gone
try:
if self.process.status() == psutil.STATUS_STOPPED:
posix.kill(self.process.pid, signal.SIGCONT)
except psutil.NoSuchProcess:
pass
self.record.log("Tracee appears to have ended and thread will finish")
import sys
import struct
from gdb import Gdb
from ptrace.debugger import PtraceDebugger, ProcessSignal, ProcessExit
pid = sys.argv[1]
gdb = Gdb()
gdb.debugger = PtraceDebugger()
gdb.process = None
gdb.attachProcess(pid)
print("[!] attached to {0}".format(pid))
#gdb.breakpoint("0x80487e0")
gdb.breakpoint("0x080487d6")
gdb.breakpoint("0x08048802")
while (True):
try:
gdb.cont()
eip = gdb.process.getreg("eip")
print("EIP: {0}".format(hex(eip)))
#if eip == 0x80487e0:
# print("pipe descriptor: {0}".format(hex(gdb.process.getreg("eax"))))
# WRITE WHERE
if eip == 0x80487d6:
eax = gdb.process.getreg("eax")
i = gdb.process.readBytes(eax, 4)
def __init__(self):
self.pid = searchProcessByName('wow.exe')
self.name = ""
print("Attach the running process %s" % self.pid)
self.__tracer = PtraceProcess(PtraceDebugger(), self.pid, False)
