ptrace基于地址调试
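; traced_printer2 -- minimal 32-bit Linux program used as the ptrace target.
; Syntax: NASM (Intel).  Target: i386 ELF, raw Linux syscalls via int 0x80.
; Behaviour: writes "Hello,\n" then "world!\n" to stdout and exits.
; The two sys_write sequences keep their original instruction order and
; encodings, so the addresses the tutorial quotes from objdump (the second
; write starting at 0x8048096) remain valid.

SYS_EXIT    equ 1                       ; 32-bit Linux syscall numbers
SYS_WRITE   equ 4
STDOUT      equ 1                       ; file descriptor 1

section .text
; The _start symbol must be declared for the linker (ld)
global _start
_start:
        ; int 0x80 convention: eax = syscall number, ebx/ecx/edx = args 1-3
        mov     edx, len1               ; count
        mov     ecx, msg1               ; buf (absolute address is fine: non-PIE i386)
        mov     ebx, STDOUT             ; fd
        mov     eax, SYS_WRITE
        int     0x80                    ; write(STDOUT, msg1, len1)

        mov     edx, len2
        mov     ecx, msg2
        mov     ebx, STDOUT
        mov     eax, SYS_WRITE
        int     0x80                    ; write(STDOUT, msg2, len2)

        ; The original left ebx untouched here, so the process exited with
        ; whatever the last write used as fd (1).  Exit with status 0 instead.
        xor     ebx, ebx
        mov     eax, SYS_EXIT
        int     0x80                    ; exit(0) -- does not return

section .data
msg1    db      'Hello,', 0xa
len1    equ     $ - msg1
msg2    db      'world!', 0xa
len2    equ     $ - msg2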
traced_printer2: file format elf32-i386
Sections:
Idx Name Size VMA LMA File off Algn
0 .text 00000033 08048080 08048080 00000080 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
1 .data 0000000e 080490b4 080490b4 000000b4 2**2
CONTENTS, ALLOC, LOAD, DATA
Disassembly of section .text:
08048080 <.text>:
8048080: ba 07 00 00 00 mov $0x7,%edx
8048085: b9 b4 90 04 08 mov $0x80490b4,%ecx
804808a: bb 01 00 00 00 mov $0x1,%ebx
804808f: b8 04 00 00 00 mov $0x4,%eax
8048094: cd 80 int $0x80
8048096: ba 07 00 00 00 mov $0x7,%edx
804809b: b9 bb 90 04 08 mov $0x80490bb,%ecx
80480a0: bb 01 00 00 00 mov $0x1,%ebx
80480a5: b8 04 00 00 00 mov $0x4,%eax
80480aa: cd 80 int $0x80
80480ac: b8 01 00 00 00 mov $0x1,%eax
80480b1: cd 80 int $0x80
$ readelf -h traced_printer2
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x8048080
Start of program headers: 52 (bytes into file)
Start of section headers: 220 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 2
Size of section headers: 40 (bytes)
Number of section headers: 4
Section header string table index: 3
/* Obtain and show child's instruction pointer */
ptrace(PTRACE_GETREGS, child_pid, 0, ®s);
procmsg(
"Child started. EIP = 0x%08x\n"
, regs.eip);
/* Look at the word at the address we're interested in */
unsigned addr = 0x8048096;
unsigned data = ptrace(PTRACE_PEEKTEXT, child_pid, (
void
*)addr, 0);
procmsg(
"Original data at 0x%08x: 0x%08x\n"
, addr, data);
[13028] Child started. EIP = 0x08048080
[13028] Original data at 0x08048096: 0x000007ba
/* Write the trap instruction 'int 3' into the address */
unsigned data_with_trap = (data & 0xFFFFFF00) | 0xCC;
ptrace(PTRACE_POKETEXT, child_pid, (
void
*)addr, (
void
*)data_with_trap);
/* See what's there again... */
unsigned readback_data = ptrace(PTRACE_PEEKTEXT, child_pid, (
void
*)addr, 0);
procmsg(
"After trap, data at 0x%08x: 0x%08x\n"
, addr, readback_data);
[13028] After trap, data at 0x08048096: 0x000007cc
/* Let the child run to the breakpoint and wait for it to
** reach it
*/
ptrace(PTRACE_CONT, child_pid, 0, 0);
wait(&wait_status);
if
(WIFSTOPPED(wait_status)) {
procmsg(
"Child got a signal: %s\n"
, strsignal(WSTOPSIG(wait_status)));
}
else
{
perror
(
"wait"
);
return
;
}
/* See where the child is now */
ptrace(PTRACE_GETREGS, child_pid, 0, ®s);
procmsg(
"Child stopped at EIP = 0x%08x\n"
, regs.eip);
Hello,
[13028] Child got a signal: Trace/breakpoint trap
[13028] Child stopped at EIP = 0x08048097
/* Remove the breakpoint by restoring the previous data
** at the target address, and unwind the EIP back by 1 to
** let the CPU execute the original instruction that was
** there.
*/
ptrace(PTRACE_POKETEXT, child_pid, (
void
*)addr, (
void
*)data);
regs.eip -= 1;
ptrace(PTRACE_SETREGS, child_pid, 0, ®s);
/* The child can continue running now */
ptrace(PTRACE_CONT, child_pid, 0, 0);
.. some code ..
jz foo
dec eax
foo:
call bar
.. some code ..
#include <stdio.h>
/* Emit the greeting prefix "Hello, " (no newline) to stdout.
 * main() calls this once per loop iteration; it has no other side effects. */
void
do_stuff()
{
    /* No format directives in the text, so fputs is equivalent to printf here. */
    fputs("Hello, ", stdout);
}
/* Program entry point: prints "Hello, " four times, then "world!\n",
 * and exits with status 0. */
int
main()
{
    enum { GREETING_COUNT = 4 };        /* number of do_stuff() calls */
    int remaining = GREETING_COUNT;

    while (remaining-- > 0)
        do_stuff();

    fputs("world!\n", stdout);
    return 0;
}
080483e4 <do_stuff>:
80483e4: 55 push %ebp
80483e5: 89 e5 mov %esp,%ebp
80483e7: 83 ec 18 sub $0x18,%esp
80483ea: c7 04 24 f0 84 04 08 movl $0x80484f0,(%esp)
80483f1: e8 22 ff ff ff call 8048318 <puts@plt>
80483f6: c9 leave
80483f7: c3 ret
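/* Drive a traced child through a software breakpoint placed at a fixed
 * address, resuming it each time the breakpoint is hit until the child exits.
 *
 * child_pid: pid of a child that has already requested tracing (PTRACE_TRACEME
 *            followed by exec happens in the child, outside this function) and
 *            is therefore expected to stop on its first instruction.
 *
 * Returns nothing.  Error paths are reported through procmsg() and return
 * early; no exception-style unwinding exists here.
 *
 * Relies on helpers defined elsewhere in the file: procmsg, get_child_eip,
 * create_breakpoint, resume_from_breakpoint, cleanup_breakpoint.
 * WIFSTOPPED/WIFEXITED come from <sys/wait.h>, the same header that already
 * provides wait().
 */
void
run_debugger(pid_t child_pid)
{
    int wait_status;

    /* Address of do_stuff in traced_c_loop (see the objdump listing above). */
    const unsigned long breakpoint_addr = 0x080483e4;

    procmsg("debugger started\n");

    /* Wait for child to stop on its first instruction.  The original passed
     * wait(0) and assumed a stop; if the child instead died before exec, the
     * rest of this function would be talking to a non-existent tracee. */
    wait(&wait_status);
    if (!WIFSTOPPED(wait_status)) {
        procmsg("child did not stop on its first instruction (status 0x%x)\n",
                wait_status);
        return;
    }
    procmsg("child now at EIP = 0x%08x\n", get_child_eip(child_pid));

    /* Create breakpoint and run to it.  NOTE(review): assumes create_breakpoint
     * returns NULL on failure -- confirm against its definition. */
    debug_breakpoint* bp = create_breakpoint(child_pid, (void*)breakpoint_addr);
    if (bp == NULL) {
        procmsg("could not create breakpoint at 0x%08lx\n", breakpoint_addr);
        return;
    }
    procmsg("breakpoint created\n");

    ptrace(PTRACE_CONT, child_pid, 0, 0);
    wait(&wait_status);
    /* The child may finish without ever reaching the breakpoint; in that case
     * there is nothing to resume from. */
    if (WIFEXITED(wait_status)) {
        procmsg("child exited\n");
        cleanup_breakpoint(bp);
        return;
    }

    /* Loop as long as the child didn't exit */
    while (1) {
        /* The child is stopped at a breakpoint here. Resume its
        ** execution until it either exits or hits the
        ** breakpoint again.
        */
        procmsg("child stopped at breakpoint. EIP = 0x%08X\n",
                get_child_eip(child_pid));
        procmsg("resuming\n");

        /* resume_from_breakpoint contract as used here: 0 = child exited,
         * 1 = breakpoint hit again, anything else is unexpected. */
        int rc = resume_from_breakpoint(child_pid, bp);
        if (rc == 0) {
            procmsg("child exited\n");
            break;
        }
        else if (rc == 1) {
            continue;
        }
        else {
            procmsg("unexpected: %d\n", rc);
            break;
        }
    }

    cleanup_breakpoint(bp);
}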
$ bp_use_lib traced_c_loop
[13363] debugger started
[13364] target started. will run 'traced_c_loop'
[13363] child now at EIP = 0x00a37850
[13363] breakpoint created
[13363] child stopped at breakpoint. EIP = 0x080483E5
[13363] resuming
Hello,
[13363] child stopped at breakpoint. EIP = 0x080483E5
[13363] resuming
Hello,
[13363] child stopped at breakpoint. EIP = 0x080483E5
[13363] resuming
Hello,
[13363] child stopped at breakpoint. EIP = 0x080483E5
[13363] resuming
Hello,
world!
[13363] child exited