Injecting code into a process on Ubuntu 64-bit

Updated: 2024-10-24 12:23:10

Problem description


I'm learning ptrace from the article "Playing with ptrace". Now I can set a breakpoint by replacing the tracee's instruction with "syscall", but I can't inject code successfully.


In x86, the print can use "int 80" and then pause the process with "int3". How can I inject code that has the instruction "syscall" and stop the process when the injected code finishes, on x64? Thanks.

The code I inject is this:

```nasm
section .text
global main
main:
    mov rax, 1          ; sys_write
    mov rdi, 1          ; fd = stdout
    mov rsi, message    ; absolute address of the string (not position independent)
    mov rdx, 13
    syscall
    int3                ; stop the tracee so the tracer can restore it
message:
    db "Hello world", 10
```

My code is:

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/reg.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#define LONG_SIZE 8

/* Copy len bytes of the tracee's memory starting at addr into str, one word at a time. */
void getdata(pid_t child, long addr, unsigned char *str, int len)
{
    unsigned char *laddr = str;
    int i = 0, j = len / LONG_SIZE;
    union u {
        long val;
        unsigned char chars[LONG_SIZE];
    } word;

    while (i < j) {
        errno = 0; /* PEEKDATA may legitimately return -1, so errors are detected via errno */
        word.val = ptrace(PTRACE_PEEKDATA, child, addr + i * LONG_SIZE, NULL);
        if (word.val == -1 && errno != 0)
            perror("trace error");
        memcpy(laddr, word.chars, LONG_SIZE);
        ++i;
        laddr += LONG_SIZE;
    }
    j = len % LONG_SIZE;
    if (j != 0) {
        errno = 0;
        word.val = ptrace(PTRACE_PEEKDATA, child, addr + i * LONG_SIZE, NULL); /* the post had '==' here */
        if (word.val == -1 && errno != 0)
            perror("trace error");
        memcpy(laddr, word.chars, j); /* the post never copied this trailing partial word */
    }
    /* No terminating '\0': the caller's buffer is exactly len bytes, so str[len] would overflow it. */
}

/* Write len bytes from str into the tracee's memory at addr, one word at a time. */
void putdata(pid_t child, long addr, const unsigned char *str, int len)
{
    const unsigned char *laddr = str;
    int i = 0, j = len / LONG_SIZE;
    union u {
        long val;
        unsigned char chars[LONG_SIZE];
    } word;

    while (i < j) {
        memcpy(word.chars, laddr, LONG_SIZE);
        if (ptrace(PTRACE_POKEDATA, child, addr + i * LONG_SIZE, word.val) == -1)
            perror("trace error");
        ++i;
        laddr += LONG_SIZE;
    }
    j = len % LONG_SIZE;
    if (j != 0) {
        word.val = 0;
        memcpy(word.chars, laddr, j);
        if (ptrace(PTRACE_POKEDATA, child, addr + i * LONG_SIZE, word.val) == -1)
            perror("trace error");
    }
}

void printBytes(const char *tip, const unsigned char *codes, int len)
{
    int i;
    printf("%s :", tip);
    for (i = 0; i < len; ++i)
        printf("%02x ", codes[i]);
    puts("");
}

#define CODE_SIZE 48

int main(int argc, char *argv[])
{
    pid_t traced_process;
    struct user_regs_struct regs;
    /* Machine code of the asm above. The 8-byte immediate for rsi is left as zero,
     * so the write() call gets a NULL buffer; the rest of the buffer is zero padding. */
    unsigned char code[CODE_SIZE] = {
        0xb8, 0x01, 0x00, 0x00, 0x00,                               /* mov eax, 1  (sys_write) */
        0xbf, 0x01, 0x00, 0x00, 0x00,                               /* mov edi, 1  (stdout) */
        0x48, 0xbe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* mov rsi, imm64 (0) */
        0xba, 0x0d, 0x00, 0x00, 0x00,                               /* mov edx, 13 */
        0x0f, 0x05,                                                 /* syscall */
        0xcc,                                                       /* int3 */
        0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x77, 0x6f, 0x72, 0x6c, 0x64, 0x0a /* "Hello world\n" */
    };
    unsigned char backup[CODE_SIZE];

    if (argc != 2) {
        puts("no pid input");
        exit(1);
    }
    traced_process = atoi(argv[1]);
    printf("try to attach pid:%d\n", traced_process);
    if (ptrace(PTRACE_ATTACH, traced_process, NULL, NULL) == -1) {
        perror("trace attach error");
        exit(1);
    }
    wait(NULL);
    if (ptrace(PTRACE_GETREGS, traced_process, NULL, &regs) == -1)
        perror("trace get regs error");

    /* copy the tracee's original instructions into backup */
    getdata(traced_process, regs.rip, backup, CODE_SIZE);
    printBytes("get tracee instruction", backup, CODE_SIZE);

    puts("try to inject code");
    putdata(traced_process, regs.rip, code, CODE_SIZE);
    puts("inject success, tracee continue");
    if (ptrace(PTRACE_CONT, traced_process, NULL, NULL) == -1)
        perror("trace continue error");

    /* wait for the tracee to execute int3 and stop */
    wait(NULL);
    puts("inject code finish, Press <Enter> to continue");
    getchar();

    printBytes("replace injected instructions with backup instructions", backup, CODE_SIZE);
    putdata(traced_process, regs.rip, backup, CODE_SIZE);
    ptrace(PTRACE_SETREGS, traced_process, NULL, &regs);
    ptrace(PTRACE_DETACH, traced_process, NULL, NULL);
    return 0;
}
```


It doesn't work; it can only make the tracee stop and resume. What's wrong with it? I run it on Ubuntu 16.04 64-bit.

Answer


I know the reason. The asm code that I posted is not PIC; when it is injected into the tracee's memory, the string address is wrong, so it fails. The right asm code should be:

```nasm
section .text
global main
main:
    jmp forward
backward:
    pop rsi             ; return address pushed by "call backward" = address of the string
    mov rax, 1          ; sys_write
    mov rdi, 1          ; fd = stdout
    mov rdx, 13
    syscall
    int3                ; stop the tracee so the tracer can restore it
forward:
    call backward       ; pushes the address of the bytes that follow
    db "Hello world", 0xa
```
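A defender-side check that belongs next to this, added here and not part of the original question or answer: an attach like the one in the question is only possible when Yama's ptrace_scope allows it (Ubuntu defaults to 1, so PTRACE_ATTACH to a process that is not a descendant fails with EPERM unless the caller has CAP_SYS_PTRACE), and a process can notice an attached tracer through the TracerPid field of /proc/self/status. The parsing helper is exercised on constructed /proc text; the file paths are the real ones.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the TracerPid field from the text of /proc/<pid>/status: returns the
 * attached tracer's pid, 0 when nobody is attached, -1 if the field is absent. */
int tracer_pid_from_status(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    return p ? (int)strtol(p + strlen("TracerPid:"), NULL, 10) : -1;
}
/* Meaning of the /proc/sys/kernel/yama/ptrace_scope values (Yama LSM). */
const char *describe_ptrace_scope(int scope)
{
    switch (scope) {
    case 0:  return "classic: attach to any process of the same uid";
    case 1:  return "restricted: attach only to descendants (Ubuntu default)";
    case 2:  return "admin-only: attach requires CAP_SYS_PTRACE";
    case 3:  return "no attach: PTRACE_ATTACH disabled for everyone";
    default: return "unknown";
    }
}
/* Read the live ptrace_scope value; -1 when Yama is not available. */
int read_ptrace_scope(void)
{
    int scope = -1;
    FILE *f = fopen("/proc/sys/kernel/yama/ptrace_scope", "r");
    if (f == NULL) return -1;
    if (fscanf(f, "%d", &scope) != 1) scope = -1;
    fclose(f);
    return scope;
}
/* Is the calling process ptrace-attached right now? 1 yes, 0 no, -1 on error. */
int self_is_traced(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) > 0;
}
int main(void)
{
    int s = read_ptrace_scope();
    printf("ptrace_scope=%d (%s), traced=%d\n", s, describe_ptrace_scope(s), self_is_traced());
    return 0;
}
```

Run the same binary under gdb or strace and the traced flag flips to 1; raising ptrace_scope to 2 or 3 is the system-wide way to stop unprivileged attaches.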

Published: 2023-11-16 20:48:26
Source: https://www.elefans.com/category/jswz/34/1607408.html