如何在Ubuntu x64中使用ptrace插入int3？

内容导读

互联网集市收集整理的这篇技术教程文章主要介绍了如何在Ubuntu x64中使用ptrace插入int3？，小编现在分享给大家，供广大互联网技能从业者学习和参考。文章包含5043字，纯文字阅读大概需要8分钟。

内容图文

我试图按照this guide设置断点来获得相同的结果,唯一的区别是我在x64系统上.因此,我有以下代码用于“ Hello,World！”：

; The _start symbol must be declared for the linker (ld)
global _start

section    .text
_start:

    ; Prepare arguments for the sys_write system call:
    ;   - rax: system call number (sys_write)
    ;   - rdi: file descriptor (stdout)
    ;   - rsi: pointer to string
    ;   - rdx: string length
    mov    rax, 1
    mov    rdi, 1
    mov    rsi, msg1
    mov    rdx, len1
    syscall

    ; int3 should be here

    mov    rax, 1
    mov    rdi, 1
    mov    rsi, msg2
    mov    rdx, len2
    syscall

    ; Execute sys_exit
    mov    rax, 60
    mov    rdi, 0
    syscall

section   .data
    msg1 db    'Hello, ', 0xa
    len1 equ    $- msg1
    msg2 db    'world!', 0xa
    len2 equ    $- msg2

这段代码是这样编译的：nasm -f elf64 hello.s&& ld -s -o你好hello.o：

~$objdump -d hello    

hello:     file format elf64-x86-64


Disassembly of section .text:

00000000004000b0 <.text>:
  4000b0:   48 b8 01 00 00 00 00    movabs $0x1,%rax
  4000b7:   00 00 00 
  4000ba:   48 bf 01 00 00 00 00    movabs $0x1,%rdi
  4000c1:   00 00 00 
  4000c4:   48 be 1c 01 60 00 00    movabs $0x60011c,%rsi
  4000cb:   00 00 00 
  4000ce:   48 ba 08 00 00 00 00    movabs $0x8,%rdx
  4000d5:   00 00 00 
  4000d8:   0f 05                   syscall 
  4000da:   48 b8 01 00 00 00 00    movabs $0x1,%rax
  4000e1:   00 00 00 
  4000e4:   48 bf 01 00 00 00 00    movabs $0x1,%rdi
  4000eb:   00 00 00 
  4000ee:   48 be 24 01 60 00 00    movabs $0x600124,%rsi
  4000f5:   00 00 00 
  4000f8:   48 ba 07 00 00 00 00    movabs $0x7,%rdx
  4000ff:   00 00 00 
  400102:   0f 05                   syscall 
  400104:   48 b8 3c 00 00 00 00    movabs $0x3c,%rax
  40010b:   00 00 00 
  40010e:   48 bf 00 00 00 00 00    movabs $0x0,%rdi
  400115:   00 00 00 
  400118:   0f 05                   syscall

之后,在C程序中,我尝试设置一个断点,如本文中所述.

#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
#include <signal.h>
#include <syscall.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/reg.h>
#include <sys/user.h>
#include <unistd.h>
#include <errno.h>


void procmsg(const char* format, ...)
{
    va_list ap;
    fprintf(stdout, "[%d] ", getpid());
    va_start(ap, format);
    vfprintf(stdout, format, ap);
    va_end(ap);
}

void run_target(const char* programname)
{
    procmsg("target started. will run '%s'\n", programname);

    /* Allow tracing of this process */
    if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) {
        perror("ptrace");
        return;
    }

    /* Replace this process's image with the given program */
    execl(programname, programname, (char *)NULL);
}

void run_debugger(pid_t child_pid)
{
    int wait_status;
    struct user_regs_struct regs;

    procmsg("debugger started\n");

    /* Wait for child to stop on its first instruction */
    wait(&wait_status);

    /* Obtain and show child's instruction pointer */
    ptrace(PTRACE_GETREGS, child_pid, 0, &regs);
    procmsg("Child started. RIP = 0x%08x\n", regs.rip);

    unsigned addr = 0x004000da;
    unsigned data = ptrace(PTRACE_PEEKTEXT, child_pid, (void*)addr, 0);
    procmsg("Original data at 0x%08x: 0x%08x\n", addr, data);

    /* Write the trap instruction 'int 3' into the address */
    unsigned data_with_trap = (data & 0xFFFFFF00) | 0xCC;
    ptrace(PTRACE_POKETEXT, child_pid, (void*)addr, (void*)data_with_trap);

    /* See what's there again... */
    unsigned readback_data = ptrace(PTRACE_PEEKTEXT, child_pid, (void*)addr, 0);
    procmsg("After trap, data at 0x%08x: 0x%08x\n", addr, readback_data);

    /* Let the child run to the breakpoint and wait for it to
    ** reach it
    */
    ptrace(PTRACE_CONT, child_pid, 0, 0);

    wait(&wait_status);
    if (WIFSTOPPED(wait_status)) {
        procmsg("Child got a signal: %s\n", strsignal(WSTOPSIG(wait_status)));
    }
    else {
        perror("wait");
        return;
    }

    /* See where the child is now */
    ptrace(PTRACE_GETREGS, child_pid, 0, &regs);
    procmsg("Child stopped at RIP = 0x%08x\n", regs.rip);

    /* Remove the breakpoint by restoring the previous data
    ** at the target address, and unwind the EIP back by 1 to
    ** let the CPU execute the original instruction that was
    ** there.
    */
    ptrace(PTRACE_POKETEXT, child_pid, (void*)addr, (void*)data);
    regs.rip -= 1;
    ptrace(PTRACE_SETREGS, child_pid, 0, &regs);

    /* The child can continue running now */
    ptrace(PTRACE_CONT, child_pid, 0, 0);

    wait(&wait_status);

    if (WIFEXITED(wait_status)) {
        procmsg("Child exited\n");
    }
    else {
        procmsg("Unexpected signal\n");
    }
}


int main(int argc, char** argv)
{
    pid_t child_pid;

    if (argc < 2) {
        fprintf(stderr, "Expected a program name as argument\n");
        return -1;
    }

    child_pid = fork();
    if (child_pid == 0)
        run_target(argv[1]);
    else if (child_pid > 0)
        run_debugger(child_pid);
    else {
        perror("fork");
        return -1;
    }

    return 0;
}

该代码也可以编译,但是会在执行期间导致分段错误：

~$./ptrace_test_bp hello                         
[24100] debugger started
[24101] target started. will run 'hello'
[24100] Child started. RIP = 0x004000b0
[24100] Original data at 0x004000da: 0x0001b848
[24100] After trap, data at 0x004000da: 0x0001b8cc
Hello, 
[1]    24100 segmentation fault (core dumped)  ./ptrace_test_bp hello

我应该怎么做才能使其在x64上正常运行(在断点处停止并恢复)？

解决方法:

您的C代码在strsignal中出现段错误,因为您忘记了#include< string.h>.

准确地说,它是段错误的,因为没有原型时,strsignal的返回值被假定为int(32位),而实际上它是一个64位的指针.

内容总结

以上是互联网集市为您收集整理的如何在Ubuntu x64中使用ptrace插入int3？全部内容，希望文章能够帮你解决如何在Ubuntu x64中使用ptrace插入int3？所遇到的程序开发问题。 如果觉得互联网集市技术教程内容还不错，欢迎将互联网集市网站推荐给程序员好友。

内容备注

版权声明：本文内容由互联网用户自发贡献，该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容， 请发送邮件至 gblab@vip.qq.com 举报，一经查实，本站将立刻删除。

内容手机端

---