-
-
[分享][分享]玩转ptrace之x64举例
-
发表于: 2014-8-24 17:44
-
关于ptrace的用法,首推Pradeep Padala 的作品Playing with ptrace:
Playing with ptrace, Part I
Playing with ptrace, Part II
现在用64系统的比较多了,文中的例子都是基于x86的,要想在64位系统上运行,就需适当修改。下面举个例子,大牛不要拍砖啊
。
注释部分是对原代码的修改,测试环境ubuntu 14。
Playing with ptrace, Part I
Playing with ptrace, Part II
现在用64系统的比较多了,文中的例子都是基于x86的,要想在64位系统上运行,就需适当修改。下面举个例子,大牛不要拍砖啊
。
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <sys/reg.h> //#include <linux/user.h>
#include <sys/syscall.h>
const int long_size = sizeof(long);
void reverse(char *str)
{
int i, j;
char temp;
for(i = 0, j = strlen(str) - 2;
i <= j; ++i, --j) {
temp = str[i];
str[i] = str[j];
str[j] = temp;
}
}
void getdata(pid_t child, long addr,
char *str, int len)
{
char *laddr;
int i, j;
union u {
long val;
char chars[long_size];
}data;
i = 0;
j = len / long_size;
laddr = str;
while(i < j) {
data.val = ptrace(PTRACE_PEEKDATA,
child, addr + i * 8, //i * 4
NULL);
memcpy(laddr, data.chars, long_size);
++i;
laddr += long_size;
}
j = len % long_size;
if(j != 0) {
data.val = ptrace(PTRACE_PEEKDATA,
child, addr + i * 8, //i * 4
NULL);
memcpy(laddr, data.chars, j);
}
str[len] = '\0';
}
void putdata(pid_t child, long addr,
char *str, int len)
{
char *laddr;
int i, j;
union u {
long val;
char chars[long_size];
}data;
i = 0;
j = len / long_size;
laddr = str;
while(i < j) {
memcpy(data.chars, laddr, long_size);
ptrace(PTRACE_POKEDATA, child,
addr + i * 8, data.val); //i * 4
++i;
laddr += long_size;
}
j = len % long_size;
if(j != 0) {
memcpy(data.chars, laddr, j);
ptrace(PTRACE_POKEDATA, child,
addr + i * 8, data.val); //i * 4
}
}
int main()
{
pid_t child;
child = fork();
if(child == 0) {
ptrace(PTRACE_TRACEME, 0, NULL, NULL);
execl("/bin/ls", "ls", NULL);
}
else {
long orig_eax;
long params[3];
int status;
char *str, *laddr;
int toggle = 0;
while(1) {
wait(&status);
if(WIFEXITED(status))
break;
orig_eax = ptrace(PTRACE_PEEKUSER,
child, 8 * ORIG_RAX, //4 * ORIG_EAX
NULL);
if(orig_eax == SYS_write) {
if(toggle == 0) {
toggle = 1;
params[0] = ptrace(PTRACE_PEEKUSER,
child, 8 * RDI, //4 * EBX
NULL);
params[1] = ptrace(PTRACE_PEEKUSER,
child, 8 * RSI, //4 * ECX
NULL);
params[2] = ptrace(PTRACE_PEEKUSER,
child, 8 * RDX, //4 * EDX
NULL);
str = (char *)calloc((params[2]+1) //
, sizeof(char));
getdata(child, params[1], str,
params[2]);
reverse(str);
putdata(child, params[1], str,
params[2]);
}
else {
toggle = 0;
}
}
ptrace(PTRACE_SYSCALL, child, NULL, NULL);
}
}
return 0;
}注释部分是对原代码的修改,测试环境ubuntu 14。
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
