[求助]Playing with ptrace例子freespaceinject.c无法得到期望的结果
发表于: 2015-12-21 15:39 2533
Playing with ptrace例子freespaceinject.c无法得到期望的结果
操作系统是Ubuntu 12.04 32位
运行Playing with ptrace中的最后一个例子freespaceinject.c,没有得到期望的结果(让被调试程序dummy2打印字符串“Hello World\n”。)
freespaceinject.c的处理过程如下:
(1)使用ptrace附加到被调试程序
(2)将打印代码注入(注入前先备份)到程序的自由空间
(3)修改EIP,指向打印代码
(4)被调试程序执行打印代码,打印字符串并执行int3指令
(5)freespaceinject恢复数据和寄存器、EIP
(6)被调试程序继续进行。
操作时,先运行被调试程序dummy2,然后启动freespaceinject。
具体的操作过程如下:
【ptrace scope设置】
hx@hx-VirtualBox:~/dev/ptrace$ su
root@hx-VirtualBox:/home/hx/dev/ptrace# echo 0 > /proc/sys/kernel/yama/ptrace_scope
root@hx-VirtualBox:/home/hx/dev/ptrace# exit
exit
hx@hx-VirtualBox:~/dev/ptrace$
【被调试程序dummy2.c】
hx@hx-VirtualBox:~/dev/ptrace/tmp3$ cat dummy2.c
hx@hx-VirtualBox:~/dev/ptrace/tmp3$ gcc -zexecstack dummy2.c -o dummy2
hx@hx-VirtualBox:~/dev/ptrace/tmp3$ ./dummy2
My counter: 0
My counter: 1
My counter: 2
My counter: 3
My counter: 4
My counter: 5
My counter: 6
My counter: 7
My counter: 8
My counter: 9
hx@hx-VirtualBox:~/dev/ptrace/tmp3$ cat /proc/`pgrep dummy2`/maps
08048000-08049000 r-xp 00000000 08:01 54069 /home/hx/dev/ptrace/tmp3/dummy2
08049000-0804a000 r-xp 00000000 08:01 54069 /home/hx/dev/ptrace/tmp3/dummy2
0804a000-0804b000 rwxp 00001000 08:01 54069 /home/hx/dev/ptrace/tmp3/dummy2
b7e20000-b7e21000 rwxp 00000000 00:00 0
b7e21000-b7fc4000 r-xp 00000000 08:01 130959 /lib/i386-linux-gnu/libc-2.15.so
b7fc4000-b7fc6000 r-xp 001a3000 08:01 130959 /lib/i386-linux-gnu/libc-2.15.so
b7fc6000-b7fc7000 rwxp 001a5000 08:01 130959 /lib/i386-linux-gnu/libc-2.15.so
b7fc7000-b7fca000 rwxp 00000000 00:00 0
b7fda000-b7fdd000 rwxp 00000000 00:00 0
b7fdd000-b7fde000 r-xp 00000000 00:00 0 [vdso]
b7fde000-b7ffe000 r-xp 00000000 08:01 130939 /lib/i386-linux-gnu/ld-2.15.so
b7ffe000-b7fff000 r-xp 0001f000 08:01 130939 /lib/i386-linux-gnu/ld-2.15.so
b7fff000-b8000000 rwxp 00020000 08:01 130939 /lib/i386-linux-gnu/ld-2.15.so
bffdf000-c0000000 rwxp 00000000 00:00 0 [stack]
【freespaceinject】
hx@hx-VirtualBox:~/dev/ptrace/tmp3$ cat freespaceinject.c
hx@hx-VirtualBox:~/dev/ptrace/tmp3$ ./freespaceinject `pgrep dummy2`
free addr: b7e20000
The process stopped, Putting back the original instructions
Letting it continue with original flow
【注入代码hello.c】
freespaceinject.c中的insertcode来自hello.c编译后的结果
hx@hx-VirtualBox:~/dev/ptrace$ cat hello.c
hx@hx-VirtualBox:~/dev/ptrace$ gcc hello.c -o hello
hx@hx-VirtualBox:~/dev/ptrace$ gdb ./hello
(gdb) disass /r main
Dump of assembler code for function main:
0x080483b4 <+0>: 55 push %ebp
0x080483b5 <+1>: 89 e5 mov %esp,%ebp
0x080483b7 <+3>: eb 15 jmp 0x80483ce <forward> //insertcode的开始
0x080483b9 <+5>: 5e pop %esi
0x080483ba <+6>: b8 04 00 00 00 mov $0x4,%eax
0x080483bf <+11>: bb 02 00 00 00 mov $0x2,%ebx
0x080483c4 <+16>: 89 f1 mov %esi,%ecx
0x080483c6 <+18>: ba 0c 00 00 00 mov $0xc,%edx
0x080483cb <+23>: cd 80 int $0x80
0x080483cd <+25>: cc int3
0x080483ce <+0>: e8 e6 ff ff ff call 0x80483b9 <main+5>
0x080483d3 <+5>: 48 dec %eax
0x080483d4 <+6>: 65 gs
0x080483d5 <+7>: 6c insb (%dx),%es:(%edi)
0x080483d6 <+8>: 6c insb (%dx),%es:(%edi)
0x080483d7 <+9>: 6f outsl %ds:(%esi),(%dx)
0x080483d8 <+10>: 20 57 6f and %dl,0x6f(%edi)
0x080483db <+13>: 72 6c jb 0x8048449 <__libc_csu_init+89>
0x080483dd <+15>: 64 0a 00 or %fs:(%eax),%al //insertcode的结束
0x080483e0 <+18>: 5d pop %ebp
0x080483e1 <+19>: c3 ret
End of assembler dump.
操作系统是Ubuntu 12.04 32位
运行Playing with ptrace中的最后一个例子freespaceinject.c,没有得到期望的结果(让被调试程序dummy2打印字符串“Hello World\n”。)
freespaceinject.c的处理过程如下:
(1)使用ptrace附加到被调试程序
(2)将打印代码注入(注入前先备份)到程序的自由空间
(3)修改EIP,指向打印代码
(4)被调试程序执行打印代码,打印字符串并执行int3指令
(5)freespaceinject恢复数据和寄存器、EIP
(6)被调试程序继续进行。
操作时,先运行被调试程序dummy2,然后启动freespaceinject。
具体的操作过程如下:
【ptrace scope设置】
hx@hx-VirtualBox:~/dev/ptrace$ su
root@hx-VirtualBox:/home/hx/dev/ptrace# echo 0 > /proc/sys/kernel/yama/ptrace_scope
root@hx-VirtualBox:/home/hx/dev/ptrace# exit
exit
hx@hx-VirtualBox:~/dev/ptrace$
【被调试程序dummy2.c】
hx@hx-VirtualBox:~/dev/ptrace/tmp3$ cat dummy2.c
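#include <stdio.h>
#include <unistd.h>  /* sleep(); the original relied on an implicit declaration */

/*
 * dummy2: the target process for the ptrace experiment.
 *
 * Prints a counter once every two seconds, so the tracer has a long window in
 * which to attach.  Note that almost all of that time is spent blocked inside
 * sleep(), i.e. inside a system call — the tracee will normally be stopped
 * there when freespaceinject attaches.
 *
 * Returns 0 after ten iterations.
 */
int main(void)
{
    for (int i = 0; i < 10; ++i) {
        printf("My counter: %d \n", i);
        sleep(2);
    }
    return 0;
}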
hx@hx-VirtualBox:~/dev/ptrace/tmp3$ gcc -zexecstack dummy2.c -o dummy2
hx@hx-VirtualBox:~/dev/ptrace/tmp3$ ./dummy2
My counter: 0
My counter: 1
My counter: 2
My counter: 3
My counter: 4
My counter: 5
My counter: 6
My counter: 7
My counter: 8
My counter: 9
hx@hx-VirtualBox:~/dev/ptrace/tmp3$ cat /proc/`pgrep dummy2`/maps
08048000-08049000 r-xp 00000000 08:01 54069 /home/hx/dev/ptrace/tmp3/dummy2
08049000-0804a000 r-xp 00000000 08:01 54069 /home/hx/dev/ptrace/tmp3/dummy2
0804a000-0804b000 rwxp 00001000 08:01 54069 /home/hx/dev/ptrace/tmp3/dummy2
b7e20000-b7e21000 rwxp 00000000 00:00 0
b7e21000-b7fc4000 r-xp 00000000 08:01 130959 /lib/i386-linux-gnu/libc-2.15.so
b7fc4000-b7fc6000 r-xp 001a3000 08:01 130959 /lib/i386-linux-gnu/libc-2.15.so
b7fc6000-b7fc7000 rwxp 001a5000 08:01 130959 /lib/i386-linux-gnu/libc-2.15.so
b7fc7000-b7fca000 rwxp 00000000 00:00 0
b7fda000-b7fdd000 rwxp 00000000 00:00 0
b7fdd000-b7fde000 r-xp 00000000 00:00 0 [vdso]
b7fde000-b7ffe000 r-xp 00000000 08:01 130939 /lib/i386-linux-gnu/ld-2.15.so
b7ffe000-b7fff000 r-xp 0001f000 08:01 130939 /lib/i386-linux-gnu/ld-2.15.so
b7fff000-b8000000 rwxp 00020000 08:01 130939 /lib/i386-linux-gnu/ld-2.15.so
bffdf000-c0000000 rwxp 00000000 00:00 0 [stack]
【freespaceinject】
hx@hx-VirtualBox:~/dev/ptrace/tmp3$ cat freespaceinject.c
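#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <sys/user.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * freespaceinject: the last example from "Playing with ptrace".
 *
 * Attaches to a running process, saves a window of an anonymous mapping,
 * writes the machine code taken from hello.c there, points EIP at it, waits
 * for the int3 stop, then restores the saved bytes and registers and detaches.
 *
 * Reader notes:
 *  - i386-only: it relies on user_regs_struct.eip and on int $0x80 code.
 *  - Attaching to a process that is not a descendant needs
 *    kernel.yama.ptrace_scope=0 or CAP_SYS_PTRACE.  The transcript on this
 *    page sets the sysctl to 0, which is a host-wide hardening control and
 *    should be restored once the experiment is over.
 *  - Unlike the original listing, every ptrace()/waitpid() result is checked
 *    and the stop signal after PTRACE_CONT is inspected.  The original used
 *    wait(NULL), so a SIGSEGV in the injected code printed exactly the same
 *    messages as the expected SIGTRAP — which is why a failed run looks like
 *    a successful one.
 *  - The garbled "&reg;s" in the posted listing is "&regs".
 */

const int long_size = sizeof(long);

/*
 * Copy `len` bytes of the tracee's memory starting at `addr` into `str`.
 *
 * PTRACE_PEEKDATA returns the word itself, so a result of -1 is ambiguous;
 * errno is cleared before each call and consulted afterwards.  A trailing
 * partial word (len not a multiple of sizeof(long)) is copied too; the
 * original silently dropped it.
 *
 * Returns 0 on success, -1 if a peek failed (errno is left set by ptrace).
 */
int getdata(pid_t child, long addr, char *str, int len)
{
    size_t total = (len > 0) ? (size_t)len : 0;
    size_t done = 0;

    while (done < total) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, child, addr + (long)done, NULL);
        if (word == -1 && errno != 0) {
            return -1;
        }
        size_t chunk = total - done;
        if (chunk > sizeof word) {
            chunk = sizeof word;
        }
        memcpy(str + done, &word, chunk);
        done += chunk;
    }
    return 0;
}

/*
 * Write `len` bytes from `str` into the tracee's memory starting at `addr`.
 *
 * Writes happen one word at a time.  For a trailing partial word the
 * existing word is read first so that bytes outside the requested range are
 * preserved (the original dropped the tail instead).
 *
 * Returns 0 on success, -1 if a peek or poke failed.
 */
int putdata(pid_t child, long addr, char *str, int len)
{
    size_t total = (len > 0) ? (size_t)len : 0;
    size_t done = 0;

    while (done < total) {
        long word = 0;
        size_t chunk = total - done;
        if (chunk > sizeof word) {
            chunk = sizeof word;
        }
        if (chunk < sizeof word) {
            /* Partial word: keep the tracee's bytes we are not replacing. */
            errno = 0;
            word = ptrace(PTRACE_PEEKDATA, child, addr + (long)done, NULL);
            if (word == -1 && errno != 0) {
                return -1;
            }
        }
        memcpy(&word, str + done, chunk);
        if (ptrace(PTRACE_POKEDATA, child, addr + (long)done, (void *)word) == -1) {
            return -1;
        }
        done += chunk;
    }
    return 0;
}

/*
 * Find the start address of the first anonymous mapping of `pid` by scanning
 * /proc/<pid>/maps for a line whose device field is "00:00".
 *
 * The line buffer is large enough for a maps line with a long path; the
 * original's 85-byte buffer would split such a line across two fgets() calls
 * and then parse the remainder as if it were a line of its own.  The
 * permissions field is read only to warn when the chosen region is not
 * executable (on this page all regions are rwxp because dummy2 was built
 * with -zexecstack; without that, code placed here would fault under NX).
 *
 * Exits the process if the maps file cannot be opened or no anonymous
 * mapping is found (the original returned an uninitialised value then).
 */
long freespaceaddr(pid_t pid)
{
    char filename[64];
    char line[512];
    long addr = 0;
    int found = 0;

    snprintf(filename, sizeof filename, "/proc/%ld/maps", (long)pid);
    FILE *fp = fopen(filename, "r");
    if (fp == NULL) {
        perror(filename);
        exit(1);
    }
    while (fgets(line, sizeof line, fp) != NULL) {
        unsigned long start;
        char perms[8];
        char dev[20];
        /* fields: start-end perms offset dev inode [path]; end/offset skipped */
        if (sscanf(line, "%lx-%*lx %7s %*s %19s", &start, perms, dev) != 3) {
            continue;
        }
        if (strcmp(dev, "00:00") == 0) {
            if (strchr(perms, 'x') == NULL) {
                fprintf(stderr, "warning: mapping at %lx is not executable (%s)\n",
                        start, perms);
            }
            addr = (long)start;
            found = 1;
            break;
        }
    }
    fclose(fp);
    if (!found) {
        fprintf(stderr, "no anonymous mapping found in %s\n", filename);
        exit(1);
    }
    return addr;
}

/*
 * Usage: freespaceinject <pid>
 *
 * Steps (as described in the post): attach, save `len` bytes at the chosen
 * address, write insertcode there, set EIP to it, continue until the tracee
 * stops, restore bytes and registers, detach.
 *
 * Returns 0 when the sequence completes; 1 on a usage error, an attach
 * failure, or when the tracee disappeared.  On a mid-sequence ptrace failure
 * the tracee is still detached before returning.
 */
int main(int argc, char *argv[])
{
    /* Machine code of hello.c's main from `jmp forward` up to the string's
     * terminating NUL (41 bytes), padded with zeros to 44 = 11 words. */
    char insertcode[] =
        "\xeb\x15\x5e\xb8\x04\x00\x00\x00\xbb\x02\x00\x00\x00\x89\xf1\xba\x0c\x00\x00\x00\xcd\x80\xcc\xe8\xe6\xff\xff\xff\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x0a\x00\x00\x00\x00";
    int len = (int)(sizeof insertcode - 1);
    char backup[sizeof insertcode];
    struct user_regs_struct oldregs, regs;
    pid_t traced_process;
    long addr = 0;
    int status = 0;
    int rc = 0;

    if (argc != 2) {
        /* The original passed argv[1] as an unused extra argument here. */
        printf("Usage: %s <pid to be traced>\n", argv[0]);
        exit(1);
    }

    /* strtol instead of atoi so that a non-numeric pid is rejected. */
    errno = 0;
    char *end;
    long pid_val = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE || pid_val <= 0) {
        fprintf(stderr, "invalid pid: %s\n", argv[1]);
        exit(1);
    }
    traced_process = (pid_t)pid_val;

    if (ptrace(PTRACE_ATTACH, traced_process, NULL, NULL) == -1) {
        /* EPERM here usually means Yama ptrace_scope or a uid mismatch. */
        perror("PTRACE_ATTACH");
        exit(1);
    }
    if (waitpid(traced_process, &status, 0) == -1 || !WIFSTOPPED(status)) {
        fprintf(stderr, "tracee did not stop after attach (status 0x%x)\n", status);
        exit(1);
    }

    if (ptrace(PTRACE_GETREGS, traced_process, NULL, &regs) == -1) {
        perror("PTRACE_GETREGS");
        rc = 1;
        goto detach;
    }

    addr = freespaceaddr(traced_process);
    /* The transcript on the page shows this line, although the posted
     * listing lacks it; kept as a diagnostic. */
    printf("free addr: %lx\n", addr);

    if (getdata(traced_process, addr, backup, len) == -1) {
        perror("saving original bytes");
        rc = 1;
        goto detach;
    }
    if (putdata(traced_process, addr, insertcode, len) == -1) {
        perror("writing injected bytes");
        rc = 1;
        goto restore;
    }

    oldregs = regs;
    regs.eip = addr;
    if (ptrace(PTRACE_SETREGS, traced_process, NULL, &regs) == -1) {
        perror("PTRACE_SETREGS");
        rc = 1;
        goto restore;
    }
    /* NOTE(review): dummy2 is almost always blocked in sleep() when attached,
     * i.e. stopped inside a system call.  The kernel's syscall-restart
     * handling on resume can adjust EIP before the first injected instruction
     * runs, so reading EIP back at the next stop is the quickest way to tell
     * whether the int3 was actually reached — confirm on the target kernel. */
    if (ptrace(PTRACE_CONT, traced_process, NULL, NULL) == -1) {
        perror("PTRACE_CONT");
        rc = 1;
        goto restore;
    }
    if (waitpid(traced_process, &status, 0) == -1) {
        perror("waitpid");
        rc = 1;
        goto restore;
    }
    if (WIFSTOPPED(status) && WSTOPSIG(status) == SIGTRAP) {
        printf("The process stopped, Putting back the original instructions\n");
    } else if (WIFSTOPPED(status)) {
        struct user_regs_struct now;
        fprintf(stderr, "tracee stopped with signal %d, not SIGTRAP; "
                        "the injected code did not complete\n", WSTOPSIG(status));
        if (ptrace(PTRACE_GETREGS, traced_process, NULL, &now) == 0) {
            fprintf(stderr, "eip=%lx (injected code starts at %lx)\n",
                    (long)now.eip, addr);
        }
        rc = 1;
    } else {
        fprintf(stderr, "tracee exited or was killed (status 0x%x)\n", status);
        return 1;
    }

restore:
    if (putdata(traced_process, addr, backup, len) == -1) {
        perror("restoring original bytes");
        rc = 1;
    }
    if (ptrace(PTRACE_SETREGS, traced_process, NULL, &oldregs) == -1) {
        perror("PTRACE_SETREGS (restore)");
        rc = 1;
    }
    printf("Letting it continue with original flow\n");
detach:
    if (ptrace(PTRACE_DETACH, traced_process, NULL, NULL) == -1) {
        perror("PTRACE_DETACH");
        rc = 1;
    }
    return rc;
}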
hx@hx-VirtualBox:~/dev/ptrace/tmp3$ ./freespaceinject `pgrep dummy2`
free addr: b7e20000
The process stopped, Putting back the original instructions
Letting it continue with original flow
【注入代码hello.c】
freespaceinject.c中的insertcode来自hello.c编译后的结果
hx@hx-VirtualBox:~/dev/ptrace$ cat hello.c
/*
 * Source of the code that freespaceinject.c injects.
 *
 * This file is compiled only so that the machine code of main can be read
 * back with `gdb disass /r`; the bytes from `jmp forward` up to the end of
 * the string become insertcode.  The jmp/call/pop sequence obtains the
 * string's address without knowing where the code will be placed: `call
 * backward` pushes the address of the byte that follows it — the string —
 * and `popl %esi` retrieves it.  The non-standard `void main()` is left
 * as-is so the disassembly shown on this page still matches.
 */
void main()
{
    __asm__ (
        "jmp forward\n\t"
        "backward:\n\t"
        "popl %esi # Get the address of\n\t"
        "# hello world string\n\t"
        "movl $4, %eax # Do write system call\n\t"   /* i386 syscall number: write */
        "movl $2, %ebx\n\t"                           /* 1st argument: fd 2 (normally stderr) */
        "movl %esi, %ecx\n\t"                         /* 2nd argument: buffer address */
        "movl $12, %edx\n\t"                          /* 3rd argument: strlen("Hello World\n") */
        "int $0x80\n\t"
        "int3 # Breakpoint. Here the\n\t"             /* SIGTRAP hands control back to the tracer */
        "# program will stop and\n\t"
        "# give control back to\n\t"
        "# the parent\n\t"
        "forward:\n\t"
        "call backward\n\t"                           /* pushes the string's address */
        ".string \"Hello World\\n\"\n\t"
    );
}
hx@hx-VirtualBox:~/dev/ptrace$ gcc hello.c -o hello
hx@hx-VirtualBox:~/dev/ptrace$ gdb ./hello
(gdb) disass /r main
Dump of assembler code for function main:
0x080483b4 <+0>: 55 push %ebp
0x080483b5 <+1>: 89 e5 mov %esp,%ebp
0x080483b7 <+3>: eb 15 jmp 0x80483ce <forward> //insertcode的开始
0x080483b9 <+5>: 5e pop %esi
0x080483ba <+6>: b8 04 00 00 00 mov $0x4,%eax
0x080483bf <+11>: bb 02 00 00 00 mov $0x2,%ebx
0x080483c4 <+16>: 89 f1 mov %esi,%ecx
0x080483c6 <+18>: ba 0c 00 00 00 mov $0xc,%edx
0x080483cb <+23>: cd 80 int $0x80
0x080483cd <+25>: cc int3
0x080483ce <+0>: e8 e6 ff ff ff call 0x80483b9 <main+5>
0x080483d3 <+5>: 48 dec %eax
0x080483d4 <+6>: 65 gs
0x080483d5 <+7>: 6c insb (%dx),%es:(%edi)
0x080483d6 <+8>: 6c insb (%dx),%es:(%edi)
0x080483d7 <+9>: 6f outsl %ds:(%esi),(%dx)
0x080483d8 <+10>: 20 57 6f and %dl,0x6f(%edi)
0x080483db <+13>: 72 6c jb 0x8048449 <__libc_csu_init+89>
0x080483dd <+15>: 64 0a 00 or %fs:(%eax),%al //insertcode的结束
0x080483e0 <+18>: 5d pop %ebp
0x080483e1 <+19>: c3 ret
End of assembler dump.