ptrace

Transcript of ptrace

  • ptrace

    Playing Debugger Chess

    Muli Ben-Yehuda

    [email protected]

    IBM Haifa Research Labs

    ptrace - Playing Debugger Chess, Haifux, December 2004 p.1/1

  • TOC

    What is ptrace?

    What is it good for?

    How to use it?

    The ptrace API

    Show me the code!

    Caveat Emptor

  • What is ptrace?

    ptrace is a POSIX standard that defines how one program can control another. It is used by debuggers, emulators, and discerning programmers everywhere.

    sys_ptrace is a Linux system call, which provides the entry point to the code in the kernel that implements the POSIX ptrace API. glibc provides a ptrace() wrapper that user programs should call.

  • What is it good for?

    Figuring out what a program is doing before looking at the source, and when you don't have the source. Is the program failing to find a file? Timing out on DNS lookups? Connecting to strange hosts and sending them all of your data?

    Debugging programs.

    Modifying program execution, when you want a quick and dirty solution (no recompilation), or when you don't have the source.

    Remote controlling programs. Directing program execution in ways which are beneficial to you, and not necessarily what the program's author intended.

  • How to use it?

    From the command line:

    The ubiquitous strace(1)

    $DEBUGGER, especially gdb

    dumpmem(1), available at http://www.mulix.org/dumpmem.html

    Programmatically (see next slides)

  • the ptrace API interface

    #include <sys/ptrace.h>

    long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data);

    enum __ptrace_request
    {
      /* Indicate that the process making this request should be traced.
         All signals received by this process can be intercepted by its
         parent, and its parent can use the other ptrace requests. */
      PTRACE_TRACEME = 0,

      /* Return the word in the process's text space at address ADDR. */
      PTRACE_PEEKTEXT = 1,

      /* Return the word in the process's data space at address ADDR. */
      PTRACE_PEEKDATA = 2,

      /* Return the word in the process's user area at offset ADDR. */
      PTRACE_PEEKUSER = 3,

      /* Write DATA into the process's text space at address ADDR. */
      PTRACE_POKETEXT = 4,

      /* Write DATA into the process's data space at address ADDR. */
      PTRACE_POKEDATA = 5,

      /* Write DATA into the process's user area at offset ADDR. */
      PTRACE_POKEUSER = 6,

      /* Continue the process. */
      PTRACE_CONT = 7,

      /* Kill the process. */
      PTRACE_KILL = 8,

      /* Single step the process. This is not supported on all machines. */
      PTRACE_SINGLESTEP = 9,

      /* Get all general purpose registers used by a process.
         This is not supported on all machines. */
      PTRACE_GETREGS = 12,

      /* Set all general purpose registers used by a process.
         This is not supported on all machines. */
      PTRACE_SETREGS = 13,

      /* [snip] */

      /* Attach to a process that is already running. */
      PTRACE_ATTACH = 16,

      /* Detach from a process attached to with PTRACE_ATTACH. */
      PTRACE_DETACH = 17,

      /* [snip] */

      /* Continue and stop at the next (return from) syscall. */
      PTRACE_SYSCALL = 24
    };

  • Show me the code: dumpmem

    http://www.mulix.org/dumpmem.html

    dumpmem is a process memory dumper.

    It works by running a process (or attaching to a running process) and then using ptrace to read its mapped memory 4 bytes at a time.

    To avoid reading the entire 4GB of virtual address space, it gets the mapped memory regions out of /proc/PID/maps.
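
The dumpmem approach in working C, as an added example that is not dumpmem's own code: a parser for /proc/PID/maps entries and a region dumper that reads a stopped tracee one machine word at a time with PTRACE_PEEKDATA (4 bytes on the 32-bit systems of the talk, sizeof(long) here), plus a demo that forks a child, stops it, and reads a constructed buffer out of the child's memory. The names parse_maps_line, dump_region, peek_demo and the buffer contents are assumptions.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>
/* Parse one /proc/PID/maps entry ("start-end perms offset dev inode [path]").
   Returns 1 on success, 0 if the line is not a maps entry. */
int parse_maps_line(const char *line, unsigned long *start, unsigned long *end, char perms[5])
{
    return sscanf(line, "%lx-%lx %4s", start, end, perms) == 3;
}

/* Copy [start, end) out of a stopped tracee one word at a time. PTRACE_PEEKDATA
   returns the word itself, so -1 is legal data: clear errno before each call. */
long dump_region(pid_t pid, unsigned long start, unsigned long end, unsigned char *out)
{
    long copied = 0;
    for (unsigned long a = start; a + sizeof(long) <= end; a += sizeof(long)) {
        errno = 0;
        long w = ptrace(PTRACE_PEEKDATA, pid, (void *)a, NULL);
        if (w == -1 && errno != 0)
            return copied ? copied : -1;         /* unmapped or not readable */
        memcpy(out + copied, &w, sizeof w);
        copied += sizeof w;
    }
    return copied;
}

/* Constructed data: the forked child inherits this buffer at the same address,
   so the parent can read the child's copy from outside and compare. */
static char secret[16] = "constructed-val";
int peek_demo(void)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(2); /* tracing denied */
        raise(SIGSTOP);                          /* hold still for the tracer */
        _exit(0);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status))
        return 0;
    unsigned char buf[sizeof secret];
    long n = dump_region(pid, (unsigned long)secret, (unsigned long)secret + sizeof secret, buf);
    ptrace(PTRACE_DETACH, pid, NULL, NULL);      /* child resumes and exits */
    waitpid(pid, &status, 0);
    return n == (long)sizeof secret && memcmp(buf, secret, sizeof secret) == 0;
}
```

A full dumper would open /proc/PID/maps, call parse_maps_line on each line and dump_region on each readable range; the errno dance around PEEKDATA is the part people most often get wrong.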
  • Show me the code: randwrap

    http://www.mulix.org/misc/randwrap-0.1.tar.gz

    Let's say you have a program that uses the environment for some random values (e.g. a Monte-Carlo simulation). It reads /dev/urandom, asks the user for initial input (via /dev/tty), looks at the current time and its pid.

    Let's say you want it to use the same random values in several runs, to correlate or debug results. Modifying the source is not an option. How do you do it?

    Running the utility via randwrap will fool the utility into getting the same random values from its environment on every run.

  • randwrap - how does it work

    randwrap works by ptracing its victim and hijacking certain system calls.

    We hijack open to find out when the victim opens files we care about (such as /dev/urandom or /dev/tty).

    We hijack read so that we can return prearranged values when reading from the files we care about.

    A side effect of reading from /dev/tty is that it will block until the user gives input. We nullify read (making read calls into getpid calls) to get around this. We make sure to still return the read data to the victim.

  • randwrap - how does it work continued

    We hijack close so that we can know when the files we care about are no longer in use.

    We hijack time since it's a commonly used source of randomness. We hijack getpid because of the read nullification mentioned earlier, and because it's also a commonly used source of (not very random) randomness.

    It should be noted that randwrap assumes some things about its victim and relies upon them. Writing a general purpose randwrap (that does not rely on its victim's file access pattern, for example) is possible, but much more complicated.
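
The read nullification described on these two slides as an added C example (not randwrap's own code), written for the x86-64 Linux syscall ABI: the tracer turns the victim's read() into getpid() at syscall entry, then at syscall exit pokes constructed bytes into the victim's buffer and fakes the return value. The names trace_reads and hijack_demo and the canned bytes are assumptions, and open/close tracking is left out, so every read the child makes is treated as one of the files we care about.

```c
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
/* Constructed "random" bytes the victim gets instead of /dev/urandom data. */
static const unsigned char canned[8] = {1, 2, 3, 4, 5, 6, 7, 8};
/* Tracer loop, x86-64 ABI: syscall number in orig_rax, args in rdi/rsi/rdx, result
   in rax. read() is rewritten to getpid() at entry; at exit buf and rax are faked. */
static int trace_reads(pid_t pid)
{
    int status, in_syscall = 0, hijacking = 0;
    struct user_regs_struct r;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0 || waitpid(pid, &status, 0) < 0)
            return -1;
        if (WIFEXITED(status)) return WEXITSTATUS(status);   /* victim finished */
        if (ptrace(PTRACE_GETREGS, pid, NULL, &r) < 0) return -1;
        in_syscall = !in_syscall;                /* stops alternate entry/exit */
        if (in_syscall && r.orig_rax == SYS_read && r.rdx >= sizeof canned) {
            r.orig_rax = SYS_getpid;             /* nullify the read: cannot block */
            ptrace(PTRACE_SETREGS, pid, NULL, &r);
            hijacking = 1;
        } else if (!in_syscall && hijacking) {
            long w; memcpy(&w, canned, sizeof w);
            ptrace(PTRACE_POKEDATA, pid, (void *)r.rsi, (void *)w);
            r.rax = sizeof canned;               /* "read" returned 8 bytes */
            ptrace(PTRACE_SETREGS, pid, NULL, &r);
            hijacking = 0;
        }
    }
}
/* Demo: child reads 8 bytes from /dev/urandom; exit status 0 means it got the canned bytes. */
int hijack_demo(void)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        unsigned char buf[8] = {0};
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(2); /* tracing denied */
        raise(SIGSTOP);                          /* hold still for the tracer */
        int fd = open("/dev/urandom", O_RDONLY);
        _exit(read(fd, buf, 8) == 8 && memcmp(buf, canned, 8) == 0 ? 0 : 1);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status))
        return -1;
    return trace_reads(pid);
}
```

The register names (orig_rax, rsi, rdx, rax) and the entry/exit toggle are exactly the per-architecture ABI dependence the Caveat Emptor slide warns about; on any other architecture this code does not even compile.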

  • Caveat Emptor

    Certain caution must be exercised when using ptrace:

    It is not portable between architectures.

    It is intimately tied to the syscall ABI on a given architecture (where is each argument passed).

    It is a very low level API, easy to get wrong and hard to debug.

    Nonetheless, ptrace is a useful tool in a programmer's arsenal. As always, use the right tool for the job...