Can't find how to use ptrace() properly

Question

Currently, for a project, I need to code some kind of debugger using ptrace(). At the end, it should show every function/syscall entered/exited in the program to trace.

Right now, I'm pretty stuck. I made a small program that should try to trace a given program, and print if it finds a call or a syscall based on the opcode (retreived with the registers). Here it is:

#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <sys/reg.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

int main()
{
        pid_t child;
        const int long_size = sizeof(long);

        child = fork();

        if(child == 0) {
                ptrace(PTRACE_TRACEME, 0, NULL, NULL);
                execl("./bin", "bin", NULL);
        } else {
                int status;
                unsigned ins;
                struct user_regs_struct regs;
                unsigned char prim, sec;

                while (1) {
                        wait(&status);
                        if (WIFEXITED(status))
                                break;
                        ptrace(PTRACE_GETREGS, child, NULL, &regs);
                        ins = ptrace(PTRACE_PEEKTEXT, child, regs.rip, NULL);
                        prim = (unsigned)0xFF & ins;
                        sec = ((unsigned)0xFF00 & ins) >> 8;
                        if (prim == 0xE8 && sec == 0xCD)
                                printf("call found!\n");
                        if (prim == 0x80 && sec == 0xCD)
                                printf("syscall found!\n");
                        ptrace(PTRACE_SINGLESTEP, child, NULL, NULL);
                }
        }
        return 0;
}

And here's the code for the "bin" binary :

#include <unistd.h>

void toto()
{
        write(1, "hello\n", 6);
}

int main()
{
        toto();
        toto();
        return (1);
}

When I'm looking the output of my mini debugger, it seems to find only one syscall and one call... I tried messing with the registers and the offset, but every tutorial I found on internet seems to be for a 32bits machine, which won't work in my case :/

Can someone give me a small hint to help me continue?

Thanks and have a nice day !

Direct use of `ptrace` is a [black art](http://foldoc.org/black+art) (one of the last remaining true examples of that term as applied to computing). If there is any way you can reuse an existing program that already does this job, such as `strace` or `gdb`, then you absolutely should. — zwol, May 08 '18 at 16:27
@tijko yes, I might (and I'm sure I am) be wrong, but I've seen some doing it this way. If it doesn't work, it might be why ^^... Do you have any idea? — SamuelRousseaux, May 08 '18 at 16:30

tijko · Accepted Answer · 2018-05-08T17:45:24.530

2

You were almost there but your masking (as first suspected) wasn't catching the callq opcode. There is also going to be a whole lot of extra callq codes caught by using PTRACE_SINGLESTEP too, I'm not sure if you realize this or not.

I compiled your bin program statically so you can get a consistent address for main and toto

gcc bin.c -o bin -g -Wall -static on a 64-bit machine.

And then in the main-script, I changed the masking opertion on ins variable:

#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <sys/reg.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

int main()
{
        pid_t child;

        child = fork();

        if(child == 0) {
                ptrace(PTRACE_TRACEME, 0, NULL, NULL);
                execl("./bin", "bin", NULL);
        } else {
                int status;
                unsigned ins;
                struct user_regs_struct regs;
                unsigned char prim;

                while (1) {
                        ptrace(PTRACE_SINGLESTEP, child, NULL, NULL);
                        wait(&status);
                        if (WIFEXITED(status))
                                break;
                        ptrace(PTRACE_GETREGS, child, NULL, &regs);
                        ins = ptrace(PTRACE_PEEKTEXT, child, regs.rip, NULL);
                        prim = (unsigned)0xFF & ins;
                        // Here in prim just mask for the first byte
                        if (prim == 0xe8) {
                        // Print the addresses to check out too
                                printf("RIP: %#x --> %#x\n", regs.rip, ins);
                                printf("call found!\n");
                        }
                }
        }
        return 0;
}

You only need to mask to check the first byte to see if it matches the call opcode. I added some extra print statements with the instruction pointer address so you can check the static source code just to make sure you are catching the right calls.

You can redirect your output from the main-program (I called it stepper):

./stepper > calls.txt

If you then do objdump -S bin > dump.txt you can see the addresses from toto and main where the callq instruction is made will also be in calls.txt file

You end up with all the extra calls being made from the crt-functions, the linker, and library calls.

edited May 08 '18 at 17:45

answered May 08 '18 at 16:34

tijko

7,599
11
44
64

I was going for that, but this way, I can't trace the user functions too :/ (like toto() in my example) – SamuelRousseaux May 08 '18 at 16:36
@LeVentilo You have a requirement for user defined functions not just syscalls? – tijko May 08 '18 at 16:38
Yep, that's the problem :/ Else I would be using SYSCALL, that would have been easier ^^ – SamuelRousseaux May 08 '18 at 16:39
Thanks, I'm trying that ! – SamuelRousseaux May 08 '18 at 17:49
So, what is the address I must look for? ins ? – SamuelRousseaux May 08 '18 at 19:17
@LeVentilo it depends, grep for `toto` after objdump – tijko May 08 '18 at 19:18
And for the addr, I prefer to use "nm", it's more concise ^^ – SamuelRousseaux May 08 '18 at 19:20
@LeVentilo absolutely ;) – tijko May 08 '18 at 19:22
The reason I recommend objdump is so you can see all those addresses have call instructions – tijko May 08 '18 at 19:26
So I redirected the output of the tracer into a file, checked the addr of toto (which is 400b0d), then tried to grep the output file (with grep -r 400b0d calls.txt), but there's no result :/ – SamuelRousseaux May 08 '18 at 19:28
I have a bit of experience in nm and objdump, for an exercise, I had to recode these commands in c ^^ – SamuelRousseaux May 08 '18 at 19:29
@LeVentilo that's the first instruction to `toto` you need that to find where the call opcode is in there. Should be a few bytes away – tijko May 08 '18 at 19:31
I didn't understand. When I grep the output of objdump, it gives me this : https://imgur.com/a/vHKD6wO . Which one am I supposed to look for in the output of stepper? – SamuelRousseaux May 08 '18 at 19:36
400b- *3d and *33 – tijko May 08 '18 at 19:38
Oh ! I understand now ! Thanks a lot for your help, I'm a bit less hopeless :D – SamuelRousseaux May 08 '18 at 19:43
Excuse me, I have one last question, is there any way to rely 400b3d and 400b33 to the toto call ? (like the function addr 400b0d) Code speaking – SamuelRousseaux May 08 '18 at 21:29
Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/170637/discussion-between-tijko-and-leventilo). – tijko May 08 '18 at 21:36

Can't find how to use ptrace() properly

1 Answers1