如何在Ubuntu x64中插入带ptrace的int3？_C_Linux_Debugging_X86 64_Ptrace

如何在Ubuntu x64中插入带ptrace的int3？

c linux debugging

如何在Ubuntu x64中插入带ptrace的int3？,c,linux,debugging,x86-64,ptrace,C,Linux,Debugging,X86 64,Ptrace,我试图通过设置断点来获得相同的结果，唯一的区别是我在x64系统上。所以，我有“你好，世界！”的代码：此代码的编译方式如下：nasm-f elf64 hello.s&&ld-s-o hello hello.o： ~$ objdump -d hello hello: file format elf64-x86-64 Disassembly of section .text: 00000000004000b0 <.text>: 4000b0: 48 b8

我试图通过设置断点来获得相同的结果，唯一的区别是我在x64系统上。所以，我有“你好，世界！”的代码：

此代码的编译方式如下：

nasm-f elf64 hello.s&&ld-s-o hello hello.o

：

~$ objdump -d hello    

hello:     file format elf64-x86-64


Disassembly of section .text:

00000000004000b0 <.text>:
  4000b0:   48 b8 01 00 00 00 00    movabs $0x1,%rax
  4000b7:   00 00 00 
  4000ba:   48 bf 01 00 00 00 00    movabs $0x1,%rdi
  4000c1:   00 00 00 
  4000c4:   48 be 1c 01 60 00 00    movabs $0x60011c,%rsi
  4000cb:   00 00 00 
  4000ce:   48 ba 08 00 00 00 00    movabs $0x8,%rdx
  4000d5:   00 00 00 
  4000d8:   0f 05                   syscall 
  4000da:   48 b8 01 00 00 00 00    movabs $0x1,%rax
  4000e1:   00 00 00 
  4000e4:   48 bf 01 00 00 00 00    movabs $0x1,%rdi
  4000eb:   00 00 00 
  4000ee:   48 be 24 01 60 00 00    movabs $0x600124,%rsi
  4000f5:   00 00 00 
  4000f8:   48 ba 07 00 00 00 00    movabs $0x7,%rdx
  4000ff:   00 00 00 
  400102:   0f 05                   syscall 
  400104:   48 b8 3c 00 00 00 00    movabs $0x3c,%rax
  40010b:   00 00 00 
  40010e:   48 bf 00 00 00 00 00    movabs $0x0,%rdi
  400115:   00 00 00 
  400118:   0f 05                   syscall

我应该怎么做才能使其在x64上正常运行（在断点处停止并恢复？

您的C代码在

strsignal

中出现故障，因为您忘记了

\include

准确地说，这是分段错误，因为如果没有原型，

strsignal

的返回值被假定为int（32位），而实际上它是一个64位的指针。

@Enchantner，谢谢你的问题。我最近遇到了类似的问题。它给了我很多启发。根据@Jester修复错误后，仍然存在段错误。所以我花了一些时间研究它。最后，我终于解决了

在x86-64 Linux上，peek/poke的
ptrace
字长为64位，而不是32位。但是代码使用的是无符号的（32位），它将在调用中转换为长类型64位
例如，
0xaabbccdd
的POKETEXT实际上将
0x00000000aabbccdd
写入内存，假设调用者恰好对其进行零扩展。这必然会弄乱记忆
因此，将类型更改为
long
，在x86-64系统V ABI中为64位

#include <stdio.h> #include <stdarg.h> #include <stdlib.h> #include <signal.h> #include <syscall.h> #include <sys/ptrace.h> #include <sys/types.h> #include <sys/wait.h> #include <sys/reg.h> #include <sys/user.h> #include <unistd.h> #include <errno.h> #include <string.h> void procmsg(const char* format, ...) { va_list ap; fprintf(stdout, "[%d] ", getpid()); va_start(ap, format); vfprintf(stdout, format, ap); va_end(ap); } void run_target(const char* programname) { procmsg("target started. will run '%s'\n", programname); /* Allow tracing of this process */ if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) { perror("ptrace"); return; } /* Replace this process's image with the given program */ execl(programname, programname, (char *)NULL); } void run_debugger(pid_t child_pid) { int wait_status; struct user_regs_struct regs; procmsg("debugger started\n"); /* Wait for child to stop on its first instruction */ wait(&wait_status); /* Obtain and show child's instruction pointer */ ptrace(PTRACE_GETREGS, child_pid, 0, &regs); procmsg("Child started. RIP = 0x%08x\n", regs.rip); long addr = 0x004000cb;//0x004000da; long data = ptrace(PTRACE_PEEKTEXT, child_pid, (void*)addr, 0); procmsg("Original data at 0x%08x: 0x%08x\n", addr, data); /* Write the trap instruction 'int 3' into the address */ long data_with_trap = (data & 0xFFFFFFFFFFFFFF00) | 0xCC; ptrace(PTRACE_POKETEXT, child_pid, (void*)addr, (void*)data_with_trap); /* See what's there again... */ long readback_data = ptrace(PTRACE_PEEKTEXT, child_pid, (void*)addr, 0); procmsg("After trap, data at 0x%08x: 0x%08x\n", addr, readback_data); /* Let the child run to the breakpoint and wait for it to ** reach it */ ptrace(PTRACE_CONT, child_pid, 0, 0); wait(&wait_status); if (WIFSTOPPED(wait_status)) { procmsg("Child got a signal: %s\n", strsignal(WSTOPSIG(wait_status))); } else { perror("wait"); return; } /* See where the child is now */ ptrace(PTRACE_GETREGS, child_pid, 0, &regs); procmsg("Child stopped at RIP = 0x%08x\n", regs.rip); /* Remove the breakpoint by restoring the previous data ** at the target address, and unwind the EIP back by 1 to ** let the CPU execute the original instruction that was ** there. */ ptrace(PTRACE_POKETEXT, child_pid, (void*)addr, (void*)data); /* See what's there again... */ readback_data = ptrace(PTRACE_PEEKTEXT, child_pid, (void*)addr, 0); procmsg("After restore, data at 0x%08x: 0x%08x\n", addr, readback_data); regs.rip -= 1; ptrace(PTRACE_SETREGS, child_pid, 0, &regs); /* The child can continue running now */ ptrace(PTRACE_CONT, child_pid, 0, 0); wait(&wait_status); if (WIFEXITED(wait_status)) { procmsg("Child exited\n"); } else if(WIFSIGNALED(wait_status)) { procmsg("signal !!!\n"); } else { procmsg("Unexpected signal. %s \n", strsignal(WSTOPSIG(wait_status))); } } int main(int argc, char** argv) { pid_t child_pid; if (argc < 2) { fprintf(stderr, "Expected a program name as argument\n"); return -1; } child_pid = fork(); if (child_pid == 0) run_target(argv[1]); else if (child_pid > 0) run_debugger(child_pid); else { perror("fork"); return -1; } return 0; }
调试器.c内容

hello2: file format elf64-x86-64 Disassembly of section .text: 00000000004000b0 <.text>: 4000b0: b8 01 00 00 00 mov $0x1,%eax 4000b5: bf 01 00 00 00 mov $0x1,%edi 4000ba: 48 be f4 00 60 00 00 movabs $0x6000f4,%rsi 4000c1: 00 00 00 4000c4: ba 08 00 00 00 mov $0x8,%edx 4000c9: 0f 05 syscall 4000cb: b8 01 00 00 00 mov $0x1,%eax 4000d0: bf 01 00 00 00 mov $0x1,%edi 4000d5: 48 be fc 00 60 00 00 movabs $0x6000fc,%rsi 4000dc: 00 00 00 4000df: ba 07 00 00 00 mov $0x7,%edx 4000e4: 0f 05 syscall 4000e6: b8 3c 00 00 00 mov $0x3c,%eax 4000eb: bf 00 00 00 00 mov $0x0,%edi 4000f0: 0f 05 syscall

#include <stdio.h> #include <stdarg.h> #include <stdlib.h> #include <signal.h> #include <syscall.h> #include <sys/ptrace.h> #include <sys/types.h> #include <sys/wait.h> #include <sys/reg.h> #include <sys/user.h> #include <unistd.h> #include <errno.h> #include <string.h> void procmsg(const char* format, ...) { va_list ap; fprintf(stdout, "[%d] ", getpid()); va_start(ap, format); vfprintf(stdout, format, ap); va_end(ap); } void run_target(const char* programname) { procmsg("target started. will run '%s'\n", programname); /* Allow tracing of this process */ if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) { perror("ptrace"); return; } /* Replace this process's image with the given program */ execl(programname, programname, (char *)NULL); } void run_debugger(pid_t child_pid) { int wait_status; struct user_regs_struct regs; procmsg("debugger started\n"); /* Wait for child to stop on its first instruction */ wait(&wait_status); /* Obtain and show child's instruction pointer */ ptrace(PTRACE_GETREGS, child_pid, 0, &regs); procmsg("Child started. RIP = 0x%016x\n", regs.rip); long addr = 0x004000cb;//0x004000da; unsigned data = ptrace(PTRACE_PEEKTEXT, child_pid, (void*)addr, 0); procmsg("Original data at 0x%016x: 0x%016x\n", addr, data); //test unsigned data_u = data; procmsg("test data_u: 0x%08x\n", data_u); /* Write the trap instruction 'int 3' into the address */ long data_with_trap = (data & 0xFFFFFFFFFFFFFF00) | 0xCC; ptrace(PTRACE_POKETEXT, child_pid, (void*)addr, (void*)data_with_trap); /* See what's there again... */ long readback_data = ptrace(PTRACE_PEEKTEXT, child_pid, (void*)addr, 0); procmsg("After trap,set breakpoint, data at 0x%016x: 0x%016x\n", addr, readback_data); /* Let the child run to the breakpoint and wait for it to ** reach it */ ptrace(PTRACE_CONT, child_pid, 0, 0); //wait to breakpoint wait(&wait_status); if (WIFSTOPPED(wait_status)) { procmsg("Child got a signal: %s\n", strsignal(WSTOPSIG(wait_status))); } else { perror("wait"); return; } /* See where the child is now */ ptrace(PTRACE_GETREGS, child_pid, 0, &regs); procmsg("Child stopped at RIP = 0x%016x\n", regs.rip); /* Remove the breakpoint by restoring the previous data ** at the target address, and unwind the EIP back by 1 to ** let the CPU execute the original instruction that was ** there. */ int result = ptrace(PTRACE_POKETEXT, child_pid, (void*)addr, (void*)data); procmsg("poketext origin back result %d\n", result); /* See what's there again... */ readback_data = ptrace(PTRACE_PEEKTEXT, child_pid, (void*)addr, 0); procmsg("After restore, data at 0x%llx: 0x%llx\n", addr, readback_data); int offset = 0; for(offset = 1; offset < 25; offset++) { readback_data = ptrace(PTRACE_PEEKTEXT, child_pid, (void*)(addr+offset), 0); procmsg("After restore, data at 0x%llx: 0x%llx\n", addr+offset, readback_data); } regs.rip -= 1; ptrace(PTRACE_SETREGS, child_pid, 0, &regs); /* The child can continue running now */ ptrace(PTRACE_CONT, child_pid, 0, 0); wait(&wait_status); if (WIFEXITED(wait_status)) { procmsg("Child exited\n"); } else if(WIFSIGNALED(wait_status)) { procmsg("signal !!!\n"); } else { procmsg("Unexpected signal. %s \n", strsignal(WSTOPSIG(wait_status))); } } int main(int argc, char** argv) { pid_t child_pid; if (argc < 2) { fprintf(stderr, "Expected a program name as argument\n"); return -1; } child_pid = fork(); if (child_pid == 0) run_target(argv[1]); else if (child_pid > 0) run_debugger(child_pid); else { perror("fork"); return -1; } return 0; }

[20832] debugger started [20833] target started. will run 'hello2' [20832] Child started. RIP = 0x00000000004000b0 [20832] Original data at 0x00000000004000cb: 0x00000000000001b8 [20832] test data_u: 0x000001b8 [20832] After trap,set breakpoint, data at 0x00000000004000cb: 0x00000000000001cc Hello, [20832] Child got a signal: Trace/breakpoint trap [20832] Child stopped at RIP = 0x00000000004000cc [20832] poketext origin back result 0 [20832] After restore, data at 0x4000cb: 0x1b8 [20832] After restore, data at 0x4000cc: 0x1 [20832] After restore, data at 0x4000cd: 0x0 [20832] After restore, data at 0x4000ce: 0x4800000000000000 [20832] After restore, data at 0x4000cf: 0xbe48000000000000 [20832] After restore, data at 0x4000d0: 0xfcbe480000000000 [20832] After restore, data at 0x4000d1: 0xfcbe4800000000 [20832] After restore, data at 0x4000d2: 0x6000fcbe48000000 [20832] After restore, data at 0x4000d3: 0x6000fcbe480000 [20832] After restore, data at 0x4000d4: 0x6000fcbe4800 [20832] After restore, data at 0x4000d5: 0x6000fcbe48 [20832] After restore, data at 0x4000d6: 0x6000fcbe [20832] After restore, data at 0x4000d7: 0x6000fc [20832] After restore, data at 0x4000d8: 0xba00000000006000 [20832] After restore, data at 0x4000d9: 0x7ba000000000060 [20832] After restore, data at 0x4000da: 0x7ba0000000000 [20832] After restore, data at 0x4000db: 0x7ba00000000 [20832] After restore, data at 0x4000dc: 0x7ba000000 [20832] After restore, data at 0x4000dd: 0xf00000007ba0000 [20832] After restore, data at 0x4000de: 0x50f00000007ba00 [20832] After restore, data at 0x4000df: 0xb8050f00000007ba [20832] After restore, data at 0x4000e0: 0x3cb8050f00000007 [20832] After restore, data at 0x4000e1: 0x3cb8050f000000 [20832] After restore, data at 0x4000e2: 0x3cb8050f0000 [20832] After restore, data at 0x4000e3: 0x3cb8050f00 [20832] Unexpected signal. Segmentation fault
很明显，我只是在循环中长时间地进行未签名、回写和打印

...... unsigned data = ptrace(PTRACE_PEEKTEXT, child_pid, (void*)addr, 0); procmsg("After restore, data at 0x%llx: 0x%llx\n", addr, readback_data); ...... int offset = 0; for(offset = 1; offset < 25; offset++) { readback_data = ptrace(PTRACE_PEEKTEXT, child_pid, (void*)(addr+offset), 0); procmsg("After restore, data at 0x%llx: 0x%llx\n", addr+offset, readback_data); } .....

。。。。。。无符号数据=ptrace（ptrace_peek text，child_pid，（void*）addr，0）； PROCMG（“还原后，0x%llx处的数据：0x%llx\n”，地址，回读\u数据）； ...... 整数偏移=0；用于（偏移量=1；偏移量<25；偏移量++）{ readback_data=ptrace（ptrace_peek text，child_pid，（void*）（addr+offset），0）； PROCMG（“还原后，0x%llx处的数据：0x%llx\n”，地址+偏移量，回读\u数据）； } .....
最后，输出，

[20832]还原后，0x4000d0处的数据：0xFCBE48000000000
，
显示内存中的指令
4000d0:bf 01 00 mov$0x1，%edi
写入到零。这会导致
分段错误

我现在对答案很满意~~
您说指令的字长是64位，而不是32位。但这没有意义；x86没有固定长度的指令字。我想你的意思是
ptrace
只允许窥视/戳看
长的，在x86-64系统V ABI中为64位。所以我们说的是ptrace“单词”，而不是指令词。@PeterCordes是的，你让答案的意思更准确，格式更美观。你做得很好。谢谢 #include <stdio.h> #include <stdarg.h> #include <stdlib.h> #include <signal.h> #include <syscall.h> #include <sys/ptrace.h> #include <sys/types.h> #include <sys/wait.h> #include <sys/reg.h> #include <sys/user.h> #include <unistd.h> #include <errno.h> #include <string.h> void procmsg(const char* format, ...) { va_list ap; fprintf(stdout, "[%d] ", getpid()); va_start(ap, format); vfprintf(stdout, format, ap); va_end(ap); } void run_target(const char* programname) { procmsg("target started. will run '%s'\n", programname); /* Allow tracing of this process */ if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) { perror("ptrace"); return; } /* Replace this process's image with the given program */ execl(programname, programname, (char *)NULL); } void run_debugger(pid_t child_pid) { int wait_status; struct user_regs_struct regs; procmsg("debugger started\n"); /* Wait for child to stop on its first instruction */ wait(&wait_status); /* Obtain and show child's instruction pointer */ ptrace(PTRACE_GETREGS, child_pid, 0, &regs); procmsg("Child started. RIP = 0x%016x\n", regs.rip); long addr = 0x004000cb;//0x004000da; unsigned data = ptrace(PTRACE_PEEKTEXT, child_pid, (void*)addr, 0); procmsg("Original data at 0x%016x: 0x%016x\n", addr, data); //test unsigned data_u = data; procmsg("test data_u: 0x%08x\n", data_u); /* Write the trap instruction 'int 3' into the address */ long data_with_trap = (data & 0xFFFFFFFFFFFFFF00) | 0xCC; ptrace(PTRACE_POKETEXT, child_pid, (void*)addr, (void*)data_with_trap); /* See what's there again... */ long readback_data = ptrace(PTRACE_PEEKTEXT, child_pid, (void*)addr, 0); procmsg("After trap,set breakpoint, data at 0x%016x: 0x%016x\n", addr, readback_data); /* Let the child run to the breakpoint and wait for it to ** reach it */ ptrace(PTRACE_CONT, child_pid, 0, 0); //wait to breakpoint wait(&wait_status); if (WIFSTOPPED(wait_status)) { procmsg("Child got a signal: %s\n", strsignal(WSTOPSIG(wait_status))); } else { perror("wait"); return; } /* See where the child is now */ ptrace(PTRACE_GETREGS, child_pid, 0, &regs); procmsg("Child stopped at RIP = 0x%016x\n", regs.rip); /* Remove the breakpoint by restoring the previous data ** at the target address, and unwind the EIP back by 1 to ** let the CPU execute the original instruction that was ** there. */ int result = ptrace(PTRACE_POKETEXT, child_pid, (void*)addr, (void*)data); procmsg("poketext origin back result %d\n", result); /* See what's there again... */ readback_data = ptrace(PTRACE_PEEKTEXT, child_pid, (void*)addr, 0); procmsg("After restore, data at 0x%llx: 0x%llx\n", addr, readback_data); int offset = 0; for(offset = 1; offset < 25; offset++) { readback_data = ptrace(PTRACE_PEEKTEXT, child_pid, (void*)(addr+offset), 0); procmsg("After restore, data at 0x%llx: 0x%llx\n", addr+offset, readback_data); } regs.rip -= 1; ptrace(PTRACE_SETREGS, child_pid, 0, &regs); /* The child can continue running now */ ptrace(PTRACE_CONT, child_pid, 0, 0); wait(&wait_status); if (WIFEXITED(wait_status)) { procmsg("Child exited\n"); } else if(WIFSIGNALED(wait_status)) { procmsg("signal !!!\n"); } else { procmsg("Unexpected signal. %s \n", strsignal(WSTOPSIG(wait_status))); } } int main(int argc, char** argv) { pid_t child_pid; if (argc < 2) { fprintf(stderr, "Expected a program name as argument\n"); return -1; } child_pid = fork(); if (child_pid == 0) run_target(argv[1]); else if (child_pid > 0) run_debugger(child_pid); else { perror("fork"); return -1; } return 0; } [20832] debugger started [20833] target started. will run 'hello2' [20832] Child started. RIP = 0x00000000004000b0 [20832] Original data at 0x00000000004000cb: 0x00000000000001b8 [20832] test data_u: 0x000001b8 [20832] After trap,set breakpoint, data at 0x00000000004000cb: 0x00000000000001cc Hello, [20832] Child got a signal: Trace/breakpoint trap [20832] Child stopped at RIP = 0x00000000004000cc [20832] poketext origin back result 0 [20832] After restore, data at 0x4000cb: 0x1b8 [20832] After restore, data at 0x4000cc: 0x1 [20832] After restore, data at 0x4000cd: 0x0 [20832] After restore, data at 0x4000ce: 0x4800000000000000 [20832] After restore, data at 0x4000cf: 0xbe48000000000000 [20832] After restore, data at 0x4000d0: 0xfcbe480000000000 [20832] After restore, data at 0x4000d1: 0xfcbe4800000000 [20832] After restore, data at 0x4000d2: 0x6000fcbe48000000 [20832] After restore, data at 0x4000d3: 0x6000fcbe480000 [20832] After restore, data at 0x4000d4: 0x6000fcbe4800 [20832] After restore, data at 0x4000d5: 0x6000fcbe48 [20832] After restore, data at 0x4000d6: 0x6000fcbe [20832] After restore, data at 0x4000d7: 0x6000fc [20832] After restore, data at 0x4000d8: 0xba00000000006000 [20832] After restore, data at 0x4000d9: 0x7ba000000000060 [20832] After restore, data at 0x4000da: 0x7ba0000000000 [20832] After restore, data at 0x4000db: 0x7ba00000000 [20832] After restore, data at 0x4000dc: 0x7ba000000 [20832] After restore, data at 0x4000dd: 0xf00000007ba0000 [20832] After restore, data at 0x4000de: 0x50f00000007ba00 [20832] After restore, data at 0x4000df: 0xb8050f00000007ba [20832] After restore, data at 0x4000e0: 0x3cb8050f00000007 [20832] After restore, data at 0x4000e1: 0x3cb8050f000000 [20832] After restore, data at 0x4000e2: 0x3cb8050f0000 [20832] After restore, data at 0x4000e3: 0x3cb8050f00 [20832] Unexpected signal. Segmentation fault ...... unsigned data = ptrace(PTRACE_PEEKTEXT, child_pid, (void*)addr, 0); procmsg("After restore, data at 0x%llx: 0x%llx\n", addr, readback_data); ...... int offset = 0; for(offset = 1; offset < 25; offset++) { readback_data = ptrace(PTRACE_PEEKTEXT, child_pid, (void*)(addr+offset), 0); procmsg("After restore, data at 0x%llx: 0x%llx\n", addr+offset, readback_data); } .....