Created
July 3, 2016 16:56
-
-
Save Xyene/6574b3bf4771c1a928c976af02a4b933 to your computer and use it in GitHub Desktop.
Old ptbox files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| CXX=g++ | |
| CXXFLAGS=-g -fPIC -Wall -O3 -march=native -I/usr/include/python$(PYVER) -D_FILE_OFFSET_BITS=64 | |
| LIBS=-lrt | |
| SOURCES=ptbox.cpp ptdebug.cpp ptdebug32.cpp ptdebug64.cpp ptproc.cpp | |
| OBJECTS=$(SOURCES:.cpp=.o) | |
| EXECUTABLE=ptbox | |
| all: $(SOURCES) $(EXECUTABLE) _cptbox.so | |
| $(EXECUTABLE): $(OBJECTS) | |
| $(CXX) $(CXXFLAGS) -o $@ $(OBJECTS) $(LIBS) | |
| strip: $(EXECUTABLE) _cptbox.so | |
| strip -s $(EXECUTABLE) _cptbox.so | |
| ptbox.o: ptbox.cpp ptbox.h | |
| ptdebug32.o: ptdebug32.cpp ptbox.h | |
| ptdebug64.o: ptdebug64.cpp ptbox.h | |
| ptdebug.o: ptdebug.cpp ptbox.h | |
| ptproc.o: ptproc.cpp ptbox.h | |
| .cpp.o: | |
| $(CXX) $(CXXFLAGS) -c -o $@ $< | |
| _cptbox.so: _cptbox.o $(OBJECTS) | |
| $(CXX) -shared $(CXXFLAGS) -o $@ $(OBJECTS) _cptbox.o $(LIBS) -lpython$(PYVER) | |
| _cptbox.cpp: _cptbox.pyx | |
| cython --cplus _cptbox.pyx | |
| clean: | |
| -rm -f $(OBJECTS) _cptbox.so $(EXECUTABLE) _cptbox.cpp _cptbox.o |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define _BSD_SOURCE | |
| #include <stdio.h> | |
| #include <unistd.h> | |
| #include <signal.h> | |
| #include <sys/ptrace.h> | |
| #include <sys/resource.h> | |
| #include "ptbox.h" | |
| int child(void *context) { | |
| char *envp[] = { NULL }; | |
| ptrace(PTRACE_TRACEME, 0, NULL, NULL); | |
| kill(getpid(), SIGSTOP); | |
| execle("/bin/ls", "ls", (char *) NULL, envp); | |
| return 3306; | |
| } | |
| void pt_syscall_return(void *context, int syscall) { | |
| pt_debugger* debugger = (pt_debugger*) context; | |
| printf("Returning from: %d: 0x%016lx\n", syscall, debugger->result()); | |
| } | |
| int pt_syscall_handler(void *context, int syscall) { | |
| pt_debugger* debugger = (pt_debugger*) context; | |
| if (syscall == 5) { | |
| char *file = debugger->readstr((unsigned long) debugger->arg0(), 4096); | |
| printf("Opening: %s\n", file); | |
| debugger->freestr(file); | |
| } | |
| debugger->on_return(pt_syscall_return, context); | |
| return true; | |
| } | |
| int main() { | |
| pt_debugger32 *debugger = new pt_debugger32(); | |
| pt_process *process = pt_alloc_process(debugger); | |
| for (unsigned i = 0; i < MAX_SYSCALL; ++i) | |
| process->set_handler(i, PTBOX_HANDLER_ALLOW); | |
| process->set_handler(5, PTBOX_HANDLER_CALLBACK); | |
| process->set_callback(pt_syscall_handler, debugger); | |
| process->spawn(child, NULL); | |
| printf("Return: %d", process->monitor()); | |
| delete process; | |
| delete debugger; | |
| return 0; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define _BSD_SOURCE | |
| #include <sys/ptrace.h> | |
| #include "ptbox.h" | |
| #define EBX 0 | |
| #define ECX 1 | |
| #define EDX 2 | |
| #define ESI 3 | |
| #define EDI 4 | |
| #define EBP 5 | |
| #define EAX 6 | |
| #define DS 7 | |
| #define ES 8 | |
| #define FS 9 | |
| #define GS 10 | |
| #define ORIG_EAX 11 | |
| #define EIP 12 | |
| #define CS 13 | |
| #define EFL 14 | |
| #define UESP 15 | |
| #define SS 16 | |
| long pt_debugger32::peek_reg(int reg) { | |
| return ptrace(PTRACE_PEEKUSER, process->getpid(), 4 * reg, 0); | |
| } | |
| void pt_debugger32::poke_reg(int reg, long data) { | |
| ptrace(PTRACE_POKEUSER, process->getpid(), 4 * reg, data); | |
| } | |
| int pt_debugger32::syscall() { | |
| return (int) peek_reg(ORIG_EAX); | |
| } | |
| void pt_debugger32::syscall(int id) { | |
| poke_reg(ORIG_EAX, id); | |
| } | |
| long pt_debugger32::result() { | |
| return peek_reg(EAX); | |
| } | |
| void pt_debugger32::result(long value) { | |
| poke_reg(EAX, value); | |
| } | |
| #define make_arg(id, reg) \ | |
| long pt_debugger32::arg##id() { \ | |
| return peek_reg(reg); \ | |
| } \ | |
| \ | |
| void pt_debugger32::arg##id(long data) {\ | |
| poke_reg(reg, data); \ | |
| } | |
| make_arg(0, EBX); | |
| make_arg(1, ECX); | |
| make_arg(2, EDX); | |
| make_arg(3, ESI); | |
| make_arg(4, EDI); | |
| #undef make_arg | |
| long pt_debugger32::arg5() { | |
| return 0; | |
| } | |
| void pt_debugger32::arg5(long data) {} | |
| bool pt_debugger32::is_exit(int syscall) { | |
| return syscall == 252 || syscall == 1; | |
| } | |
| int pt_debugger32::getpid_syscall() { | |
| return 20; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #define _BSD_SOURCE | |
| #include <errno.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <string.h> | |
| #include <sys/ptrace.h> | |
| #include "ptbox.h" | |
| #define R15 0 | |
| #define R14 1 | |
| #define R13 2 | |
| #define R12 3 | |
| #define RBP 4 | |
| #define RBX 5 | |
| #define R11 6 | |
| #define R10 7 | |
| #define R9 8 | |
| #define R8 9 | |
| #define RAX 10 | |
| #define RCX 11 | |
| #define RDX 12 | |
| #define RSI 13 | |
| #define RDI 14 | |
| #define ORIG_RAX 15 | |
| #define RIP 16 | |
| #define CS 17 | |
| #define EFLAGS 18 | |
| #define RSP 19 | |
| #define SS 20 | |
| #define FS_BASE 21 | |
| #define GS_BASE 22 | |
| #define DS 23 | |
| #define ES 24 | |
| #define FS 25 | |
| #define GS 26 | |
| long pt_debugger64::peek_reg(int reg) { | |
| return ptrace(PTRACE_PEEKUSER, process->getpid(), 8 * reg, NULL); | |
| } | |
| void pt_debugger64::poke_reg(int reg, long data) { | |
| ptrace(PTRACE_POKEUSER, process->getpid(), 8 * reg, data); | |
| } | |
| int pt_debugger64::syscall() { | |
| return (int) peek_reg(ORIG_RAX); | |
| } | |
| void pt_debugger64::syscall(int id) { | |
| poke_reg(ORIG_RAX, id); | |
| } | |
| long pt_debugger64::result() { | |
| return peek_reg(RAX); | |
| } | |
| void pt_debugger64::result(long value) { | |
| poke_reg(RAX, value); | |
| } | |
| #define make_arg(id, reg) \ | |
| long pt_debugger64::arg##id() { \ | |
| return peek_reg(reg); \ | |
| } \ | |
| \ | |
| void pt_debugger64::arg##id(long data) {\ | |
| poke_reg(reg, data); \ | |
| } | |
| make_arg(0, RDI); | |
| make_arg(1, RSI); | |
| make_arg(2, RDX); | |
| make_arg(3, R10); | |
| make_arg(4, R8); | |
| make_arg(5, R9); | |
| #undef make_arg | |
| bool pt_debugger64::is_exit(int syscall) { | |
| return syscall == 231 || syscall == 60; | |
| } | |
| int pt_debugger64::getpid_syscall() { | |
| return 39; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment