alex-bender/prevent_syscall_test.py

## prevent_syscall_test.py
#!/usr/bin/python
#
# prevent_syscall_test.py - python-ptrace sample program
#
# python-ptrace
#   https://bitbucket.org/haypo/python-ptrace/wiki/Home
#
# Debian / Ubuntu
#   $ sudo apt-get install python-ptrace
#
from ptrace.debugger.debugger import PtraceDebugger
from ptrace.debugger import (ProcessExit, ProcessSignal, NewProcessEvent, ProcessExecution)
from ptrace.func_call import FunctionCallOptions
from ptrace.ctypes_tools import formatAddress
from ptrace.debugger.child import createChild
from ptrace.tools import locateProgram
from sys import stderr, argv, exit
from os import getpid
from pprint import pprint
import re

prevent_str = "9f900e2d14cbbff7536587baf3003f89"

syscall_options = FunctionCallOptions(
    write_types=True,
    write_argname=True,
    string_max_length=8192,
    replace_socketcall=True,
    write_address=True,
    max_array_count=100,
)

def usage():
    print >>stderr, "usage: %s program [arg1 arg2 ...]" % argv[0]
    exit(1)

def get_syscall_str(process):
    state = process.syscall_state
    syscall = state.event(syscall_options)
    if syscall and (syscall.result is not None):
        name = syscall.name
        text = syscall.format()
        prefix = []
        prefix.append("[%s]" % process.pid)
        text = ''.join(prefix) + ' ' + text
        return text
    else:
        return ""

def loop(debugger):
    while True:
        try:
            event = debugger.waitSyscall()
        except ProcessExit, event:
            state = event.process.syscall_state
            if (state.next_event == "exit") and state.syscall:
                print("[%d] exit() : exit process" % event.process.pid)
                debugger.deleteProcess(pid=event.process.pid)
            continue
        except ProcessSignal, event:
            print("*** SIGNAL pid=%s ***" % event.process.pid)
            event.display()
            event.process.syscall(event.signum)
            continue
        except NewProcessEvent, event:
            print("*** New process %s ***" % event.process.pid)
            event.process.syscall()
            continue
        except ProcessExecution, event:
            print("*** Process %s execution ***" % event.process.pid)
            event.process.syscall()
            continue
        except:
            #print("all target processes finished...")
            return
        process = event.process

        # get syscall string
        str = get_syscall_str(process)

        # print systemcall
        #if len(str) > 0:
        #    print(str)

        # prevent systemcall?
        if str.find(prevent_str) >= 0:
            print("IGNORE OPERATION!!")
            process.terminate(False)
            debugger.deleteProcess(pid=process.pid)
            continue
        process.syscall()

def main():
    if len(argv) < 2: usage()

        # create process
    env = None
    arguments = argv[1:]
    arguments[0] = locateProgram(arguments[0])
    pid = createChild(arguments, False, env)

    # create debugger
    debugger = PtraceDebugger()
    debugger.enableSysgood()
    debugger.traceExec()
    debugger.traceFork()

    # attach process
    debugger.addProcess(pid, True)
    process = debugger[pid]
    process.syscall()

    # start event loop
    loop(debugger)

    debugger.quit()

if __name__ == "__main__":
    main()

## puts_test1.c
// $ gcc puts_test1.c -o puts_test1
#include <stdio.h>

int main(int argc, char *argv[])
{
        puts("this is test.");
        puts("d41d8cd98f00b204e9800998ecf8427e");
        puts("program exited normally...");

        return 0;
}

## puts_test2.c
// $ gcc puts_test2.c -o puts_test2
#include <stdio.h>

int main(int argc, char *argv[])
{
        puts("this is test.");
        puts("9f900e2d14cbbff7536587baf3003f89");
        puts("program exited normally...");

        return 0;
}

## result.txt
$ ls
prevent_syscall_test.py   puts_test1.c   puts_test2.c

$ gcc puts_test1.c -o puts_test1
$ gcc puts_test2.c -o puts_test2
$ ./puts_test1
this is test.
d41d8cd98f00b204e9800998ecf8427e
program exited normally...

$ ./puts_test2
this is test.
9f900e2d14cbbff7536587baf3003f89
program exited normally...

$ python prevent_syscall_test.py ./puts_test1
this is test.
d41d8cd98f00b204e9800998ecf8427e
program exited normally...
[24074] exit() : exit process

$ python prevent_syscall_test.py ./puts_test2
this is test.
9f900e2d14cbbff7536587baf3003f89
IGNORE OPERATION!!
WARNING:root:Terminate <PtraceProcess #24078>
WARNING:root:waitpid() warning: Unknown PID 24078
	#!/usr/bin/python
	#
	# prevent_syscall_test.py - python-ptrace sample program
	#
	# python-ptrace
	# https://bitbucket.org/haypo/python-ptrace/wiki/Home
	#
	# Debian / Ubuntu
	# $ sudo apt-get install python-ptrace
	#
	from ptrace.debugger.debugger import PtraceDebugger
	from ptrace.debugger import (ProcessExit, ProcessSignal, NewProcessEvent, ProcessExecution)
	from ptrace.func_call import FunctionCallOptions
	from ptrace.ctypes_tools import formatAddress
	from ptrace.debugger.child import createChild
	from ptrace.tools import locateProgram
	from sys import stderr, argv, exit
	from os import getpid
	from pprint import pprint
	import re

	prevent_str = "9f900e2d14cbbff7536587baf3003f89"

	syscall_options = FunctionCallOptions(
	write_types=True,
	write_argname=True,
	string_max_length=8192,
	replace_socketcall=True,
	write_address=True,
	max_array_count=100,
	)

	def usage():
	print >>stderr, "usage: %s program [arg1 arg2 ...]" % argv[0]
	exit(1)

	def get_syscall_str(process):
	state = process.syscall_state
	syscall = state.event(syscall_options)
	if syscall and (syscall.result is not None):
	name = syscall.name
	text = syscall.format()
	prefix = []
	prefix.append("[%s]" % process.pid)
	text = ''.join(prefix) + ' ' + text
	return text
	else:
	return ""

	def loop(debugger):
	while True:
	try:
	event = debugger.waitSyscall()
	except ProcessExit, event:
	state = event.process.syscall_state
	if (state.next_event == "exit") and state.syscall:
	print("[%d] exit() : exit process" % event.process.pid)
	debugger.deleteProcess(pid=event.process.pid)
	continue
	except ProcessSignal, event:
	print("* SIGNAL pid=%s *" % event.process.pid)
	event.display()
	event.process.syscall(event.signum)
	continue
	except NewProcessEvent, event:
	print("* New process %s *" % event.process.pid)
	event.process.syscall()
	continue
	except ProcessExecution, event:
	print("* Process %s execution *" % event.process.pid)
	event.process.syscall()
	continue
	except:
	#print("all target processes finished...")
	return
	process = event.process

	# get syscall string
	str = get_syscall_str(process)

	# print systemcall
	#if len(str) > 0:
	# print(str)

	# prevent systemcall?
	if str.find(prevent_str) >= 0:
	print("IGNORE OPERATION!!")
	process.terminate(False)
	debugger.deleteProcess(pid=process.pid)
	continue
	process.syscall()

	def main():
	if len(argv) < 2: usage()

	# create process
	env = None
	arguments = argv[1:]
	arguments[0] = locateProgram(arguments[0])
	pid = createChild(arguments, False, env)

	# create debugger
	debugger = PtraceDebugger()
	debugger.enableSysgood()
	debugger.traceExec()
	debugger.traceFork()

	# attach process
	debugger.addProcess(pid, True)
	process = debugger[pid]
	process.syscall()

	# start event loop
	loop(debugger)

	debugger.quit()

	if __name__ == "__main__":
	main()
	// $ gcc puts_test1.c -o puts_test1
	#include <stdio.h>

	int main(int argc, char *argv[])
	{
	puts("this is test.");
	puts("d41d8cd98f00b204e9800998ecf8427e");
	puts("program exited normally...");

	return 0;
	}
	// $ gcc puts_test2.c -o puts_test2
	#include <stdio.h>

	int main(int argc, char *argv[])
	{
	puts("this is test.");
	puts("9f900e2d14cbbff7536587baf3003f89");
	puts("program exited normally...");

	return 0;
	}
	$ ls
	prevent_syscall_test.py puts_test1.c puts_test2.c

	$ gcc puts_test1.c -o puts_test1
	$ gcc puts_test2.c -o puts_test2
	$ ./puts_test1
	this is test.
	d41d8cd98f00b204e9800998ecf8427e
	program exited normally...

	$ ./puts_test2
	this is test.
	9f900e2d14cbbff7536587baf3003f89
	program exited normally...

	$ python prevent_syscall_test.py ./puts_test1
	this is test.
	d41d8cd98f00b204e9800998ecf8427e
	program exited normally...
	[24074] exit() : exit process

	$ python prevent_syscall_test.py ./puts_test2
	this is test.
	9f900e2d14cbbff7536587baf3003f89
	IGNORE OPERATION!!
	WARNING:root:Terminate <PtraceProcess #24078>
	WARNING:root:waitpid() warning: Unknown PID 24078