src/process-trace.cpp

Go to the documentation of this file.

#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/user.h>
#include <asm/unistd.h>
#include <signal.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include "process-trace.h"

ProcessTrace::ProcessTrace()
{
        before_syscall = false;
        replace_call = false;
        stopped = false;
}

std::string ProcessTrace::ChildOnFork()
{
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        return std::string("");
}

std::string ProcessTrace::ParentOnFork()
{
        //if(ptrace(PTRACE_SETOPTIONS, GetPID(), NULL, PTRACE_O_TRACESYSGOOD) == -1)
        //      return std::string("ptrace failed: ") + std::string(strerror(errno));
        return std::string("");
}

std::string ProcessTrace::HandleEvents()
{
        if(stopped)
                return std::string("");

        if(GetExitCode() != -1)
                return std::string("");

        int status = 0;
        int r = waitpid(GetPID(), &status, WNOHANG);

        if(r == -1)
                return std::string("waitpid failed: ") + std::string(strerror(errno));

        if(r == 0)
                return std::string("");

        if(WIFEXITED(status))
        {
                exit_code = WEXITSTATUS(status);
                return std::string("");
        }

        if(!WIFSTOPPED(status))
                return std::string("");

        //siginfo_t sig;
        //if(ptrace(PTRACE_GETSIGINFO, GetPID(), NULL, &sig) == -1)
        //      return std::string("ptrace failed: ") + std::string(strerror(errno));

        //if(!(sig.si_signo & 0x80))
        //      return std::string("");

        struct user_regs_struct regs;
        if(ptrace(PTRACE_GETREGS, GetPID(), NULL, &regs) == -1)
                return std::string("ptrace failed: ") + std::string(strerror(errno));

#if __WORDSIZE == 64
        if(before_syscall && HandleSyscall(regs.orig_rax, (void*)regs.rdi, (void*)regs.rsi,
                                                (void*)regs.rdx, (void*)regs.r10, (void*)regs.r8, return_code))
#else
        if(before_syscall && HandleSyscall(regs.orig_eax, (void*)regs.ebx, (void*)regs.ecx,
                                                (void*)regs.edx, (void*)regs.esi, (void*)regs.edi, return_code))
#endif
        {
                // Do a getpid instead of the syscall
                replace_call = true;
                before_syscall = false;
#if __WORDSIZE == 64
                regs.orig_rax = __NR_getpid;
#else
                regs.orig_eax = __NR_getpid;
#endif
                if(ptrace(PTRACE_SETREGS, GetPID(), NULL, &regs) == -1)
                        return std::string("ptrace failed: ") + std::string(strerror(errno));
        }
        else
        {
                before_syscall = !before_syscall;
                if(replace_call)
                {
#if __WORDSIZE == 64
                        if((int)regs.rax != GetPID())
                                printf("Looks like the output could not be hijacked\n");
                        regs.rax = return_code;
#else
                        regs.eax = return_code;
#endif
                        if(ptrace(PTRACE_SETREGS, GetPID(), NULL, &regs) == -1)
                                return std::string("ptrace failed: ") + std::string(strerror(errno));
                }
                replace_call = false;
        }

        if(ptrace(PTRACE_SYSCALL, GetPID(), NULL, NULL) == -1)
                return std::string("ptrace failed: ") + std::string(strerror(errno));
        return std::string("");
}

std::string ProcessTrace::SetChildMem(char* addr, char* buf, size_t len)
{
        if(!pid)
                return std::string("No process started");

        while(len >= sizeof(int))
        {
                if(ptrace(PTRACE_POKEDATA, GetPID(), addr, *(int*)buf) != 0)
                        return std::string("Unable to write data: ") + std::string(strerror(errno));
                buf += sizeof(int);
                addr += sizeof(int);
                len -= sizeof(int);
        }

        if(len)
        {
                // Copy the remaining bytes
                int data = ptrace(PTRACE_PEEKDATA, GetPID(), addr, NULL);
                if(errno != 0)
                        return std::string("Unable to write data: ") + std::string(strerror(errno));
                
                char* c = (char*)&data;
                while(len)
                {
                        *c = *buf;
                        c++;
                        buf++;
                        len--;
                }
                if(ptrace(PTRACE_POKEDATA, GetPID(), addr, data) != 0)
                        return std::string("Unable to write data: ") + std::string(strerror(errno));
        }

        return std::string("");
}

std::string ProcessTrace::GetChildMem(char* addr, char* buf, size_t len)
{
        if(!pid)
                return std::string("No process started");

        while(len >= sizeof(int))
        {
                *(int*)buf = ptrace(PTRACE_PEEKDATA, GetPID(), addr, NULL);
                if(errno != 0)
                        return std::string("Unable to read data: ") + std::string(strerror(errno));
                buf += sizeof(int);
                addr += sizeof(int);
                len -= sizeof(int);
        }

        if(len)
        {
                // Copy the remaining bytes
                int data = ptrace(PTRACE_PEEKDATA, GetPID(), addr, NULL);
                if(errno != 0)
                        return std::string("Unable to write data: ") + std::string(strerror(errno));
                
                char* c = (char*)&data;
                while(len)
                {
                        *buf = *c;
                        c++;
                        buf++;
                        len--;
                }
        }

        return std::string("");
}

std::string ProcessTrace::Attach(pid_t p)
{
        if(ptrace(PTRACE_ATTACH, p, NULL, NULL) == -1)
                return std::string("ptrace failed: ") + std::string(strerror(errno));
        pid = p;
        return std::string("");
}

std::string ProcessTrace::Detach()
{
        if(!pid)
                return std::string("No process started");
        if(ptrace(PTRACE_DETACH, GetPID(), NULL, NULL) == -1)
                return std::string("ptrace failed: ") + std::string(strerror(errno));
        pid = 0;
        return std::string("");
}

std::string ProcessTrace::Stop()
{
        if(!pid)
                return std::string("No process started");

        if(stopped)
                return std::string("");

        if(kill(GetPID(), SIGSTOP) == -1)
                return std::string("kill failed: ") + std::string(strerror(errno));
        stopped = true;
        return std::string("");
}

std::string ProcessTrace::Continue()
{
        if(!pid)
                return std::string("No process started");

        if(!stopped)
                return std::string("");
        if(kill(GetPID(), SIGCONT) == -1)
                return std::string("kill failed: ") + std::string(strerror(errno));
        stopped = false;
        return std::string("");
}

std::string ProcessTrace::GetRegisters(struct user_regs_struct *regs)
{
        if(ptrace(PTRACE_GETREGS, GetPID(), NULL, &regs) == -1)
                return std::string("ptrace failed: ") + std::string(strerror(errno));
        return std::string("");
}

std::string ProcessTrace::SetRegisters(struct user_regs_struct *regs)
{
        if(ptrace(PTRACE_SETREGS, GetPID(), NULL, &regs) == -1)
                return std::string("ptrace failed: ") + std::string(strerror(errno));
        return std::string("");
}

---