Develop Reference

Inject code into process in ubuntu 64bit

I'm learning ptrace by the article "playing with ptrace".
Now I can set breakpoint by replacing tracee's instruction with "syscall" but can't inject code successfully.
In X86 , the print can use "int 80" then pause process by "int3".
How can I inject code that has instruction "syscall " and stop process when the inject code finish in x64 Thanks.
The code I inject is this
section .text
global main
main:
mov rax, 1
mov rdi, 1
mov rsi, message
mov rdx, 13
syscall
int3
message:
db "Hello world", 10
My code is
#include <sys/ptrace.h>
#include <sys/reg.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define LONG_SIZE 8
void getdata(pid_t child, long addr,char *str,int len)
{
char *laddr = str;
int i = 0,j = len/LONG_SIZE;
union u{
long val;
char chars[LONG_SIZE];
} word;
while(i<j)
{
word.val = ptrace(PTRACE_PEEKDATA,child,addr + i*LONG_SIZE,NULL);
if(word.val == -1)
perror("trace error");
memcpy(laddr,word.chars,LONG_SIZE);
++i;
laddr += LONG_SIZE;
}
j = len %LONG_SIZE;
if(j!=0)
{
word.val == ptrace(PTRACE_PEEKDATA,child,addr + i*LONG_SIZE,NULL);
if(word.val == -1)
perror("trace error");
}
str[len] = '\0';
}
void putdata(pid_t child,long addr,char *str,int len)
{
char *laddr = str;
int i = 0, j = len/LONG_SIZE;
union u{
long val;
char chars[LONG_SIZE];
}word;
while(i<j)
{
memcpy(word.chars,laddr,LONG_SIZE);
if(ptrace(PTRACE_POKEDATA,child,addr+i*LONG_SIZE,word.val) == -1)
perror("trace error");
++i;
laddr += LONG_SIZE;
}
j = len % LONG_SIZE;
if(j != 0)
{
word.val = 0;
memcpy(word.chars,laddr,j);
if(ptrace(PTRACE_POKEDATA,child,addr+i*LONG_SIZE,word.val) == -1)
perror("trace error");
}
}
void printBytes(const char* tip,char* codes,int len)
{
int i;
printf("%s :",tip);
for(i = 0;i<len;++i)
{
printf("%02x ",(unsigned char)codes[i]);
}
puts("");
}
#define CODE_SIZE 48
int main(int argc ,char *argv[])
{
if(argc != 2)
{
puts("no pid input");
exit(1);
}
pid_t traced_process;
struct user_regs_struct regs;
long ins;
char code[CODE_SIZE] = {0xb8,0x01,0x00,0x00,0x00,0xbf,0x01,0x00,0x00,0x00,0x48,0xbe,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xba,0x0d,0x00,0x00,0x00,0x0f,0x05,0xcc,0x48,0x65,0x6c,0x6c,0x6f,0x20,0x77,0x6f,0x72,0x6c,0x64,0x0a};
char backup[CODE_SIZE];
traced_process = atoi(argv[1]);
printf("try to attach pid:%u\n",traced_process);
if(ptrace(PTRACE_ATTACH,traced_process,NULL,NULL) == -1)
{
perror("trace attach error");
}
wait(NULL);
if(ptrace(PTRACE_GETREGS,traced_process,NULL,&regs) == -1)
{
perror("trace get regs error");
}
//copy instructions into backup variable
getdata(traced_process,regs.rip,backup,CODE_SIZE);
printBytes("get tracee instuction",backup,CODE_SIZE);
puts("try to inject code");
putdata(traced_process,regs.rip,code,CODE_SIZE);
puts("inject success, tracee continue");
if(ptrace(PTRACE_CONT,traced_process,NULL,NULL) == -1)
{
perror("trace continue error");
}
//wait tracee to execute int3 to stop
wait(NULL);
puts("inject code finish, Press <Enter> to continue");
getchar();
printBytes("place inject instructions with backup instructions",backup,CODE_SIZE);
putdata(traced_process,regs.rip,backup,CODE_SIZE);
ptrace(PTRACE_SETREGS,traced_process,NULL,&regs);
ptrace(PTRACE_DETACH,traced_process,NULL,NULL);
return 0;
}
It doesn't work, only can make tracee stop and resume. what's wrong with it?
run it in ubuntu 16.04 64bit.

You said it yourself. Use a command that raises a signal.
Debuggers use int 3, for a very simple reason. While every single software interrupt you raise is a couple of bytes long (one for the int command, and another for the interrupt number), int 3 is a single byte instruction. It is that precisely so it can be easily injected (and then removed) by a debugger.
To summarize, since you are on x86_64, replace the int 80 injection with syscall, but leave the other software interrupt as they were.

I know the reason. the asm code that I post is not PIC, when it is injected into tracee's memory, string address is wrong, so it failed.
right asm code should be
section .text
global main
main:
jmp forward
backward:
pop rsi
mov rax, 1
mov rdi, 1
mov rdx, 13
syscall
int3
forward:
call backward
db "Hello world",0xa

Can't write to pseudo terminal master

I'm able to open a new pseudo terminal, and start a shell on the slave, but writing to the master doesn't seem to do anything, and trying to read after the shell has started ends in failure (-1). What am i doing wrong:
#include <stdlib.h>
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <signal.h>
#include <sys/ioctl.h>
int posix_openpt(int flags);
int grantpt(int fd);
int unlockpt(int fd);
char *ptsname(int fd);
static void execsh(void);
int main(int argc, char *argv[]) {
printf("Hiya\n");
// Open the Master Clone Device /dev/ptmx, return the fd
int master_fd = posix_openpt(O_RDWR);
printf("PTMaster = %d\n", master_fd);
// Change the permissions and ownership of the slave device
int grant_success = grantpt(master_fd);
printf("Grant success = %d\n", grant_success);
// Unlock the slave pseudoterminal device corresponding to master_fd
int unlock_success = unlockpt(master_fd);
printf("Unlock success = %d\n", unlock_success);
// Grab the name of the slave device
char *slave_name = ptsname(master_fd);
printf("Slave name = %s\n", slave_name);
// Open the slave pseudoterminal device
int slave_fd = open(slave_name, O_WRONLY);
printf("Slave fd = %d\n", slave_fd);
// Exec shell
pid_t pid;
switch (pid = fork()) {
case -1:
printf("Failed to fork\n");
break;
case 0:
// Child
setsid(); /* create a new process group */
dup2(slave_fd, STDIN_FILENO);
dup2(slave_fd, STDOUT_FILENO);
dup2(slave_fd, STDERR_FILENO);
ioctl(slave_fd, TIOCSCTTY, NULL); /* make this the controlling terminal for this process */
close(slave_fd);
close(master_fd);
// Start Shell
execsh();
break;
default:
// Parent
close(slave_fd);
}
// Read from master
sleep(1);
char buffer[200];
ssize_t read_bytes = read(master_fd, buffer, 200);
printf("read %ld from master\n", read_bytes);
printf("buffer = %s\n", buffer);
// ls
ssize_t written = write(master_fd, "ls\n", 3);
printf("wrote %ld to master\n", written);
// Read from master
read_bytes = read(master_fd, buffer, 200);
printf("read %ld from master\n", read_bytes);
printf("buffer = %s\n", buffer);
close(master_fd);
kill(pid, SIGKILL); // Kill the child, biblical
return 0;
}
void
execsh(void) {
char **args;
char *envshell = getenv("SHELL");
unsetenv("COLUMNS");
unsetenv("LINES");
unsetenv("TERMCAP");
signal(SIGCHLD, SIG_DFL);
signal(SIGHUP, SIG_DFL);
signal(SIGINT, SIG_DFL);
signal(SIGQUIT, SIG_DFL);
signal(SIGTERM, SIG_DFL);
signal(SIGALRM, SIG_DFL);
args = (char *[]){envshell, "-i", NULL};
printf("\nforked child starting terminal\n");
execvp(args[0], args);
printf("\nExited the shell\n");
exit(EXIT_FAILURE);
}
output looks like this:
Hiya
PTMaster = 3
Grant success = 0
Unlock success = 0
Slave name = /dev/pts/19
Slave fd = 4
read 130 from master
buffer =
forked child starting terminal
eric#vbox:~/Desktop/terminal$ exit
wrote 3 to master
read -1 from master
buffer =
forked child starting terminal
eric#vbox:~/Desktop/terminal$ exit
I'm not sure why it has the word exit there either. Thanks in advance for any pointers you might have!

ninjalj was right. I had the slave opened for writing only.
Thank you very much!

Linux simulate write() system call failure using ptrace()

I am trying to simulate failure of write() system call.
I have read that return value -1 (in EAX) indicates error in system call and errno gives the exact reason for failure.
I am trying to intercept system call write() return -1 in EAX register and set the "errno" to some error value.
puts() internally uses write(), which is system call number 4.
If i do perror("Error:") in the child, it should show the error corresponding to "errno" which i would like to set.
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <sys/reg.h> /* For constants ORIG_EAX etc */
#include <stdio.h>
#include <sys/user.h>
#include <errno.h>
int main()
{ pid_t child;
int status;
long orig_eax,eax,params[3];
int ret_val=-1,insyscall=0;
struct user_regs_struct regs;
child = fork();
if(child == 0) {
ptrace(PTRACE_TRACEME, 0, NULL, NULL);
execl("/home/kashi/Documents/2nd_Sem/MyPrgms/ptrace/ramana/write", "write", NULL);
//execl("/bin/ls","ls",NULL);
}
else {
while(1)
{
wait(&status);
if(WIFEXITED(status))
break;
orig_eax = ptrace(PTRACE_PEEKUSER,
child, 4 * ORIG_EAX, NULL);
if(orig_eax == 4)
{
ptrace( PTRACE_GETREGS, child, 0, &regs );
printf("Write called with %ld, %ld %ld\n",regs.ebx, regs.ecx,regs.edx);
if(insyscall == 0)
{
/* Syscall entry */
printf("In %d\n",insyscall);
insyscall = 1;
}
else
{
/* Syscall exit */
regs.orig_eax=-1;
**errno=11; //This errno should be set in the child process, how to do it?**
ptrace( PTRACE_SETREGS, child, 0, &regs );
eax = ptrace(PTRACE_PEEKUSER, child, 4 * ORIG_EAX, NULL);
printf("Write returned with %ld\n", eax);
insyscall = 0;
}
}
//printf("The child made a "
// "system call %ld\n", regs.orig_eax);
ptrace(PTRACE_SYSCALL, child, NULL, NULL);
}
}
return 0;
}
The tracee program (testwrite.c) is:
#include<stdio.h>
#include<unistd.h>
#include<sys/ptrace.h>
#include<signal.h>
#include<errno.h>
//int display(char *p);
int main()
{
printf("Hi Kashi\n");
perror("Error: ");
return 0;
}
output:
[kashi#localhost ramana]$ ./test.sh
In 0
Hi Kashi
Write returned with -1
In 0
**Error: : Success**
Write returned with -1
The perror("Error:") displays text message corresponding to "errno". I am not able to set this "errno" in child process, how can i do it?

pclose() returns SIGPIPE intermittently

When the following C program is executed, and SIGUSR1 is sent to the running process repeatedly, the pclose() call will sometimes return 13. 13 corresponds to SIGPIPE on my system.
Why does this happen?
I am using while true; do kill -SIGUSR1 <process-id>; done to send SIGUSR1 to the program. The program is executed on Ubuntu 14.04.
#include <pthread.h>
#include <signal.h>
#include <unistd.h>
#include <stdio.h>
void handler(int i) {}
void* task(void*)
{
FILE *s;
char b [BUFSIZ];
while (1) {
if ((s = popen("echo hello", "r")) == NULL) {
printf("popen() failed\n");
}
while (fgets(b, BUFSIZ, s) != NULL) ;
if (int r = pclose(s)) {
printf("pclose() failed (%d)\n", r);
}
}
return 0;
}
int main(int argc, char **argv)
{
struct sigaction action;
action.sa_handler = handler;
sigemptyset(&action.sa_mask);
action.sa_flags = 0;
sigaction(SIGUSR1, &action, NULL);
pthread_t tid;
pthread_create(&tid, 0, task, NULL);
pthread_join(tid, NULL);
}

This happens when fgets gets interrupted by the signal. The program doesn't read the pipe to the end and closes it. The other program then SIGPIPEs.
The correct pipe reading operation is:
do {
while (fgets(b, BUFSIZ, s) != NULL) ;
} while (errno == EINTR);

Segmentation Fault when using Threads and Semaphores, Mac Vs Linux

My problem deals with a segmentation fault that I get when I run this program on a linux machine versus my own mac computer. This program runs how I believe it should on my own mac computer, yet when I try to run it on my school's linux computers, I get a segmentation fault that doesn't appear on my mac computer. I'll give a brief background on the assignment and then go over the problem in more detail.
So I have this program which basically simulates baboons crossing a ravine with a single rope. Only one baboon can cross at a time and there are certain restraints on the number of baboons that can cross at a time, as well as how many baboons can cross from one direction before baboons from the other direction are allowed to cross. The implementation of the code.
I have searched for segmentation fault questions already here on stackoverflow, yet most of them deal with multiple processes whereas I am merely using different threads. The segmentation fault ends up coming from waiting on a semaphore that doesn't exist, yet when I checked to see whether it was initialized, it was successfully initialized. Again, this program works on my mac but then doesn't work when I try to run it on my Mac. Any help at all understanding why it can't run on the linux machines but can run on the mac. If any more information is needed, I would be happy to provide it. I did error check at one point but that code was deleted off the school computers. My error checking, as far as I remember, didn't show any errors.
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/time.h>
#include <time.h>
#include <pthread.h>
#include <semaphore.h>
#include <fcntl.h>
#include <sys/stat.h> //for mode flags, if needed for future use
#define ATOB_COUNT 20
#define BTOA_COUNT 20
#define RANDOM_SEED 2123
//semaphore names
#define MUTEX_SEM "/mutex"
#define TOB_SEM "/toB"
#define TOA_SEM "/toA"
//define methods here if needed
void *toAThread(void *threadId);
void *toBThread(void *threadId);
void my_sleep(int limit);
void sem_open_errorCheck(char *name, unsigned int startingValue, sem_t *result);
//defining semaphores and shared variables
sem_t *mutex, *toB, *toA;
int xingCount = 0;
int xedCount = 0;
int toBWaitCount = 0;
int toAWaitCount = 0;
enum xingDirectionTypes {
none,
aToB,
bToA
};
enum xingDirectionTypes xingDirection = none;
char orderLeaving[100];
struct threadInfo {
int threadId;
};
struct threadInfo atobIDs[ATOB_COUNT];
struct threadInfo btoaIDs[BTOA_COUNT];
int main(void) {
pthread_t atobPTHREADS[ATOB_COUNT];
pthread_t btoaPTHREADS[BTOA_COUNT];
pthread_attr_t attr;
void *status;
srandom(RANDOM_SEED);
//call helper method which creates semaphore and errorchecks
sem_open_errorCheck(MUTEX_SEM, (unsigned int)1, mutex);
sem_open_errorCheck(TOA_SEM, (unsigned int)0, toA);
sem_open_errorCheck(TOB_SEM, (unsigned int)0, toB);
//Creating a set of attributes to send to the threads
pthread_attr_init(&attr);
pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_JOINABLE);
//spawn toB baboons
int counter;
for (counter = 0; counter < BTOA_COUNT; counter++) {
atobIDs[counter].threadId = counter;
int result;
if ((result = pthread_create(&atobPTHREADS[counter], &attr, toBThread, (void*) &atobIDs[counter])) == -1) {
perror("Thread Creation Error: atob baboon");
exit(EXIT_FAILURE);
}
}
//spawn toA baboons
for (counter = 0; counter < ATOB_COUNT; counter++) {
btoaIDs[counter].threadId = counter + 20;
int result;
if ((result = pthread_create(&btoaPTHREADS[counter], &attr, toAThread, (void*) &btoaIDs[counter])) == -1) {
perror("Thread Creation Error: btoa baboon");
exit(EXIT_FAILURE);
}
}
//Wait for all the threads to finish
for(counter = 0; counter < ATOB_COUNT; counter++)
{
int result = pthread_join(atobPTHREADS[counter], &status);
if(result == -1)
{
perror("Thread Join: AtoB");
exit(EXIT_FAILURE);
}
}
for(counter = 0; counter < BTOA_COUNT; counter++)
{
int result = pthread_join(btoaPTHREADS[counter], &status);
if(result == -1)
{
perror("Thread Join: BtoA");
exit(EXIT_FAILURE);
}
}
printf("The order leaving %s", orderLeaving);
exit(EXIT_SUCCESS);
}
void *toBThread(void *threadId) {
struct threadInfo *info;
info = (struct threadInfo *)threadId;
int id = info->threadId;
my_sleep(100); //simulate being idle for 1-100ms
//for order checking
char *baboonOrder;
baboonOrder = "B ";
strcat(orderLeaving, baboonOrder);
sem_wait(mutex);
if ((xingDirection == aToB || xingDirection == none) && xingCount < 5 && (xedCount + xingCount) < 10) { //there is an extra parenthesis here in the solutions
xingDirection = aToB;
xingCount++;
printf("AtoB baboon (thread %d) got on the rope\n", id);
sem_post(mutex);
}
else {
toBWaitCount++;
sem_post(mutex);
sem_wait(toB);
toBWaitCount--;
xingCount++;
xingDirection = aToB;
printf("AtoB baboon (thread %d) got on the rope\n", id);
sem_post(mutex);
}
//CROSSING
sem_wait(mutex);
printf("AtoB baboon (thread %d) got off the rope\n", id);
xedCount++;
xingCount--;
if (toBWaitCount != 0 && (((xedCount+xingCount)<10) || ((xedCount+xingCount) >= 10 && toAWaitCount == 0))) {
sem_post(toB);
}
else {
if (xingCount == 0 && toAWaitCount != 0 && (toBWaitCount == 0 || (xedCount + xingCount)>=10)) {
xingDirection = bToA;
xedCount = 0;
sem_post(toA);
}
else {
if (xingCount == 0 && toBWaitCount == 0 && toAWaitCount == 0) {
xingDirection = none;
xedCount = 0;
sem_post(mutex);
}
else {
sem_post(mutex);
}
}
}
}
/*
baboons going from side a to side b
*/
void *toAThread(void *threadId) {
struct threadInfo *info;
info = (struct threadInfo *)threadId;
int id = info->threadId;
my_sleep(100);
//for order checking
char *baboonOrder;
baboonOrder = "A ";
strcat(orderLeaving, baboonOrder);
sem_wait(mutex);
if ((xingDirection == bToA || xingDirection == none) && xingCount < 5 && (xedCount + xingCount) < 10) { //there is an extra parenthesis here in the solutions
xingDirection = bToA;
xingCount++;
printf("BtoA baboon (thread %d) got on the rope\n", id);
sem_post(mutex);
}
else {
toAWaitCount++;
sem_post(mutex);
sem_wait(toA);
toAWaitCount--;
xingCount++;
xingDirection = bToA;
printf("BtoA baboon (thread %d) got on the rope\n", id);
sem_post(mutex);
}
//CROSSING
sem_wait(mutex);
printf("BtoA baboon (thread %d) got off the rope\n", id);
xedCount++;
xingCount--;
if (toAWaitCount != 0 && (((xedCount+xingCount)<10) || ((xedCount+xingCount) >= 10 && toBWaitCount == 0))) {
sem_post(toA);
}
else {
if (xingCount == 0 && toBWaitCount != 0 && (toAWaitCount == 0 || (xedCount + xingCount)>=10)) {
xingDirection = aToB;
xedCount = 0;
sem_post(toB);
}
else {
if (xingCount == 0 && toAWaitCount == 0 && toBWaitCount == 0) {
xingDirection = none;
xedCount = 0;
sem_post(mutex);
}
else {
sem_post(mutex);
}
}
}
}
//taken with permission from readers/writers problem
//Puts the calling thread to sleep to simulate both random start times and random workloads
void my_sleep(int limit) {
struct timespec time_ns;
int duration = random() % limit + 1;
time_ns.tv_sec = 0;
time_ns.tv_nsec = duration * 1000000;
int result = nanosleep(&time_ns, NULL);
if (result != 0)
{
perror("Nanosleep");
exit(EXIT_FAILURE);
}
}
void sem_open_errorCheck(char *name, unsigned int startingValue, sem_t *result) {
sem_unlink(name);
result = sem_open(name, O_CREAT, 0600, startingValue);
if (result == -1) {
perror("sem_open error: semaphore failed to open correctly");
exit(EXIT_FAILURE);
}
}

How to debug stuff like this
The best way to debug this is to run it using the gdb debugger. Like this:
gdb my-monkey-program
(gdb) run
Program received signal SIGSEGV, Segmentation fault.
(gdb) info threads
(gdb) bt
Another excellent idea is to run it with valgrind:
valgrind ./my-monkey-program
which will tell you about invalid memory accesses and all sorts of things.
Your specific problem
gdb reports that the call stack is:
#0 sem_wait () at ../nptl/sysdeps/unix/sysv/linux/x86_64/sem_wait.S:45
#1 0x0000000000400e8d in toAThread (threadId=0x602160) at test.c:190
#2 0x00007ffff7bc4e9a in start_thread (arg=0x7fffed7e9700) at pthread_create.c:308
#3 0x00007ffff78f1cbd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#4 0x0000000000000000 in ?? ()
Here are the line numbers from my compile:
187 baboonOrder = "A ";
188 strcat(orderLeaving, baboonOrder);
189
190 sem_wait(mutex);
This is because mutex is NULL.
Why it breaks
You're never actually assigning to the mutex variable. You're passing a pointer into sem_open_errorCheck, but what you really need to pass is a pointer-to-a-pointer. Presumably the same applies to toA and toB.
It's just luck that it worked on the Mac!