ptrace

Are there any guides or examples (especially ARM ones) or libraries of using ptrace to affect execution of other process? For example, to make it believe that some data is appeared on file descriptor (i.e. release select/poll with some result and "answer" the following read syscall before the kernel). Expecting something involving PTRACE_SYSEMU. Can it be done in portable way? I want something like libc-overriding LD_PRELOAD trick, but which can be attached at runtime. Can it be done with some gdb commands? Ideal variant would be if there is some library where I can easily and portably hook

Does anyone have any good explanations, tutorials, books, or guides on the use of PTRACE_SYSEMU ? What I found interesting: Example Implementation for ptrace Playing with ptrace, Part I - LinuxJournal.com Playing with ptrace, Part II - LinuxJournal.com And programming library that makes using ptrace easier : PinkTrace - ptrace() wrapper library. For pinktrace there are examples, sydbox sources are example of complex pinktrace usecase. In general, I've found author as good person to contact about using and testing pinktrace. There is small test from linux kernel sources which uses PTRACE_SYSEMU

I try to parse all the Calls and Rets from an executable with ptrace. Conforming the the x64opcode , I found opcodes for Calls: 0xe8 and for Rets: 0xc3, 0xc2, 0xca, 0xcb . Since I parsed them I found more Rets than Calls. There is the program I trace: void func() { write(1, "i", 1); } int main(int ac) { func(); return(0); } There is my tracer: int tracer(t_info *info) { int status; long ptr; int ret = 0; int call = 0; waitpid(info->pid, &status, 0); while (WIFSTOPPED(status)) { ptrace(PTRACE_GETREGS, info->pid, NULL, info->regs); ptr = ptrace(PTRACE_PEEKDATA, info->pid, info->regs->rip); if ((

I am trying to code a program that traces itself for system calls. I am having a difficult time making this work. I tried calling a fork() to create an instance of itself (the code), then monitor the resulting child process. The goal is for the parent process to return the index of every system call made by the child process and output it to the screen. Somehow it is not working as planned. Here is the code: #include <unistd.h> /* for read(), write(), close(), fork() */ #include <fcntl.h> /* for open() */ #include <stdio.h> #include <sys/ptrace.h> #include <sys/reg.h> #include <sys/wait.h>

Linux 系统gdb等调试器，都是通过ptrace系统调用实现。Android加固中，ptrace自身防止调试器附加是一种常用的反调试手段。 调试时一般需要手工在ptrace处下断点，通过修改ptrace返回值过掉反调试。下面提供另一种思路，降低手工操作复杂度： 测试代码（反调试程序）： #include <stdio.h> #include <stdlib.h> #include <sys/ptrace.h> void a() { if (ptrace(PTRACE_TRACEME, 0, 1, 0) == -1) { printf("don't trace me !!\n"); exit(1); } // normal execution puts("hello girl."); } int main() { a(); return 0; } 编写辅助库： /* Type of the REQUEST argument to `ptrace.' */ enum __ptrace_request { PTRACE_TRACEME = 0, #define PT_TRACE_ME PTRACE_TRACEME }; long ptrace(enum __ptrace_request request, unsigned long pid, void *addr, void

原理分析 动态库注入 inline hook 源码目录中的example则是一个使用ADBI进行hook epoll_wait的示例。 hijack hijack实现动态库注入功能，通过在目标进程插入dlopen()调用序列，加载指定so文件。要实现这个功能，主要做两件事情： 获得目标进程中dlopen()地址 在目标进程的栈空间上构造一处dlopen()调用 下面分别解决这两个问题 1. 获得目标进程中dlopen()地址 在ADBI中，通过下面代码来获得目标进程中dlopen()函数地址： void *ldl = dlopen("libdl.so", RTLD_LAZY); if (ldl) { dlopenaddr = (unsigned long)dlsym(ldl, "dlopen"); dlclose(ldl); } unsigned long int lkaddr; unsigned long int lkaddr2; find_linker(getpid(), &lkaddr); find_linker(pid, &lkaddr2); dlopenaddr = lkaddr2 + (dlopenaddr - lkaddr); 其中find_linker()函数功能是获取指定进程中linker的地址。 linker是Android提供的动态链接器