How to modify the EIP of a forked tracee process?


Problem description


I'm working on a Linux application incorporating ptrace to observe another process which had been created by fork() system call.


Strictly speaking: I want to implement a fault injection into the forked process (child process or "tracee").

As shown in the figure below:


The tracer gets the regs (struct user_regs_struct) structure from the tracee by using the PTRACE_GETREGS request. After that, the tracer modifies the EIP value of the tracee (when the kernel switches into the tracee, the execution order will be violated, the so-called control flow error, CFE). Then a PTRACE_CONT request will be sent to the tracee to continue its execution.


Unfortunately, after modifying the tracee's EIP, the tracee doesn't continue its execution due to a segmentation fault. How can I give another suitable value to the tracee's EIP?

Here is the code:

#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <sys/user.h>
#include <sys/reg.h>
#include <stdlib.h>
#include <stdio.h>
#include <signal.h>   /* for raise() and SIGINT */
#include <asm/ptrace-abi.h>

int main()
{
    pid_t child;
    int status;
    int sum = 0;
    struct user_regs_struct regs;

    child = fork();
    if (child == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);

        printf("hello world 1\n");
        printf("hello world 2\n");
        raise(SIGINT); // just to move control to the tracer
        printf("hello world 3\n");
        printf("hello world 4\n");
        printf("hello world 5\n");

        exit(EXIT_SUCCESS);
    }
    else {
        wait(NULL);
        ptrace(PTRACE_GETREGS, child, NULL, &regs);
        printf("\n EIP @ %#lx\n", regs.eip);
        // get the tracee EIP
        long int new_eip = ptrace(PTRACE_PEEKTEXT, child, regs.eip, NULL);
        // change EIP and poke it again
        new_eip += ???; // make a change that jumps to another tracee instruction address (say to print hello world 5)
        ptrace(PTRACE_POKETEXT, child, regs.eip, new_eip);
        ptrace(PTRACE_CONT, child, NULL, NULL);
    }

    return 0;
}


Any thoughts? Thank you for all your assistance.

Recommended answer


You're not modifying the EIP, you're adding something to the value of the instruction at EIP, and probably resulting in a bad address reference. To change EIP, use PTRACE_SETREGS

    wait(NULL);
    ptrace(PTRACE_GETREGS, child, NULL, &regs);
    printf("\n EIP @ %#lx\n", regs.eip);
    regs.eip += ???;
    ptrace(PTRACE_SETREGS, child, NULL, &regs);
    ptrace(PTRACE_CONT, child, NULL, NULL);
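The question's tracer pokes a modified word back into the text segment at the address EIP points to, while the answer changes the register itself with PTRACE_SETREGS. The program below is an added example, not code from the question or the answer, and shows the answer's approach end to end on x86/x86-64 Linux: the child stops itself, the tracer moves the child's instruction pointer to a function address it already knows (fork() keeps the address space identical, so no address lookup in the tracee is needed), resumes it, and then classifies how the child terminated, so a SIGSEGV from a bad target is reported rather than left as a mystery. The names landing_site, redirect_child_ip, set_instruction_pointer and kill_and_reap, and the exit codes 42 and 99, are assumptions chosen for this example; the rip/eip field choice follows the kernel's struct user_regs_struct on each architecture.

```c
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

#define LANDING_EXIT   42   /* exit code that proves the redirect took effect (assumed) */
#define TRACEME_FAILED 99   /* child exit code when PTRACE_TRACEME is refused (assumed) */

/* Landing site for the injected control-flow change. A normal run never calls
 * it; it is reached only if the tracer rewrites the child's instruction
 * pointer. fork() copies the address space, so the address is the same in
 * tracer and tracee (no exec, so ASLR does not change it). */
__attribute__((noinline, used, noreturn))
static void landing_site(void)
{
    _exit(LANDING_EXIT);
}

/* Set the instruction-pointer field of the register set for this CPU.
 * Returns 0 on x86/x86-64, -1 on architectures this example does not cover. */
static int set_instruction_pointer(struct user_regs_struct *regs, uintptr_t ip)
{
#if defined(__x86_64__)
    regs->rip = ip;
    return 0;
#elif defined(__i386__)
    regs->eip = ip;
    return 0;
#else
    (void)regs;
    (void)ip;
    return -1;
#endif
}

/* Tear the tracee down on a tracer-side error and return the caller's code. */
static int kill_and_reap(pid_t child, int rc)
{
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return rc;
}

/* Fork a tracee, wait for the SIGSTOP it raises, point its instruction pointer
 * at landing_site() with PTRACE_SETREGS and resume it. Returns the child's
 * exit code (LANDING_EXIT when the redirect worked; 0 would mean the child ran
 * on past raise() unchanged), -1 if ptrace is unusable in this environment,
 * -2 on an unsupported CPU, -3 if the child died from a signal such as SIGSEGV. */
int redirect_child_ip(void)
{
    struct user_regs_struct regs;
    int status;
    pid_t child = fork();

    if (child < 0)
        return -1;
    if (child == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(TRACEME_FAILED);
        raise(SIGSTOP);   /* hand control to the tracer, as the question does with SIGINT */
        _exit(0);         /* only reached if the instruction pointer was not changed */
    }

    /* First stop: the SIGSTOP the child sent itself. */
    if (waitpid(child, &status, 0) != child)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status) == TRACEME_FAILED ? -1 : WEXITSTATUS(status);
    if (!WIFSTOPPED(status))
        return -3;

    if (ptrace(PTRACE_GETREGS, child, NULL, &regs) == -1)
        return kill_and_reap(child, -1);
    if (set_instruction_pointer(&regs, (uintptr_t)landing_site) == -1)
        return kill_and_reap(child, -2);
    /* The answer's fix: write the register set back with PTRACE_SETREGS.
     * PTRACE_POKETEXT at regs.eip would instead overwrite the instruction
     * bytes the tracee is about to execute. */
    if (ptrace(PTRACE_SETREGS, child, NULL, &regs) == -1)
        return kill_and_reap(child, -1);
    /* Resume with signal 0 so the pending SIGSTOP is discarded. */
    if (ptrace(PTRACE_CONT, child, NULL, (void *)0) == -1)
        return kill_and_reap(child, -1);

    for (;;) {
        if (waitpid(child, &status, 0) != child)
            return -1;
        if (WIFEXITED(status))
            return WEXITSTATUS(status);
        if (WIFSIGNALED(status))
            return -3;
        /* Any later stop is a real signal (e.g. SIGSEGV from a bad target
         * address); forward it so the tracee terminates the normal way. */
        if (ptrace(PTRACE_CONT, child, NULL, (void *)(long)WSTOPSIG(status)) == -1)
            return kill_and_reap(child, -1);
    }
}
```

Call redirect_child_ip() from main; it returns 42 when the redirect worked. The value written into the instruction-pointer register must be an instruction boundary inside mapped, executable memory, which a function entry point satisfies and an arbitrary `regs.eip += ???` need not; the terminal loop forwards any SIGSEGV the tracee gets so a bad target shows up as a signal death (-3) instead of a hang.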
