• ptrace 反调试


     

    前言:

      在动手尝试MBE系列课程第一天中的小程序时,遇到了一个ptrace反调试的问题,当然简单的做一次patch也是可以的。但是本着打破沙锅问到底的精神,到网上查看了一些资料,整理到这里。

      分别转载自 如何调试加入了ptrace的程序 以及 玩转ptrace。 

      以及,以下内容我并未亲自尝试,难免会有不足之处,后面会慢慢补充,有错之处请大家指出,谢谢分享。

    ptrace 简介:

      你想过怎么实现对系统调用的拦截吗?你尝试过通过改变系统调用的参数来愚弄你的系统kernel吗?你想过调试器是如何使运行中的进程暂停并且控制它吗?

      你可能会开始考虑怎么使用复杂的kernel编程来达到目的,那么,你错了。实际上Linux提供了一种优雅的机制来完成这些:ptrace系统调用。 ptrace提供了一种让跟踪者(tracer,通常是父进程)得以监视和控制被跟踪进程(tracee)的方式,它还能够读写 tracee 的寄存器和内存映像,因而可以实现断点调试和系统调用的跟踪。

      使用ptrace,你可以在用户层拦截和修改系统调用(sys call),修改它的参数,插入代码给正在运行的程序以及偷窥和篡改进程的寄存器和数据段。

      具体的使用暂不深究,有兴趣的同学可以点进上方链接去学习学习;

      ptrace函数原型(原图缺失,按 glibc 的声明补上):

      long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data);

      request:请求执行的行为

      pid:目标进程标识。
      addr:执行peek和poke操作的目标地址。 
      data:对于poke操作,存放要写入数据的地方。对于peek操作,glibc 的包装函数会把读到的字直接作为 ptrace 的返回值返回(见下文 syscall = ptrace(PTRACE_PEEKUSER, ...) 的用法),data 一般传 NULL。

      其中request有如下选择:

    /*
     * ptrace request codes.
     * NOTE(review): these names and values (PT_DENY_ATTACH, PT_SIGEXC,
     * PT_THUPDATE, PT_FIRSTMACH, PT_ATTACH == 10) match the XNU/macOS
     * <sys/ptrace.h>, not Linux. Linux's <sys/ptrace.h> uses PTRACE_* names,
     * numbers PTRACE_ATTACH as 16, and has no PT_DENY_ATTACH at all -- so
     * confirm the platform before patching a request value by number.
     */
    #define PT_TRACE_ME 0 /* child declares it's being traced */
    
    #define PT_READ_I 1 /* read word in child's I space */
    
    #define PT_READ_D 2 /* read word in child's D space */
    
    #define PT_READ_U 3 /* read word in child's user structure */
    
    #define PT_WRITE_I 4 /* write word in child's I space */
    
    #define PT_WRITE_D 5 /* write word in child's D space */
    
    #define PT_WRITE_U 6 /* write word in child's user structure */
    
    #define PT_CONTINUE 7 /* continue the child */
    
    #define PT_KILL 8 /* kill the child process */
    
    #define PT_STEP 9 /* single step the child */
    
    #define PT_ATTACH 10 /* trace some running process */
    
    #define PT_DETACH 11 /* stop tracing a process */
    
    #define PT_SIGEXC 12 /* signals as exceptions for current_proc */
    
    #define PT_THUPDATE 13 /* signal for thread# */
    
    #define PT_ATTACHEXC 14 /* attach to running process with signal exception */
    
    
    #define PT_FORCEQUOTA 30 /* Enforce quota for root */
    
    #define PT_DENY_ATTACH 31 /* refuse later attach requests -- the anti-debugging request used below */
    
    #define PT_FIRSTMACH 32 /* for machine-specific requests */

      需要说明的是,addr 并不是系统调用号:它的含义取决于 request。对 PTRACE_PEEKUSER 来说,addr 是 tracee 的 struct user 内的字节偏移,例如下文用 4 * ORIG_EAX 读出 i386 上进入系统调用时保存的原始 eax,这个返回值才是系统调用号。系统调用号与名字的对应关系可以查看 /usr/include/asm/unistd.h(32 位和 64 位的编号不同,分别在 unistd_32.h / unistd_64.h 中)。

      此处给出unistd_32.h的内容(仅对 32 位 x86 有效)

    /*
     * i386 (32-bit x86) system-call numbers. This is the value a tracer reads
     * out of the saved original %eax (ORIG_EAX) after a syscall stop, and the
     * table below is what maps that number back to a name.
     * NOTE(review): these are the 32-bit ABI numbers only; the x86_64 table
     * (unistd_64.h) is numbered differently, so never reuse these constants in
     * a 64-bit tracer. Gaps in the numbering (e.g. 222-223, 251, 285) are
     * present in the original header and are not transcription errors.
     */
    #ifndef _ASM_X86_UNISTD_32_H
    #define _ASM_X86_UNISTD_32_H 1
    
    #define __NR_restart_syscall 0
    #define __NR_exit 1
    #define __NR_fork 2
    #define __NR_read 3
    #define __NR_write 4
    #define __NR_open 5
    #define __NR_close 6
    #define __NR_waitpid 7
    #define __NR_creat 8
    #define __NR_link 9
    #define __NR_unlink 10
    #define __NR_execve 11 /* the number the tracer snippet further down compares against */
    #define __NR_chdir 12
    #define __NR_time 13
    #define __NR_mknod 14
    #define __NR_chmod 15
    #define __NR_lchown 16
    #define __NR_break 17
    #define __NR_oldstat 18
    #define __NR_lseek 19
    #define __NR_getpid 20
    #define __NR_mount 21
    #define __NR_umount 22
    #define __NR_setuid 23
    #define __NR_getuid 24
    #define __NR_stime 25
    #define __NR_ptrace 26 /* ptrace itself is a system call; a tracer can catch it too */
    #define __NR_alarm 27
    #define __NR_oldfstat 28
    #define __NR_pause 29
    #define __NR_utime 30
    #define __NR_stty 31
    #define __NR_gtty 32
    #define __NR_access 33
    #define __NR_nice 34
    #define __NR_ftime 35
    #define __NR_sync 36
    #define __NR_kill 37
    #define __NR_rename 38
    #define __NR_mkdir 39
    #define __NR_rmdir 40
    #define __NR_dup 41
    #define __NR_pipe 42
    #define __NR_times 43
    #define __NR_prof 44
    #define __NR_brk 45
    #define __NR_setgid 46
    #define __NR_getgid 47
    #define __NR_signal 48
    #define __NR_geteuid 49
    #define __NR_getegid 50
    #define __NR_acct 51
    #define __NR_umount2 52
    #define __NR_lock 53
    #define __NR_ioctl 54
    #define __NR_fcntl 55
    #define __NR_mpx 56
    #define __NR_setpgid 57
    #define __NR_ulimit 58
    #define __NR_oldolduname 59
    #define __NR_umask 60
    #define __NR_chroot 61
    #define __NR_ustat 62
    #define __NR_dup2 63
    #define __NR_getppid 64
    #define __NR_getpgrp 65
    #define __NR_setsid 66
    #define __NR_sigaction 67
    #define __NR_sgetmask 68
    #define __NR_ssetmask 69
    #define __NR_setreuid 70
    #define __NR_setregid 71
    #define __NR_sigsuspend 72
    #define __NR_sigpending 73
    #define __NR_sethostname 74
    #define __NR_setrlimit 75
    #define __NR_getrlimit 76
    #define __NR_getrusage 77
    #define __NR_gettimeofday 78
    #define __NR_settimeofday 79
    #define __NR_getgroups 80
    #define __NR_setgroups 81
    #define __NR_select 82
    #define __NR_symlink 83
    #define __NR_oldlstat 84
    #define __NR_readlink 85
    #define __NR_uselib 86
    #define __NR_swapon 87
    #define __NR_reboot 88
    #define __NR_readdir 89
    #define __NR_mmap 90
    #define __NR_munmap 91
    #define __NR_truncate 92
    #define __NR_ftruncate 93
    #define __NR_fchmod 94
    #define __NR_fchown 95
    #define __NR_getpriority 96
    #define __NR_setpriority 97
    #define __NR_profil 98
    #define __NR_statfs 99
    #define __NR_fstatfs 100
    #define __NR_ioperm 101
    #define __NR_socketcall 102
    #define __NR_syslog 103
    #define __NR_setitimer 104
    #define __NR_getitimer 105
    #define __NR_stat 106
    #define __NR_lstat 107
    #define __NR_fstat 108
    #define __NR_olduname 109
    #define __NR_iopl 110
    #define __NR_vhangup 111
    #define __NR_idle 112
    #define __NR_vm86old 113
    #define __NR_wait4 114
    #define __NR_swapoff 115
    #define __NR_sysinfo 116
    #define __NR_ipc 117
    #define __NR_fsync 118
    #define __NR_sigreturn 119
    #define __NR_clone 120
    #define __NR_setdomainname 121
    #define __NR_uname 122
    #define __NR_modify_ldt 123
    #define __NR_adjtimex 124
    #define __NR_mprotect 125
    #define __NR_sigprocmask 126
    #define __NR_create_module 127
    #define __NR_init_module 128
    #define __NR_delete_module 129
    #define __NR_get_kernel_syms 130
    #define __NR_quotactl 131
    #define __NR_getpgid 132
    #define __NR_fchdir 133
    #define __NR_bdflush 134
    #define __NR_sysfs 135
    #define __NR_personality 136
    #define __NR_afs_syscall 137
    #define __NR_setfsuid 138
    #define __NR_setfsgid 139
    #define __NR__llseek 140
    #define __NR_getdents 141
    #define __NR__newselect 142
    #define __NR_flock 143
    #define __NR_msync 144
    #define __NR_readv 145
    #define __NR_writev 146
    #define __NR_getsid 147
    #define __NR_fdatasync 148
    #define __NR__sysctl 149
    #define __NR_mlock 150
    #define __NR_munlock 151
    #define __NR_mlockall 152
    #define __NR_munlockall 153
    #define __NR_sched_setparam 154
    #define __NR_sched_getparam 155
    #define __NR_sched_setscheduler 156
    #define __NR_sched_getscheduler 157
    #define __NR_sched_yield 158
    #define __NR_sched_get_priority_max 159
    #define __NR_sched_get_priority_min 160
    #define __NR_sched_rr_get_interval 161
    #define __NR_nanosleep 162
    #define __NR_mremap 163
    #define __NR_setresuid 164
    #define __NR_getresuid 165
    #define __NR_vm86 166
    #define __NR_query_module 167
    #define __NR_poll 168
    #define __NR_nfsservctl 169
    #define __NR_setresgid 170
    #define __NR_getresgid 171
    #define __NR_prctl 172
    #define __NR_rt_sigreturn 173
    #define __NR_rt_sigaction 174
    #define __NR_rt_sigprocmask 175
    #define __NR_rt_sigpending 176
    #define __NR_rt_sigtimedwait 177
    #define __NR_rt_sigqueueinfo 178
    #define __NR_rt_sigsuspend 179
    #define __NR_pread64 180
    #define __NR_pwrite64 181
    #define __NR_chown 182
    #define __NR_getcwd 183
    #define __NR_capget 184
    #define __NR_capset 185
    #define __NR_sigaltstack 186
    #define __NR_sendfile 187
    #define __NR_getpmsg 188
    #define __NR_putpmsg 189
    #define __NR_vfork 190
    #define __NR_ugetrlimit 191
    #define __NR_mmap2 192
    #define __NR_truncate64 193
    #define __NR_ftruncate64 194
    #define __NR_stat64 195
    #define __NR_lstat64 196
    #define __NR_fstat64 197
    #define __NR_lchown32 198
    #define __NR_getuid32 199
    #define __NR_getgid32 200
    #define __NR_geteuid32 201
    #define __NR_getegid32 202
    #define __NR_setreuid32 203
    #define __NR_setregid32 204
    #define __NR_getgroups32 205
    #define __NR_setgroups32 206
    #define __NR_fchown32 207
    #define __NR_setresuid32 208
    #define __NR_getresuid32 209
    #define __NR_setresgid32 210
    #define __NR_getresgid32 211
    #define __NR_chown32 212
    #define __NR_setuid32 213
    #define __NR_setgid32 214
    #define __NR_setfsuid32 215
    #define __NR_setfsgid32 216
    #define __NR_pivot_root 217
    #define __NR_mincore 218
    #define __NR_madvise 219
    #define __NR_getdents64 220
    #define __NR_fcntl64 221
    #define __NR_gettid 224
    #define __NR_readahead 225
    #define __NR_setxattr 226
    #define __NR_lsetxattr 227
    #define __NR_fsetxattr 228
    #define __NR_getxattr 229
    #define __NR_lgetxattr 230
    #define __NR_fgetxattr 231
    #define __NR_listxattr 232
    #define __NR_llistxattr 233
    #define __NR_flistxattr 234
    #define __NR_removexattr 235
    #define __NR_lremovexattr 236
    #define __NR_fremovexattr 237
    #define __NR_tkill 238
    #define __NR_sendfile64 239
    #define __NR_futex 240
    #define __NR_sched_setaffinity 241
    #define __NR_sched_getaffinity 242
    #define __NR_set_thread_area 243
    #define __NR_get_thread_area 244
    #define __NR_io_setup 245
    #define __NR_io_destroy 246
    #define __NR_io_getevents 247
    #define __NR_io_submit 248
    #define __NR_io_cancel 249
    #define __NR_fadvise64 250
    #define __NR_exit_group 252
    #define __NR_lookup_dcookie 253
    #define __NR_epoll_create 254
    #define __NR_epoll_ctl 255
    #define __NR_epoll_wait 256
    #define __NR_remap_file_pages 257
    #define __NR_set_tid_address 258
    #define __NR_timer_create 259
    #define __NR_timer_settime 260
    #define __NR_timer_gettime 261
    #define __NR_timer_getoverrun 262
    #define __NR_timer_delete 263
    #define __NR_clock_settime 264
    #define __NR_clock_gettime 265
    #define __NR_clock_getres 266
    #define __NR_clock_nanosleep 267
    #define __NR_statfs64 268
    #define __NR_fstatfs64 269
    #define __NR_tgkill 270
    #define __NR_utimes 271
    #define __NR_fadvise64_64 272
    #define __NR_vserver 273
    #define __NR_mbind 274
    #define __NR_get_mempolicy 275
    #define __NR_set_mempolicy 276
    #define __NR_mq_open 277
    #define __NR_mq_unlink 278
    #define __NR_mq_timedsend 279
    #define __NR_mq_timedreceive 280
    #define __NR_mq_notify 281
    #define __NR_mq_getsetattr 282
    #define __NR_kexec_load 283
    #define __NR_waitid 284
    #define __NR_add_key 286
    #define __NR_request_key 287
    #define __NR_keyctl 288
    #define __NR_ioprio_set 289
    #define __NR_ioprio_get 290
    #define __NR_inotify_init 291
    #define __NR_inotify_add_watch 292
    #define __NR_inotify_rm_watch 293
    #define __NR_migrate_pages 294
    #define __NR_openat 295
    #define __NR_mkdirat 296
    #define __NR_mknodat 297
    #define __NR_fchownat 298
    #define __NR_futimesat 299
    #define __NR_fstatat64 300
    #define __NR_unlinkat 301
    #define __NR_renameat 302
    #define __NR_linkat 303
    #define __NR_symlinkat 304
    #define __NR_readlinkat 305
    #define __NR_fchmodat 306
    #define __NR_faccessat 307
    #define __NR_pselect6 308
    #define __NR_ppoll 309
    #define __NR_unshare 310
    #define __NR_set_robust_list 311
    #define __NR_get_robust_list 312
    #define __NR_splice 313
    #define __NR_sync_file_range 314
    #define __NR_tee 315
    #define __NR_vmsplice 316
    #define __NR_move_pages 317
    #define __NR_getcpu 318
    #define __NR_epoll_pwait 319
    #define __NR_utimensat 320
    #define __NR_signalfd 321
    #define __NR_timerfd_create 322
    #define __NR_eventfd 323
    #define __NR_fallocate 324
    #define __NR_timerfd_settime 325
    #define __NR_timerfd_gettime 326
    #define __NR_signalfd4 327
    #define __NR_eventfd2 328
    #define __NR_epoll_create1 329
    #define __NR_dup3 330
    #define __NR_pipe2 331
    #define __NR_inotify_init1 332
    #define __NR_preadv 333
    #define __NR_pwritev 334
    #define __NR_rt_tgsigqueueinfo 335
    #define __NR_perf_event_open 336
    #define __NR_recvmmsg 337
    #define __NR_fanotify_init 338
    #define __NR_fanotify_mark 339
    #define __NR_prlimit64 340
    #define __NR_name_to_handle_at 341
    #define __NR_open_by_handle_at 342
    #define __NR_clock_adjtime 343
    #define __NR_syncfs 344
    #define __NR_sendmmsg 345
    #define __NR_setns 346
    #define __NR_process_vm_readv 347
    #define __NR_process_vm_writev 348
    #define __NR_kcmp 349
    #define __NR_finit_module 350
    #define __NR_sched_setattr 351
    #define __NR_sched_getattr 352
    #define __NR_renameat2 353
    #define __NR_seccomp 354
    
    #endif /* _ASM_X86_UNISTD_32_H */

      反调试中一般使用方法

       ptrace(PT_DENY_ATTACH, 0, 0, 0);   /* 注意:PT_DENY_ATTACH 是 macOS(XNU)特有的 request,Linux 的 ptrace 没有它 */

       在反汇编下看到的是

      

      0x1f == 31 == PT_DENY_ATTACH   拒绝附加调试(BF 1F 00 00 00 即 mov edi, 0x1f;x86-64 SysV 调用约定下 edi 装的是第一个参数,也就是 request)

      想想如果把 request 这个参数修改为 PT_ATTACH 允许附加调试呢

      就把 BF1F000000 这一行的1F修改为0A (0A== 10 == PT_ATTACH)

      即 BF0A000000。注意改完之后这条调用变成了 ptrace(PT_ATTACH, 0, 0, 0),对 pid 0 附加会直接失败返回 -1,它只是不再拒绝调试器;如果程序还检查了 ptrace 的返回值,那处判断也得一起 patch 掉。

      

      然后再挂上GDB就会看到

      

      

      但是实际中我在MBE中lab1A的小程序中,看到的是PT_TRACEME,依然起到了反调试的作用。原因是 Linux 内核只允许一个进程有一个 tracer:程序自己调用 ptrace(PTRACE_TRACEME, 0, 0, 0) 时,如果它已经被 gdb 附加(或由 gdb 启动),这次调用会失败返回 -1(errno 为 EPERM),而没有调试器时会成功返回 0,程序只要检查这个返回值就能发现调试器。常见的绕过办法是 patch 掉对返回值的判断,或者在 gdb 里 catch syscall ptrace 后把返回值改成 0。

      

       3.7 更新:

        ptrace 还可以在 tracee 每次进入/退出系统调用时把它停下来(PTRACE_SYSCALL),tracer 在 waitpid 返回后读出系统调用号并决定是否放行,相关代码片段如下(32 位 x86,节选自 tracer 的处理循环):

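    /*
     * Read the number of the system call the stopped tracee is entering.
     * PTRACE_PEEKUSER returns the word at byte offset `addr` in the tracee's
     * struct user; 4 * ORIG_EAX scales the register index by the 32-bit word
     * size to reach the saved original %eax, which holds the syscall number.
     * NOTE(review): i386 only -- on x86_64 the offset is 8 * ORIG_RAX and
     * execve is 59, not 11. PEEK requests return the data itself, so -1 is
     * ambiguous between an error and a genuine -1 word; a careful tracer
     * clears errno before the call and checks it afterwards.
     */
     syscall = ptrace(PTRACE_PEEKUSER, child, 4 * ORIG_EAX, NULL);

     /* 11 is __NR_execve on i386: refuse to let the tracee exec anything. */
     if (syscall == 11)
     {
          /* The original listing lost the "\n" escape during extraction. */
          printf("no exec() for you\n");
          return 0;
     }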
  • 原文地址:https://www.cnblogs.com/echo579/p/6236075.html
Copyright © 2020-2023  润新知