How to modify EIP's tracee forked procee?

前端 未结 2 1431
小鲜肉
小鲜肉 2021-01-24 09:30

I\'m working on a Linux application incorporating ptrace to observe another process which had been created by fork() system call.

Strictly speaking: I want to implement

相关标签:
2条回答
  • 2021-01-24 10:09

    Yes, it is completely platform-specific. I read a lot of materials which described ptrace syscall and how we can use it to capture the EIP of the next instruction that is going to execute after the ptrace send some request (like PTRACE_CONT) to the suspended tracee. I always see that the EIP value is something like this :

     80484a6:
     80484a7:   
     80484ac:   
     80484b2:
     80484b4:
     80484b6:
     80484b8:
    

    I test a simple code (just print the value of EIP and the corresponding executed instruction). but the result was as you shown below:

    EIP: b773cbe0 Instruction executed: c3595a5d
    EIP: b773cbe1 Instruction executed: ccc3595a
    EIP: b773cbe0 Instruction executed: c3595a5d
    hello world 5
    EIP: b773cbe0 Instruction executed: c3595a5d
    EIP: b773cbe1 Instruction executed: ccc3595a
    EIP: b773cbe0 Instruction executed: c3595a5d
    hello world 6
    EIP: b773cbe0 Instruction executed: c3595a5d
    EIP: b773cbe1 Instruction executed: ccc3595a
    EIP: b773cbe0 Instruction executed: c3595a5d
    

    what is this (b773cbe0) ??!!! I moved to gdb and viewed the dump file using this command line (objdump -d a.out) the result is something different with previous results

     8048864:   8b 6c 24 20             mov    0x20(%esp),%ebp
     8048868:   8d b3 0c ff ff ff       lea    -0xf4(%ebx),%esi
     804886e:   e8 41 fb ff ff          call   80483b4 <_init>
     8048873:   8d 83 08 ff ff ff       lea    -0xf8(%ebx),%eax
     8048879:   29 c6                   sub    %eax,%esi
     804887b:   c1 fe 02                sar    $0x2,%esi
     804887e:   85 f6                   test   %esi,%esi
     8048880:   74 23                   je     80488a5 <__libc_csu_init+0x55>
     8048882:   8d b6 00 00 00 00       lea    0x0(%esi),%esi
     8048888:   83 ec 04                sub    $0x4,%esp
     804888b:   ff 74 24 2c             pushl  0x2c(%esp)
     804888f:   ff 74 24 2c             pushl  0x2c(%esp)
     8048893:   55                      push   %ebp
     8048894:   ff 94 bb 08 ff ff ff    call   *-0xf8(%ebx,%edi,4)
     804889b:   83 c7 01                add    $0x1,%edi
     804889e:   83 c4 10                add    $0x10,%esp
     80488a1:   39 f7                   cmp    %esi,%edi
     80488a3:   75 e3                   jne    8048888 <__libc_csu_init+0x38>
     80488a5:   83 c4 0c                add    $0xc,%esp
     80488a8:   5b                      pop    %ebx
     80488a9:   5e                      pop    %esi
     80488aa:   5f                      pop    %edi
     80488ab:   5d                      pop    %ebp
     80488ac:   c3                      ret    
     80488ad:   8d 76 00                lea    0x0(%esi),%esi
    

    I'm really confused about this.

    0 讨论(0)
  • 2021-01-24 10:16

    You're not modifying the EIP, you're adding something to the value of the instruction at EIP, and probably resulting in a bad address reference. To change EIP, use PTRACE_SETREGS

          wait(NULL);
          ptrace(PTRACE_GETREGS, child,NULL, &regs);
          printf("\n EIP @  0x %#lx\n",regs.eip);
          regs.eip += ???;
          ptrace(PTRACE_SETREGS, child, NULL, &regs);
          ptrace(PTRACE_CONT, child, NULL, NULL);
    
    0 讨论(0)
提交回复
热议问题