yannweb
/
asmsh
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
A shell that runs x86_64 assembly
c
x86-64
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
54 Commits
2 Branches
Tree: 32ffdfbd8a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '32ffdfbd8a'
${ noResults }
asmsh/asm_env.c

asm_env.c 10KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515 
  1. /* Copyright Yann Weber <asmsh@yannweb.net>

  2.    This file is part of asmsh.

  3. 

  4.    asmsh is free software: you can redistribute it and/or modify it under the

  5.    terms of the GNU General Public License as published by the Free Software

  6.    Foundation, either version 3 of the License, or any later version.

  7.    

  8.    asmsh is distributed in the hope that it will be useful, but WITHOUT ANY

  9.    WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS

  10.    FOR A PARTICULAR PURPOSE. See the GNU General Public License for more

  11.    details.

  12.    

  13.    You should have received a copy of the GNU General Public License along

  14.    with asmsh. If not, see <https://www.gnu.org/licenses/>.

  15. */

  16. #include "asm_env.h"

  17. 

  18. static int _asmsh_env_spawn(asmsh_env_t *asmenv);

  19. static void _asmsh_env_child(const char *childpath);

  20. /** Return a path (that should be freed) of a temporary executable

  21.  *  child that can be exec on */

  22. static char *asmsh_env_tmpexec();

  23. 

  24. /* binary buffer of the child elf */

  25. extern unsigned char _binary_child_start;

  26. extern unsigned char _binary_child_end;

  27. 

  28. asmsh_env_t* asmsh_env(const char *childpath)

  29. {

  30. 	asmsh_env_t *res;

  31. 	int err;

  32. 

  33. 	if((res = malloc(sizeof(*res))) == NULL)

  34. 	{

  35. 		err = errno;

  36. 		asmsh_log_perror("Unable to allocate env");

  37. 		errno = err;

  38. 		return NULL;

  39. 	}

  40. 	child_mmap_init(&(res->mmap));

  41. 

  42. 	asmsh_brk_init(&res->brks);

  43. 

  44. 	res->childpath = NULL;

  45. 	if(childpath && (res->childpath = strdup(childpath)) == NULL)

  46. 	{

  47. 		err=errno;

  48. 		goto err_pathdup;

  49. 	}

  50. 

  51. 	if(_asmsh_env_spawn(res) < 0)

  52. 	{

  53. 		err = errno;

  54. 		goto err;

  55. 	}

  56. 

  57. 	if(asmsh_env_update(res) < 0)

  58. 	{

  59. 		err=errno;

  60. 		goto err;

  61. 	}

  62. 	

  63. 	res->txt_map_addr = (void*)res->regs.rax;

  64. 	res->txt_map_sz = res->regs.r14;

  65. 	res->stack_addr = (void*)res->regs.r15;

  66. 	res->stack_sz = (size_t)res->stack_addr - res->regs.rsp;

  67. 

  68. 	res->code_write_ptr = res->txt_map_addr;

  69. 

  70. 

  71. 	return res;

  72. err:

  73. 	if(res->childpath)

  74. 	{

  75. 		free(res->childpath);

  76. 	}

  77. err_pathdup:

  78. 	free(res);

  79. 	errno = err;

  80. 	return NULL;

  81. }

  82. 

  83. 

  84. void asmsh_env_free(asmsh_env_t *asmenv)

  85. {

  86. 	if(asmenv->mmap.maps)

  87. 	{

  88. 		free(asmenv->mmap.maps);

  89. 	}

  90. 	kill(asmenv->pid, SIGKILL);

  91. 	asmsh_brk_free(&asmenv->brks);

  92. 	free(asmenv->childpath);

  93. 	free(asmenv);

  94. }

  95. 

  96. int asmsh_env_write_mem(asmsh_env_t *env, void *addr, const unsigned char *buf, size_t buf_sz)

  97. {

  98. 	int err;

  99. 	u_int64_t data;

  100. 	unsigned char written;

  101. 	char bleft  = (u_int64_t)addr % 8;

  102. 

  103. 	written = 0;

  104. 	if(bleft)

  105. 	{

  106. 		// First write to correct further write allignement

  107. 		void *wr_addr = (void*)(((u_int64_t)addr / 8) * 8);

  108. 		char towrite = 8 - bleft;

  109. 		towrite = (towrite > buf_sz)?buf_sz:towrite;

  110. 		

  111. 		errno = 0;

  112. 		data = ptrace(PTRACE_PEEKTEXT, env->pid, wr_addr, NULL);

  113. 		if(errno)

  114. 		{

  115. 			err = errno;

  116. 			asmsh_log_perror("Unable to peektext in order to allign write");

  117. 			errno = err;

  118. 			return -1;

  119. 		}

  120. 		memcpy(((unsigned char*)&data)+bleft, &(buf[written]), towrite);

  121. 		if(ptrace(PTRACE_POKETEXT, env->pid, wr_addr, data) < 0)

  122. 		{

  123. 			err = errno;

  124. 			asmsh_log_perror("Unable to poketext in order to allign write");

  125. 			errno = err;

  126. 			return -1;

  127. 		}

  128. 		written += towrite;

  129. 		env->code_write_ptr += towrite;

  130. 	}

  131. 	if(written >= buf_sz)

  132. 	{

  133. 		return 0;

  134. 	}

  135. 	// env->code_write_ptr is now word alligned and "written" bytes are

  136. 	// allready written

  137. 	while(written < buf_sz)

  138. 	{

  139. 		char towrite = buf_sz - written;

  140. 		if(towrite >= 8)

  141. 		{

  142. 			data = *(u_int64_t*)(&buf[written]);

  143. 		}

  144. 		else

  145. 		{

  146. 			data = 0;

  147. 			memcpy(&data, &buf[written], towrite);

  148. 		}

  149. 

  150. 		if(ptrace(PTRACE_POKETEXT, env->pid, env->code_write_ptr, data) < 0)

  151. 		{

  152. 			err = errno;

  153. 			asmsh_log_perror("Unable to poketext");

  154. 			errno = err;

  155. 			return -1;

  156. 		}

  157. 		written += towrite;

  158. 		env->code_write_ptr += towrite;

  159. 	}

  160. 	return 0;

  161. }

  162. 

  163. 

  164. int asmsh_env_write_code(asmsh_env_t *env, asmsh_bytecode_t *bcode)

  165. {

  166. 	return asmsh_env_write_mem(env, env->code_write_ptr,

  167. 			bcode->bytes, bcode->size);

  168. }

  169. 

  170. 

  171. int asmsh_env_step(asmsh_env_t *env, int *status)

  172. {

  173. 	int err;

  174. 

  175. 	if(status) { *status = 0; }

  176. 

  177. 	if(ptrace(PTRACE_SINGLESTEP, env->pid, NULL, 0) < 0)

  178. 	{

  179. 		err = errno;

  180. 		asmsh_log_perror("Unable to ptrace singlestep");

  181. 		goto err;

  182. 	}

  183. 	if(waitpid(env->pid, &env->status, 0) < 0)

  184. 	{

  185. 		err = errno;

  186. 		asmsh_log_perror("Unable to wait for child process to stop on step");

  187. 		goto err;

  188. 	}

  189. 	if(status) { *status = env->status; }

  190. 

  191. 	if(!WIFSTOPPED(env->status) || env->status >> 8 != 5)

  192. 	{

  193. 		goto err_wstatus;

  194. 	}

  195. 	

  196. 	return 0;

  197. 

  198. /// TODO replace by an utility function that logs ?

  199. err_wstatus:

  200. 	if(WIFEXITED(env->status))

  201. 	{

  202. 		dprintf(2, "Child exited with status %d\n", WEXITSTATUS(env->status));

  203. 	}

  204. 	else if(WIFSIGNALED(env->status))

  205. 	{

  206. 		if(WCOREDUMP(env->status))

  207. 		{

  208. 			dprintf(2, "Child segfault\n");

  209. 		}

  210. 		else

  211. 		{

  212. 			dprintf(2, "Child killed by sig %d\n", WTERMSIG(env->status));

  213. 		}

  214. 	}

  215. 	else if(WIFSTOPPED(env->status))

  216. 	{

  217. 		dprintf(2, "Child stopped by %s(sig#%d)\n",

  218. 				strsignal(WSTOPSIG(env->status)),

  219. 				WSTOPSIG(env->status));

  220. 	}

  221. 	else

  222. 	{

  223. 		dprintf(2, "Unexpected child status 0x%04X\n", env->status);

  224. 	}

  225. 	errno = ECHILD;

  226. 	return 1;

  227. err:

  228. 	errno = err;

  229. 	return -1;

  230. }

  231. 

  232. 

  233. int asmsh_env_run(asmsh_env_t *env, int *status)

  234. {

  235. 	while(1)

  236. 	{

  237. 		int ret;

  238. 		if((ret = asmsh_env_update_regs(env)) < 0)

  239. 		{

  240. 			return ret;

  241. 		}

  242. 		const unsigned long rip = env->regs.rip;

  243. 		if(asmsh_brk_isset(&(env->brks), rip))

  244. 		{

  245. 			asmsh_log_info("Breakpoint %016lx reached", rip);

  246. 			*status = 0;

  247. 			return 0;

  248. 		}

  249. 		if((ret = asmsh_env_step(env, status)) != 0)

  250. 		{

  251. 			return ret;

  252. 		}

  253. 	}

  254. }

  255. 

  256. 

  257. int asmsh_env_update(asmsh_env_t *asmenv)

  258. {

  259. 	if(asmsh_env_update_regs(asmenv) < 0)

  260. 	{

  261. 		return -1;

  262. 	}

  263. 	return child_mmap_get(asmenv->pid, &(asmenv->mmap));

  264. }

  265. 

  266. 

  267. int asmsh_env_update_maps(asmsh_env_t *asmenv)

  268. {

  269. 	if(child_mmap_get(asmenv->pid, &(asmenv->mmap)) < 0)

  270. 	{

  271. 		return -1;

  272. 	}

  273. 

  274. 	return 0;

  275. }

  276. 

  277. 

  278. int asmsh_env_update_regs(asmsh_env_t *asmenv)

  279. {

  280. 	bzero(&(asmenv->regs), sizeof(asmenv->regs));

  281. 	if(ptrace(PTRACE_GETREGS, asmenv->pid, NULL, &(asmenv->regs)) < 0)

  282. 	{

  283. 		int err = errno;

  284. 		asmsh_log_perror("ptrace getregs error");

  285. 		errno = err;

  286. 		return -1;

  287. 	}

  288. 	return 0;

  289. }

  290. 

  291. 

  292. static int _asmsh_env_spawn(asmsh_env_t *env)

  293. {

  294. 	int err;

  295. 	int wstatus;

  296. 

  297. 	const char *childpath = env->childpath?env->childpath:asmsh_env_tmpexec();

  298. 

  299. 	if(!childpath)

  300. 	{

  301. 		return -1; // Error in asmsh_env_tmpexec()

  302. 	}

  303. 

  304. 	if((env->pid = fork()) == -1)

  305. 	{

  306. 		err = errno;

  307. 		asmsh_log_perror("Unable to fork!");

  308. 		goto err_fork;

  309. 	}

  310. 	else if(env->pid == 0)

  311. 	{

  312. 		_asmsh_env_child(childpath);

  313. 	}

  314. 

  315. 	if(waitpid(env->pid, &wstatus, WUNTRACED) < 0)

  316. 	{

  317. 		err=errno;

  318. 		asmsh_log_perror("Unable to wait for child process");

  319. 		goto err;

  320. 	}

  321. 	if(!WIFSTOPPED(wstatus))

  322. 	{

  323. 		dprintf(2, "child didn't stop as expected");

  324. 		goto err_wstatus;

  325. 	}

  326. 

  327. 	if(ptrace(PTRACE_ATTACH, env->pid, 0, 0) == -1)

  328. 	{

  329. 		err=errno;

  330. 		asmsh_log_perror("Unable to attach to child process");

  331. 		goto err;

  332. 	}

  333. 

  334. 	if(waitpid(env->pid, &wstatus, 0) < 0)

  335. 	{

  336. 		err=errno;

  337. 		asmsh_log_perror("Unable to wait for child process");

  338. 		goto err;

  339. 	}

  340. 	if(!WIFSTOPPED(wstatus))

  341. 	{

  342. 		dprintf(2, "child didn't stop as expected");

  343. 		goto err_wstatus;

  344. 	}

  345. 

  346. 	// Attached to child

  347. 	// tell child to stop on exec

  348. 	if(ptrace(PTRACE_SETOPTIONS, env->pid, NULL, PTRACE_O_TRACEEXEC) < 0)

  349. 	{

  350. 		err = errno;

  351. 		asmsh_log_perror("ptrace setoptions failed");

  352. 		goto err;

  353. 	}

  354. 

  355. 	for(int i=0; i<2; i++) // cont kill & ptrace

  356. 	{

  357. 		if(ptrace(PTRACE_CONT, env->pid, NULL, 0) < 0)

  358. 		{

  359. 			err = errno;

  360. 			asmsh_log_perror("ptrace CONT failed after attach");

  361. 			goto err;

  362. 		}

  363. 

  364. 		if(waitpid(env->pid, &wstatus, 0) < 0)

  365. 		{

  366. 			err = errno;

  367. 			asmsh_log_perror("Unable to wait for child process to stop after exec");

  368. 			goto err;

  369. 		}

  370. 		if(wstatus >> 8 != (SIGTRAP | (PTRACE_EVENT_EXEC<<8)) && \

  371. 				!WIFSTOPPED(wstatus))

  372. 		{

  373. 			goto err_wstatus;

  374. 		}

  375. 	}

  376. 

  377. 	// next child events are : execve ret, mmap in, mmap out

  378. 	for(int i=0; i<3; i++)

  379. 	{

  380. 		if(ptrace(PTRACE_SYSCALL, env->pid, NULL, 0) < 0)

  381. 		{

  382. 			err = errno;

  383. 			asmsh_log_error("Unable to ptrace syscall on %dth time : %s",

  384. 					i+1, strerror(errno));

  385. 			goto err;

  386. 		}

  387. 		if(waitpid(env->pid, &wstatus, 0) < 0)

  388. 		{

  389. 			err = errno;

  390. 			asmsh_log_perror("Unable to wait for child process to stop on syscall");

  391. 			goto err;

  392. 		}

  393. 		if(wstatus != 1407 && wstatus != 263551)

  394. 		{

  395. 			dprintf(2, "unexpected status after ptrace syscall %d\n", wstatus);

  396. 			goto err_wstatus;

  397. 		}

  398. 	}

  399. 	// mmap done by child process

  400. 	

  401. 	// WARNING totally depends on child.s source

  402. 	// right now there is only 4 instructions (the fourth is the jmp to the txt_map)

  403. 	// before reaching the start of the code mmap

  404. 	for(int i=0; i<4; i++)

  405. 	{

  406. 		/* // DEBUG to monitor placement in child exec

  407. 		asmsh_env_update_regs(env);

  408. 		dprintf(2, "%d) rax: %08X rip : %08X mmap_addr = %08X\n",

  409. 				i, env->regs.rax, env->regs.rip, env->txt_map_ptr);

  410. 		*/

  411. 		if(asmsh_env_step(env, NULL))

  412. 		{

  413. 			err=errno;

  414. 			goto err;

  415. 		}

  416. 	}

  417. 

  418. 	if(!env->childpath) { unlink(childpath); } // rm tmp child exec

  419. 

  420. 	return 0;

  421. 

  422. /// TODO replace by an utility function that logs ?

  423. err_wstatus:

  424. 	if(WIFEXITED(wstatus))

  425. 	{

  426. 		dprintf(2, "Child exited with status %d\n", WEXITSTATUS(wstatus));

  427. 	}

  428. 	else if(WIFSIGNALED(wstatus))

  429. 	{

  430. 		if(WCOREDUMP(wstatus))

  431. 		{

  432. 			dprintf(2, "Child segfault\n");

  433. 		}

  434. 		else

  435. 		{

  436. 			dprintf(2, "Child killed by sig %d\n", WTERMSIG(wstatus));

  437. 		}

  438. 	}

  439. 	else if(WIFSTOPPED(wstatus))

  440. 	{

  441. 		dprintf(2, "Child stopped by sig %d\n", WSTOPSIG(wstatus));

  442. 	}

  443. 	else

  444. 	{

  445. 		dprintf(2, "Unexpected child status 0x%04X\n", wstatus);

  446. 	}

  447. 	err = ECHILD;

  448. err:

  449. 	kill(env->pid, SIGKILL);

  450. err_fork:

  451. 

  452. 	if(!env->childpath) { unlink(childpath); } // rm tmp child exec

  453. 

  454. 	errno = err;

  455. 	return -1;

  456. }

  457. 

  458. static void _asmsh_env_child(const char *childpath)

  459. {

  460. 

  461. 	char *argv[] = {NULL, NULL};

  462. 	char *envp[] = {NULL};

  463. 	if(!(argv[0] = strdupa(childpath)))

  464. 	{

  465. 		int err = errno;

  466. 		perror("Unable to strdupa asmsh childpath :/");

  467. 		//asmsh_log_perror("Unable to strdupa asmsh childpath :/");

  468. 		///! @todo dump logs before exit !

  469. 		exit(err?err:-1);

  470. 	}

  471. 

  472. 	kill(getpid(), SIGSTOP);

  473. 	execve(childpath, argv, envp);

  474. 	int err = errno;

  475. 	perror("Unable to execve");

  476. 	//asmsh_log_perror("Child is unable to execve");

  477. 	///! @todo dump logs before exit !

  478. 	exit(err?err:-1);

  479. }

  480. 

  481. static char *asmsh_env_tmpexec()

  482. {

  483. 	char *ret = strdup("asmsh_child_XXXXXXXXX");

  484. 	int err;

  485. 	if(!ret)

  486. 	{

  487. 		err = errno;

  488. 		asmsh_log_perror("getting a temporary file name");

  489. 		errno = err;

  490. 		return NULL;

  491. 	}

  492. 	int tmpfd = mkstemp(ret);

  493. 	if(tmpfd < 0)

  494. 	{

  495. 		err = errno;

  496. 		asmsh_log_perror("Unable to mk temporary file");

  497. 		errno = err;

  498. 		return NULL;

  499. 	}

  500. 	const int sz = &_binary_child_end - &_binary_child_start;

  501. 	int rsz = write(tmpfd, &_binary_child_start, sz);

  502. 	if(rsz<sz)

  503. 	{

  504. 		// TODO : differenciate incomplete write & error !

  505. 		err = errno;

  506. 		asmsh_log_perror("Unable to write the child executable");

  507. 		free(ret);

  508. 		errno = err;

  509. 		return NULL;

  510. 	}

  511. 	fchmod(tmpfd, 0555);

  512. 	close(tmpfd);

  513. 	return ret;

  514. }