yannweb
/
asmsh
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
A shell that runs x86_64 assembly
c
x86-64
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
40 Commits
2 Branches
Tree: 35a420d301
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '35a420d301'
${ noResults }
asmsh/asm_env.c

asm_env.c 10.0KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488 
  1. /* Copyright Yann Weber <asmsh@yannweb.net>

  2.    This file is part of asmsh.

  3. 

  4.    asmsh is free software: you can redistribute it and/or modify it under the

  5.    terms of the GNU General Public License as published by the Free Software

  6.    Foundation, either version 3 of the License, or any later version.

  7.    

  8.    asmsh is distributed in the hope that it will be useful, but WITHOUT ANY

  9.    WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS

  10.    FOR A PARTICULAR PURPOSE. See the GNU General Public License for more

  11.    details.

  12.    

  13.    You should have received a copy of the GNU General Public License along

  14.    with asmsh. If not, see <https://www.gnu.org/licenses/>.

  15. */

  16. #include "asm_env.h"

  17. 

  18. static int _asmsh_env_spawn(asmsh_env_t *asmenv);

  19. static void _asmsh_env_child(const char *childpath);

  20. /** Return a path (that should be freed) of a temporary executable

  21.  *  child that can be exec on */

  22. static char *asmsh_env_tmpexec();

  23. 

  24. /* binary buffer of the child elf */

  25. extern unsigned char _binary_child_start;

  26. extern unsigned char _binary_child_end;

  27. 

  28. asmsh_env_t* asmsh_env(const char *childpath)

  29. {

  30. 	asmsh_env_t *res;

  31. 	int err;

  32. 

  33. 	if((res = malloc(sizeof(*res))) == NULL)

  34. 	{

  35. 		err = errno;

  36. 		asmsh_log_perror("Unable to allocate env");

  37. 		errno = err;

  38. 		return NULL;

  39. 	}

  40. 	child_mmap_init(&(res->mmap));

  41. 

  42. 	res->childpath = NULL;

  43. 	if(childpath && (res->childpath = strdup(childpath)) == NULL)

  44. 	{

  45. 		err=errno;

  46. 		goto err_pathdup;

  47. 	}

  48. 

  49. 	if(_asmsh_env_spawn(res) < 0)

  50. 	{

  51. 		err = errno;

  52. 		goto err;

  53. 	}

  54. 

  55. 	if(asmsh_env_update(res) < 0)

  56. 	{

  57. 		err=errno;

  58. 		goto err;

  59. 	}

  60. 	

  61. 	res->txt_map_addr = (void*)res->regs.rax;

  62. 	res->txt_map_sz = res->regs.r14;

  63. 	res->stack_addr = (void*)res->regs.r15;

  64. 	res->stack_sz = (size_t)res->stack_addr - res->regs.rsp;

  65. 

  66. 	res->code_write_ptr = res->txt_map_addr;

  67. 

  68. 

  69. 	return res;

  70. err:

  71. 	if(res->childpath)

  72. 	{

  73. 		free(res->childpath);

  74. 	}

  75. err_pathdup:

  76. 	free(res);

  77. 	errno = err;

  78. 	return NULL;

  79. }

  80. 

  81. 

  82. void asmsh_env_free(asmsh_env_t *asmenv)

  83. {

  84. 	if(asmenv->mmap.maps)

  85. 	{

  86. 		free(asmenv->mmap.maps);

  87. 	}

  88. 	kill(asmenv->pid, SIGKILL);

  89. 	free(asmenv->childpath);

  90. 	free(asmenv);

  91. }

  92. 

  93. int asmsh_env_write_mem(asmsh_env_t *env, void *addr, const unsigned char *buf, size_t buf_sz)

  94. {

  95. 	int err;

  96. 	u_int64_t data;

  97. 	unsigned char written;

  98. 	char bleft  = (u_int64_t)addr % 8;

  99. 

  100. 	written = 0;

  101. 	if(bleft)

  102. 	{

  103. 		// First write to correct further write allignement

  104. 		void *wr_addr = (void*)(((u_int64_t)addr / 8) * 8);

  105. 		char towrite = 8 - bleft;

  106. 		towrite = (towrite > buf_sz)?buf_sz:towrite;

  107. 		

  108. 		errno = 0;

  109. 		data = ptrace(PTRACE_PEEKTEXT, env->pid, wr_addr, NULL);

  110. 		if(errno)

  111. 		{

  112. 			err = errno;

  113. 			asmsh_log_perror("Unable to peektext in order to allign write");

  114. 			errno = err;

  115. 			return -1;

  116. 		}

  117. 		memcpy(((unsigned char*)&data)+bleft, &(buf[written]), towrite);

  118. 		if(ptrace(PTRACE_POKETEXT, env->pid, wr_addr, data) < 0)

  119. 		{

  120. 			err = errno;

  121. 			asmsh_log_perror("Unable to poketext in order to allign write");

  122. 			errno = err;

  123. 			return -1;

  124. 		}

  125. 		written += towrite;

  126. 		env->code_write_ptr += towrite;

  127. 	}

  128. 	if(written >= buf_sz)

  129. 	{

  130. 		return 0;

  131. 	}

  132. 	// env->code_write_ptr is now word alligned and "written" bytes are

  133. 	// allready written

  134. 	while(written < buf_sz)

  135. 	{

  136. 		char towrite = buf_sz - written;

  137. 		if(towrite >= 8)

  138. 		{

  139. 			data = *(u_int64_t*)(&buf[written]);

  140. 		}

  141. 		else

  142. 		{

  143. 			data = 0;

  144. 			memcpy(&data, &buf[written], towrite);

  145. 		}

  146. 

  147. 		if(ptrace(PTRACE_POKETEXT, env->pid, env->code_write_ptr, data) < 0)

  148. 		{

  149. 			err = errno;

  150. 			asmsh_log_perror("Unable to poketext");

  151. 			errno = err;

  152. 			return -1;

  153. 		}

  154. 		written += towrite;

  155. 		env->code_write_ptr += towrite;

  156. 	}

  157. 	return 0;

  158. }

  159. 

  160. 

  161. int asmsh_env_write_code(asmsh_env_t *env, asmsh_bytecode_t *bcode)

  162. {

  163. 	return asmsh_env_write_mem(env, env->code_write_ptr,

  164. 			bcode->bytes, bcode->size);

  165. }

  166. 

  167. 

  168. int asmsh_env_step(asmsh_env_t *env, int *status)

  169. {

  170. 	int err;

  171. 

  172. 	if(status) { *status = 0; }

  173. 

  174. 	if(ptrace(PTRACE_SINGLESTEP, env->pid, NULL, 0) < 0)

  175. 	{

  176. 		err = errno;

  177. 		asmsh_log_perror("Unable to ptrace singlestep");

  178. 		goto err;

  179. 	}

  180. 	if(waitpid(env->pid, &env->status, 0) < 0)

  181. 	{

  182. 		err = errno;

  183. 		asmsh_log_perror("Unable to wait for child process to stop on step");

  184. 		goto err;

  185. 	}

  186. 	if(status) { *status = env->status; }

  187. 

  188. 	if(!WIFSTOPPED(env->status) || env->status >> 8 != 5)

  189. 	{

  190. 		goto err_wstatus;

  191. 	}

  192. 	

  193. 	return 0;

  194. 

  195. /// TODO replace by an utility function that logs ?

  196. err_wstatus:

  197. 	if(WIFEXITED(env->status))

  198. 	{

  199. 		dprintf(2, "Child exited with status %d\n", WEXITSTATUS(env->status));

  200. 	}

  201. 	else if(WIFSIGNALED(env->status))

  202. 	{

  203. 		if(WCOREDUMP(env->status))

  204. 		{

  205. 			dprintf(2, "Child segfault\n");

  206. 		}

  207. 		else

  208. 		{

  209. 			dprintf(2, "Child killed by sig %d\n", WTERMSIG(env->status));

  210. 		}

  211. 	}

  212. 	else if(WIFSTOPPED(env->status))

  213. 	{

  214. 		dprintf(2, "Child stopped by %s(sig#%d)\n",

  215. 				strsignal(WSTOPSIG(env->status)),

  216. 				WSTOPSIG(env->status));

  217. 	}

  218. 	else

  219. 	{

  220. 		dprintf(2, "Unexpected child status 0x%04X\n", env->status);

  221. 	}

  222. 	errno = ECHILD;

  223. 	return 1;

  224. err:

  225. 	errno = err;

  226. 	return -1;

  227. }

  228. 

  229. 

  230. int asmsh_env_update(asmsh_env_t *asmenv)

  231. {

  232. 	if(asmsh_env_update_regs(asmenv) < 0)

  233. 	{

  234. 		return -1;

  235. 	}

  236. 	return child_mmap_get(asmenv->pid, &(asmenv->mmap));

  237. }

  238. 

  239. 

  240. int asmsh_env_update_maps(asmsh_env_t *asmenv)

  241. {

  242. 	if(child_mmap_get(asmenv->pid, &(asmenv->mmap)) < 0)

  243. 	{

  244. 		return -1;

  245. 	}

  246. 

  247. 	return 0;

  248. }

  249. 

  250. 

  251. int asmsh_env_update_regs(asmsh_env_t *asmenv)

  252. {

  253. 	bzero(&(asmenv->regs), sizeof(asmenv->regs));

  254. 	if(ptrace(PTRACE_GETREGS, asmenv->pid, NULL, &(asmenv->regs)) < 0)

  255. 	{

  256. 		int err = errno;

  257. 		asmsh_log_perror("ptrace getregs error");

  258. 		errno = err;

  259. 		return -1;

  260. 	}

  261. 	return 0;

  262. }

  263. 

  264. 

  265. static int _asmsh_env_spawn(asmsh_env_t *env)

  266. {

  267. 	int err;

  268. 	int wstatus;

  269. 

  270. 	const char *childpath = env->childpath?env->childpath:asmsh_env_tmpexec();

  271. 

  272. 	if(!childpath)

  273. 	{

  274. 		return -1; // Error in asmsh_env_tmpexec()

  275. 	}

  276. 

  277. 	if((env->pid = fork()) == -1)

  278. 	{

  279. 		err = errno;

  280. 		asmsh_log_perror("Unable to fork!");

  281. 		goto err_fork;

  282. 	}

  283. 	else if(env->pid == 0)

  284. 	{

  285. 		_asmsh_env_child(childpath);

  286. 	}

  287. 

  288. 	if(waitpid(env->pid, &wstatus, WUNTRACED) < 0)

  289. 	{

  290. 		err=errno;

  291. 		asmsh_log_perror("Unable to wait for child process");

  292. 		goto err;

  293. 	}

  294. 	if(!WIFSTOPPED(wstatus))

  295. 	{

  296. 		dprintf(2, "child didn't stop as expected");

  297. 		goto err_wstatus;

  298. 	}

  299. 

  300. 	if(ptrace(PTRACE_ATTACH, env->pid, 0, 0) == -1)

  301. 	{

  302. 		err=errno;

  303. 		asmsh_log_perror("Unable to attach to child process");

  304. 		goto err;

  305. 	}

  306. 

  307. 	if(waitpid(env->pid, &wstatus, 0) < 0)

  308. 	{

  309. 		err=errno;

  310. 		asmsh_log_perror("Unable to wait for child process");

  311. 		goto err;

  312. 	}

  313. 	if(!WIFSTOPPED(wstatus))

  314. 	{

  315. 		dprintf(2, "child didn't stop as expected");

  316. 		goto err_wstatus;

  317. 	}

  318. 

  319. 	// Attached to child

  320. 	// tell child to stop on exec

  321. 	if(ptrace(PTRACE_SETOPTIONS, env->pid, NULL, PTRACE_O_TRACEEXEC) < 0)

  322. 	{

  323. 		err = errno;

  324. 		asmsh_log_perror("ptrace setoptions failed");

  325. 		goto err;

  326. 	}

  327. 

  328. 	for(int i=0; i<2; i++) // cont kill & ptrace

  329. 	{

  330. 		if(ptrace(PTRACE_CONT, env->pid, NULL, 0) < 0)

  331. 		{

  332. 			err = errno;

  333. 			asmsh_log_perror("ptrace CONT failed after attach");

  334. 			goto err;

  335. 		}

  336. 

  337. 		if(waitpid(env->pid, &wstatus, 0) < 0)

  338. 		{

  339. 			err = errno;

  340. 			asmsh_log_perror("Unable to wait for child process to stop after exec");

  341. 			goto err;

  342. 		}

  343. 		if(wstatus >> 8 != (SIGTRAP | (PTRACE_EVENT_EXEC<<8)) && \

  344. 				!WIFSTOPPED(wstatus))

  345. 		{

  346. 			goto err_wstatus;

  347. 		}

  348. 	}

  349. 

  350. 	// next child events are : execve ret, mmap in, mmap out

  351. 	for(int i=0; i<3; i++)

  352. 	{

  353. 		if(ptrace(PTRACE_SYSCALL, env->pid, NULL, 0) < 0)

  354. 		{

  355. 			err = errno;

  356. 			asmsh_log_error("Unable to ptrace syscall on %dth time : %s",

  357. 					i+1, strerror(errno));

  358. 			goto err;

  359. 		}

  360. 		if(waitpid(env->pid, &wstatus, 0) < 0)

  361. 		{

  362. 			err = errno;

  363. 			asmsh_log_perror("Unable to wait for child process to stop on syscall");

  364. 			goto err;

  365. 		}

  366. 		if(wstatus != 1407 && wstatus != 263551)

  367. 		{

  368. 			dprintf(2, "unexpected status after ptrace syscall %d\n", wstatus);

  369. 			goto err_wstatus;

  370. 		}

  371. 	}

  372. 	// mmap done by child process

  373. 	

  374. 	// WARNING totally depends on child.s source

  375. 	// right now there is only 4 instructions (the fourth is the jmp to the txt_map)

  376. 	// before reaching the start of the code mmap

  377. 	for(int i=0; i<4; i++)

  378. 	{

  379. 		/* // DEBUG to monitor placement in child exec

  380. 		asmsh_env_update_regs(env);

  381. 		dprintf(2, "%d) rax: %08X rip : %08X mmap_addr = %08X\n",

  382. 				i, env->regs.rax, env->regs.rip, env->txt_map_ptr);

  383. 		*/

  384. 		if(asmsh_env_step(env, NULL))

  385. 		{

  386. 			err=errno;

  387. 			goto err;

  388. 		}

  389. 	}

  390. 

  391. 	if(!env->childpath) { unlink(childpath); } // rm tmp child exec

  392. 

  393. 	return 0;

  394. 

  395. /// TODO replace by an utility function that logs ?

  396. err_wstatus:

  397. 	if(WIFEXITED(wstatus))

  398. 	{

  399. 		dprintf(2, "Child exited with status %d\n", WEXITSTATUS(wstatus));

  400. 	}

  401. 	else if(WIFSIGNALED(wstatus))

  402. 	{

  403. 		if(WCOREDUMP(wstatus))

  404. 		{

  405. 			dprintf(2, "Child segfault\n");

  406. 		}

  407. 		else

  408. 		{

  409. 			dprintf(2, "Child killed by sig %d\n", WTERMSIG(wstatus));

  410. 		}

  411. 	}

  412. 	else if(WIFSTOPPED(wstatus))

  413. 	{

  414. 		dprintf(2, "Child stopped by sig %d\n", WSTOPSIG(wstatus));

  415. 	}

  416. 	else

  417. 	{

  418. 		dprintf(2, "Unexpected child status 0x%04X\n", wstatus);

  419. 	}

  420. 	err = ECHILD;

  421. err:

  422. 	kill(env->pid, SIGKILL);

  423. err_fork:

  424. 

  425. 	if(!env->childpath) { unlink(childpath); } // rm tmp child exec

  426. 

  427. 	errno = err;

  428. 	return -1;

  429. }

  430. 

  431. static void _asmsh_env_child(const char *childpath)

  432. {

  433. 

  434. 	char *argv[] = {NULL, NULL};

  435. 	char *envp[] = {NULL};

  436. 	if(!(argv[0] = strdupa(childpath)))

  437. 	{

  438. 		int err = errno;

  439. 		perror("Unable to strdupa asmsh childpath :/");

  440. 		//asmsh_log_perror("Unable to strdupa asmsh childpath :/");

  441. 		///! @todo dump logs before exit !

  442. 		exit(err?err:-1);

  443. 	}

  444. 

  445. 	kill(getpid(), SIGSTOP);

  446. 	execve(childpath, argv, envp);

  447. 	int err = errno;

  448. 	perror("Unable to execve");

  449. 	//asmsh_log_perror("Child is unable to execve");

  450. 	///! @todo dump logs before exit !

  451. 	exit(err?err:-1);

  452. }

  453. 

  454. static char *asmsh_env_tmpexec()

  455. {

  456. 	char *ret = strdup("asmsh_child_XXXXXXXXX");

  457. 	int err;

  458. 	if(!ret)

  459. 	{

  460. 		err = errno;

  461. 		asmsh_log_perror("getting a temporary file name");

  462. 		errno = err;

  463. 		return NULL;

  464. 	}

  465. 	int tmpfd = mkstemp(ret);

  466. 	if(tmpfd < 0)

  467. 	{

  468. 		err = errno;

  469. 		asmsh_log_perror("Unable to mk temporary file");

  470. 		errno = err;

  471. 		return NULL;

  472. 	}

  473. 	const int sz = &_binary_child_end - &_binary_child_start;

  474. 	int rsz = write(tmpfd, &_binary_child_start, sz);

  475. 	if(rsz<sz)

  476. 	{

  477. 		// TODO : differenciate incomplete write & error !

  478. 		err = errno;

  479. 		asmsh_log_perror("Unable to write the child executable");

  480. 		free(ret);

  481. 		errno = err;

  482. 		return NULL;

  483. 	}

  484. 	fchmod(tmpfd, 0555);

  485. 	close(tmpfd);

  486. 	return ret;

  487. }