#define _GNU_SOURCE // needed for kill
#include <errno.h>
#include <linux/elf.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
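/*
 * Minimal ptrace(2) demo: fork a tracee that runs ./child, stop it after
 * about a second with SIGINT, dump one register and two stack slots that
 * the child's frame layout is assumed to hold its arguments in, overwrite
 * the first slot, then let the child finish.
 *
 * Exit status: 0 on success, 1 if fork/wait/ptrace fails or the child
 * terminates before it could be inspected.
 */

/*
 * Block until `pid` changes state.
 * Returns 0 if the child is in a ptrace stop (and can therefore be inspected),
 * -1 if waitpid() failed or the child exited/was killed instead. A diagnostic
 * is printed on every failure path.
 */
static int wait_for_stop(pid_t pid)
{
    int status = 0;

    if (waitpid(pid, &status, 0) < 0) {
        perror("waitpid");
        return -1;
    }
    if (!WIFSTOPPED(status)) {
        /* The child exited or was killed (e.g. execl of ./child failed).
         * Any further ptrace request on this pid would fail with ESRCH. */
        fprintf(stderr, "child did not stop (wait status 0x%x)\n", (unsigned) status);
        return -1;
    }
    return 0;
}

/*
 * Read one word of the tracee's memory at `addr` and store its low 32 bits
 * in *out (the child's arguments are ints).
 * PTRACE_PEEKDATA returns the word itself, so -1 is a legitimate value;
 * errno is cleared before the call and checked afterwards to tell an error
 * from data. Returns 0 on success, -1 on error (errno left set by ptrace).
 */
static int peek_int(pid_t pid, void *addr, int *out)
{
    errno = 0;
    long word = ptrace(PTRACE_PEEKDATA, pid, addr, NULL);
    if (word == -1 && errno != 0) {
        perror("ptrace(PTRACE_PEEKDATA)");
        return -1;
    }
    *out = (int) word;
    return 0;
}

int main(void)
{
    struct user_regs_struct regs;
    struct iovec iov = { .iov_base = &regs, .iov_len = sizeof regs };
    int data = 0;

    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return 1;
    }

    if (pid == 0) {
        /* Tracee: request tracing by the parent, then exec ./child; the
         * kernel stops us with SIGTRAP once the exec succeeds.
         * To trace an already-running process use PTRACE_ATTACH instead. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) {
            perror("ptrace(PTRACE_TRACEME)");
            _exit(127);
        }
        execl("./child", "child", (char *) 0);
        /* Only reached when execl fails; without an explicit exit the child
         * would fall through into the tracer's code path below. */
        perror("execl");
        _exit(127);
    }

    /* Tracer: wait for the exec stop, then let the child run. */
    if (wait_for_stop(pid) < 0) {
        return 1;
    }
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) < 0) {
        perror("ptrace(PTRACE_CONT)");
        return 1;
    }

    /* Give the child time to reach the code of interest, then interrupt it.
     * Because it is traced, the SIGINT results in a signal-delivery stop
     * rather than termination. */
    sleep(1);
    if (kill(pid, SIGINT) < 0) {
        perror("kill");
        return 1;
    }
    if (wait_for_stop(pid) < 0) {
        return 1;
    }

    if (ptrace(PTRACE_GETREGSET, pid, (void *) NT_PRSTATUS, &iov) < 0) {
        perror("ptrace(PTRACE_GETREGSET)");
        return 1;
    }

#if defined(__amd64__)
    /* Frame-layout assumption, TODO confirm against ./child's disassembly:
     * the two int arguments are spilled at rbp-0x14 and rbp-0x18. */
    printf("Register rbp = 0x%llx\n", regs.rbp);
    if (peek_int(pid, (void *) (regs.rbp - 0x14), &data) < 0) {
        return 1;
    }
    printf("arg1 = *(rbp - 0x14) = %d\n", data);
    if (peek_int(pid, (void *) (regs.rbp - 0x18), &data) < 0) {
        return 1;
    }
    printf("arg2 = *(rbp - 0x18) = %d\n", data);
    /* POKEDATA writes a whole word, so the bytes just above the 4-byte
     * arg1 slot are overwritten as well (with zeros, since the value is 100). */
    if (ptrace(PTRACE_POKEDATA, pid, (void *) (regs.rbp - 0x14), (void *) 100) < 0) {
        perror("ptrace(PTRACE_POKEDATA)");
        return 1;
    }
#elif defined(__aarch64__)
    /* Frame-layout assumption, TODO confirm against ./child's disassembly:
     * the two int arguments are spilled at sp+12 and sp+8. */
    printf("Register sp = 0x%llx\n", regs.sp);
    if (peek_int(pid, (void *) (regs.sp + 12), &data) < 0) {
        return 1;
    }
    printf("arg1 = *(sp + 12) = %d\n", data);
    if (peek_int(pid, (void *) (regs.sp + 8), &data) < 0) {
        return 1;
    }
    printf("arg2 = *(sp + 8) = %d\n", data);
    /* POKEDATA writes a whole word, so the bytes just above the 4-byte
     * arg1 slot are overwritten as well (with zeros, since the value is 100). */
    if (ptrace(PTRACE_POKEDATA, pid, (void *) (regs.sp + 12), (void *) 100) < 0) {
        perror("ptrace(PTRACE_POKEDATA)");
        return 1;
    }
#endif

    /* Possible extension: PTRACE_SINGLESTEP followed by another
     * PTRACE_GETREGSET, then read the bytes at regs.rip (amd64) or
     * regs.pc (arm64) to see whether a call/bl is about to execute;
     * libcapstone can decode those bytes into a readable instruction. */

    /* Resume with data == NULL so no signal is injected: the SIGINT that
     * stopped the child is discarded rather than delivered. */
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) < 0) {
        perror("ptrace(PTRACE_CONT)");
        return 1;
    }
    if (waitpid(pid, NULL, 0) < 0) {
        perror("waitpid");
        return 1;
    }
    return 0;
}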