Skip to content

Instantly share code, notes, and snippets.

@raylu

raylu/ptrace.py

Created July 26, 2018 07:57
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save raylu/c9e47a858b24f3d4fe7afcb34525257c to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save raylu/c9e47a858b24f3d4fe7afcb34525257c to your computer and use it in GitHub Desktop.
Download ZIP
Raw
ptrace.py
#!/usr/bin/env python3
import ctypes
import ctypes.util
import enum
import os
import sys
def main():
libc = ctypes.CDLL(ctypes.util.find_library('c'), use_errno=True)
pid = os.fork()
if pid == 0:
libc.ptrace(PTRACE.TRACEME, 0, 0, 0)
os.execvp(sys.argv[1], sys.argv[1:])
os.waitpid(pid, 0) # sync with TRACEME
libc.ptrace(PTRACE.SETOPTIONS, pid, 0, PTRACE.O_EXITKILL)
while True:
if libc.ptrace(PTRACE.SYSCALL, pid, 0, 0) == -1:
if ctypes.get_errno() == 3: # no such process
break
sys.exit('error waiting for syscall: ' + os.strerror(ctypes.get_errno()))
os.waitpid(pid, 0)
regs = UserRegs()
if libc.ptrace(PTRACE.GETREGS, pid, 0, ctypes.pointer(regs)) == -1:
sys.exit('error running syscall: ' + os.strerror(ctypes.get_errno()))
syscall = SYS[regs.orig_rax]
sys.stderr.write('%s(%ld, %ld, %ld, %ld, %ld, %ld)\n' % (
syscall, regs.rdi, regs.rsi, regs.rdx, regs.r10, regs.r8, regs.r9))
# run the syscall
if libc.ptrace(PTRACE.SYSCALL, pid, 0, 0) == -1:
sys.exit('error running syscall: ' + os.strerror(ctypes.get_errno()))
os.waitpid(pid, 0)
class PTRACE(enum.IntEnum):
TRACEME = 0
GETREGS = 12
SYSCALL = 24
SETOPTIONS = 0x4200
O_EXITKILL = 0x00100000
class UserRegs(ctypes.Structure):
_fields_ = [
('r15', ctypes.c_longlong),
('r14', ctypes.c_longlong),
('r13', ctypes.c_longlong),
('r12', ctypes.c_longlong),
('rbp', ctypes.c_longlong),
('rbx', ctypes.c_longlong),
('r11', ctypes.c_longlong),
('r10', ctypes.c_longlong),
('r9', ctypes.c_longlong),
('r8', ctypes.c_longlong),
('rax', ctypes.c_longlong),
('rcx', ctypes.c_longlong),
('rdx', ctypes.c_longlong),
('rsi', ctypes.c_longlong),
('rdi', ctypes.c_longlong),
('orig_rax', ctypes.c_longlong),
('rip', ctypes.c_longlong),
('cs', ctypes.c_longlong),
('eflags', ctypes.c_longlong),
('rsp', ctypes.c_longlong),
('ss', ctypes.c_longlong),
('fs_base', ctypes.c_longlong),
('gs_base', ctypes.c_longlong),
('ds', ctypes.c_longlong),
('es', ctypes.c_longlong),
('fs', ctypes.c_longlong),
('gs', ctypes.c_longlong),
]
SYS = {
0: 'read',
1: 'write',
2: 'open',
3: 'close',
4: 'stat',
5: 'fstat',
6: 'lstat',
7: 'poll',
8: 'lseek',
9: 'mmap',
10: 'mprotect',
11: 'munmap',
12: 'brk',
13: 'rt_sigaction',
14: 'rt_sigprocmask',
15: 'rt_sigreturn',
16: 'ioctl',
17: 'pread64',
18: 'pwrite64',
19: 'readv',
20: 'writev',
21: 'access',
22: 'pipe',
23: 'select',
24: 'sched_yield',
25: 'mremap',
26: 'msync',
27: 'mincore',
28: 'madvise',
29: 'shmget',
30: 'shmat',
31: 'shmctl',
32: 'dup',
33: 'dup2',
34: 'pause',
35: 'nanosleep',
36: 'getitimer',
37: 'alarm',
38: 'setitimer',
39: 'getpid',
40: 'sendfile',
41: 'socket',
42: 'connect',
43: 'accept',
44: 'sendto',
45: 'recvfrom',
46: 'sendmsg',
47: 'recvmsg',
48: 'shutdown',
49: 'bind',
50: 'listen',
51: 'getsockname',
52: 'getpeername',
53: 'socketpair',
54: 'setsockopt',
55: 'getsockopt',
56: 'clone',
57: 'fork',
58: 'vfork',
59: 'execve',
60: 'exit',
61: 'wait4',
62: 'kill',
63: 'uname',
64: 'semget',
65: 'semop',
66: 'semctl',
67: 'shmdt',
68: 'msgget',
69: 'msgsnd',
70: 'msgrcv',
71: 'msgctl',
72: 'fcntl',
73: 'flock',
74: 'fsync',
75: 'fdatasync',
76: 'truncate',
77: 'ftruncate',
78: 'getdents',
79: 'getcwd',
80: 'chdir',
81: 'fchdir',
82: 'rename',
83: 'mkdir',
84: 'rmdir',
85: 'creat',
86: 'link',
87: 'unlink',
88: 'symlink',
89: 'readlink',
90: 'chmod',
91: 'fchmod',
92: 'chown',
93: 'fchown',
94: 'lchown',
95: 'umask',
96: 'gettimeofday',
97: 'getrlimit',
98: 'getrusage',
99: 'sysinfo',
100: 'times',
101: 'ptrace',
102: 'getuid',
103: 'syslog',
104: 'getgid',
105: 'setuid',
106: 'setgid',
107: 'geteuid',
108: 'getegid',
109: 'setpgid',
110: 'getppid',
111: 'getpgrp',
112: 'setsid',
113: 'setreuid',
114: 'setregid',
115: 'getgroups',
116: 'setgroups',
117: 'setresuid',
118: 'getresuid',
119: 'setresgid',
120: 'getresgid',
121: 'getpgid',
122: 'setfsuid',
123: 'setfsgid',
124: 'getsid',
125: 'capget',
126: 'capset',
127: 'rt_sigpending',
128: 'rt_sigtimedwait',
129: 'rt_sigqueueinfo',
130: 'rt_sigsuspend',
131: 'sigaltstack',
132: 'utime',
133: 'mknod',
134: 'uselib',
135: 'personality',
136: 'ustat',
137: 'statfs',
138: 'fstatfs',
139: 'sysfs',
140: 'getpriority',
141: 'setpriority',
142: 'sched_setparam',
143: 'sched_getparam',
144: 'sched_setscheduler',
145: 'sched_getscheduler',
146: 'sched_get_priority_max',
147: 'sched_get_priority_min',
148: 'sched_rr_get_interval',
149: 'mlock',
150: 'munlock',
151: 'mlockall',
152: 'munlockall',
153: 'vhangup',
154: 'modify_ldt',
155: 'pivot_root',
156: '_sysctl',
157: 'prctl',
158: 'arch_prctl',
159: 'adjtimex',
160: 'setrlimit',
161: 'chroot',
162: 'sync',
163: 'acct',
164: 'settimeofday',
165: 'mount',
166: 'umount2',
167: 'swapon',
168: 'swapoff',
169: 'reboot',
170: 'sethostname',
171: 'setdomainname',
172: 'iopl',
173: 'ioperm',
174: 'create_module',
175: 'init_module',
176: 'delete_module',
177: 'get_kernel_syms',
178: 'query_module',
179: 'quotactl',
180: 'nfsservctl',
181: 'getpmsg',
182: 'putpmsg',
183: 'afs_syscall',
184: 'tuxcall',
185: 'security',
186: 'gettid',
187: 'readahead',
188: 'setxattr',
189: 'lsetxattr',
190: 'fsetxattr',
191: 'getxattr',
192: 'lgetxattr',
193: 'fgetxattr',
194: 'listxattr',
195: 'llistxattr',
196: 'flistxattr',
197: 'removexattr',
198: 'lremovexattr',
199: 'fremovexattr',
200: 'tkill',
201: 'time',
202: 'futex',
203: 'sched_setaffinity',
204: 'sched_getaffinity',
205: 'set_thread_area',
206: 'io_setup',
207: 'io_destroy',
208: 'io_getevents',
209: 'io_submit',
210: 'io_cancel',
211: 'get_thread_area',
212: 'lookup_dcookie',
213: 'epoll_create',
214: 'epoll_ctl_old',
215: 'epoll_wait_old',
216: 'remap_file_pages',
217: 'getdents64',
218: 'set_tid_address',
219: 'restart_syscall',
220: 'semtimedop',
221: 'fadvise64',
222: 'timer_create',
223: 'timer_settime',
224: 'timer_gettime',
225: 'timer_getoverrun',
226: 'timer_delete',
227: 'clock_settime',
228: 'clock_gettime',
229: 'clock_getres',
230: 'clock_nanosleep',
231: 'exit_group',
232: 'epoll_wait',
233: 'epoll_ctl',
234: 'tgkill',
235: 'utimes',
236: 'vserver',
237: 'mbind',
238: 'set_mempolicy',
239: 'get_mempolicy',
240: 'mq_open',
241: 'mq_unlink',
242: 'mq_timedsend',
243: 'mq_timedreceive',
244: 'mq_notify',
245: 'mq_getsetattr',
246: 'kexec_load',
247: 'waitid',
248: 'add_key',
249: 'request_key',
250: 'keyctl',
251: 'ioprio_set',
252: 'ioprio_get',
253: 'inotify_init',
254: 'inotify_add_watch',
255: 'inotify_rm_watch',
256: 'migrate_pages',
257: 'openat',
258: 'mkdirat',
259: 'mknodat',
260: 'fchownat',
261: 'futimesat',
262: 'newfstatat',
263: 'unlinkat',
264: 'renameat',
265: 'linkat',
266: 'symlinkat',
267: 'readlinkat',
268: 'fchmodat',
269: 'faccessat',
270: 'pselect6',
271: 'ppoll',
272: 'unshare',
273: 'set_robust_list',
274: 'get_robust_list',
275: 'splice',
276: 'tee',
277: 'sync_file_range',
278: 'vmsplice',
279: 'move_pages',
280: 'utimensat',
281: 'epoll_pwait',
282: 'signalfd',
283: 'timerfd_create',
284: 'eventfd',
285: 'fallocate',
286: 'timerfd_settime',
287: 'timerfd_gettime',
288: 'accept4',
289: 'signalfd4',
290: 'eventfd2',
291: 'epoll_create1',
292: 'dup3',
293: 'pipe2',
294: 'inotify_init1',
295: 'preadv',
296: 'pwritev',
297: 'rt_tgsigqueueinfo',
298: 'perf_event_open',
299: 'recvmmsg',
300: 'fanotify_init',
301: 'fanotify_mark',
302: 'prlimit64',
303: 'name_to_handle_at',
304: 'open_by_handle_at',
305: 'clock_adjtime',
306: 'syncfs',
307: 'sendmmsg',
308: 'setns',
309: 'getcpu',
310: 'process_vm_readv',
311: 'process_vm_writev',
312: 'kcmp',
313: 'finit_module',
}
if __name__ == '__main__':
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment