initial

author: Root THC 2026-02-24 12:42:47 +0000
committer: Root THC 2026-02-24 12:42:47 +0000
commit: c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree: aefc355416b561111819de159ccbd86c3004cf88 /other/burneye/src/debug
parent: 073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
4 files changed, 556 insertions, 0 deletions
diff --git a/other/burneye/src/debug/memdump.c b/other/burneye/src/debug/memdump.c
new file mode 100644
index 0000000..3215d20
--- /dev/null
+++ b/other/burneye/src/debug/memdump.c
@@ -0,0 +1,249 @@
+/* memory dump utility
+ * -scut
+ */
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+#include <sys/user.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <libgen.h>     /* basename */
+void
+hexdump (unsigned char *data, unsigned int amount);
+int
+main (int argc, char *argv[])
+{
+        pid_t                   fpid;           /* child pid, gets ptraced */
+        char *                  argv0;
+        struct user             regs;           /* PTRACE pulled registers */
+        unsigned long int       addr,           /* segment start address */
+                                addr_end,       /* segment end address */
+                                len;            /* length of segment */
+        unsigned long int       addr_walker,    /* walker to dump memory */
+                                eip;            /* current childs eip */
+        /* array to temporarily store data into */
+        unsigned char           data_saved[sizeof (unsigned long int)];
+        /* file to read mapping information */
+        FILE *                  map_f;          /* /proc/<pid>/maps stream */
+        unsigned char           map_line[256];  /* one line each from map */
+        /* data for the dump files */
+        FILE *                  dump_f;         /* stream */
+        char                    dump_name[64];  /* filename buffer */
+        if (argc < 3 || sscanf (argv[1], "0x%lx", &eip) != 1) {
+                printf ("usage: %s <eip> <argv0 [argv1 [...]]>\n\n", argv[0]);
+                printf ("will run 'argv0' as program with given arguments, "
+                                "until 'eip' is reached, then\n"
+                        "dumping 'len' bytes from 'addr'.\n\n"
+                        "example: %s 0x08049014 0x08048000 0x100 /bin/ls "
+                                "-l\n\n", argv[0]);
+                exit (EXIT_FAILURE);
+        }
+        argv0 = argv[2];
+        fpid = fork ();
+        if (fpid < 0) {
+                perror ("fork");
+                exit (EXIT_FAILURE);
+        }
+        if (fpid == 0) {        /* child */
+                if (ptrace (PTRACE_TRACEME, 0, NULL, NULL) != 0) {
+                        perror ("ptrace PTRACE_TRACEME");
+                        exit (EXIT_FAILURE);
+                }
+                fprintf (stderr, "  child: TRACEME set\n");
+                fprintf (stderr, "  child: executing: %s\n", argv[2]);
+                close (1);
+                dup2 (2, 1);
+                execve (argv[2], &argv[2], NULL);
+                /* failed ? */
+                perror ("execve");
+                exit (EXIT_FAILURE);
+        }
+        wait (NULL);
+        memset (&regs, 0, sizeof (regs));
+        if (ptrace (PTRACE_GETREGS, fpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+        fprintf (stderr, "[0x%08lx] first stop\n", regs.regs.eip);
+        /* now single step until given eip is reached */
+        do {
+                if (ptrace (PTRACE_SINGLESTEP, fpid, NULL, NULL) < 0) {
+                        perror ("ptrace PTRACE_SINGLESTEP");
+                        exit (EXIT_FAILURE);
+                }
+                wait (NULL);
+                memset (&regs, 0, sizeof (regs));
+                if (ptrace (PTRACE_GETREGS, fpid, NULL, &regs) < 0) {
+                        perror ("ptrace PTRACE_GETREGS");
+                        exit (EXIT_FAILURE);
+                }
+        } while (regs.regs.eip != eip);
+        fprintf (stderr, "MEMDUMP: eip @ 0x%08lx, dumping...\n", eip);
+        snprintf (dump_name, sizeof (dump_name), "%s.regs",
+                basename (argv0));
+        dump_name[sizeof (dump_name) - 1] = '\0';
+        dump_f = fopen (dump_name, "w");
+        if (dump_f == NULL) {
+                perror ("fopen dumpfile regs");
+                exit (EXIT_FAILURE);
+        }
+        fprintf (dump_f, "eax = 0x%08lx\n", regs.regs.eax);
+        fprintf (dump_f, "ebx = 0x%08lx\n", regs.regs.ebx);
+        fprintf (dump_f, "ecx = 0x%08lx\n", regs.regs.ecx);
+        fprintf (dump_f, "edx = 0x%08lx\n", regs.regs.edx);
+        fprintf (dump_f, "esi = 0x%08lx\n", regs.regs.esi);
+        fprintf (dump_f, "edi = 0x%08lx\n", regs.regs.edi);
+        fprintf (dump_f, "ebp = 0x%08lx\n", regs.regs.ebp);
+        fprintf (dump_f, "esp = 0x%08lx\n", regs.regs.esp);
+        fprintf (dump_f, "eflags = 0x%08lx\n", regs.regs.eflags);
+        fprintf (dump_f, "xcs = 0x%08lx\n", regs.regs.xcs);
+        fprintf (dump_f, "xds = 0x%08lx\n", regs.regs.xds);
+        fprintf (dump_f, "xes = 0x%08lx\n", regs.regs.xes);
+        fprintf (dump_f, "xss = 0x%08lx\n", regs.regs.xss);
+        fclose (dump_f);
+        snprintf (map_line, sizeof (map_line), "/proc/%d/maps", fpid);
+        map_line[sizeof (map_line) -  1] = '\0';
+        map_f = fopen (map_line, "r");
+        if (map_f == NULL) {
+                perror ("fopen map-file");
+                exit (EXIT_FAILURE);
+        }
+        while (fgets (map_line, sizeof (map_line), map_f) != NULL) {
+                char            map_perm[8];
+                if (sscanf (map_line, "%08lx-%08lx %7[rwxp-] ",
+                        &addr, &addr_end, map_perm) != 3)
+                {
+                        perror ("invalid map-line");
+                        exit (EXIT_FAILURE);
+                }
+                if (addr_end < addr) {
+                        fprintf (stderr, "sanity required, not so: "
+                                "addr = 0x%08lx, addr_end = 0x%08lx",
+                                addr, addr_end);
+                        exit (EXIT_FAILURE);
+                }
+                len = addr_end - addr;
+                map_perm[sizeof (map_perm) - 1] = '\0'; /* ;-) */
+                fprintf (stderr, "MEMDUMP: -> 0x%08lx (0x%08lx bytes, "
+                        "perm %s)\n", addr, len, map_perm);
+                snprintf (dump_name, sizeof (dump_name),
+                        "%s.0x%08lx.0x%08lx.%s",
+                        basename (argv0), addr, len, map_perm);
+                dump_name[sizeof (dump_name) - 1] = '\0';
+                dump_f = fopen (dump_name, "wb");
+                if (dump_f == NULL) {
+                        perror ("fopen dumpfile");
+                        exit (EXIT_FAILURE);
+                }
+                /* save data, assuming addr is page aligned */
+                for (addr_walker = 0 ; addr_walker < len ;
+                        addr_walker += sizeof (data_saved))
+                {
+                        errno = 0;
+                        *((unsigned long int *) &data_saved[0]) =
+                                ptrace (PTRACE_PEEKDATA, fpid,
+                                        addr + addr_walker, NULL);
+                        if (errno == 0 && fwrite (&data_saved[0], 1, 4,
+                                dump_f) != 4)
+                        {
+                                perror ("fwrite dumpfile");
+                                exit (EXIT_FAILURE);
+                        } else if (errno != 0) {
+                                fprintf (stderr,
+                                        "[0x%08lx] invalid PTRACE_PEEKDATA\n",
+                                        addr + addr_walker);
+                                exit (EXIT_FAILURE);
+                        }
+                }
+                fclose (dump_f);
+        }
+        fclose (map_f);
+        if (ptrace (PTRACE_DETACH, fpid, NULL, NULL) < 0) {
+                perror ("ptrace PTRACE_DETACH");
+                exit (EXIT_FAILURE);
+        }
+        fprintf (stderr, "MEMDUMP: success. terminating.\n");
+        exit (EXIT_SUCCESS);
+}
+void
+hexdump (unsigned char *data, unsigned int amount)
+{
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] =
+                "................................ !\"#$%&'()*+,-./0123456789"
+                ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                "nopqrstuvwxyz{|}~...................................."
+                "....................................................."
+                "........................................";
+        for (dp = 1; dp <= amount; dp++) {
+                printf ("%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        printf (" ");
+                if ((dp % 16) == 0) {
+                        printf ("| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                printf ("%c", trans[data[dp]]);
+                        printf ("\n");
+                }
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        printf ("   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                printf (" ");
+                }
+                printf (" | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        printf ("%c", trans[data[dp]]);
+        }
+        printf ("\n");
+        return;
+}
diff --git a/other/burneye/src/debug/memdump.c.old b/other/burneye/src/debug/memdump.c.old
new file mode 100644
index 0000000..eda7963
--- /dev/null
+++ b/other/burneye/src/debug/memdump.c.old
@@ -0,0 +1,164 @@
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+#include <sys/user.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+void
+hexdump (unsigned char *data, unsigned int amount);
+int
+main (int argc, char *argv[])
+{
+        pid_t                   fpid;
+        struct user             regs;
+        unsigned long int       addr,
+                                len;
+        unsigned long int       addr_walker,
+                                eip;
+        unsigned char           data_saved[256];
+        if (argc < 5 || sscanf (argv[1], "0x%lx", &eip) != 1 ||
+                sscanf (argv[2], "0x%lx", &addr) != 1 ||
+                sscanf (argv[3], "0x%lx", &len) != 1)
+        {
+                printf ("usage: %s <eip> <addr> <len> <argv0 [argv1 [...]]>\n\n", argv[0]);
+                printf ("will run 'argv0' as program with given arguments, until 'eip' is reached, then\n"
+                        "dumping 'len' bytes from 'addr'.\n\n"
+                        "example: %s 0x08049014 0x08048000 0x100 /bin/ls -l\n\n", argv[0]);
+                exit (EXIT_FAILURE);
+        }
+        fpid = fork ();
+        if (fpid < 0) {
+                perror ("fork");
+                exit (EXIT_FAILURE);
+        }
+        if (fpid == 0) {        /* child */
+                if (ptrace (PTRACE_TRACEME, 0, NULL, NULL) != 0) {
+                        perror ("ptrace PTRACE_TRACEME");
+                        exit (EXIT_FAILURE);
+                }
+                fprintf (stderr, "  child: TRACEME set\n");
+                fprintf (stderr, "  child: executing: %s\n", argv[4]);
+                close (1);
+                dup2 (2, 1);
+                execve (argv[4], &argv[4], NULL);
+                /* failed ? */
+                perror ("execve");
+                exit (EXIT_FAILURE);
+        }
+#if 0
+        if (ptrace (PTRACE_ATTACH, fpid, NULL, NULL) < 0) {
+                perror ("ptrace");
+                exit (EXIT_FAILURE);
+        }
+        fprintf (stderr, "attached to pid %d (from us, the parent, pid %d)\n", fpid, getpid ());
+#endif
+//      sleep (1);
+#if 0
+        /* trace until trap'ed */
+        if (ptrace (PTRACE_CONT, fpid, NULL, NULL) < 0) {
+                perror ("ptrace PTRACE_CONT");
+                exit (EXIT_FAILURE);
+        }
+#endif
+        fprintf (stderr, "it should execve now\n");
+        sleep (1);
+        memset (&regs, 0, sizeof (regs));
+        if (ptrace (PTRACE_GETREGS, fpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+        fprintf (stderr, "[0x%08lx] first stop\n", regs.regs.eip);
+        /* now single step until given eip is reached */
+        do {
+                if (ptrace (PTRACE_SINGLESTEP, fpid, NULL, NULL) < 0) {
+                        perror ("ptrace PTRACE_SINGLESTEP");
+                        exit (EXIT_FAILURE);
+                }
+                wait (NULL);
+                memset (&regs, 0, sizeof (regs));
+                if (ptrace (PTRACE_GETREGS, fpid, NULL, &regs) < 0) {
+                        perror ("ptrace PTRACE_GETREGS");
+                        exit (EXIT_FAILURE);
+                }
+        } while (regs.regs.eip != eip);
+        fprintf (stderr, "hook traped @ 0x%08lx\n", eip);
+        fprintf (stderr, "dumping 0x%lx bytes @ 0x%08lx\n", len, addr);
+        /* save data */
+        for (addr_walker = 0 ; addr_walker < len ; ++addr_walker) {
+                errno = 0;
+                *((unsigned long int *) &data_saved[0]) = ptrace (PTRACE_PEEKDATA, fpid,
+                        addr + addr_walker, NULL);
+                if (errno == 0)
+                        write (1, &data_saved[0], 1);
+                else
+                        fprintf (stderr, "- [0x%08lx] invalid PTRACE_PEEKDATA\n",
+                                addr + addr_walker), _exit(1);
+        }
+//      hexdump (data_saved, sizeof (data_saved));
+        if (ptrace (PTRACE_DETACH, fpid, NULL, NULL) < 0) {
+                perror ("ptrace PTRACE_DETACH");
+                exit (EXIT_FAILURE);
+        }
+        fprintf (stderr, "success. terminating.\n");
+        exit (EXIT_SUCCESS);
+}
+void
+hexdump (unsigned char *data, unsigned int amount)
+{
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] =
+                "................................ !\"#$%&'()*+,-./0123456789"
+                ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                "nopqrstuvwxyz{|}~...................................."
+                "....................................................."
+                "........................................";
+        for (dp = 1; dp <= amount; dp++) {
+                printf ("%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        printf (" ");
+                if ((dp % 16) == 0) {
+                        printf ("| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                printf ("%c", trans[data[dp]]);
+                        printf ("\n");
+                }
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        printf ("   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                printf (" ");
+                }
+                printf (" | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        printf ("%c", trans[data[dp]]);
+        }
+        printf ("\n");
+        return;
+}
diff --git a/other/burneye/src/debug/ptrace-legit b/other/burneye/src/debug/ptrace-legit
new file mode 100644
index 0000000..85bc5a1
--- /dev/null
+++ b/other/burneye/src/debug/ptrace-legit
Binary files differ
diff --git a/other/burneye/src/debug/ptrace-legit.c b/other/burneye/src/debug/ptrace-legit.c
new file mode 100644
index 0000000..a6c53d7
--- /dev/null
+++ b/other/burneye/src/debug/ptrace-legit.c
@@ -0,0 +1,143 @@
+/* -scutstyle */
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+#include <sys/user.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+void
+hexdump (unsigned char *data, unsigned int amount);
+unsigned char   shellcode[] = "\x90\x90\xcc\x73";
+int
+main (int argc, char *argv[])
+{
+        pid_t                   cpid;
+        struct user             regs;
+        unsigned long int       safed_eip;
+        unsigned long int       addr,
+                                addr_walker;
+        unsigned char           data_saved[256];
+#if 1
+        if (argc != 2 || sscanf (argv[1], "%d", &cpid) != 1) {
+                printf ("usage: %s <pid>\n", argv[0]);
+                exit (EXIT_FAILURE);
+        }
+#else
+        cpid = getppid();
+#endif
+        printf ("pid = %d\n", cpid);
+        printf ("exploiting\n\n");
+        if (ptrace (PTRACE_ATTACH, cpid, NULL, NULL) < 0) {
+                perror ("ptrace");
+                exit (EXIT_FAILURE);
+        }
+        /* save data */
+        addr = 0xbffff010;
+        for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
+                data_saved[addr_walker] = ptrace (PTRACE_PEEKDATA, cpid,
+                        addr + addr_walker, NULL);
+        }
+        hexdump (data_saved, sizeof (data_saved));
+        /* write */
+        for (addr_walker = 0 ; addr_walker < sizeof (shellcode) ;
+                ++addr_walker)
+        {
+                ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
+                        shellcode[addr_walker] & 0xff);
+        }
+        /* redirect eip */
+        memset (&regs, 0, sizeof (regs));
+        if (ptrace (PTRACE_GETREGS, cpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+        // write eip */
+        safed_eip = regs.regs.eip;
+        regs.regs.eip = 0xbffff010;
+        if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+        if (ptrace (PTRACE_CONT, cpid, NULL, NULL) < 0) {
+                perror ("ptrace PTRACE_CONT");
+                exit (EXIT_FAILURE);
+        }
+        wait (NULL);
+        printf ("detrap\n");
+        /* restore */
+        for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
+                ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
+                        data_saved[addr_walker] & 0xff);
+        }
+        /* restore regs */
+        regs.regs.eip = safed_eip;
+        if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
+                perror ("ptrace PTRACE_GETREGS");
+                exit (EXIT_FAILURE);
+        }
+        if (ptrace (PTRACE_DETACH, cpid, NULL, NULL) < 0) {
+                perror ("ptrace PTRACE_DETACH");
+                exit (EXIT_FAILURE);
+        }
+        exit (EXIT_SUCCESS);
+}
+void
+hexdump (unsigned char *data, unsigned int amount)
+{
+        unsigned int    dp, p;  /* data pointer */
+        const char      trans[] =
+                "................................ !\"#$%&'()*+,-./0123456789"
+                ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+                "nopqrstuvwxyz{|}~...................................."
+                "....................................................."
+                "........................................";
+        for (dp = 1; dp <= amount; dp++) {
+                printf ("%02x ", data[dp-1]);
+                if ((dp % 8) == 0)
+                        printf (" ");
+                if ((dp % 16) == 0) {
+                        printf ("| ");
+                        p = dp;
+                        for (dp -= 16; dp < p; dp++)
+                                printf ("%c", trans[data[dp]]);
+                        printf ("\n");
+                }
+        }
+        if ((amount % 16) != 0) {
+                p = dp = 16 - (amount % 16);
+                for (dp = p; dp > 0; dp--) {
+                        printf ("   ");
+                        if (((dp % 8) == 0) && (p != 8))
+                                printf (" ");
+                }
+                printf (" | ");
+                for (dp = (amount - (16 - p)); dp < amount; dp++)
+                        printf ("%c", trans[data[dp]]);
+        }
+        printf ("\n");
+        return;
+}
author	Root THC	2026-02-24 12:42:47 +0000
committer	Root THC	2026-02-24 12:42:47 +0000
commit	c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree	aefc355416b561111819de159ccbd86c3004cf88 /other/burneye/src/debug
parent	073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)

diff --git a/other/burneye/src/debug/memdump.c b/other/burneye/src/debug/memdump.c new file mode 100644 index 0000000..3215d20 --- /dev/null +++ b/other/burneye/src/debug/memdump.c
@@ -0,0 +1,249 @@
	1	/* memory dump utility
	2	* -scut
	3	*/
	4
	5	#include <sys/types.h>
	6	#include <sys/ptrace.h>
	7	#include <sys/wait.h>
	8	#include <sys/user.h>
	9	#include <errno.h>
	10	#include <unistd.h>
	11	#include <stdlib.h>
	12	#include <stdio.h>
	13	#include <libgen.h> /* basename */
	14
	15
	16	void
	17	hexdump (unsigned char *data, unsigned int amount);
	18
	19
	20	int
	21	main (int argc, char *argv[])
	22	{
	23	pid_t fpid; /* child pid, gets ptraced */
	24	char * argv0;
	25	struct user regs; /* PTRACE pulled registers */
	26	unsigned long int addr, /* segment start address */
	27	addr_end, /* segment end address */
	28	len; /* length of segment */
	29	unsigned long int addr_walker, /* walker to dump memory */
	30	eip; /* current childs eip */
	31
	32	/* array to temporarily store data into */
	33	unsigned char data_saved[sizeof (unsigned long int)];
	34
	35	/* file to read mapping information */
	36	FILE * map_f; /* /proc/<pid>/maps stream */
	37	unsigned char map_line[256]; /* one line each from map */
	38
	39	/* data for the dump files */
	40	FILE * dump_f; /* stream */
	41	char dump_name[64]; /* filename buffer */
	42
	43
	44	if (argc < 3 \|\| sscanf (argv[1], "0x%lx", &eip) != 1) {
	45	printf ("usage: %s <eip> <argv0 [argv1 [...]]>\n\n", argv[0]);
	46	printf ("will run 'argv0' as program with given arguments, "
	47	"until 'eip' is reached, then\n"
	48	"dumping 'len' bytes from 'addr'.\n\n"
	49	"example: %s 0x08049014 0x08048000 0x100 /bin/ls "
	50	"-l\n\n", argv[0]);
	51
	52	exit (EXIT_FAILURE);
	53	}
	54
	55	argv0 = argv[2];
	56
	57	fpid = fork ();
	58	if (fpid < 0) {
	59	perror ("fork");
	60	exit (EXIT_FAILURE);
	61	}
	62	if (fpid == 0) { /* child */
	63	if (ptrace (PTRACE_TRACEME, 0, NULL, NULL) != 0) {
	64	perror ("ptrace PTRACE_TRACEME");
	65	exit (EXIT_FAILURE);
	66	}
	67	fprintf (stderr, " child: TRACEME set\n");
	68
	69	fprintf (stderr, " child: executing: %s\n", argv[2]);
	70	close (1);
	71	dup2 (2, 1);
	72	execve (argv[2], &argv[2], NULL);
	73
	74	/* failed ? */
	75	perror ("execve");
	76	exit (EXIT_FAILURE);
	77	}
	78
	79	wait (NULL);
	80
	81	memset (&regs, 0, sizeof (regs));
	82
	83	if (ptrace (PTRACE_GETREGS, fpid, NULL, &regs) < 0) {
	84	perror ("ptrace PTRACE_GETREGS");
	85	exit (EXIT_FAILURE);
	86	}
	87	fprintf (stderr, "[0x%08lx] first stop\n", regs.regs.eip);
	88
	89	/* now single step until given eip is reached */
	90	do {
	91	if (ptrace (PTRACE_SINGLESTEP, fpid, NULL, NULL) < 0) {
	92	perror ("ptrace PTRACE_SINGLESTEP");
	93	exit (EXIT_FAILURE);
	94	}
	95	wait (NULL);
	96
	97	memset (&regs, 0, sizeof (regs));
	98	if (ptrace (PTRACE_GETREGS, fpid, NULL, &regs) < 0) {
	99	perror ("ptrace PTRACE_GETREGS");
	100	exit (EXIT_FAILURE);
	101	}
	102	} while (regs.regs.eip != eip);
	103
	104	fprintf (stderr, "MEMDUMP: eip @ 0x%08lx, dumping...\n", eip);
	105
	106	snprintf (dump_name, sizeof (dump_name), "%s.regs",
	107	basename (argv0));
	108	dump_name[sizeof (dump_name) - 1] = '\0';
	109	dump_f = fopen (dump_name, "w");
	110	if (dump_f == NULL) {
	111	perror ("fopen dumpfile regs");
	112	exit (EXIT_FAILURE);
	113	}
	114	fprintf (dump_f, "eax = 0x%08lx\n", regs.regs.eax);
	115	fprintf (dump_f, "ebx = 0x%08lx\n", regs.regs.ebx);
	116	fprintf (dump_f, "ecx = 0x%08lx\n", regs.regs.ecx);
	117	fprintf (dump_f, "edx = 0x%08lx\n", regs.regs.edx);
	118	fprintf (dump_f, "esi = 0x%08lx\n", regs.regs.esi);
	119	fprintf (dump_f, "edi = 0x%08lx\n", regs.regs.edi);
	120	fprintf (dump_f, "ebp = 0x%08lx\n", regs.regs.ebp);
	121	fprintf (dump_f, "esp = 0x%08lx\n", regs.regs.esp);
	122	fprintf (dump_f, "eflags = 0x%08lx\n", regs.regs.eflags);
	123	fprintf (dump_f, "xcs = 0x%08lx\n", regs.regs.xcs);
	124	fprintf (dump_f, "xds = 0x%08lx\n", regs.regs.xds);
	125	fprintf (dump_f, "xes = 0x%08lx\n", regs.regs.xes);
	126	fprintf (dump_f, "xss = 0x%08lx\n", regs.regs.xss);
	127	fclose (dump_f);
	128
	129	snprintf (map_line, sizeof (map_line), "/proc/%d/maps", fpid);
	130	map_line[sizeof (map_line) - 1] = '\0';
	131	map_f = fopen (map_line, "r");
	132	if (map_f == NULL) {
	133	perror ("fopen map-file");
	134
	135	exit (EXIT_FAILURE);
	136	}
	137
	138	while (fgets (map_line, sizeof (map_line), map_f) != NULL) {
	139	char map_perm[8];
	140
	141	if (sscanf (map_line, "%08lx-%08lx %7[rwxp-] ",
	142	&addr, &addr_end, map_perm) != 3)
	143	{
	144	perror ("invalid map-line");
	145
	146	exit (EXIT_FAILURE);
	147	}
	148	if (addr_end < addr) {
	149	fprintf (stderr, "sanity required, not so: "
	150	"addr = 0x%08lx, addr_end = 0x%08lx",
	151	addr, addr_end);
	152
	153	exit (EXIT_FAILURE);
	154	}
	155	len = addr_end - addr;
	156	map_perm[sizeof (map_perm) - 1] = '\0'; /* ;-) */
	157
	158	fprintf (stderr, "MEMDUMP: -> 0x%08lx (0x%08lx bytes, "
	159	"perm %s)\n", addr, len, map_perm);
	160
	161	snprintf (dump_name, sizeof (dump_name),
	162	"%s.0x%08lx.0x%08lx.%s",
	163	basename (argv0), addr, len, map_perm);
	164	dump_name[sizeof (dump_name) - 1] = '\0';
	165	dump_f = fopen (dump_name, "wb");
	166	if (dump_f == NULL) {
	167	perror ("fopen dumpfile");
	168
	169	exit (EXIT_FAILURE);
	170	}
	171
	172	/* save data, assuming addr is page aligned */
	173	for (addr_walker = 0 ; addr_walker < len ;
	174	addr_walker += sizeof (data_saved))
	175	{
	176	errno = 0;
	177
	178	((unsigned long int ) &data_saved[0]) =
	179	ptrace (PTRACE_PEEKDATA, fpid,
	180	addr + addr_walker, NULL);
	181
	182	if (errno == 0 && fwrite (&data_saved[0], 1, 4,
	183	dump_f) != 4)
	184	{
	185	perror ("fwrite dumpfile");
	186
	187	exit (EXIT_FAILURE);
	188	} else if (errno != 0) {
	189	fprintf (stderr,
	190	"[0x%08lx] invalid PTRACE_PEEKDATA\n",
	191	addr + addr_walker);
	192
	193	exit (EXIT_FAILURE);
	194	}
	195	}
	196
	197	fclose (dump_f);
	198	}
	199	fclose (map_f);
	200
	201	if (ptrace (PTRACE_DETACH, fpid, NULL, NULL) < 0) {
	202	perror ("ptrace PTRACE_DETACH");
	203	exit (EXIT_FAILURE);
	204	}
	205
	206	fprintf (stderr, "MEMDUMP: success. terminating.\n");
	207	exit (EXIT_SUCCESS);
	208	}
	209
	210
	211
	212	void
	213	hexdump (unsigned char *data, unsigned int amount)
	214	{
	215	unsigned int dp, p; /* data pointer */
	216	const char trans[] =
	217	"................................ !\"#$%&'()*+,-./0123456789"
	218	":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
	219	"nopqrstuvwxyz{\|}~...................................."
	220	"....................................................."
	221	"........................................";
	222
	223	for (dp = 1; dp <= amount; dp++) {
	224	printf ("%02x ", data[dp-1]);
	225	if ((dp % 8) == 0)
	226	printf (" ");
	227	if ((dp % 16) == 0) {
	228	printf ("\| ");
	229	p = dp;
	230	for (dp -= 16; dp < p; dp++)
	231	printf ("%c", trans[data[dp]]);
	232	printf ("\n");
	233	}
	234	}
	235	if ((amount % 16) != 0) {
	236	p = dp = 16 - (amount % 16);
	237	for (dp = p; dp > 0; dp--) {
	238	printf (" ");
	239	if (((dp % 8) == 0) && (p != 8))
	240	printf (" ");
	241	}
	242	printf (" \| ");
	243	for (dp = (amount - (16 - p)); dp < amount; dp++)
	244	printf ("%c", trans[data[dp]]);
	245	}
	246	printf ("\n");
	247
	248	return;
	249	}


diff --git a/other/burneye/src/debug/memdump.c.old b/other/burneye/src/debug/memdump.c.old new file mode 100644 index 0000000..eda7963 --- /dev/null +++ b/other/burneye/src/debug/memdump.c.old
@@ -0,0 +1,164 @@
	1
	2	#include <sys/types.h>
	3	#include <sys/ptrace.h>
	4	#include <sys/wait.h>
	5	#include <sys/user.h>
	6	#include <errno.h>
	7	#include <unistd.h>
	8	#include <stdlib.h>
	9	#include <stdio.h>
	10
	11	void
	12	hexdump (unsigned char *data, unsigned int amount);
	13
	14	int
	15	main (int argc, char *argv[])
	16	{
	17	pid_t fpid;
	18	struct user regs;
	19	unsigned long int addr,
	20	len;
	21	unsigned long int addr_walker,
	22	eip;
	23	unsigned char data_saved[256];
	24
	25	if (argc < 5 \|\| sscanf (argv[1], "0x%lx", &eip) != 1 \|\|
	26	sscanf (argv[2], "0x%lx", &addr) != 1 \|\|
	27	sscanf (argv[3], "0x%lx", &len) != 1)
	28	{
	29	printf ("usage: %s <eip> <addr> <len> <argv0 [argv1 [...]]>\n\n", argv[0]);
	30	printf ("will run 'argv0' as program with given arguments, until 'eip' is reached, then\n"
	31	"dumping 'len' bytes from 'addr'.\n\n"
	32	"example: %s 0x08049014 0x08048000 0x100 /bin/ls -l\n\n", argv[0]);
	33	exit (EXIT_FAILURE);
	34	}
	35
	36	fpid = fork ();
	37	if (fpid < 0) {
	38	perror ("fork");
	39	exit (EXIT_FAILURE);
	40	}
	41	if (fpid == 0) { /* child */
	42	if (ptrace (PTRACE_TRACEME, 0, NULL, NULL) != 0) {
	43	perror ("ptrace PTRACE_TRACEME");
	44	exit (EXIT_FAILURE);
	45	}
	46	fprintf (stderr, " child: TRACEME set\n");
	47
	48	fprintf (stderr, " child: executing: %s\n", argv[4]);
	49	close (1);
	50	dup2 (2, 1);
	51	execve (argv[4], &argv[4], NULL);
	52
	53	/* failed ? */
	54	perror ("execve");
	55	exit (EXIT_FAILURE);
	56	}
	57
	58	#if 0
	59	if (ptrace (PTRACE_ATTACH, fpid, NULL, NULL) < 0) {
	60	perror ("ptrace");
	61	exit (EXIT_FAILURE);
	62	}
	63	fprintf (stderr, "attached to pid %d (from us, the parent, pid %d)\n", fpid, getpid ());
	64	#endif
	65	// sleep (1);
	66
	67	#if 0
	68	/* trace until trap'ed */
	69	if (ptrace (PTRACE_CONT, fpid, NULL, NULL) < 0) {
	70	perror ("ptrace PTRACE_CONT");
	71	exit (EXIT_FAILURE);
	72	}
	73	#endif
	74	fprintf (stderr, "it should execve now\n");
	75	sleep (1);
	76
	77	memset (&regs, 0, sizeof (regs));
	78
	79	if (ptrace (PTRACE_GETREGS, fpid, NULL, &regs) < 0) {
	80	perror ("ptrace PTRACE_GETREGS");
	81	exit (EXIT_FAILURE);
	82	}
	83	fprintf (stderr, "[0x%08lx] first stop\n", regs.regs.eip);
	84
	85	/* now single step until given eip is reached */
	86	do {
	87	if (ptrace (PTRACE_SINGLESTEP, fpid, NULL, NULL) < 0) {
	88	perror ("ptrace PTRACE_SINGLESTEP");
	89	exit (EXIT_FAILURE);
	90	}
	91	wait (NULL);
	92
	93	memset (&regs, 0, sizeof (regs));
	94	if (ptrace (PTRACE_GETREGS, fpid, NULL, &regs) < 0) {
	95	perror ("ptrace PTRACE_GETREGS");
	96	exit (EXIT_FAILURE);
	97	}
	98	} while (regs.regs.eip != eip);
	99
	100	fprintf (stderr, "hook traped @ 0x%08lx\n", eip);
	101	fprintf (stderr, "dumping 0x%lx bytes @ 0x%08lx\n", len, addr);
	102
	103	/* save data */
	104	for (addr_walker = 0 ; addr_walker < len ; ++addr_walker) {
	105	errno = 0;
	106	((unsigned long int ) &data_saved[0]) = ptrace (PTRACE_PEEKDATA, fpid,
	107	addr + addr_walker, NULL);
	108	if (errno == 0)
	109	write (1, &data_saved[0], 1);
	110	else
	111	fprintf (stderr, "- [0x%08lx] invalid PTRACE_PEEKDATA\n",
	112	addr + addr_walker), _exit(1);
	113	}
	114	// hexdump (data_saved, sizeof (data_saved));
	115
	116	if (ptrace (PTRACE_DETACH, fpid, NULL, NULL) < 0) {
	117	perror ("ptrace PTRACE_DETACH");
	118	exit (EXIT_FAILURE);
	119	}
	120
	121	fprintf (stderr, "success. terminating.\n");
	122	exit (EXIT_SUCCESS);
	123	}
	124
	125
	126
	127	void
	128	hexdump (unsigned char *data, unsigned int amount)
	129	{
	130	unsigned int dp, p; /* data pointer */
	131	const char trans[] =
	132	"................................ !\"#$%&'()*+,-./0123456789"
	133	":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
	134	"nopqrstuvwxyz{\|}~...................................."
	135	"....................................................."
	136	"........................................";
	137
	138	for (dp = 1; dp <= amount; dp++) {
	139	printf ("%02x ", data[dp-1]);
	140	if ((dp % 8) == 0)
	141	printf (" ");
	142	if ((dp % 16) == 0) {
	143	printf ("\| ");
	144	p = dp;
	145	for (dp -= 16; dp < p; dp++)
	146	printf ("%c", trans[data[dp]]);
	147	printf ("\n");
	148	}
	149	}
	150	if ((amount % 16) != 0) {
	151	p = dp = 16 - (amount % 16);
	152	for (dp = p; dp > 0; dp--) {
	153	printf (" ");
	154	if (((dp % 8) == 0) && (p != 8))
	155	printf (" ");
	156	}
	157	printf (" \| ");
	158	for (dp = (amount - (16 - p)); dp < amount; dp++)
	159	printf ("%c", trans[data[dp]]);
	160	}
	161	printf ("\n");
	162
	163	return;
	164	}


diff --git a/other/burneye/src/debug/ptrace-legit b/other/burneye/src/debug/ptrace-legit new file mode 100644 index 0000000..85bc5a1 --- /dev/null +++ b/other/burneye/src/debug/ptrace-legit
Binary files differ


diff --git a/other/burneye/src/debug/ptrace-legit.c b/other/burneye/src/debug/ptrace-legit.c new file mode 100644 index 0000000..a6c53d7 --- /dev/null +++ b/other/burneye/src/debug/ptrace-legit.c
@@ -0,0 +1,143 @@
	1	/* -scutstyle */
	2
	3	#include <sys/types.h>
	4	#include <sys/ptrace.h>
	5	#include <sys/wait.h>
	6	#include <sys/user.h>
	7	#include <unistd.h>
	8	#include <stdlib.h>
	9	#include <stdio.h>
	10
	11	void
	12	hexdump (unsigned char *data, unsigned int amount);
	13
	14	unsigned char shellcode[] = "\x90\x90\xcc\x73";
	15
	16	int
	17	main (int argc, char *argv[])
	18	{
	19	pid_t cpid;
	20	struct user regs;
	21	unsigned long int safed_eip;
	22	unsigned long int addr,
	23	addr_walker;
	24	unsigned char data_saved[256];
	25
	26
	27	#if 1
	28	if (argc != 2 \|\| sscanf (argv[1], "%d", &cpid) != 1) {
	29	printf ("usage: %s <pid>\n", argv[0]);
	30	exit (EXIT_FAILURE);
	31	}
	32	#else
	33	cpid = getppid();
	34	#endif
	35
	36	printf ("pid = %d\n", cpid);
	37
	38	printf ("exploiting\n\n");
	39
	40	if (ptrace (PTRACE_ATTACH, cpid, NULL, NULL) < 0) {
	41	perror ("ptrace");
	42	exit (EXIT_FAILURE);
	43	}
	44
	45	/* save data */
	46	addr = 0xbffff010;
	47	for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
	48	data_saved[addr_walker] = ptrace (PTRACE_PEEKDATA, cpid,
	49	addr + addr_walker, NULL);
	50	}
	51	hexdump (data_saved, sizeof (data_saved));
	52
	53	/* write */
	54	for (addr_walker = 0 ; addr_walker < sizeof (shellcode) ;
	55	++addr_walker)
	56	{
	57	ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
	58	shellcode[addr_walker] & 0xff);
	59	}
	60
	61	/* redirect eip */
	62	memset (&regs, 0, sizeof (regs));
	63	if (ptrace (PTRACE_GETREGS, cpid, NULL, &regs) < 0) {
	64	perror ("ptrace PTRACE_GETREGS");
	65	exit (EXIT_FAILURE);
	66	}
	67	// write eip */
	68	safed_eip = regs.regs.eip;
	69	regs.regs.eip = 0xbffff010;
	70	if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
	71	perror ("ptrace PTRACE_GETREGS");
	72	exit (EXIT_FAILURE);
	73	}
	74
	75	if (ptrace (PTRACE_CONT, cpid, NULL, NULL) < 0) {
	76	perror ("ptrace PTRACE_CONT");
	77	exit (EXIT_FAILURE);
	78	}
	79
	80	wait (NULL);
	81	printf ("detrap\n");
	82
	83	/* restore */
	84	for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
	85	ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
	86	data_saved[addr_walker] & 0xff);
	87	}
	88
	89	/* restore regs */
	90	regs.regs.eip = safed_eip;
	91	if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
	92	perror ("ptrace PTRACE_GETREGS");
	93	exit (EXIT_FAILURE);
	94	}
	95
	96	if (ptrace (PTRACE_DETACH, cpid, NULL, NULL) < 0) {
	97	perror ("ptrace PTRACE_DETACH");
	98	exit (EXIT_FAILURE);
	99	}
	100
	101	exit (EXIT_SUCCESS);
	102	}
	103
	104
	105
	106	void
	107	hexdump (unsigned char *data, unsigned int amount)
	108	{
	109	unsigned int dp, p; /* data pointer */
	110	const char trans[] =
	111	"................................ !\"#$%&'()*+,-./0123456789"
	112	":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
	113	"nopqrstuvwxyz{\|}~...................................."
	114	"....................................................."
	115	"........................................";
	116
	117	for (dp = 1; dp <= amount; dp++) {
	118	printf ("%02x ", data[dp-1]);
	119	if ((dp % 8) == 0)
	120	printf (" ");
	121	if ((dp % 16) == 0) {
	122	printf ("\| ");
	123	p = dp;
	124	for (dp -= 16; dp < p; dp++)
	125	printf ("%c", trans[data[dp]]);
	126	printf ("\n");
	127	}
	128	}
	129	if ((amount % 16) != 0) {
	130	p = dp = 16 - (amount % 16);
	131	for (dp = p; dp > 0; dp--) {
	132	printf (" ");
	133	if (((dp % 8) == 0) && (p != 8))
	134	printf (" ");
	135	}
	136	printf (" \| ");
	137	for (dp = (amount - (16 - p)); dp < amount; dp++)
	138	printf ("%c", trans[data[dp]]);
	139	}
	140	printf ("\n");
	141
	142	return;
	143	}