authorRoot THC2026-02-24 12:42:47 +0000
committerRoot THC2026-02-24 12:42:47 +0000
commitc9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
treeaefc355416b561111819de159ccbd86c3004cf88 /other/burneye/src/debug
parent073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
initial
Diffstat (limited to 'other/burneye/src/debug')
-rw-r--r--other/burneye/src/debug/memdump.c249
-rw-r--r--other/burneye/src/debug/memdump.c.old164
-rw-r--r--other/burneye/src/debug/ptrace-legitbin0 -> 7236 bytes
-rw-r--r--other/burneye/src/debug/ptrace-legit.c143
4 files changed, 556 insertions, 0 deletions
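diff --git a/other/burneye/src/debug/memdump.c b/other/burneye/src/debug/memdump.c
new file mode 100644
index 0000000..3215d20
--- /dev/null
+++ b/other/burneye/src/debug/memdump.c
@@ -0,0 +1,249 @@
+/* memory dump utility
+ * -scut
+ */
+
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+#include <sys/user.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <libgen.h> /* basename */
+
+
+void
+hexdump (unsigned char *data, unsigned int amount);
+
+
+int
+main (int argc, char *argv[])
+{
+	pid_t fpid; /* child pid, gets ptraced */
+	char * argv0;
+	struct user regs; /* PTRACE pulled registers */
+	unsigned long int addr, /* segment start address */
+		addr_end, /* segment end address */
+		len; /* length of segment */
+	unsigned long int addr_walker, /* walker to dump memory */
+		eip; /* current childs eip */
+
+	/* array to temporarily store data into */
+	unsigned char data_saved[sizeof (unsigned long int)];
+
+	/* file to read mapping information */
+	FILE * map_f; /* /proc/<pid>/maps stream */
+	unsigned char map_line[256]; /* one line each from map */
+
+	/* data for the dump files */
+	FILE * dump_f; /* stream */
+	char dump_name[64]; /* filename buffer */
+
+
+	if (argc < 3 || sscanf (argv[1], "0x%lx", &eip) != 1) {
+		printf ("usage: %s <eip> <argv0 [argv1 [...]]>\n\n", argv[0]);
+		printf ("will run 'argv0' as program with given arguments, "
+			"until 'eip' is reached, then\n"
+			"dumping 'len' bytes from 'addr'.\n\n"
+			"example: %s 0x08049014 0x08048000 0x100 /bin/ls "
+			"-l\n\n", argv[0]);
+
+		exit (EXIT_FAILURE);
+	}
+
+	argv0 = argv[2];
+
+	fpid = fork ();
+	if (fpid < 0) {
+		perror ("fork");
+		exit (EXIT_FAILURE);
+	}
+	if (fpid == 0) { /* child */
+		if (ptrace (PTRACE_TRACEME, 0, NULL, NULL) != 0) {
+			perror ("ptrace PTRACE_TRACEME");
+			exit (EXIT_FAILURE);
+		}
+		fprintf (stderr, " child: TRACEME set\n");
+
+		fprintf (stderr, " child: executing: %s\n", argv[2]);
+		close (1);
+		dup2 (2, 1);
+		execve (argv[2], &argv[2], NULL);
+
+		/* failed ? */
+		perror ("execve");
+		exit (EXIT_FAILURE);
+	}
+
+	wait (NULL);
+
+	memset (&regs, 0, sizeof (regs));
+
+	if (ptrace (PTRACE_GETREGS, fpid, NULL, &regs) < 0) {
+		perror ("ptrace PTRACE_GETREGS");
+		exit (EXIT_FAILURE);
+	}
+	fprintf (stderr, "[0x%08lx] first stop\n", regs.regs.eip);
+
+	/* now single step until given eip is reached */
+	do {
+		if (ptrace (PTRACE_SINGLESTEP, fpid, NULL, NULL) < 0) {
+			perror ("ptrace PTRACE_SINGLESTEP");
+			exit (EXIT_FAILURE);
+		}
+		wait (NULL);
+
+		memset (&regs, 0, sizeof (regs));
+		if (ptrace (PTRACE_GETREGS, fpid, NULL, &regs) < 0) {
+			perror ("ptrace PTRACE_GETREGS");
+			exit (EXIT_FAILURE);
+		}
+	} while (regs.regs.eip != eip);
+
+	fprintf (stderr, "MEMDUMP: eip @ 0x%08lx, dumping...\n", eip);
+
+	snprintf (dump_name, sizeof (dump_name), "%s.regs",
+		basename (argv0));
+	dump_name[sizeof (dump_name) - 1] = '\0';
+	dump_f = fopen (dump_name, "w");
+	if (dump_f == NULL) {
+		perror ("fopen dumpfile regs");
+		exit (EXIT_FAILURE);
+	}
+	fprintf (dump_f, "eax = 0x%08lx\n", regs.regs.eax);
+	fprintf (dump_f, "ebx = 0x%08lx\n", regs.regs.ebx);
+	fprintf (dump_f, "ecx = 0x%08lx\n", regs.regs.ecx);
+	fprintf (dump_f, "edx = 0x%08lx\n", regs.regs.edx);
+	fprintf (dump_f, "esi = 0x%08lx\n", regs.regs.esi);
+	fprintf (dump_f, "edi = 0x%08lx\n", regs.regs.edi);
+	fprintf (dump_f, "ebp = 0x%08lx\n", regs.regs.ebp);
+	fprintf (dump_f, "esp = 0x%08lx\n", regs.regs.esp);
+	fprintf (dump_f, "eflags = 0x%08lx\n", regs.regs.eflags);
+	fprintf (dump_f, "xcs = 0x%08lx\n", regs.regs.xcs);
+	fprintf (dump_f, "xds = 0x%08lx\n", regs.regs.xds);
+	fprintf (dump_f, "xes = 0x%08lx\n", regs.regs.xes);
+	fprintf (dump_f, "xss = 0x%08lx\n", regs.regs.xss);
+	fclose (dump_f);
+
+	snprintf (map_line, sizeof (map_line), "/proc/%d/maps", fpid);
+	map_line[sizeof (map_line) - 1] = '\0';
+	map_f = fopen (map_line, "r");
+	if (map_f == NULL) {
+		perror ("fopen map-file");
+
+		exit (EXIT_FAILURE);
+	}
+
+	while (fgets (map_line, sizeof (map_line), map_f) != NULL) {
+		char map_perm[8];
+
+		if (sscanf (map_line, "%08lx-%08lx %7[rwxp-] ",
+			&addr, &addr_end, map_perm) != 3)
+		{
+			perror ("invalid map-line");
+
+			exit (EXIT_FAILURE);
+		}
+		if (addr_end < addr) {
+			fprintf (stderr, "sanity required, not so: "
+				"addr = 0x%08lx, addr_end = 0x%08lx",
+				addr, addr_end);
+
+			exit (EXIT_FAILURE);
+		}
+		len = addr_end - addr;
+		map_perm[sizeof (map_perm) - 1] = '\0'; /* ;-) */
+
+		fprintf (stderr, "MEMDUMP: -> 0x%08lx (0x%08lx bytes, "
+			"perm %s)\n", addr, len, map_perm);
+
+		snprintf (dump_name, sizeof (dump_name),
+			"%s.0x%08lx.0x%08lx.%s",
+			basename (argv0), addr, len, map_perm);
+		dump_name[sizeof (dump_name) - 1] = '\0';
+		dump_f = fopen (dump_name, "wb");
+		if (dump_f == NULL) {
+			perror ("fopen dumpfile");
+
+			exit (EXIT_FAILURE);
+		}
+
+		/* save data, assuming addr is page aligned */
+		for (addr_walker = 0 ; addr_walker < len ;
+			addr_walker += sizeof (data_saved))
+		{
+			errno = 0;
+
+			*((unsigned long int *) &data_saved[0]) =
+				ptrace (PTRACE_PEEKDATA, fpid,
+					addr + addr_walker, NULL);
+
+			if (errno == 0 && fwrite (&data_saved[0], 1, 4,
+				dump_f) != 4)
+			{
+				perror ("fwrite dumpfile");
+
+				exit (EXIT_FAILURE);
+			} else if (errno != 0) {
+				fprintf (stderr,
+					"[0x%08lx] invalid PTRACE_PEEKDATA\n",
+					addr + addr_walker);
+
+				exit (EXIT_FAILURE);
+			}
+		}
+
+		fclose (dump_f);
+	}
+	fclose (map_f);
+
+	if (ptrace (PTRACE_DETACH, fpid, NULL, NULL) < 0) {
+		perror ("ptrace PTRACE_DETACH");
+		exit (EXIT_FAILURE);
+	}
+
+	fprintf (stderr, "MEMDUMP: success. terminating.\n");
+	exit (EXIT_SUCCESS);
+}
+
+
+
+void
+hexdump (unsigned char *data, unsigned int amount)
+{
+	unsigned int dp, p; /* data pointer */
+	const char trans[] =
+		"................................ !\"#$%&'()*+,-./0123456789"
+		":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+		"nopqrstuvwxyz{|}~...................................."
+		"....................................................."
+		"........................................";
+
+	for (dp = 1; dp <= amount; dp++) {
+		printf ("%02x ", data[dp-1]);
+		if ((dp % 8) == 0)
+			printf (" ");
+		if ((dp % 16) == 0) {
+			printf ("| ");
+			p = dp;
+			for (dp -= 16; dp < p; dp++)
+				printf ("%c", trans[data[dp]]);
+			printf ("\n");
+		}
+	}
+	if ((amount % 16) != 0) {
+		p = dp = 16 - (amount % 16);
+		for (dp = p; dp > 0; dp--) {
+			printf ("   ");
+			if (((dp % 8) == 0) && (p != 8))
+				printf (" ");
+		}
+		printf (" | ");
+		for (dp = (amount - (16 - p)); dp < amount; dp++)
+			printf ("%c", trans[data[dp]]);
+	}
+	printf ("\n");
+
+	return;
+}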
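Review bot: The PTRACE_PEEKDATA loop in main steps by `sizeof (data_saved)`, which the declaration makes `sizeof (unsigned long int)`, yet writes a hard-coded 4 bytes per word, so on any build where `unsigned long int` is wider the dump silently drops the rest of every word; the store through `(unsigned long int *) &data_saved[0]` is also a type-punning write that should be a `memcpy`. Suggested: `unsigned long int word = ptrace (PTRACE_PEEKDATA, fpid, addr + addr_walker, NULL);`, then `memcpy (data_saved, &word, sizeof word);` and `fwrite (data_saved, 1, sizeof word, dump_f) != sizeof word`. `memset` and `memcpy` need `#include <string.h>`, which this file lacks, and `map_line` is declared `unsigned char[]` but is handed to `snprintf`, `fopen`, `fgets` and `sscanf`, which take `char *`. The usage text still describes the old `<addr> <len>` arguments and example that this version no longer accepts; it should instead state that every mapping listed in `/proc/<pid>/maps` is written to its own per-segment file next to the `.regs` file.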
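diff --git a/other/burneye/src/debug/memdump.c.old b/other/burneye/src/debug/memdump.c.old
new file mode 100644
index 0000000..eda7963
--- /dev/null
+++ b/other/burneye/src/debug/memdump.c.old
@@ -0,0 +1,164 @@
+
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+#include <sys/user.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+void
+hexdump (unsigned char *data, unsigned int amount);
+
+int
+main (int argc, char *argv[])
+{
+	pid_t fpid;
+	struct user regs;
+	unsigned long int addr,
+		len;
+	unsigned long int addr_walker,
+		eip;
+	unsigned char data_saved[256];
+
+	if (argc < 5 || sscanf (argv[1], "0x%lx", &eip) != 1 ||
+		sscanf (argv[2], "0x%lx", &addr) != 1 ||
+		sscanf (argv[3], "0x%lx", &len) != 1)
+	{
+		printf ("usage: %s <eip> <addr> <len> <argv0 [argv1 [...]]>\n\n", argv[0]);
+		printf ("will run 'argv0' as program with given arguments, until 'eip' is reached, then\n"
+			"dumping 'len' bytes from 'addr'.\n\n"
+			"example: %s 0x08049014 0x08048000 0x100 /bin/ls -l\n\n", argv[0]);
+		exit (EXIT_FAILURE);
+	}
+
+	fpid = fork ();
+	if (fpid < 0) {
+		perror ("fork");
+		exit (EXIT_FAILURE);
+	}
+	if (fpid == 0) { /* child */
+		if (ptrace (PTRACE_TRACEME, 0, NULL, NULL) != 0) {
+			perror ("ptrace PTRACE_TRACEME");
+			exit (EXIT_FAILURE);
+		}
+		fprintf (stderr, " child: TRACEME set\n");
+
+		fprintf (stderr, " child: executing: %s\n", argv[4]);
+		close (1);
+		dup2 (2, 1);
+		execve (argv[4], &argv[4], NULL);
+
+		/* failed ? */
+		perror ("execve");
+		exit (EXIT_FAILURE);
+	}
+
+#if 0
+	if (ptrace (PTRACE_ATTACH, fpid, NULL, NULL) < 0) {
+		perror ("ptrace");
+		exit (EXIT_FAILURE);
+	}
+	fprintf (stderr, "attached to pid %d (from us, the parent, pid %d)\n", fpid, getpid ());
+#endif
+// sleep (1);
+
+#if 0
+	/* trace until trap'ed */
+	if (ptrace (PTRACE_CONT, fpid, NULL, NULL) < 0) {
+		perror ("ptrace PTRACE_CONT");
+		exit (EXIT_FAILURE);
+	}
+#endif
+	fprintf (stderr, "it should execve now\n");
+	sleep (1);
+
+	memset (&regs, 0, sizeof (regs));
+
+	if (ptrace (PTRACE_GETREGS, fpid, NULL, &regs) < 0) {
+		perror ("ptrace PTRACE_GETREGS");
+		exit (EXIT_FAILURE);
+	}
+	fprintf (stderr, "[0x%08lx] first stop\n", regs.regs.eip);
+
+	/* now single step until given eip is reached */
+	do {
+		if (ptrace (PTRACE_SINGLESTEP, fpid, NULL, NULL) < 0) {
+			perror ("ptrace PTRACE_SINGLESTEP");
+			exit (EXIT_FAILURE);
+		}
+		wait (NULL);
+
+		memset (&regs, 0, sizeof (regs));
+		if (ptrace (PTRACE_GETREGS, fpid, NULL, &regs) < 0) {
+			perror ("ptrace PTRACE_GETREGS");
+			exit (EXIT_FAILURE);
+		}
+	} while (regs.regs.eip != eip);
+
+	fprintf (stderr, "hook traped @ 0x%08lx\n", eip);
+	fprintf (stderr, "dumping 0x%lx bytes @ 0x%08lx\n", len, addr);
+
+	/* save data */
+	for (addr_walker = 0 ; addr_walker < len ; ++addr_walker) {
+		errno = 0;
+		*((unsigned long int *) &data_saved[0]) = ptrace (PTRACE_PEEKDATA, fpid,
+			addr + addr_walker, NULL);
+		if (errno == 0)
+			write (1, &data_saved[0], 1);
+		else
+			fprintf (stderr, "- [0x%08lx] invalid PTRACE_PEEKDATA\n",
+				addr + addr_walker), _exit(1);
+	}
+// hexdump (data_saved, sizeof (data_saved));
+
+	if (ptrace (PTRACE_DETACH, fpid, NULL, NULL) < 0) {
+		perror ("ptrace PTRACE_DETACH");
+		exit (EXIT_FAILURE);
+	}
+
+	fprintf (stderr, "success. terminating.\n");
+	exit (EXIT_SUCCESS);
+}
+
+
+
+void
+hexdump (unsigned char *data, unsigned int amount)
+{
+	unsigned int dp, p; /* data pointer */
+	const char trans[] =
+		"................................ !\"#$%&'()*+,-./0123456789"
+		":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+		"nopqrstuvwxyz{|}~...................................."
+		"....................................................."
+		"........................................";
+
+	for (dp = 1; dp <= amount; dp++) {
+		printf ("%02x ", data[dp-1]);
+		if ((dp % 8) == 0)
+			printf (" ");
+		if ((dp % 16) == 0) {
+			printf ("| ");
+			p = dp;
+			for (dp -= 16; dp < p; dp++)
+				printf ("%c", trans[data[dp]]);
+			printf ("\n");
+		}
+	}
+	if ((amount % 16) != 0) {
+		p = dp = 16 - (amount % 16);
+		for (dp = p; dp > 0; dp--) {
+			printf ("   ");
+			if (((dp % 8) == 0) && (p != 8))
+				printf (" ");
+		}
+		printf (" | ");
+		for (dp = (amount - (16 - p)); dp < amount; dp++)
+			printf ("%c", trans[data[dp]]);
+	}
+	printf ("\n");
+
+	return;
+}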
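Review bot: This file is a superseded copy of memdump.c checked in under a `.old` suffix; the repository history already preserves earlier revisions, so it should be dropped from the tree rather than carried next to the live source, where it will drift and confuse anyone grepping for the dump logic. If it is kept, its `sleep (1)` after the fork is not a synchronisation point with the traced child's stop, so the first PTRACE_GETREGS can race the child's execve; `memset` is also used here without `#include <string.h>`.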
diff --git a/other/burneye/src/debug/ptrace-legit b/other/burneye/src/debug/ptrace-legit
new file mode 100644
index 0000000..85bc5a1
--- /dev/null
+++ b/other/burneye/src/debug/ptrace-legit
Binary files differ
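diff --git a/other/burneye/src/debug/ptrace-legit.c b/other/burneye/src/debug/ptrace-legit.c
new file mode 100644
index 0000000..a6c53d7
--- /dev/null
+++ b/other/burneye/src/debug/ptrace-legit.c
@@ -0,0 +1,143 @@
+/* -scutstyle */
+
+#include <sys/types.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+#include <sys/user.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+void
+hexdump (unsigned char *data, unsigned int amount);
+
+unsigned char shellcode[] = "\x90\x90\xcc\x73";
+
+int
+main (int argc, char *argv[])
+{
+	pid_t cpid;
+	struct user regs;
+	unsigned long int safed_eip;
+	unsigned long int addr,
+		addr_walker;
+	unsigned char data_saved[256];
+
+
+#if 1
+	if (argc != 2 || sscanf (argv[1], "%d", &cpid) != 1) {
+		printf ("usage: %s <pid>\n", argv[0]);
+		exit (EXIT_FAILURE);
+	}
+#else
+	cpid = getppid();
+#endif
+
+	printf ("pid = %d\n", cpid);
+
+	printf ("exploiting\n\n");
+
+	if (ptrace (PTRACE_ATTACH, cpid, NULL, NULL) < 0) {
+		perror ("ptrace");
+		exit (EXIT_FAILURE);
+	}
+
+	/* save data */
+	addr = 0xbffff010;
+	for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
+		data_saved[addr_walker] = ptrace (PTRACE_PEEKDATA, cpid,
+			addr + addr_walker, NULL);
+	}
+	hexdump (data_saved, sizeof (data_saved));
+
+	/* write */
+	for (addr_walker = 0 ; addr_walker < sizeof (shellcode) ;
+		++addr_walker)
+	{
+		ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
+			shellcode[addr_walker] & 0xff);
+	}
+
+	/* redirect eip */
+	memset (&regs, 0, sizeof (regs));
+	if (ptrace (PTRACE_GETREGS, cpid, NULL, &regs) < 0) {
+		perror ("ptrace PTRACE_GETREGS");
+		exit (EXIT_FAILURE);
+	}
+	// write eip */
+	safed_eip = regs.regs.eip;
+	regs.regs.eip = 0xbffff010;
+	if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
+		perror ("ptrace PTRACE_GETREGS");
+		exit (EXIT_FAILURE);
+	}
+
+	if (ptrace (PTRACE_CONT, cpid, NULL, NULL) < 0) {
+		perror ("ptrace PTRACE_CONT");
+		exit (EXIT_FAILURE);
+	}
+
+	wait (NULL);
+	printf ("detrap\n");
+
+	/* restore */
+	for (addr_walker = 0 ; addr_walker < 256 ; ++addr_walker) {
+		ptrace (PTRACE_POKEDATA, cpid, addr + addr_walker,
+			data_saved[addr_walker] & 0xff);
+	}
+
+	/* restore regs */
+	regs.regs.eip = safed_eip;
+	if (ptrace (PTRACE_SETREGS, cpid, NULL, &regs) < 0) {
+		perror ("ptrace PTRACE_GETREGS");
+		exit (EXIT_FAILURE);
+	}
+
+	if (ptrace (PTRACE_DETACH, cpid, NULL, NULL) < 0) {
+		perror ("ptrace PTRACE_DETACH");
+		exit (EXIT_FAILURE);
+	}
+
+	exit (EXIT_SUCCESS);
+}
+
+
+
+void
+hexdump (unsigned char *data, unsigned int amount)
+{
+	unsigned int dp, p; /* data pointer */
+	const char trans[] =
+		"................................ !\"#$%&'()*+,-./0123456789"
+		":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
+		"nopqrstuvwxyz{|}~...................................."
+		"....................................................."
+		"........................................";
+
+	for (dp = 1; dp <= amount; dp++) {
+		printf ("%02x ", data[dp-1]);
+		if ((dp % 8) == 0)
+			printf (" ");
+		if ((dp % 16) == 0) {
+			printf ("| ");
+			p = dp;
+			for (dp -= 16; dp < p; dp++)
+				printf ("%c", trans[data[dp]]);
+			printf ("\n");
+		}
+	}
+	if ((amount % 16) != 0) {
+		p = dp = 16 - (amount % 16);
+		for (dp = p; dp > 0; dp--) {
+			printf ("   ");
+			if (((dp % 8) == 0) && (p != 8))
+				printf (" ");
+		}
+		printf (" | ");
+		for (dp = (amount - (16 - p)); dp < amount; dp++)
+			printf ("%c", trans[data[dp]]);
+	}
+	printf ("\n");
+
+	return;
+}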
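Review bot: Both PTRACE_SETREGS failure paths in main report `perror ("ptrace PTRACE_GETREGS")`, copied from the GETREGS check just above them, so a failed register write would be logged as a failed read; change both to `perror ("ptrace PTRACE_SETREGS");`. `memset` is used on `regs` without `#include <string.h>`, which is an implicit declaration under C99 and later, and the two PEEKDATA/POKEDATA loops discard the ptrace return value and never inspect `errno`, so a failed word access goes unnoticed. The same commit also checks in the compiled `ptrace-legit` binary next to this source (7236 bytes per the diffstat); a prebuilt artifact cannot be reviewed or reproduced from the commit and should be built from source rather than stored in the tree.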