tahaconfiant
/ follow-fork-child-breakpoints.py
Created
December 10, 2019 09:15
follow-fork-child-breakpoints
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def custom_breakpoints(debugger, command, result, internal_dict): | |
| target = debugger.GetSelectedTarget() | |
| breakpoint = target.BreakpointCreateByName("fork") | |
| breakpoint.SetScriptCallbackFunction('follow_fork_child.fork_callback') | |
| breakpoint = target.BreakpointCreateByName("waitpid") | |
| breakpoint.SetScriptCallbackFunction('follow_fork_child.waitpid_callback') |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def get_child_pid(process_name, parent_pid): | |
| child_pid = 0 | |
| for pid in check_output(["pgrep", process_name]).split(): | |
| print ("found new pid: %i\n" % int(pid)) | |
| if parent_pid == int(pid): | |
| continue | |
| elif int(pid) > parent_pid: | |
| child_pid = int(pid) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # by [email protected] | |
| # LLDB custom command follow-fork-child, equivalent to GDB "follow-fork-mode child" | |
| # tested on $lldb --version | |
| # lldb-1100.0.30.6 | |
| # Apple Swift version 5.1.2 (swiftlang-1100.0.278 clang-1100.0.33.9) | |
| # (lldb) script | |
| # Python Interactive Interpreter. To exit, type 'quit()', 'exit()' or Ctrl-D. | |
| # >>> import sys | |
| # >>> print(sys.version) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def waitpid_callback(frame, bp_loc, dict): | |
| global backup_bytes | |
| global patch_address | |
| print ("waitpid() detected!") | |
| # let's attach to the child process: | |
| # Get the current debugged process pid | |
| curr_target = frame.thread.process.GetTarget() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Let's attempt to attach to the child process | |
| listener = lldb.SBListener('listener') | |
| error = lldb.SBError() | |
| child = curr_target.AttachToProcessWithID(listener, child_pid, error) | |
| if not error.Success(): | |
| print ("error %s\n" % error.GetCString()) | |
| raise Exception('Failed to attach to the process.') | |
| assert child.IsValid() | |
| else: | |
| print ("sucessfully attached to child, with pid : %s\n" % str(child.GetProcessID())) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # we are attached to the child, we running on the child context: | |
| # lets recover our backup_bytes | |
| print('backup_bytes recovered : 0x%x' % backup_bytes) | |
| # let's write the original backup_byte | |
| new_value = struct.pack('h', backup_bytes) | |
| error = lldb.SBError() | |
| result = child.WriteMemory(patch_address, new_value, error) | |
| if not error.Success() or result != len(new_value): | |
| print('SBProcess.WriteMemory() failed!') |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # by [email protected] | |
| # LLDB custom command follow-fork-child, equivalent to GDB "follow-fork-mode child" | |
| # tested on $lldb --version | |
| # lldb-1100.0.30.6 | |
| # Apple Swift version 5.1.2 (swiftlang-1100.0.278 clang-1100.0.33.9) | |
| # (lldb) script | |
| # Python Interactive Interpreter. To exit, type 'quit()', 'exit()' or Ctrl-D. | |
| # >>> import sys | |
| # >>> print(sys.version) |
tahaconfiant
/ waitpid_callback_kill_child.py
Created
December 10, 2019 09:38
waitpid_callback_kill_child
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def waitpid_callback(frame, bp_loc, dict): | |
| print ("waitpid() detected!") | |
| # let's attach to the child process: | |
| # get the current process id | |
| curr_target = frame.thread.process.GetTarget() | |
| pid = frame.thread.process.GetProcessID() | |
| print ("current pid is %s\n" % str(pid)) | |
| # let get the current filename of the current target |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from unicorn import * | |
| from unicorn.x86_const import * |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| mu = Uc (UC_ARCH_X86, UC_MODE_64) |