#ptrace #hacking #android #trace #linux

ptrace-do

Featureful library for interacting with unix processes through ptrace, supports x86_64, i686, arm, aarch64 remote function calls

3 releases

0.1.2 Nov 23, 2024
0.1.1 May 14, 2023
0.1.0 May 13, 2023

#265 in Unix APIs

Download history 33/week @ 2024-09-23 3/week @ 2024-09-30 4/week @ 2024-10-14 126/week @ 2024-11-18 24/week @ 2024-11-25

150 downloads per month
Used in yaui

MIT license

33KB
672 lines

PTRACE-DO

Provides ability to use ptrace to execute functions in remote processes. Mostly for runtime shared library injection.

Support

Look at all these chickens targets

  • i686-unknown-linux-gnu
  • x86_64-unknown-linux-gnu
  • aarch64-unknown-linux-gnu
  • arm-unknown-linux-gnueabi
  • i686-linux-android
  • x86_64-linux-android
  • aarch64-linux-android
  • arm-linux-androideabi
  • armv7-linux-androideabi

Relevant

Yaui (Yet another unix injector...)

https://github.com/ohchase/yaui

Example

Invoking Libc Getpid in a remote process

use libc::pid_t;
use proc_maps::MapRange;
use ptrace_do::{ProcessIdentifier, RawProcess, TracedProcess};

fn find_mod_map_fuzzy(mod_name: &str, process: &impl ProcessIdentifier) -> Option<MapRange> {
    use proc_maps::get_process_maps;
    let maps = get_process_maps(process.pid()).expect("alive");
    maps.into_iter().find(|m| match m.filename() {
        Some(p) => p.to_str().map(|s| s.contains(mod_name)).unwrap_or(false),
        None => false,
    })
}

pub fn find_remote_procedure(
    mod_name: &str,
    owned_process: &impl ProcessIdentifier,
    remote_process: &impl ProcessIdentifier,
    function_address: usize,
) -> Option<usize> {
    let internal_module = find_mod_map_fuzzy(mod_name, owned_process)?;
    tracing::info!(
        "Identifed internal range {mod_name:?} ({:?}) at {:X?}",
        internal_module.filename(),
        internal_module.start()
    );

    let remote_module = find_mod_map_fuzzy(mod_name, remote_process)?;
    tracing::info!(
        "Identifed remote range {mod_name:?} ({:?}) at {:X?}",
        remote_module.filename(),
        remote_module.start()
    );

    Some(function_address - internal_module.start() + remote_module.start())
}

fn main() -> Result<(), Box<dyn std::error::Error>> {
    tracing_subscriber::fmt().init();

    let target_pid: pid_t = 7777;
    let traced_process = TracedProcess::attach(RawProcess::new(target_pid))?;

    tracing::info!("Successfully attached to the process");
    let libc_path = "libc";
    let getpid_remote_procedure = find_remote_procedure(
        libc_path,
        &RawProcess::new(std::process::id() as pid_t),
        &traced_process,
        libc::getpid as usize,
    )
    .unwrap();
    tracing::info!("Found remote getpid procedure at : {getpid_remote_procedure:X?}");

    let frame = traced_process.next_frame()?;
    tracing::info!("Successfully waited for a frame");

    let (regs, _frame) = frame.invoke_remote(getpid_remote_procedure, 0, &[])?;
    tracing::info!("Successfully executed remote getpid");

    let traceed_pid = regs.return_value() as pid_t;
    tracing::info!("The return value (Traceed Pid) was {}", traceed_pid);

    Ok(())
}

Dependencies

~0.6–1.2MB
~23K SLoC