如何调试加入了ptrace函数的程序


#1

原文链接:https://www.chenghu.me/?p=1350

如需转载,请注明: 本文来自:小虎的开发笔记
作者:小虎 2014-08-25

今天调试一个Mac下的App
刚挂好GDB
结果

在网上找了一下
看来该App添加了ptrace()函数防止调试
找了一下网上有一个方法突破的方法

在加载程序后,在ptrace方法上下断点
break ptrace
然后run起来

然后就会在ptrace方法处断下来
看一下堆栈

然后在这里输入 return 回车,然后c 继续运行

就可以调试了

突然想看一下ptrace 函数的参数列表

request:请求执行的行为
pid:目标进程标识。
addr:执行peek和poke操作的目标地址。
data:对于poke操作,存放数据的地方。对于peek操作,获取数据的地方。
其中request有如下选择:

#define PT_TRACE_ME 0 /* child declares it’s being traced /
#define PT_READ_I 1 /
read word in child’s I space /
#define PT_READ_D 2 /
read word in child’s D space /
#define PT_READ_U 3 /
read word in child’s user structure /
#define PT_WRITE_I 4 /
write word in child’s I space /
#define PT_WRITE_D 5 /
write word in child’s D space /
#define PT_WRITE_U 6 /
write word in child’s user structure /
#define PT_CONTINUE 7 /
continue the child /
#define PT_KILL 8 /
kill the child process /
#define PT_STEP 9 /
single step the child /
#define PT_ATTACH 10 /
trace some running process /
#define PT_DETACH 11 /
stop tracing a process /
#define PT_SIGEXC 12 /
signals as exceptions for current_proc /
#define PT_THUPDATE 13 /
signal for thread# /
#define PT_ATTACHEXC 14 /
attach to running process with signal exception */

#define PT_FORCEQUOTA 30 /* Enforce quota for root */
#define PT_DENY_ATTACH 31

#define PT_FIRSTMACH 32 /* for machine-specific requests */

一般使用方法

ptrace(PT_DENY_ATTACH, 0, 0, 0);
在反汇编下看到的是

0x1f == 31 == PT_DENY_ATTACH 拒绝附加调试
想想如果把 request 这个参数修改为 PT_ATTACH 允许附加调试呢
就把 BF1F000000 这一行的1F修改为0A (0A== 10 == PT_ATTACH)
即 BF0A000000

然后再挂上GDB就会看到


#2

楼主,我用gdb调试iOS App的时候遇到了这样的问题:用gdb去依附入了ptrace函数的程序时,gdb直接挂掉了。
有如下的log:
PM-iPod:~ root# gdb -p 1824
/usr/bin/gdb: line 55: awk: command not found
warning: unrecognized host cpusubtype , defaulting to host==armv7.
GNU gdb 6.3.50-20050815 (Apple version gdb-1708 + reverse.put.as patches v0.4) (Mon Apr 16 00:53:47 UTC 2012)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type “show copying” to see the conditions.
There is absolutely no warranty for GDB. Type “show warranty” for details.
This GDB was configured as “arm-apple-darwin”.
/private/var/root/1824: No such file or directory
Attaching to process 1824.
Segmentation fault: 11
PM-iPod:~ root#

请问大大这如何破?


closed #3

opened #4