iZsh-ragweed 0.1.8

data/History.txt

@@ -0,0 +1,29 @@
+== 0.1.8 / 2009-07-24
+
+* lib/ragweed/wraposx/constants.rb (Vm::Sm): Add shared_mode constants.
+* lib/ragweed/wraposx/region_info.rb: Add real support for
+  REGION_EXTENDED_INFO and REGION_TOP_INFO.
+
+== 0.1.7 / 2009-07-24
+
+* lib/ragweed/wraposx/region_info.rb: Add the returned address of the region.
+
+== 0.1.6 / 2009-07-13
+
+* bug fixes and API work
+
+== 0.1.5 / 2009-06-18
+
+* more bug fixes
+
+== 0.1.1 / 2009-06-02
+
+* bug fixen and namespace changes
+
+== 0.1.0 / 2009-05-31
+
+* initial release
+
+== 0.0.1 / 2009-05-13
+
+* initial pull from svn

data/README.rdoc

@@ -0,0 +1,35 @@
+Ragweed
+    by tduehr, struct, tqbf and iZsh
+    http://matasano.com/log
+
+== DESCRIPTION:
+
+* Ragweed is a set of scriptable debugging tools written mostly in native ruby.
+
+* Where required the Ruby/DL and Win32API libraries are used to interface the machine
+and OS native system calls.
+
+== FEATURES/PROBLEMS:
+
+* This suite is currently fairly piecemeal. Each OS has it's own set of tools.
+The most complete set is for Win32.
+
+* Work is ongoing to complete and unify the OSX and Linux portions.
+
+== SYNOPSIS:
+
+  require 'debuggerosx'
+  d = Debuggerosx.new(514) # pid of process to trace
+
+== REQUIREMENTS:
+
+* NONE - no really, this is pure native ruby hooking system libraries. There are no other dependencies, none.
+
+== INSTALL:
+
+  gem sources -a http://gems.github.com
+  sudo gem install izsh-ragweed
+
+== LICENSE:
+
+Copyright 2009 Matasano Security, LLC All Rights Reserved

data/README.txt

@@ -0,0 +1,9 @@
+Ragweed is a set of scriptable debugging tools written mostly in native ruby.
+
+Where required the Ruby/DL and Win32API libraries are used to interface the machine
+and OS native system calls.
+
+This suite is currently fairly piecemeal. Each OS has it's own set of tools.
+The most complete set is for Win32.
+
+Work is ongoing to complete and unify the OSX and Linux portions.

data/Rakefile

@@ -0,0 +1,30 @@
+# Look in the tasks/setup.rb file for the various options that can be
+# configured in this Rakefile. The .rake files in the tasks directory
+# are where the options are used.
+
+begin
+  require 'bones'
+  Bones.setup
+rescue LoadError
+  begin
+    load 'tasks/setup.rb'
+  rescue LoadError
+    raise RuntimeError, '### please install the "bones" gem ###'
+  end
+end
+
+ensure_in_path 'lib'
+require 'ragweed'
+
+task :default => 'spec:run'
+
+PROJ.name = 'ragweed'
+PROJ.authors = 'tduehr, tqbf, struct, iZsh'
+PROJ.email = 'izsh@iphone-dev.com'
+PROJ.url = 'github.com/iZsh/ragweed'
+PROJ.version = Ragweed::VERSION
+PROJ.rubyforge.name = 'ragweed'
+
+PROJ.spec.opts << '--color'
+
+# EOF

data/examples/hittracertux.rb

@@ -0,0 +1,49 @@
+#!/usr/bin/env ruby
+
+require 'ragweed'
+require 'debuggertux'
+require 'pp'
+require 'irb'
+#include Ragweed
+
+filename = ARGV[0]
+pid = ARGV[1].to_i
+
+raise "hittracertux.rb FILE PID" if (ARGV.size < 2 or pid <= 0)
+
+d = Debuggertux.new(pid)
+d.attach
+
+File.open(filename, "r") do |fd|
+  lines = fd.readlines
+  lines.map {|x| x.chomp}
+  lines.each do |tl|
+    fn, addr = tl.split(",", 2)
+    d.breakpoint_set(addr.to_i(16), fn, (bpl = lambda do puts "hit - #{fn} #{addr}\n"; end))
+  end
+end
+
+d.install_bps
+d.continue
+catch(:throw) { d.loop }
+
+
+# An IDC script for generating the text file this hit tracer requires
+=begin
+#include <idc.idc>
+
+static main()
+{
+  auto entry, fname, outf, fd;
+  outf = AskFile(1, "*.txt", "Please select an output file");
+  fd = fopen(outf,"w");
+   
+	for(entry=NextFunction(0); entry  != BADADDR; entry=NextFunction(entry) )
+	{
+		fname = GetFunctionName(entry);
+		fprintf(fd, "%s,0x%x\n", fname, entry);
+ 	}
+
+  fclose(fd);
+}
+=end

data/examples/hittracerx.rb

@@ -0,0 +1,63 @@
+#!/usr/bin/env ruby
+
+# A simple hittracer to debug and test Debuggerosx.
+# FILE is CSV file,address
+# PID is the proces id to attach to.
+
+require 'debuggerosx'
+require 'pp'
+require 'irb'
+include Ragweed
+
+filename = ARGV[0]
+pid = ARGV[1].to_i
+
+raise "hittracerosx.rb FILE PID" if (ARGV.size < 2 or pid <= 0)
+
+class Debuggerosx
+  def on_exit
+    exit(1)
+  end
+
+  def on_single_step
+  end
+    
+  def on_segv(thread)
+    pp self.get_registers(thread)
+    pp self.threads
+    self.threads.each {|thread| puts Wraposx::ThreadContext.get(thread).dump}
+    self.threads.each {|thread| puts Wraposx::ThreadInfo.get(thread).dump}
+    throw(:break)
+  end
+    
+  def on_bus(thread)
+    throw(:break)
+  end
+end
+
+d = Debuggerosx.new(pid)
+d.attach
+
+File.open(filename, "r") do |fd|
+  lines = fd.readlines
+  lines.map {|x| x.chomp}
+  lines.each do |tl|
+    fn, addr = tl.split(",", 2)
+    d.breakpoint_set(addr.to_i(16), fn, (bpl = lambda do | t, r, s | puts "#{ s.breakpoints[r.eip].first.function } hit in thread #{ t }\n"; end))
+  end
+end
+
+d.install_bps
+d.continue
+catch(:throw) { d.loop }
+pp d.wait 1
+pp d.threads
+
+d.threads.each do |t|
+  r = Wraposx::ThreadContext.get(t)
+  i = Wraposx::ThreadInfo.get(t)
+  pp r
+  puts r.dump
+  pp i
+  puts i.dump
+end

data/examples/hook_notepad.rb

@@ -0,0 +1,9 @@
+require "ragweed"
+include Ragweed
+
+dbg = Debugger.find_by_regex /notepad/i
+raise "notepad not running" if dbg.nil?
+
+dbg.hook('kernel32!CreateFileW', 7) {|e,c,d,a| puts "#{d} CreateFileW for #{dbg.process.read(a[0],512).from_utf16_buffer}"}
+dbg.loop
+dbg.release

data/examples/snicker.rb

@@ -0,0 +1,183 @@
+#!/usr/bin/env ruby
+
+# This is a slightly more complex hit tracer implementation of
+# Debuggerosx. It does fork/exec and attempts, in a manner resembling
+# rocket surgery with a steamroller, to skip any call to ptrace.
+
+# This was last setup to debug the race condition in Debuggerosx#on_breakpoint
+# using ftp as the child.
+
+require 'rubygems'
+require 'ragweed'
+require 'pp'
+require 'ruby-debug'
+Debugger.start
+
+filename = ARGV[0]
+pid = ARGV[1].to_i
+ptraceloc = 0
+rd, wr = nil, nil
+
+class Snicker < Ragweed::Debuggerosx
+  attr_accessor :attached
+
+  def on_exit(status)
+    pp "Exited with status #{ status }"
+    @hooked = false
+    @attached = false
+    @exited = true
+    throw(:break)
+  end
+
+  def on_single_step
+  end
+
+  def on_sigsegv
+    pp "SEGV"
+    pp self.threads
+    self.threads.each do |t|
+      pp self.get_registers(t)
+      pp Ragweed::Wraposx::ThreadInfo.get(t)
+    end
+    debugger
+    @exited = true
+    throw(:break)
+  end
+
+  def on_sigbus
+    pp "sigbus"
+    # pp Ragweed::Wraposx::vm_read(@task,0x420f,169)
+    # # Kernel.debugger
+    # # Debugger.breakpoint
+    # # Debugger.catchpoint
+    # debugger
+    throw(:break)
+  end
+end
+
+if pid == 0
+  rd, wr = IO.pipe
+  pid = fork 
+end
+
+if pid.nil?
+  ptraceloc = Ragweed::Wraposx::LIBS['/usr/lib/libc.dylib'].sym("ptrace", "IIIII").to_ptr.ref.to_s(Ragweed::Wraposx::SIZEOFINT).unpack("I_").first
+
+  pp ptraceloc.to_s(16)
+  rd.close
+  wr.puts ptraceloc
+
+  Ragweed::Wraposx::ptrace(Ragweed::Wraposx::Ptrace::TRACE_ME, 0, 0, 0)
+  puts "Traced!"
+  # sleep(1)
+
+  puts "Execing #{ARGV[1]}"
+  exec(ARGV[1])
+  puts "it left"
+else
+  d = Snicker.new(pid)
+
+  if rd
+    wr.close
+    # d.attached = true
+    ptraceloc = rd.gets.chomp.to_i(0)
+
+    pp ptraceloc.to_s(16)
+    pp d
+    pp d.threads
+
+    raise "Fail!" if ptraceloc == 0
+
+    d.breakpoint_set(ptraceloc,"Ptrace",(bpl = lambda do |t, r, s|
+      puts "#{ s.breakpoints[r.eip].first.function } hit in thread #{ t }\n"
+      pp r
+      if Ragweed::Wraposx::vm_read(s.task,r.esp + 4,4).unpack("I").first == Ragweed::Wraposx::Ptrace::DENY_ATTACH
+        pp Ragweed::Wraposx::vm_read(s.task,r.esp-28,32).unpack("I_*").map{|x| x.to_s(16)}
+        pp Ragweed::Wraposx::vm_read(s.task,r.esp,32).unpack("I_*").map{|x| x.to_s(16)}
+        r.eax = 0
+        # r.esp = r.ebp
+        # r.ebp = Ragweed::Wraposx::vm_read(s.task,r.esp,4).unpack("I_").first
+        r.eip = Ragweed::Wraposx::vm_read(s.task,r.esp,4).unpack("V").first
+        # r.esp = Ragweed::Wraposx::vm_read(s.task,r.ebp,4).unpack("I_").first
+        # r.ebp +=4
+        # r.eip = Ragweed::Wraposx::vm_read(s.task,r.esp,4).unpack("I_").first
+        # r.esp+=4
+        pp "bounced"
+        return false
+      else
+        pp Ragweed::Wraposx::vm_read(s.task,r.esp-28,32).unpack("I_*").map{|x| x.to_s(16)}
+        pp Ragweed::Wraposx::vm_read(s.task,r.esp,32).unpack("I_*").map{|x| x.to_s(16)}
+        # pp Ragweed::Wraposx::dl_bignum_to_ulong(r.esp).ptr.to_s(4).unpack("I").first.to_s(16)
+        # pp Ragweed::Wraposx::dl_bignum_to_ulong(r.esp - 15*4).to_s(4*16).unpack("I*").map{|x| x.to_s(16)}
+        # pp Ragweed::Wraposx::dl_bignum_to_ulong(r.esp).to_s(15*4).unpack("I*").map{|x| x.to_s(16)}
+        return true
+      end
+    end))
+
+    d.install_bps
+
+    class Snicker < Ragweed::Debuggerosx    
+      def on_sigtrap
+        if not @first
+          @first = true
+          self.install_bps
+        end
+      end
+
+      def on_stop(signal)
+        pp "#Stopped with signal #{ signal } (on_stop)"
+      end
+    end
+
+  else
+    d.attach
+
+    class Snicker < Ragweed::Debuggerosx
+      def on_sigstop
+        if not @first
+          @first = true
+          self.install_bps
+        end
+      end
+
+      def on_stop(signal)
+        pp "#Stopped with signal #{ signal } (on_stop)"
+      end
+    end
+  end
+
+  # File.open(filename, "r") do |fd|
+  #   lines = fd.readlines
+  #   lines.map {|x| x.chomp!}
+  #   lines.each do |tl|
+  #     pp tl
+  #     fn, addr = tl.split(",", 2)
+  #     pp [fn, addr.to_i(16)]
+  #     if (not addr.nil? and addr.to_i(16) > 0)
+  #       d.breakpoint_set(addr.to_i(16), fn, (bpl = lambda do | t, r, s | 
+  #         puts "#{ s.breakpoints[r.eip].first.function } hit in thread #{ t }\n"
+  #         # pp r
+  #         # debugger
+  #       end))
+  #     end
+  #   end
+  # end
+  # 
+  # blpwd = Wraposx::vm_read(d.task,0x420f,16)
+  # bbus = Wraposx::vm_read(d.task,0x4220,32)
+
+  catch(:break) { d.loop() }
+
+  if not d.exited
+    pp d.threads
+
+    d.threads.each do |t|
+      r = Ragweed::Wraposx::ThreadContext.get(t)
+      i = Ragweed::Wraposx::ThreadInfo.get(t)
+      pp r
+      puts r.dump
+      pp i
+      puts i.dump
+    end
+  end
+end

data/examples/tux-example.rb

@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+
+## Simple example of attaching to a process and letting it run
+
+require 'pp'
+require 'ragweed'
+
+pid = Ragweed::Debuggertux.find_by_regex(/gcalctool/)
+
+begin
+	t = Ragweed::Debuggertux.threads(pid)
+	puts "Available pid/tdpids\n"
+	t.each do |h| puts h end
+	puts "Which thread do you want to attach to?"
+	pid = STDIN.gets.chomp.to_i
+
+	d = Ragweed::Debuggertux.new(pid)
+	d.attach
+	d.continue
+	catch(:throw) { d.loop }
+rescue
+	puts "Maybe your PID is wrong?"
+end

data/lib/ragweed.rb

@@ -0,0 +1,84 @@
+
+module Ragweed
+
+  # :stopdoc:
+  VERSION = '0.1.6'
+  LIBPATH = ::File.expand_path(::File.dirname(__FILE__)) + ::File::SEPARATOR
+  PATH = ::File.dirname(LIBPATH) + ::File::SEPARATOR
+  # :startdoc:
+
+  # Returns the version string for the library.
+  #
+  def self.version
+    VERSION
+  end
+
+  # Returns the library path for the module. If any arguments are given,
+  # they will be joined to the end of the libray path using
+  # <tt>File.join</tt>.
+  #
+  def self.libpath( *args )
+    args.empty? ? LIBPATH : ::File.join(LIBPATH, args.flatten)
+  end
+
+  # Returns the lpath for the module. If any arguments are given,
+  # they will be joined to the end of the path using
+  # <tt>File.join</tt>.
+  #
+  def self.path( *args )
+    args.empty? ? PATH : ::File.join(PATH, args.flatten)
+  end
+
+  # Utility method used to require all files ending in .rb that lie in the
+  # directory below this file that has the same name as the filename passed
+  # in. Optionally, a specific _directory_ name can be passed in such that
+  # the _filename_ does not have to be equivalent to the directory.
+  #
+  def self.require_all_libs_relative_to( fname, dir = nil )
+    dir ||= ::File.basename(fname, '.*')
+    search_me = ::File.expand_path(
+        ::File.join(::File.dirname(fname), dir, '**', '*.rb'))
+
+    # Don't want to load wrapper or debugger here.
+    Dir.glob(search_me).sort.reject{|rb| rb =~ /(wrap|debugger|rasm[^.])/}.each {|rb| require rb}
+    # require File.dirname(File.basename(__FILE__)) + "/#{x}"d
+  end
+
+  def self.require_os_libs_relative_to( fname, dir= nil )
+    dir ||= ::File.basename(fname, '.*')
+    pkgs = ""
+    dbg = ""
+    case
+    when RUBY_PLATFORM =~ /win(dows|32)/i
+      pkgs = '32'
+    when RUBY_PLATFORM =~ /darwin/i
+      pkgs = 'osx'
+    when RUBY_PLATFORM =~ /linux/i
+      pkgs = 'tux'
+    # when RUBY_PLATFORM =~ /java/i
+      # XXX -TODO
+    else
+      warn "Platform not supported no wrapper libraries loaded."
+    end
+    
+    if not pkgs.empty?
+      search_me = File.expand_path(File.join(File.dirname(fname), dir,"**", "*#{pkgs}.rb"))
+      Dir.glob(search_me).sort.each {|rb| require rb}
+    end
+  end
+end  # module Ragweed
+
+
+# pkgs = %w[arena sbuf ptr process event rasm blocks detour trampoline device debugger hooks]
+# pkgs << 'wrap32' if RUBY_PLATFORM =~ /win(dows|32)/i
+# pkgs << 'wraposx' if RUBY_PLATFORM =~ /darwin/i
+# pkgs << 'wraptux' if RUBY_PLATFORM =~ /linux/i
+# pkgs.each do |x|
+#   require File.dirname(__FILE__) + "/#{x}"
+# end
+
+
+Ragweed.require_os_libs_relative_to(__FILE__)
+Ragweed.require_all_libs_relative_to(__FILE__)
+
+# EOF