ragweed 0.1.7.2

data/lib/ragweed/debuggertux.rb

@@ -0,0 +1,346 @@
+require ::File.join(::File.dirname(__FILE__),'wraptux')
+## Modeled after wraposx written by tduehr
+
+module Ragweed; end
+
+## Debugger class for Linux
+## You can use this class in 2 ways:
+##
+## (1) You can create instances of Debuggertux and use them to set and handle
+##     breakpoints.
+##
+## (2) If you want to do more advanced event handling, you can subclass from
+##     debugger and define your own on_whatever events. If you handle an event
+##     that Debuggertux already handles, call "super", too.
+class Ragweed::Debuggertux
+  # include Ragweed
+
+  attr_reader :pid
+  attr_reader :status
+  attr_reader :exited
+  attr_accessor :breakpoints
+
+  ## Class to handle installing/uninstalling breakpoints
+  class Breakpoint
+
+    INT3 = 0xCC ## obviously x86 specific debugger here
+
+    attr_accessor :orig
+    attr_reader :addr
+    attr_accessor :function
+
+    ## bp: parent for method_missing calls
+    ## ip: insertion point
+    ## callable: lambda to be called when breakpoint is hit
+    ## name: name of breakpoint
+    def initialize(bp, ip, callable, name = "")
+      @@bpid ||= 0
+      @bp = bp
+      @function = name
+      @addr = ip
+      @callable = callable
+      @installed = false
+      @orig = 0
+      @bpid = (@@bpid += 1)
+    end ## breakpoint initialize
+
+    ## Install a breakpoint (replace instruction with int3)
+    def install
+      ## Replace the original instruction with an int3
+      @orig = Ragweed::Wraptux::ptrace(Ragweed::Wraptux::Ptrace::PEEK_TEXT, $ppid, @addr, 0)   ## Backup the old inst
+      if @orig != -1
+        new = (@orig & ~0xff) | INT3;
+        Ragweed::Wraptux::ptrace(Ragweed::Wraptux::Ptrace::POKE_TEXT, $ppid, @addr, new)
+        @installed = true
+      else
+        @installed = false
+      end
+    end
+
+    ## Uninstall the breakpoint
+    def uninstall
+      ## Put back the original instruction
+      if @orig != INT3
+        Ragweed::Wraptux::ptrace(Ragweed::Wraptux::Ptrace::POKE_TEXT, $ppid, @addr, @orig)
+        @installed = false
+      end
+    end
+
+    def installed?; @installed; end
+    def call(*args); @callable.call(*args) if @callable != nil; end
+    def method_missing(meth, *args); @bp.send(meth, *args); end
+  end ## Breakpoint Class
+
+  ## init object
+  ## p: pid of process to be debugged
+  ## opts: default options for automatically doing things (attach and install)
+  def initialize(pid,opts={}) ## Debuggertux Class
+    @pid = pid
+
+    ## FIXME - globals are bad...
+    $ppid = @pid ## temporary work around
+    @opts = opts
+
+    default_opts(opts)
+    @installed = false
+    @attached = false
+
+    ## Store all breakpoints in this hash
+    @breakpoints = Hash.new do |h, k|
+        bps = Array.new
+        def bps.call(*args); each {|bp| bp.call(*args)}; end
+        def bps.install; each {|bp| bp.install}; end
+        def bps.uninstall; each {|bp| bp.uninstall}; end
+        def bps.orig; each {|bp| dp.orig}; end
+        h[k] = bps
+    end
+    @opts.each {|k, v| try(k) if v}
+  end
+
+  ## This is crude!
+  def self.find_by_regex(rx)
+    a = Dir.entries("/proc/")
+    a.delete_if do |x| x == '.'; end
+    a.delete_if do |x| x == '..'; end
+    a.delete_if do |x| x =~ /[a-z]/; end
+    a.each do |x|
+      f = File.read("/proc/#{x}/cmdline")
+      if f =~ rx
+        return x
+      end
+    end
+  end
+
+  def install_bps
+    @breakpoints.each do |k,v|
+      v.install
+    end
+    @installed = true
+  end
+
+  def uninstall_bps
+    @breakpoints.each do |k,v|
+      v.uninstall
+    end
+    @installed = false
+  end
+
+  ## Attach calls install_bps so dont forget to call breakpoint_set
+  ## BEFORE attach or explicitly call install_bps
+  def attach(opts=@opts)
+    Ragweed::Wraptux::ptrace(Ragweed::Wraptux::Ptrace::ATTACH, @pid, 0, 0)
+    @attached = true
+    self.install_bps if (opts[:install] and not @installed)
+  end
+
+  def continue
+    on_continue
+    Ragweed::Wraptux::ptrace(Ragweed::Wraptux::Ptrace::CONTINUE, @pid, 0, 0)
+  end
+
+  def detach
+    on_detach
+    Ragweed::Wraptux::ptrace(Ragweed::Wraptux::Ptrace::DETACH, @pid, 0, 0)
+  end
+
+  def stepp
+	on_stepp
+    ret = Ragweed::Wraptux::ptrace(Ragweed::Wraptux::Ptrace::STEP, @pid, 1, 0)
+  end
+
+  ## Adds a breakpoint to be installed
+  ## ip: Insertion point
+  ## name: name of breakpoint
+  ## callable: object to .call at breakpoint
+  def breakpoint_set(ip, name="", callable=nil, &block)
+    if not callable and block_given?
+      callable = block
+    end
+    @breakpoints[ip] << Breakpoint.new(self, ip, callable, name)
+  end
+
+  ## remove breakpoint with id bpid at insertion point or
+  ## remove all breakpoints at insertion point if bpid not given
+  ## ip: Insertion point
+  ## bpid: id of breakpoint to be removed
+  def breakpoint_clear(ip, bpid=nil)
+    if not bpid
+      @breakpoints[ip].uninstall
+      @breakpoints[ip].delete ip
+    else
+      found = nil
+      @breakpoints[ip].each_with_index do |bp, i|
+        if bp.bpid == bpid
+          found = i
+          if bp.orig != Breakpoint::INT3
+            if @breakpoints[op][i+1]
+              @breakpoints[ip][i + 1].orig = bp.orig
+            else
+              bp.uninstall
+            end
+          end
+        end
+      end
+      raise "could not find bp ##{bpid} at ##{ip}" if not found
+      @breakpoints[ip].delete_at(found) if found
+    end
+  end
+
+  ##loop for wait()
+  ##times: the number of wait calls to make
+  ##       if nil loop will continue indefinitely
+  def loop(times=nil)
+    if times.kind_of? Numeric
+      times.times do
+        self.wait
+      end
+    elsif times.nil?
+      self.wait while not @exited
+    end
+  end
+
+  ## This wait must be smart, it has to wait for a signal
+  ## when SIGTRAP is received we need to see if one of our
+  ## breakpoints has fired. If it has then execute the block
+  ## originally stored with it. If its a different signal,
+  ## then process it accordingly and move on
+  def wait(opts = 0)
+    r = Ragweed::Wraptux::waitpid(@pid,opts)
+    status = r[1]
+    wstatus = status & 0x7f
+    signal = status >> 8
+    found = false
+    if r[0] != 0    ## Check the ret
+      case  ## FIXME - I need better logic (use Signal module)
+      when wstatus == 0 ##WIFEXITED
+        @exited = true
+        self.on_exit
+      when wstatus != 0x7f ##WIFSIGNALED
+        @exited = false
+        self.on_signal
+      when signal == Ragweed::Wraptux::Signal::SIGINT
+        self.continue
+      when signal == Ragweed::Wraptux::Signal::SIGSEGV
+        self.on_segv
+      when signal == Ragweed::Wraptux::Signal::SIGILL
+        self.on_illegalinst
+      when signal == Ragweed::Wraptux::Signal::SIGTRAP
+        ## Check if EIP matches a breakpoint we have set
+        r = self.get_registers
+        eip = r[:eip]
+        eip -= 1
+        if @breakpoints.has_key?(eip)
+          found = true
+          self.on_breakpoint
+        else
+          puts "We got a SIGTRAP but not at our breakpoint... continuing"
+        end
+        self.continue
+      when signal == Ragweed::Wraptux::Signal::SIGCONT
+        self.continue
+      when signal == Ragweed::Wraptux::Signal::SIGSTOP
+        self.continue
+      else
+        raise "Add more signal handlers (##{signal})"
+      end
+    end
+  end
+
+  ## Return an array of thread PIDs
+  def self.threads(pid)
+    a = Dir.entries("/proc/#{pid}/task/")
+    a.delete_if { |x| x == '.' }
+    a.delete_if { |x| x == '..' }
+  end
+
+  ## Gets the registers for the given process
+  def get_registers
+    size = Ragweed::Wraptux::SIZEOFLONG * 17
+    regs = Array.new(size)
+    regs = regs.to_ptr
+    regs.struct!('LLLLLLLLLLLLLLLLL', :ebx,:ecx,:edx,:esi,:edi,:ebp,:eax,:xds,:xes,:xfs,:xgs,:orig_eax,:eip,:xcs,:eflags,:esp,:xss)
+    Ragweed::Wraptux::ptrace(Ragweed::Wraptux::Ptrace::GETREGS, @pid, 0, regs.to_i)
+    return regs
+  end
+
+  ## Sets registers for the given process
+  def set_registers(r)
+    Ragweed::Wraptux::ptrace(Ragweed::Wraptux::Ptrace::SETREGS, @pid, 0, r.to_i)
+  end
+
+  ## Here we need to do something about the bp
+  ## we just hit. We have a block to execute
+  def on_breakpoint
+    r = self.get_registers
+    eip = r[:eip]
+    eip -= 1
+
+    ## Call the block associated with the breakpoint
+    @breakpoints[eip].call(r, self)
+
+    if @breakpoints[eip].first.installed?
+      @breakpoints[eip].first.uninstall
+      r[:eip] = eip
+      set_registers(r)
+      stepp
+      ## ptrace peektext returns -1 upon reinstallation of bp without calling
+      ## waitpid() if that occurs the breakpoint cannot be reinstalled
+      Ragweed::Wraptux::waitpid(@pid, 0)
+      @breakpoints[eip].first.install
+    end
+  end
+
+  def print_regs
+    regs = self.get_registers
+    puts "eip %08x" % regs[:eip]
+    puts "edi %08x" % regs[:esi]
+    puts "edi %08x" % regs[:edi]
+    puts "esp %08x" % regs[:esp]
+    puts "eax %08x" % regs[:eax]
+    puts "ebx %08x" % regs[:ebx]
+    puts "ecx %08x" % regs[:ecx]
+    puts "edx %08x" % regs[:edx]
+  end
+
+  def on_exit
+    #puts "process exited"
+  end
+
+  def on_illegalinst
+    #puts "illegal instruction"
+    exit
+  end
+
+  def on_attach
+    #puts "attached to process"
+  end
+
+  def on_detach
+    #puts "process detached"
+  end
+
+  def on_continue
+    #puts "process continued"
+  end
+
+  def on_stopped
+    #puts "process stopped"
+  end
+
+  def on_signal
+    #puts "process received signal"
+  end
+
+  def on_stepp
+    #puts "single stepping"
+  end
+
+  def on_segv
+    print_regs
+    exit
+  end
+
+  def default_opts(opts)
+    @opts = @opts.merge(opts)
+  end
+end

data/lib/ragweed/detour.rb

@@ -0,0 +1,223 @@
+class Ragweed::Detour
+  # "Ghetto Detours", as Scott Stender might say. Patch subprograms
+  # in to running programs as a hooking mechanism.
+  class Detour
+    attr_reader :snarfed
+    attr_reader :dpoint
+    attr_reader :stack
+
+    # Easiest way to do this is just to ask WinProcess#detour. Wants
+    # "p" to be a pointer into the process, presumable returned from
+    # WinProcess#get_proc.
+    # 
+    # In theory, "p" should be OK anywhere as long as there are 5
+    # bytes of instructions before the end of the basic block its
+    # in. In practice, this only really stands a chance of working
+    # if "p" points to a function prologue.
+    def initialize(p, opts={})      
+      @p = p.p
+      @dpoint = p
+      @opts = opts
+      @a = @opts[:arena] || @p.arena
+      @stack = @a.alloc(2048)
+      @snarfed = snarf_prologue
+    end
+
+    # Release the detour and its associated memory, unpatch the
+    # target function.
+    def release
+      @dpoint.write(@snarfed)
+      @a.release if not @opts[:arena]
+    end
+
+    # Patch the target function. There is a 70% chance this will
+    # totally fuck your process. 
+    #
+    # You would be wise to have the threads in the process suspended
+    # while you do this, but I'm not going to do it for you.
+    def call
+      # a Detours-style trampoline --- the location we patch the
+      # target function to jump to --- consists of:
+      #
+      # - A stack switch (to push/pop w/o fucking the program)
+      # - A context save
+      # - The Detour code
+      # - A context restore
+      # - A stack restore
+      # - The code we patched out of the target
+      # - A jump back to the target function (after the prologue)
+
+      # Do this now to make room for the (probably 5 byte) jump. 
+      # We don't know what the address will be until we allocate.
+      jumpback = (Jmp 0xDEADBEEF) # patch back later
+
+      # Build the trampoline
+      tramp = trampoline(@stack).assemble
+
+      # Figure out how big the whole mess will be, allocate it
+      tsz = tramp.size + @snarfed.size + jumpback.to_s.size
+      tbuf = @a.alloc(tsz + 10)
+      
+      # assume trampoline is ahead of the patched program text;
+      # jump to [dpoint+patch]
+      jumpback.dst = (@dpoint.to_i + @snarfed.size) - (tbuf + tsz)
+      
+      # Write it into memory. It's not "live" yet because we haven't
+      # patched the target function.
+      @p.write(tbuf, tramp + @snarfed + jumpback.to_s)
+
+      # But now it is. =)
+      @p.write(@dpoint, injection(tbuf).assemRASble)
+    end
+
+    # Hook function. Override this in subclasses to provide different
+    # behavior.
+    def inner_block
+      i = Rasm::Subprogram.new
+      i.<< Int(3)
+    end
+
+    private
+
+    # No user-servicable parts below.
+
+    # Pull at least 5 bytes of instructions out of the prologue, using
+    # the disassembler, to make room for our patch jump. Save it, so 
+    # we can unpatch later.
+    def snarf_prologue
+      i = 0
+      (buf = @dpoint.read(20)).distorm.each do |insn|
+        i += insn.size
+        break if i >= 5
+      end
+      buf[0...i]      
+    end
+
+    # Create the Jmp instruction that implements the patch; you can't
+    # do this until you know where the trampoline was actually injected
+    # into the process.
+    def injection(tramp)
+      here = @dpoint
+      there = tramp
+
+      if there < here
+        goto = -((here - there) + 5)
+      else
+        goto = there - here
+      end
+
+      i = Rasm::Subprogram.new
+      i.<< Rasm::Jmp(goto.to_i)
+    end
+
+    # Create the detours trampoline:
+    def trampoline(stack)
+      i = Rasm::Subprogram.new
+      i.concat push_stack(stack)   # 1. Give us a new stack
+      i.concat save_all            # 2. Save all the GPRs just in case
+      i.concat inner_block         # 3. The hook function
+      i.concat restore_all         # 4. Restore all the GPRs.
+      i.concat pop_stack           # 5. Restore the stack
+      return i
+    end
+
+    # Swap in a new stack, pushing the old stack address 
+    # onto the top of it.
+    def push_stack(addr, sz=2048)
+      i = Rasm::Subprogram.new
+      i.<< Rasm::Push(eax)
+      i.<< Rasm::Mov(eax, addr+(sz-4))
+      i.<< Rasm::Mov([eax], esp)
+      i.<< Rasm::Pop(eax)
+      i.<< Rasm::Mov(esp, addr+(sz-4))
+    end
+
+    # Swap out the new stack.
+    def pop_stack
+      i = Rasm::Subprogram.new
+      i.<< Rasm::Pop(esp)
+      i.<< Rasm::Add(esp, 4)
+    end
+
+    # Just push all the registers in order
+    def save_all
+      i = Rasm::Subprogram.new
+      [eax,ecx,edx,ebx,ebp,esi,edi].each do |r|
+        i.<< Rasm::Push(r)
+      end
+      i
+    end
+
+    # Just pop all the registers
+    def restore_all
+      i = Rasm::Subprogram.new
+      [edi,esi,ebp,ebx,edx,ecx,eax].each do |r|
+        i.<< Rasm::Pop(r)
+      end
+      i
+    end    
+  end
+
+  # A breakpoint implemented as a Detour. TODO not tested.
+  class Dbreak < Detour
+    attr_reader :ev1, :ev2 
+
+    # accepts:
+    # :ev1:     reuse events from somewhere else 
+    # :ev2: 
+    def initialize(*args)
+      super 
+      @ev1 = @opts[:ev1] || WinEvent.new
+      @ev2 = @opts[:ev2] || WinEvent.new
+
+      # create the state block that the eventpair shim wants:
+      mem = @a.alloc(100)
+      @data = mem
+
+      # ghetto vtbl
+      swch = ["OpenProcess",                   
+              "DuplicateHandle", 
+              "ResetEvent", 
+              "SetEvent", 
+              "WaitForSingleObject",
+              "GetCurrentThreadId"].
+        map {|x| @p.get_proc("kernel32!#{x}").to_i}.
+        pack("LLLLLL")
+
+      # ghetto instance vars
+      state = [@p.w.get_current_process_id, @ev1.handle, @ev2.handle].
+        pack("LLL")
+      @data.write(swch + state)
+    end
+
+    def inner_block      
+      i = Rasm::Subprogram.new      
+      i.<< Push(eax)
+      i.<< Xor(eax, eax)
+      i.<< Or(eax, @data)
+      i.<< Push(eax) 
+      i.<< Call(1)            # cheesy in the extreme: fake a call
+                              # so I don't have to change my event shim
+      i.<< Nop.new
+      i.<< Nop.new
+      i.<< Nop.new
+      i.<< Nop.new
+      i.<< Nop.new
+      s = event_pair_stub
+      s[-1] = Add(esp, 4)
+      i.concat(s)
+      i.<< Pop(eax)
+      return i
+    end
+
+    # in theory, loop on this breakpoint
+    def on(&block)
+      puts "#{ @p.pid }: #{ @ev1.handle }" # in case we need to release
+      loop do
+        @ev1.wait
+        yield 
+        @ev2.signal
+      end
+    end
+  end
+end

data/lib/ragweed/ptr.rb

@@ -0,0 +1,48 @@
+# TODO: make read/write work for other oses
+
+class Ragweed::Ptr
+  # A dubious achievement. Wrap Integers in a pointer class, which,
+  # when you call to_s, returns the marshalled type, and which exports
+  # read/write methods.
+  attr_accessor :p
+  attr_reader :val
+
+  # ptr-to-zero?
+  def null?
+    @val == 0
+  end
+
+  # initialize with a number or another pointer (implements copy-ctor)
+  def initialize(i)
+    if i.kind_of? self.class
+      @val = i.val
+      @p = i.p
+    elsif not i
+      @val = 0
+    else
+      @val = i
+    end
+  end
+
+  # return the raw pointer bits
+  def to_s; @val.to_l32; end
+
+  # return the underlying number
+  def to_i; @val; end
+
+  # only works if you attach a process 
+  def write(arg); p.write(self, arg); end
+  def read(sz); p.read(self, sz); end
+
+  # everything else: work like an integer --- also, where these
+  # calls return numbers, turn them back into pointers, so pointer
+  # math doesn't shed the class wrapper
+  def method_missing(meth, *args) 
+    ret = @val.send meth, *args
+    if ret.kind_of? Numeric
+      ret = Ptr.new(ret)
+      ret.p = self.p
+    end
+    ret
+  end
+end

data/lib/ragweed/rasm/bblock.rb

@@ -0,0 +1,73 @@
+module Ragweed; end
+module Ragweed::Rasm
+  # Ruby inline assembler.
+  class Bblock
+    # Don't call this directly; use Bblock#make
+    def initialize
+      @insns = Ragweed::Rasm::Subprogram.new
+    end
+
+    # Wrap the methods of Rasm::Subprogram we care about:
+
+    # Assemble the instructions, which also calculates appropriate
+    # jump labels.
+    def assemble; @insns.assemble; end
+
+    # Disassemble the block (after it's been assembled) into
+    # Frasm objects.
+    def disassemble; @insns.disassemble; end
+
+    # Generate a human-readable assembly listing.
+    def listing; @insns.dump_disassembly; end
+
+    # Append more instructions to a previously created block;
+    # see Bblock#make
+    def append(&block)
+      instance_eval(&block)
+    end
+
+    # Takes a block argument, containing (mostly) assembly
+    # instructions, as interpreted by Rasm. For example:
+    #
+    #     Bblock.make {
+    #         push ebp
+    #         mov  ebp, esp
+    #         push ebx
+    #         xor ebx, ebx
+    #         addl esp, 4
+    #         pop ebp
+    #         ret
+    #     }
+    #
+    # Each of those instructions is in fact the name of a class
+    # in Rasm, lowercased; Bblock has a method_missing that catches
+    # and instantiates them.
+    #
+    # Your block can contain arbitrary Ruby, but remember that it
+    # runs in the scope of an anonymous class and so cannot directly
+    # reference instance variables.
+    def self.make(&block)
+      c = Bblock.new
+      c.instance_eval(&block)
+      c
+    end
+
+    # method to fix collision with Kernel#sub properly
+    def sub(*args)
+      Ragweed::Rasm::Sub.new(*args)
+    end
+
+    def method_missing(meth, *args)
+      k = Ragweed::Rasm.const_get(meth.to_s.capitalize)
+
+      # If it's a class, it's an assembly opcode; otherwise,
+      # it's a register or operand.
+      if k.class == Class
+        @insns << (k = k.new(*args))
+      else
+        k
+      end
+      k
+    end
+  end
+end