tduehr-ragweed 0.1.5

data/History.txt

@@ -0,0 +1,15 @@
+== 0.1.5 / 2009-06-18
+
+* more bug fixes
+
+== 0.1.1 / 2009-06-02
+
+* bug fixen and namespace changes
+
+== 0.1.0 / 2009-05-31
+
+* initial release
+
+== 0.0.1 / 2009-05-13
+
+* initial pull from svn

data/README.rdoc

@@ -0,0 +1,35 @@
+Ragweed
+    by tduehr, struct, and tqbf
+    http://matasano.com/log
+
+== DESCRIPTION:
+
+* Ragweed is a set of scriptable debugging tools written mostly in native ruby.
+
+* Where required the Ruby/DL and Win32API libraries are used to interface the machine
+and OS native system calls.
+
+== FEATURES/PROBLEMS:
+
+* This suite is currently fairly piecemeal. Each OS has it's own set of tools.
+The most complete set is for Win32.
+
+* Work is ongoing to complete and unify the OSX and Linux portions.
+
+== SYNOPSIS:
+
+  require 'debuggerosx'
+  d = Debuggerosx.new(514) # pid of process to trace
+
+== REQUIREMENTS:
+
+* NONE - no really, this is pure native ruby hooking system libraries. There are no other dependencies, none.
+
+== INSTALL:
+
+  gem sources -a http://gems.github.com
+  sudo gem install tduehr-ragweed
+
+== LICENSE:
+
+Copyright 2009 Matasano Security, LLC All Rights Reserved

data/README.txt

@@ -0,0 +1,9 @@
+Ragweed is a set of scriptable debugging tools written mostly in native ruby.
+
+Where required the Ruby/DL and Win32API libraries are used to interface the machine
+and OS native system calls.
+
+This suite is currently fairly piecemeal. Each OS has it's own set of tools.
+The most complete set is for Win32.
+
+Work is ongoing to complete and unify the OSX and Linux portions.

data/Rakefile

@@ -0,0 +1,30 @@
+# Look in the tasks/setup.rb file for the various options that can be
+# configured in this Rakefile. The .rake files in the tasks directory
+# are where the options are used.
+
+begin
+  require 'bones'
+  Bones.setup
+rescue LoadError
+  begin
+    load 'tasks/setup.rb'
+  rescue LoadError
+    raise RuntimeError, '### please install the "bones" gem ###'
+  end
+end
+
+ensure_in_path 'lib'
+require 'ragweed'
+
+task :default => 'spec:run'
+
+PROJ.name = 'ragweed'
+PROJ.authors = 'tduehr, tqbf, struct'
+PROJ.email = 'td@matasano.com'
+PROJ.url = 'github.com/tduehr/ragweed'
+PROJ.version = Ragweed::VERSION
+PROJ.rubyforge.name = 'ragweed'
+
+PROJ.spec.opts << '--color'
+
+# EOF

data/examples/hittracertux.rb

@@ -0,0 +1,48 @@
+#!/usr/bin/env ruby
+
+require 'debuggertux'
+require 'pp'
+require 'irb'
+include Ragweed
+
+filename = ARGV[0]
+pid = ARGV[1].to_i
+
+raise "hittracertux.rb FILE PID" if (ARGV.size < 2 or pid <= 0)
+
+d = Debuggertux.new(pid)
+d.attach
+
+File.open(filename, "r") do |fd|
+  lines = fd.readlines
+  lines.map {|x| x.chomp}
+  lines.each do |tl|
+    fn, addr = tl.split(",", 2)
+    d.breakpoint_set(addr.to_i(16), fn, (bpl = lambda do puts "hit - #{fn} #{addr}\n"; end))
+  end
+end
+
+d.install_bps
+d.continue
+catch(:throw) { d.loop }
+
+
+# An IDC script for generating the text file this hit tracer requires
+=begin
+#include <idc.idc>
+
+static main()
+{
+  auto entry, fname, outf, fd;
+  outf = AskFile(1, "*.txt", "Please select an output file");
+  fd = fopen(outf,"w");
+   
+	for(entry=NextFunction(0); entry  != BADADDR; entry=NextFunction(entry) )
+	{
+		fname = GetFunctionName(entry);
+		fprintf(fd, "%s,0x%x\n", fname, entry);
+ 	}
+
+  fclose(fd);
+}
+=end

data/examples/hittracerx.rb

@@ -0,0 +1,63 @@
+#!/usr/bin/env ruby
+
+# A simple hittracer to debug and test Debuggerosx.
+# FILE is CSV file,address
+# PID is the proces id to attach to.
+
+require 'debuggerosx'
+require 'pp'
+require 'irb'
+include Ragweed
+
+filename = ARGV[0]
+pid = ARGV[1].to_i
+
+raise "hittracerosx.rb FILE PID" if (ARGV.size < 2 or pid <= 0)
+
+class Debuggerosx
+  def on_exit
+    exit(1)
+  end
+
+  def on_single_step
+  end
+    
+  def on_segv(thread)
+    pp self.get_registers(thread)
+    pp self.threads
+    self.threads.each {|thread| puts Wraposx::ThreadContext.get(thread).dump}
+    self.threads.each {|thread| puts Wraposx::ThreadInfo.get(thread).dump}
+    throw(:break)
+  end
+    
+  def on_bus(thread)
+    throw(:break)
+  end
+end
+
+d = Debuggerosx.new(pid)
+d.attach
+
+File.open(filename, "r") do |fd|
+  lines = fd.readlines
+  lines.map {|x| x.chomp}
+  lines.each do |tl|
+    fn, addr = tl.split(",", 2)
+    d.breakpoint_set(addr.to_i(16), fn, (bpl = lambda do | t, r, s | puts "#{ s.breakpoints[r.eip].first.function } hit in thread #{ t }\n"; end))
+  end
+end
+
+d.install_bps
+d.continue
+catch(:throw) { d.loop }
+pp d.wait 1
+pp d.threads
+
+d.threads.each do |t|
+  r = Wraposx::ThreadContext.get(t)
+  i = Wraposx::ThreadInfo.get(t)
+  pp r
+  puts r.dump
+  pp i
+  puts i.dump
+end

data/examples/hook_notepad.rb

@@ -0,0 +1,9 @@
+require "ragweed"
+include Ragweed
+
+dbg = Debugger.find_by_regex /notepad/i
+raise "notepad not running" if dbg.nil?
+
+dbg.hook('kernel32!CreateFileW', 7) {|e,c,d,a| puts "#{d} CreateFileW for #{dbg.process.read(a[0],512).from_utf16_buffer}"}
+dbg.loop
+dbg.release

data/examples/snicker.rb

@@ -0,0 +1,183 @@
+#!/usr/bin/env ruby
+
+# This is a slightly more complex hit tracer implementation of
+# Debuggerosx. It does fork/exec and attempts, in a manner resembling
+# rocket surgery with a steamroller, to skip any call to ptrace.
+
+# This was last setup to debug the race condition in Debuggerosx#on_breakpoint
+# using ftp as the child.
+
+require 'rubygems'
+require 'ragweed'
+require 'pp'
+require 'ruby-debug'
+Debugger.start
+
+filename = ARGV[0]
+pid = ARGV[1].to_i
+ptraceloc = 0
+rd, wr = nil, nil
+
+class Snicker < Ragweed::Debuggerosx
+  attr_accessor :attached
+
+  def on_exit(status)
+    pp "Exited with status #{ status }"
+    @hooked = false
+    @attached = false
+    @exited = true
+    throw(:break)
+  end
+
+  def on_single_step
+  end
+
+  def on_sigsegv
+    pp "SEGV"
+    pp self.threads
+    self.threads.each do |t|
+      pp self.get_registers(t)
+      pp Ragweed::Wraposx::ThreadInfo.get(t)
+    end
+    debugger
+    @exited = true
+    throw(:break)
+  end
+
+  def on_sigbus
+    pp "sigbus"
+    # pp Ragweed::Wraposx::vm_read(@task,0x420f,169)
+    # # Kernel.debugger
+    # # Debugger.breakpoint
+    # # Debugger.catchpoint
+    # debugger
+    throw(:break)
+  end
+end
+
+if pid == 0
+  rd, wr = IO.pipe
+  pid = fork 
+end
+
+if pid.nil?
+  ptraceloc = Ragweed::Wraposx::LIBS['/usr/lib/libc.dylib'].sym("ptrace", "IIIII").to_ptr.ref.to_s(Ragweed::Wraposx::SIZEOFINT).unpack("I_").first
+
+  pp ptraceloc.to_s(16)
+  rd.close
+  wr.puts ptraceloc
+
+  Ragweed::Wraposx::ptrace(Ragweed::Wraposx::Ptrace::TRACE_ME, 0, 0, 0)
+  puts "Traced!"
+  # sleep(1)
+
+  puts "Execing #{ARGV[1]}"
+  exec(ARGV[1])
+  puts "it left"
+else
+  d = Snicker.new(pid)
+
+  if rd
+    wr.close
+    # d.attached = true
+    ptraceloc = rd.gets.chomp.to_i(0)
+
+    pp ptraceloc.to_s(16)
+    pp d
+    pp d.threads
+
+    raise "Fail!" if ptraceloc == 0
+
+    d.breakpoint_set(ptraceloc,"Ptrace",(bpl = lambda do |t, r, s|
+      puts "#{ s.breakpoints[r.eip].first.function } hit in thread #{ t }\n"
+      pp r
+      if Ragweed::Wraposx::vm_read(s.task,r.esp + 4,4).unpack("I").first == Ragweed::Wraposx::Ptrace::DENY_ATTACH
+        pp Ragweed::Wraposx::vm_read(s.task,r.esp-28,32).unpack("I_*").map{|x| x.to_s(16)}
+        pp Ragweed::Wraposx::vm_read(s.task,r.esp,32).unpack("I_*").map{|x| x.to_s(16)}
+        r.eax = 0
+        # r.esp = r.ebp
+        # r.ebp = Ragweed::Wraposx::vm_read(s.task,r.esp,4).unpack("I_").first
+        r.eip = Ragweed::Wraposx::vm_read(s.task,r.esp,4).unpack("V").first
+        # r.esp = Ragweed::Wraposx::vm_read(s.task,r.ebp,4).unpack("I_").first
+        # r.ebp +=4
+        # r.eip = Ragweed::Wraposx::vm_read(s.task,r.esp,4).unpack("I_").first
+        # r.esp+=4
+        pp "bounced"
+        return false
+      else
+        pp Ragweed::Wraposx::vm_read(s.task,r.esp-28,32).unpack("I_*").map{|x| x.to_s(16)}
+        pp Ragweed::Wraposx::vm_read(s.task,r.esp,32).unpack("I_*").map{|x| x.to_s(16)}
+        # pp Ragweed::Wraposx::dl_bignum_to_ulong(r.esp).ptr.to_s(4).unpack("I").first.to_s(16)
+        # pp Ragweed::Wraposx::dl_bignum_to_ulong(r.esp - 15*4).to_s(4*16).unpack("I*").map{|x| x.to_s(16)}
+        # pp Ragweed::Wraposx::dl_bignum_to_ulong(r.esp).to_s(15*4).unpack("I*").map{|x| x.to_s(16)}
+        return true
+      end
+    end))
+
+    d.install_bps
+
+    class Snicker < Ragweed::Debuggerosx    
+      def on_sigtrap
+        if not @first
+          @first = true
+          self.install_bps
+        end
+      end
+
+      def on_stop(signal)
+        pp "#Stopped with signal #{ signal } (on_stop)"
+      end
+    end
+
+  else
+    d.attach
+
+    class Snicker < Ragweed::Debuggerosx
+      def on_sigstop
+        if not @first
+          @first = true
+          self.install_bps
+        end
+      end
+
+      def on_stop(signal)
+        pp "#Stopped with signal #{ signal } (on_stop)"
+      end
+    end
+  end
+
+  # File.open(filename, "r") do |fd|
+  #   lines = fd.readlines
+  #   lines.map {|x| x.chomp!}
+  #   lines.each do |tl|
+  #     pp tl
+  #     fn, addr = tl.split(",", 2)
+  #     pp [fn, addr.to_i(16)]
+  #     if (not addr.nil? and addr.to_i(16) > 0)
+  #       d.breakpoint_set(addr.to_i(16), fn, (bpl = lambda do | t, r, s | 
+  #         puts "#{ s.breakpoints[r.eip].first.function } hit in thread #{ t }\n"
+  #         # pp r
+  #         # debugger
+  #       end))
+  #     end
+  #   end
+  # end
+  # 
+  # blpwd = Wraposx::vm_read(d.task,0x420f,16)
+  # bbus = Wraposx::vm_read(d.task,0x4220,32)
+
+  catch(:break) { d.loop() }
+
+  if not d.exited
+    pp d.threads
+
+    d.threads.each do |t|
+      r = Ragweed::Wraposx::ThreadContext.get(t)
+      i = Ragweed::Wraposx::ThreadInfo.get(t)
+      pp r
+      puts r.dump
+      pp i
+      puts i.dump
+    end
+  end
+end

data/examples/tux-example.rb

@@ -0,0 +1,23 @@
+#!/usr/bin/env ruby
+
+## Simple example of attaching to a process and letting it run
+
+require 'pp'
+require 'debuggertux'
+include Ragweed
+
+pid = Debuggertux.find_by_regex(/gcalctool/)
+
+begin
+	t = Debuggertux.get_thread_pids(pid)
+	puts "Which thread do you want to attach to?"
+	t.each do |h| puts h end
+	pid = STDIN.gets.chomp.to_i
+
+	d = Debuggertux.new(pid)
+	d.attach
+	d.continue
+	catch(:throw) { d.loop }
+rescue
+	puts "Maybe your PID is wrong?"
+end

data/lib/ragweed/arena.rb

@@ -0,0 +1,55 @@
+class Ragweed::Arena
+  # I want 3 lambdas:
+  # * "get" should take no arguments and result in the address of a fresh
+  #   4k page.
+  # * "free" should free any 4k page returned by "get"
+  # * "copy" should implement memcpy, copying a string into a 4k page.
+  def initialize(get, free, copy)
+    @get = get
+    @free = free
+    @copy = copy
+    @pages = []
+    @avail = 0
+    @off = 0
+  end
+
+  private
+
+  def get
+    p = @get.call
+    @pages << p
+    @cur = p
+    @avail = 4096
+    @off = 0
+  end
+
+  public
+
+  # Allocate any size less than 4090 from the arena.
+  def alloc(sz)
+    raise "can't handle > page size now" if sz > 4090
+    get if sz > @avail
+    ret = @off
+    @off += sz
+    round = 4 - (@off % 4)
+    if (@off + round) > 4096
+      @avail = 0
+      @off = 4096
+    else
+      @off += round
+      @avail -= (sz + round)
+    end
+
+    return Ptr.new(@cur + ret)
+  end
+
+  # Copy a buffer into the arena and return its new address.
+  def copy(buf)
+    ret = alloc(buf.size)
+    @copy.call(ret, buf)
+    return ret
+  end
+
+  # Release the whole arena all at once.
+  def release; @pages.each {|p| @free.call(p)}; end
+end

data/lib/ragweed/blocks.rb

@@ -0,0 +1,128 @@
+require 'ragweed/rasm'
+
+pushv = $VERBOSE
+$VERBOSE = nil
+
+module Ragweed::Blocks
+  include Ragweed::Rasm
+  extend Ragweed::Rasm
+
+  def remote_trampoline(argc, opts={})
+    i = Rasm::Subprogram.new
+
+    # drop directly to debugger
+    i << Int(3) if opts[:debug]
+
+    # psuedo-frame-pointer
+    i.<< Push(esi)
+    i.<< Mov(esi, esp)
+
+    # get the thread arg
+    i.<< Add(esi, 8)
+
+    # load it
+    i.<< Mov(esi, [esi])
+    i.<< Push(ebx)
+    i.<< Mov(ebx, [esi])
+    i.<< Push(ecx)
+
+    # harvest arguments out of the argument buffer
+    (0...argc).each do |n|
+      i.<< Mov(ecx, [esi+(4+(n*4))])
+      i.<< Push(ecx)
+    end
+
+    i.<< Call(ebx)
+
+    # stuff return value after args
+    i.<< Mov([esi + (4+(argc*4))], eax)
+    
+    # epilogue
+    i.<< Pop(ecx)
+    i.<< Pop(ebx)
+    i.<< Pop(esi)
+    i.<< Ret() # i think this is an artifact of my IRB, XXX clean up
+  end
+  module_function :remote_trampoline
+
+  def event_pair_stub(opts={})
+    i = Rasm::Subprogram.new
+
+    i << Int(3) if opts[:debug]
+
+    i.<< Push(ebp)
+    i.<< Mov(ebp, esp)
+    i.<< Sub(esp, 12)
+
+    i.<< Push(esi)
+    i.<< Mov(esi, [ebp+8])
+
+    i.<< Push(eax)
+    i.<< Push(ebx)
+    i.<< Push(edx)
+    
+    # OpenProcess
+    i.<< Mov(ebx, [esi]) # function ptr
+    i.<< Mov(eax, [esi+24]) 
+    i.<< Push(eax)
+    i.<< Xor(eax, eax)
+    i.<< Push(eax)
+    i.<< Or(eax, 0x1F0FFF)
+    i.<< Push(eax)
+    i.<< Call(ebx)
+    i.<< Mov([ebp-4], eax)
+    
+    # DuplicateHandle
+    i.<< Mov(ebx, [esi+4]) # function ptr
+    (1..2).each do |which|
+      i.<< Push(2) # flags
+      i.<< Push(0) # dunno
+      i.<< Push(0) # dunno 
+      i.<< Mov(edx, ebp)    # my LEA encoding is broken
+      i.<< Sub(edx, 8+(4*(which-1))) 
+      i.<< Lea(eax, [edx])
+      i.<< Push(eax) # handle out-arg
+      i.<< Xor(eax, eax)
+      i.<< Not(eax)
+      i.<< Push(eax) # target process
+      i.<< Mov(ecx, esi)
+      i.<< Add(ecx, (20 + (4 * which)))
+      i.<< Push([ecx])
+      i.<< Push([ebp-4]) # target process handle
+      i.<< Call(ebx)
+    end
+
+    # ResetHandle
+    i.<< Mov(ebx, [esi+8]) # function ptr
+    (0..1).each do |which|
+      i.<< Push([ebp-(8+(4*which))])
+      i.<< Call(ebx)
+    end
+
+    # SignalHandle
+    i.<< Mov(ebx, [esi+12]) # function ptr
+    i.<< Push([ebp-8])
+    i.<< Call(ebx)
+
+    # WaitForSingleObject
+    i.<< Mov(ebx, [esi+16])
+    i.<< Xor(eax, eax)
+    i.<< Not(eax)
+    i.<< Push(eax)
+    i.<< Push([ebp-12])
+    i.<< Call(ebx)
+ 
+    # All done!
+
+    i.<< Pop(edx)
+    i.<< Pop(ebx)
+    i.<< Pop(eax)
+    i.<< Pop(ecx)
+    i.<< Pop(esi)
+    i.<< Add(esp, 12)
+    i.<< Pop(ebp)
+    i.<< Ret()
+  end
+end
+
+$VERBOSE = pushv