[fuzzing] Python binding of ptrace for Linux and FreeBSD
Victor Stinner
victor.stinner at haypocalc.com
Thu Feb 7 19:29:58 CST 2008
Hi,
I wrote a Python binding of the ptrace library for Linux and FreeBSD, working on
i386 and x86_64 (only i386 for FreeBSD). It supports almost all ptrace
features and has nice Python objects. There are also two scripts to show the
binding's features:
* strace.py: clone of strace command
* gdb.py: debugger similar to gdb (but in alpha stage)
The debugger supports multiple processes (attaching new children using ptrace
events), single-step execution and hardware breakpoints. It uses the distorm
disassembler (optional).
The source code is distributed under the GNU GPLv2 license.
Website: http://fusil.hachoir.org/trac/wiki/Ptrace
---
The PtraceProcess class has many methods:
* disassemble() / disassembleOne(): disassemble some instructions
* readStruct() / readArray() / readCString(): read data as Python objects
* readBytes() / writeBytes(): use /proc/pid/mem (Linux only) or the ptrace
peek/poke methods, taking care of memory alignment and splitting into CPU words
* cont() / waitTrap()
* getregs() / setreg() / setregs()
* getInstrPointer() / setInstrPointer()
* getStackPointer()
* findStack(): find stack start/end (use /proc/pid/maps)
* terminate(): kill the process
* etc.
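The readBytes()/writeBytes() entry above hides the interesting part: PTRACE_PEEKDATA and PTRACE_POKEDATA only move one CPU word at a time, so a byte-granular read has to round the address down to a word boundary and slice, and a byte-granular write has to read-modify-write any partially covered edge word or it silently clobbers the neighbouring bytes. The following is an added example written for this post, not python-ptrace's own code. It implements that word-splitting logic over a pluggable (peek, poke) pair, exercises it against a constructed in-memory stand-in that rejects unaligned accesses, and includes an assumed Linux backend over the real ptrace(2) via ctypes (the request numbers 2 and 5 are those of <sys/ptrace.h>; attaching and stopping the target is left to the caller).

```python
import ctypes
import ctypes.util
import errno
import os

PTRACE_PEEKDATA = 2   # request numbers from <sys/ptrace.h> (Linux)
PTRACE_POKEDATA = 5


def read_bytes(peek, addr, size, word_size=8):
    """Read `size` bytes at `addr` using only word-aligned peeks."""
    # Round down to a word boundary, fetch every word overlapping the range,
    # then slice the wanted bytes out of the concatenated little-endian words.
    start = addr - (addr % word_size)
    words = [peek(a).to_bytes(word_size, "little")
             for a in range(start, addr + size, word_size)]
    offset = addr - start
    return b"".join(words)[offset:offset + size]


def write_bytes(peek, poke, addr, data, word_size=8):
    """Write `data` at `addr` using only word-aligned pokes."""
    # A poke replaces a whole word, so a partially covered first or last word
    # is read first and merged with the new bytes (read-modify-write); words
    # that `data` covers completely are written without being read.
    start = addr - (addr % word_size)
    end = addr + len(data)
    head = addr - start         # leading bytes of the first word to keep
    tail = (-end) % word_size   # trailing bytes of the last word to keep
    buf = bytearray()
    if head:
        buf += peek(start).to_bytes(word_size, "little")[:head]
    buf += data
    if tail:
        last = end - (end % word_size)
        buf += peek(last).to_bytes(word_size, "little")[word_size - tail:]
    for i in range(0, len(buf), word_size):
        poke(start + i, int.from_bytes(buf[i:i + word_size], "little"))


class FakeMemory:
    """Constructed stand-in for a traced process's memory (not a real process).
    It moves whole words like PEEKDATA/POKEDATA and, unlike Linux on x86,
    rejects unaligned addresses so that alignment mistakes fail loudly."""

    def __init__(self, base, content, word_size):
        self.base, self.mem, self.ws = base, bytearray(content), word_size
        self.peeks = self.pokes = 0   # "syscall" counters for the self-test

    def _offset(self, addr):
        if addr % self.ws:
            raise OSError(errno.EIO, "unaligned word access at %#x" % addr)
        off = addr - self.base
        if off < 0 or off + self.ws > len(self.mem):
            raise OSError(errno.EIO, "address %#x outside mapping" % addr)
        return off

    def peek(self, addr):
        off = self._offset(addr)
        self.peeks += 1
        return int.from_bytes(self.mem[off:off + self.ws], "little")

    def poke(self, addr, word):
        off = self._offset(addr)
        self.pokes += 1
        self.mem[off:off + self.ws] = word.to_bytes(self.ws, "little")


def linux_ptrace_backend(pid, word_size=8):
    """(peek, poke) over the real ptrace(2) for an already attached and stopped
    pid. Linux only; an assumed backend that the self-test below never calls."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    libc.ptrace.restype = ctypes.c_long
    libc.ptrace.argtypes = [ctypes.c_long, ctypes.c_long, ctypes.c_void_p, ctypes.c_void_p]
    mask = (1 << (8 * word_size)) - 1

    def peek(addr):
        ctypes.set_errno(0)   # PEEKDATA returns the word itself, so -1 alone is ambiguous
        word = libc.ptrace(PTRACE_PEEKDATA, pid, addr, None)
        err = ctypes.get_errno()
        if word == -1 and err:
            raise OSError(err, os.strerror(err))
        return word & mask

    def poke(addr, word):
        ctypes.set_errno(0)
        if libc.ptrace(PTRACE_POKEDATA, pid, addr, word) == -1:
            err = ctypes.get_errno()
            raise OSError(err, os.strerror(err))

    return peek, poke


if __name__ == "__main__":
    mem = FakeMemory(0x1000, b"hello, world\x00" + bytes(19), word_size=4)
    print(read_bytes(mem.peek, 0x1001, 5, 4))             # b'ello,'
    write_bytes(mem.peek, mem.poke, 0x1007, b"WORLD", 4)
    print(read_bytes(mem.peek, 0x1000, 12, 4))            # b'hello, WORLD'
```

The edge-word handling is the part worth checking in any binding: a write that lies entirely inside one word must still peek that word once and poke it once, keeping the bytes on both sides, and a write whose end is word-aligned must not peek past its last word.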
---
PtraceProcess guesses the reason why it received a signal; examples:
(a) Signal: SIGFPE
Division by zero! edi=0x00000000
ASM: IDIV EDI
(b) Signal: SIGSEGV
FAULT ADDRESS: 0x08328000
INVALID READ, registers: edi=0x00006110, ecx=0x08321ef0
ASM: TEST [EDI+ECX], DL
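Example (b) above shows the two pieces of information a crash-triage tool combines: where the fault address falls in the process's memory map (the same /proc/pid/maps data that findStack() uses) and which registers, alone or summed as a base+index pair, could have produced that address. The code below is an added example for this post, not python-ptrace's own code. It parses a constructed /proc/pid/maps excerpt, classifies a SIGSEGV as unmapped or as a permission problem, and names the candidate registers; the fault address and the edi/ecx values are the ones from example (b), so the reported pair is [ecx+edi], matching the "TEST [EDI+ECX], DL" instruction shown there. Whether the access was a read or a write is taken as an input here (the post's debugger derives it from the disassembled instruction).

```python
import re
from collections import namedtuple

Mapping = namedtuple("Mapping", "start end perms path")

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text):
    """Parse /proc/<pid>/maps text into a list of Mapping records."""
    maps = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            maps.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                                m.group(3), m.group(4)))
    return maps


def find_mapping(maps, addr):
    """Return the mapping containing addr, or None if the address is unmapped."""
    for m in maps:
        if m.start <= addr < m.end:
            return m
    return None


def find_stack(maps):
    """Stack start/end as reported by the kernel's [stack] pseudo-path."""
    for m in maps:
        if m.path == "[stack]":
            return m.start, m.end
    return None


def explain_segv(maps, regs, fault_addr, is_write):
    """Classify a SIGSEGV and list the registers that could have formed the
    fault address. `is_write` is an input here; the post's debugger gets it
    by disassembling the faulting instruction."""
    mapping = find_mapping(maps, fault_addr)
    if mapping is None:
        kind = "UNMAPPED"
    elif is_write and "w" not in mapping.perms:
        kind = "WRITE TO READ-ONLY MAPPING"
    elif not is_write and "r" not in mapping.perms:
        kind = "READ OF UNREADABLE MAPPING"
    else:
        kind = "MAPPED WITH SUFFICIENT PERMISSIONS"
    # A register equal to the fault address points at a plain [reg] operand;
    # a pair whose sum equals it suggests a [base+index] operand like [EDI+ECX].
    exact = sorted(name for name, val in regs.items() if val == fault_addr)
    names = sorted(regs)
    pairs = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
             if regs[a] + regs[b] == fault_addr]
    return {"kind": kind, "mapping": mapping, "exact": exact, "pairs": pairs}


def format_report(result, regs):
    """Render a one-line summary in the style of the post's examples."""
    regs_text = ", ".join("%s=0x%08x" % (n, regs[n]) for n in sorted(regs))
    hint = ""
    if result["pairs"]:
        hint = " (%s)" % " or ".join("[%s+%s]" % p for p in result["pairs"])
    elif result["exact"]:
        hint = " ([%s])" % "/".join(result["exact"])
    return "%s%s, registers: %s" % (result["kind"], hint, regs_text)


# Constructed /proc/<pid>/maps excerpt and register values for a 32-bit process;
# the fault address and edi/ecx values are taken from example (b) in the post.
SAMPLE_MAPS = """\
08048000-08052000 r-xp 00000000 08:01 1234       /bin/ls
08052000-08053000 rw-p 0000a000 08:01 1234       /bin/ls
08321000-08328000 rw-p 00000000 00:00 0          [heap]
bffeb000-c0000000 rw-p 00000000 00:00 0          [stack]
"""
SAMPLE_REGS = {"edi": 0x00006110, "ecx": 0x08321EF0, "eip": 0x0804A120}
SAMPLE_FAULT = 0x08328000

if __name__ == "__main__":
    maps = parse_maps(SAMPLE_MAPS)
    res = explain_segv(maps, SAMPLE_REGS, SAMPLE_FAULT, is_write=False)
    print(format_report(res, SAMPLE_REGS))
    print("stack: %#x-%#x" % find_stack(maps))
```

In the sample the heap mapping ends exactly at 0x08328000, so the access one byte past it is reported as unmapped rather than as a permission fault; a write into the r-xp text segment of /bin/ls would instead be classified as a write to a read-only mapping.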
---
Example of strace.py output:
$ ./strace.py /bin/ls
execve(/bin/ls, ['/bin/ls'], [/* 40 vars */]) = 756
brk(0) = 0x0805c000
access('/etc/ld.so.nohwcap', 0) = -2 (No such file or directory)
mmap2(NULL, 8192, 3, 34, -1, 0) = 0xb7f56000
access('/etc/ld.so.preload', 4) = -2 (No such file or directory)
(...)
close(1) = 0
munmap(0xb7c5c000, 4096) = 0
exit_group(0)
Victor Stinner aka haypo