-
Notifications
You must be signed in to change notification settings - Fork 563
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
attach injection on Linux #38
Comments
From [email protected] on April 09, 2012 11:59:07 xref issue #725 : attach feature on Windows |
From [email protected] on July 16, 2012 06:33:26 Another thing we have to think about for attach is, what do we do about stdio fds? If we're not present from the beginning, the app can close fds 0, 1, and 2, and use them for something else. I have a test app that gets the stderr stream pointing to a non-standard file descriptor: #include <stdio.h>
int main(void) {
fprintf(stdout, "stderr->_fileno: %d\n", stderr->_fileno);
fprintf(stderr, "this is to stderr\n");
fclose(stderr);
FILE _t2 = fopen("t2", "w"); /* Steals fd 2 */
freopen("t", "w", stderr);
fclose(t2);
fprintf(stdout, "stderr->_fileno: %d\n", stderr->_fileno); /* prints 3 on my system */
fprintf(stderr, "this is to t\n");
return 0;
} Currently, we'll come in and import stderr from libc and use its _fileno. When the app closes the fd, we'll dup it to keep it alive. However, for libc isolation we're going to cut this import and just use the standard fileno constants from unistd.h. So, for attach, we may want to do some poking for libc and try to find the current stream filenos. This is kind of a corner case, though. Most apps are likely to either close the stdio fds completely, or call freopen() on them without closing them and opening a new file first, which typically reuses the same fd number. If the app has totally closed fds, like if the user is trying to attach to a daemon, is there some way we can connect STDOUT and STDERR to the tty of the injector? |
From [email protected] on March 01, 2013 12:33:15 xref issue #764 : support attaching to processes with non-pthreads threads |
From [email protected] on March 01, 2013 12:33:24 Owner: [email protected] |
From [email protected] on March 02, 2013 13:53:01 Testing on modern distros is made more difficult by the ptrace_scope stuff that's been done recently. I want to add a test for attach, but I don't want to require devs to set /proc/sys/kernel/yama/ptrace_scope to 0 in order to get the test to pass. The new restrictions say that you can only ptrace a child process. I think I can adequately test our injection if I do the following:
|
From [email protected] on March 12, 2013 06:45:39 Oops, comment 5 is about ptrace injection, which is issue #37 . |
From [email protected] on October 25, 2013 11:46:28 xref issue #1305 |
Trying to summarize the status of attach: Attaching to an already-running process is not yet officially supported. There is a On Windows there are non-trivial technical obstacles (#725). What was implemented was ptrace injection into a fresh process (#37): As well as taking over all threads at DR init time (for #722): Rrecent work has made the start/stop API's attach and thread takeover more The remaining work would be extending the ptrace fresh injection to |
When is the attach feature expected to be completed and ready to be used in Linux systems? Thank you |
If you'd like to contribute to this feature it may be best to first coordinate with: |
(Xref #5019) Comment added per request After we ptrace a process, it is stopped with SIGSTOP. This is the point where we inject our code, but... There are 2 ways which we can handle this:
I put "wait" as the default option with wait_syscall=true, this won't break anything. if wait_syscall=false:
|
#5054 lists a number of issues to be improved here:
Tests are also missing.
That failure is not in the DR logs if I use -loglevel 2: so presumably Still TODO:
|
Fixes a number of issues with Linux attach: + Set xdi to zero for x86 _start relocation of libdynamorio. + Implement remote memset for .bss zeroing in elf_loader_map_phdrs(), fixing a crash in some builds such as Ubuntu20 release build. + Don't kill target if attach fails. + Fix crash if no pid passed. + Adds a useful error message on failure to look at ptrace permissions. + Adds a warning to use -skip_syscall if attach hangs. + Adds a test by porting the Windows client.attach test to Linux. Disables the mprotect syscall due to weird failures which need to be examined. Further tests of blocking syscalls and -skip_syscall are needed. Re-enables the attach help message for drrun and the deployment docs. Tested release build on Ubuntu20 where the .bss crash reproduced every run and is now gone. Tested "ctest --repeat-until-fail 100 -V -R client.attach" on Ubuntu20 and on a Debian-ish system: no failures. Issue: #38, #5054 Fixes #5054
Also TODO:
|
Fixes a number of issues with Linux attach: + Set xdi to zero for x86 _start relocation of libdynamorio. + Implement remote memset for .bss zeroing in elf_loader_map_phdrs(), fixing a crash in some builds such as Ubuntu20 release build. + Don't kill target if attach fails. + Fix crash if no pid passed. + Adds a useful error message on failure to look at ptrace permissions. + Adds a warning to use -skip_syscall if attach hangs. + Adds a test by porting the Windows client.attach test to Linux. Disables the mprotect syscall due to weird failures which need to be examined. Further tests of blocking syscalls and -skip_syscall are needed. Re-enables the attach help message for drrun and the deployment docs. Tested release build on Ubuntu20 where the .bss crash reproduced every run and is now gone. Tested "ctest --repeat-until-fail 100 -V -R client.attach" on Ubuntu20 and on a Debian-ish system: no failures. Issue: #38, #5054 Fixes #5054
Assigning temporarily to me as I'm adding AArch64 support |
I have AArch64 working, but as usual AArch32 is much more complex with the arm-vs-thumb transition woes. Plus I'm now blocked on an IT block bug which you'd think would have been hit before? #5459. Plus for AArch64 attaching to some target servers, SIGUSR2 is blocked: but that's filed separately as #5458. |
Also, for AArch32's client.attach test to infloop, I seem to need to pass -skip_syscall while the other arches don't need it (and deliberately don't pass it as it's considered experimental; though it seems necessary to attach to many apps). |
Implements missing functionality for ptrace attach on AArch64 and AArch32: generated code sequences were previously x86-only; -skip_syscall handling only supported x86; and AArch64 does not support PTRACE_POKEUSER or PTRACE_PEEKUSER. For AArch32, Thumb vs Arm mode require multiple steps: clearing LSB to point at the path used as data via a call; switching to Arm mode for DR's _start; setting the LSB of the initial app PC. For AArch32, additionally fixes an encoder error where the opcode is queried before copying a needs-no-encoding instruction. This is required for the instruction used to hold data for injection. Tweaks the disassembler to leave a level 0 instr alone, again to better handle the data-only insruction used for injection. Enables the client.attach test on AArch64 and AArch32. For AArch32, it needs -skip_syscall. Long-term we want that on by default everywhere but we want explicit tests that hit it on all platforms first. Issue: #38
Implements missing functionality for ptrace attach on AArch64 and AArch32: generated code sequences were previously x86-only; -skip_syscall handling only supported x86; and AArch64 does not support PTRACE_POKEUSER or PTRACE_PEEKUSER. For AArch32, Thumb vs Arm mode require multiple steps: clearing LSB to point at the path used as data via a call; switching to Arm mode for DR's _start; setting the LSB of the initial app PC. For AArch32, additionally fixes an encoder error where the opcode is queried before copying a needs-no-encoding instruction. This is required for the instruction used to hold data for injection. Tweaks the disassembler to leave a level 0 instr alone, again to better handle the data-only insruction used for injection. Enables the client.attach test on AArch64 and AArch32. For AArch32, it needs -skip_syscall. Long-term we want that on by default everywhere but we want explicit tests that hit it on all platforms first. Tested manually on an AArch32 machine. Unfortunately the client.attach test is not trival to set up under QEMU with its multiple command lines and background processes so that is left as beyond the scope of this PR and is instead considered part of #4719. Issue: #38
Makes interrupting a blocking syscall on attach the default behavior. Removes the -skip_syscall drrun/drinject parameter. Adds a test by adding an optional blocking syscall to infloop. Issue: #38
Re: the blocking syscall issues above and -skip_syscall: my plan is to make -skip_syscall on by default since I seem to need it most times that I attach, and it works. What's missing is handling auto-restart syscalls where we need to set the PC back to before the syscall: but we'd need to restore the syscall # which is difficult. Note that on AArch64 kernels, this syscall issue does not seem to exist: the takeover PC always re-executes the syscall. |
Makes interrupting a blocking syscall on attach the default behavior. Removes the -skip_syscall drrun/drinject parameter. Adds a test by adding an optional blocking syscall to infloop. Issue: #38
User-requested feature (https://groups.google.com/g/dynamorio-users/c/IgekzFu-Md0): also support adhoc detach. |
From [email protected] on February 24, 2009 10:01:18
this was PR 204490
focusing on Linux as Windows has issues that are best solved with a kernel
driver, unless we think we can rely on backward decoding heuristics or
don't mind losing control for a while
we do have some issues on Linux:
probably rely on ptrace (xref issue targeted injection on Linux via ptrace #37 )
probably use a modify-and-observe approach
Original issue: http://code.google.com/p/dynamorio/issues/detail?id=38
The text was updated successfully, but these errors were encountered: