teambi0s/secREtary

Add basic ptrace patcher for Anti2RE

R3x opened this issue · 7 comments

R3x commented

Basic ptrace patcher

  • Find out all the ptrace calls in a binary (with TRACE_ME)
  • Write a simple test program
  • Find ideal ways to patch the binary
  • Write a wrapper to execute and check again
  • Patch the binary (See if it's possible to permanently patch with PIN)

We will be using pin/source/tools/Replay/call_function_natively.cpp as a reference to build the tool.
Most of the API calls this tool uses are useful in building the final ptrace patch tool. I will be pushing the skeleton code for hooking the ptrace function soon.

@R3x I would like to know how we would be proceeding with the tool. Will it be used for on-the-fly patching during runtime (by integrating into another tool)?

R3x commented

@adityavardhanpadala I would prefer to see things patched using Intel Pin itself. But if that's not possible, please dump the addresses that need to be patched and write a wrapper that does the patching.

Understood.

I will go through 'call_function_natively.cpp'. @R3x, about dumping the addresses: how will we know that these addresses can't be patched? Are there any exceptions that we need to handle?

R3x commented

@masterugwee All you need to make sure is that you are not trying to patch a library function since we are not sure what all library functions may be using ptrace internally. However we need to patch all calls to ptrace@plt. There might be cases where the return value of ptrace is used but we can't do anything about that.

Other targets for patching would be calls to sleep, SIGALRM and also int3 instructions in the code. These may lead to issues in the code, but it's a risk we have to take.

That makes sense. Thanks @R3x
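As an added example (not code from the secREtary repo or from either commenter), here is the kind of "simple test program" the checklist asks for: a minimal PTRACE_TRACEME anti-debug check, plus a function that folds the raw ptrace return value into a key to illustrate the "return value of ptrace is used" case raised above. The function names and the key constant are constructed for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/ptrace.h>

/* Classify a ptrace(PTRACE_TRACEME) result: 1 = a tracer is already
 * attached, 0 = not traced, -1 = ptrace itself is unusable (e.g. blocked
 * by a seccomp filter), so a patcher can tell the three cases apart. */
int classify_traceme(long rc, int err)
{
    if (rc == 0)
        return 0;
    return err == EPERM ? 1 : -1;
}

/* Run the check once. PTRACE_TRACEME only succeeds once per process:
 * a second call fails with EPERM, so this must not be repeated. */
int traced_by_ptrace(void)
{
    errno = 0;
    long rc = ptrace(PTRACE_TRACEME, 0, NULL, NULL);
    return classify_traceme(rc, errno);
}

/* The "return value is used" case: instead of branching on the result,
 * the program mixes it into a key. Skipping the call site (leaving the
 * return register undefined) changes the key, so a patch has to make the
 * call site yield 0, which is what ptrace returns natively. */
unsigned long derive_key(long ptrace_rc)
{
    /* 0x5eed is a constructed constant for illustration only. */
    return 0x5eedUL ^ (unsigned long)(ptrace_rc + 1);
}

int main(void)
{
    int state = traced_by_ptrace();
    if (state == 1) {
        puts("debugger detected");
        return 1;
    }
    /* state -1: ptrace unavailable; report it rather than mistake it
     * for a tracer, and show the key such a result would produce. */
    if (state == -1)
        puts("ptrace unavailable, check skipped");
    printf("key = 0x%lx\n", derive_key(state == 0 ? 0 : -1));
    return 0;
}
```

Run it natively and under gdb to see the two outcomes; a patch that replaces the ptrace@plt call must leave 0 in the return register for derive_key to stay unchanged.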