Opened 8 years ago

Last modified 8 years ago

#60 new enhancement

debugging module using ptrace

Reported by: guest Owned by: Sam Hocevar
Priority: major Milestone:
Component: core Version: SVN
Keywords: Cc: maheshebhole@gmail.com
Product: zzuf

Description (last modified by Sam Hocevar)

The main function of this ptrace module is to add a debugging environment. At the same time, its other task is to find the maximum possible number of locations where the application may crash and to report where they are.

The ptrace module can be invoked using the -d option, i.e. debugging:

    zzuf -r0.12 -d ./mypgm2

If the application program crashes, the following options are shown:

1. Single Step
2. View Variable
3. Continue stop child
4. Modify Variable
5. View Registers
6. Modify Registers
7. Process Id
8. View Instructions
9. View EIP
10. View Error Table
11. Set BreakPoint
12. Help
13. Restart Process
14. Exit

These are the various debugging options. It will also show the different functions with their names and their start and end EIP, which can be used for setting a breakpoint.

example:

    Name Of Function       Start Eip   End Eip
    libc_csu_fini          8048900     8048904
    _start                 80483c0     80483f2
    _fini                  80489a8     80489b6
    libc_csu_init          8048910     804891c
    i686.get_pc_thunk.bx   8048979     804897c
    main                   8048494     80488f5
    _init                  8048310     8048326

It will also show

    ch.pid=6506 read count=4 crash=1 seed=0 sec_count=0 rerun=1

ch.pid represents the process id of the current application, which is under the control of zzuf. sec_count represents the number of system calls (or fuzzing operations) that have been executed. After each run, sec_count is set to zero and its value is assigned to read count. Both read count and sec_count are used for controlling the fuzzing: fuzzing occurs only if sec_count is greater than read count.

crash represents the number of crashes that can occur in the application. rerun is incremented whenever the application is restarted after a crash.

These are the various options:

1. Single Step

This option can be used for single stepping. It will show the eip (instruction pointer) of the current statement.

2. View Variable

This option can be used to view the content of a variable. Currently it is implemented only for global variables. For this, the name of the variable is taken as input.

3. Continue stop child

The application program stops after executing the system call (which contains fuzzing). This option is used to continue that program.

4. Modify Variable

This option can be used to modify the content of a variable. Currently it is implemented only for global variables. For this, the name of the variable is taken as input.

5. View Registers

This option can be used for viewing the content of the following registers of the application program: EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP, EIP.

6. Modify Registers

This option can be used for modifying the content of the following registers of the application program: EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP, EIP.

7. Process Id

This option shows the process id of current option.

8. View Instructions

This option can be used for viewing the next few instructions.

9. View EIP

This option will show the content of instruction pointer.

10. View Error Table

This option will show the error table. example:

    Function Name   Eip
    main            8048635
    main            804883b

It will give the name of the function as well as the exact instruction pointer where the program crashes. This can then be mapped with utilities like objdump/readelf.

11. Set BreakPoint

This option can be used for setting a break point. It takes an eip as input (as a decimal value) and sets the break point at that instruction pointer. Note: please try to set the break point before any system call (where fuzzing occurs). The eip of the application can be taken from utilities like objdump/readelf.

12. Help

This option will show the help.

13. Restart Process

This option is used to restart the application program when it crashes. If one of the following messages comes, then give option 13 as input:

    "Program Has Been Crashed !!!!! Please Give Option 13 so as to restart the Process"
    "Program Execution Is Over"

14. Exit

This option can terminate the whole application.

Attachments (1)

zzuf-0.12.patch (343.7 KB) - added by guest 8 years ago.
Patch is attached.


Change History (3)

Changed 8 years ago by guest

Attachment: zzuf-0.12.patch added

Patch is attached.

comment:1 Changed 8 years ago by Sam Hocevar

Description: modified (diff)
Summary: changed from "The main function of this ptrace module is to add debugging environment. At the same time its other task is find maximum possible locations where the application may crash and to find its location." to "debugging module using ptrace"

comment:2 Changed 8 years ago by Sam Hocevar

This is not exactly what I had in mind about zzuf having to use ptrace in order to be more robust. I believe we first need a robust ptrace controller that will divert read and write system calls, so that we can avoid the whole LD_PRELOAD mechanism.

Nevertheless, there are interesting parts in this patch and I hope to be able to split it in meaningful parts.
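The ptrace controller described in the comment above and the debugger options in the description share the same skeleton: a traced child, stops at every system call, and register access on a crash. The following is an added example written here, not code from the attached patch or from zzuf. It counts read() calls (the "system call where fuzzing occurs"), and on SIGSEGV records the faulting instruction pointer as an error-table entry. It assumes Linux on x86-64 (so rip and orig_rax instead of EIP); the child is a constructed crashing target, not a real fuzz target.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
/* What the controller learned from one run of the traced child. */
struct trace_result { int ptrace_ok, reads, crashed; unsigned long crash_ip; };

/* Constructed test target: one read() on a pipe, then a write through NULL. */
static void crashing_child(int fd) {
    char buf[4];
    int *volatile p = NULL;             /* volatile so the compiler keeps the store */
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(111);
    raise(SIGSTOP);                     /* hand control to the tracer */
    if (read(fd, buf, sizeof buf) < 0) _exit(112);  /* the syscall to intercept */
    *p = 1;                             /* deliberate crash: SIGSEGV */
    _exit(0);
}

/* Tracer: stop at every syscall, count read()s, record the crash EIP/RIP. */
struct trace_result trace_child(void) {
    struct trace_result r = {0, 0, 0, 0};
    int fds[2], status, entering = 0;
    if (pipe(fds) < 0 || write(fds[1], "zzuf", 4) != 4) return r;
    pid_t pid = fork();
    if (pid == 0) crashing_child(fds[0]);
    close(fds[0]); close(fds[1]);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return r;
    r.ptrace_ok = 1;                    /* child is stopped under our control */
    /* Flag syscall stops as SIGTRAP|0x80 so they differ from real signals. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
    while (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == 0 &&
           waitpid(pid, &status, 0) == pid && WIFSTOPPED(status)) {
        struct user_regs_struct regs;   /* the "View Registers" data */
        ptrace(PTRACE_GETREGS, pid, NULL, &regs);
        if (WSTOPSIG(status) == (SIGTRAP | 0x80)) {
            entering = !entering;       /* stops alternate: entry, exit, ... */
            if (entering && regs.orig_rax == SYS_read) r.reads++;
        } else if (WSTOPSIG(status) == SIGSEGV) {
            r.crashed = 1;
            r.crash_ip = regs.rip;      /* the "View Error Table" entry */
            kill(pid, SIGKILL);
            waitpid(pid, &status, 0);
            break;
        }
    }
    return r;
}
```

Diverting a read() as the comment proposes would happen at the syscall-exit stop of that read, by rewriting the child's buffer (regs.rsi) with PTRACE_POKEDATA before resuming; if ptrace is not permitted in the environment, ptrace_ok stays 0.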
