Opened 15 years ago
Last modified 15 years ago
#60 new enhancement
debugging module using ptrace
Reported by: | guest | Owned by: | Sam Hocevar |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | core | Version: | SVN |
Keywords: | | Cc: | maheshebhole@gmail.com |
Product: | zzuf |
Description
The main function of this ptrace module is to add a debugging environment. At the same time, its other task is to find the maximum possible locations where the application may crash and to find their location.
The ptrace module can be invoked using the -d option, i.e. Debugging:
zzuf -r0.12 -d ./mypgm2
If the application program crashes, the following options are shown:
1. Single Step
2. View Variable
3. Continue stop child
4. Modify Variable
5. View Registers
6. Modify Registers
7. Process Id
8. View Instructions
9. View EIP
10. View Error Table
11. Set Breakpoint
12. Help
13. Restart Process
14. Exit
These are the various debugging options. It will also show the different functions with their names and their start and end EIP, which can be used for setting a breakpoint.
Example:
Name Of Function | Start Eip | End Eip |
---|---|---|
libc_csu_fini | 8048900 | 8048904 |
_start | 80483c0 | 80483f2 |
_fini | 80489a8 | 80489b6 |
libc_csu_init | 8048910 | 804891c |
i686.get_pc_thunk.bx | 8048979 | 804897c |
main | 8048494 | 80488f5 |
_init | 8048310 | 8048326 |
It will also show:
ch.pid=6506 read count=4 crash=1 seed=0 sec_count=0 rerun=1
ch.pid represents the process id of the current application which is under the control of zzuf. sec_count represents the number of system calls (or fuzzing) that have been executed. After each run, sec_count is set to zero and its value is assigned to read count. Both read count and sec_count are used for controlling the fuzzing. Fuzzing occurs only if sec_count is greater than read count.
crash represents the number of crashes that can occur in the application. rerun is incremented whenever the application is restarted after a crash.
These are the various options:
1. Single Step
This option can be used for single stepping. It will show the EIP (instruction pointer) of the current statement.
2. View Variable
This option can be used to view the content of a variable. Currently it is implemented only for global variables. For this, the name of the variable is taken as input.
3. Continue stop child
The application program stops after executing the system call (which contains fuzzing). This option is used to continue that program.
4. Modify Variable
This option can be used to modify the content of a variable. Currently it is implemented only for global variables. For this, the name of the variable is taken as input.
5. View Registers
This option can be used for viewing the content of the following registers of the application program: EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP, EIP.
6. Modify Registers
This option can be used for modifying the content of the following registers of the application program: EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP, EIP.
7. Process Id
This option shows the process id of the current option.
8. View Instructions
This option can be used for viewing the next few instructions.
9. View EIP
This option will show the content of the instruction pointer.
10. View Error Table
This option will show the error table. Example:
Function Name | Eip |
---|---|
main | 8048635 |
main | 804883b |
It will give the name of the function as well as the exact instruction pointer where the program crashes. This can then be mapped with utilities like objdump/readelf.
11. Set Breakpoint
This option can be used for setting a breakpoint. It takes an EIP as input (as a decimal value) and sets the breakpoint at that instruction pointer. Note: please try to set the breakpoint before any system call (where fuzzing occurs). The EIP of the application can be taken from utilities like objdump/readelf.
12. Help
This option will show the help.
13. Restart Process
This option is used to restart the application program when it crashes. If one of the following messages comes, give option 13 as input:
"Program Has Been Crashed !!!!! Please Give Option 13 so as to restart the Process"
"Program Execution Is Over"
14. Exit
This option terminates the whole application.
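The core of the debugger described above, as an added example that is neither the attached zzuf-0.12.patch nor zzuf's own code: a Linux ptrace controller that runs a child, counts its system-call stops (the sec_count idea) and, when the child faults, records the signal and the faulting instruction pointer (the "View EIP" / "View Error Table" idea). The names trace_child, tracee_pc, demo_crash and demo_clean are mine, and the two demo tracees are constructed stand-ins for ./mypgm2.

```c
#define _GNU_SOURCE
#include <elf.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
/* Program counter of a stopped tracee (PTRACE_GETREGSET works on x86 and arm64). */
static unsigned long tracee_pc(pid_t pid) {
    struct user_regs_struct regs;
    struct iovec iov = { &regs, sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)(long)NT_PRSTATUS, &iov) == -1) return 0;
#if defined(__x86_64__)
    return regs.rip;
#elif defined(__i386__)
    return regs.eip;                        /* the EIP the ticket prints */
#else
    return regs.pc;                         /* aarch64 */
#endif
}
/* Runs fn() traced: 1 = faulted (sig, pc set), 0 = exited normally, -1 = ptrace
 * unavailable (sandboxes often forbid it). syscall_stops ~ the ticket's sec_count. */
int trace_child(void (*fn)(void), int *sig, unsigned long *pc, int *syscall_stops) {
    int status, inject = 0;                 /* signal to deliver on next resume */
    *sig = 0; *pc = 0; *syscall_stops = 0;
    pid_t pid = fork(); if (pid < 0) return -1;
    if (pid == 0) {                         /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) == -1) _exit(127);
        raise(SIGSTOP);                     /* pause so the tracer can set options */
        fn(); _exit(0);
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) return -1;
    ptrace(PTRACE_SETOPTIONS, pid, 0, (void *)(long)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, 0, (void *)(long)inject) == -1) return -1;
        if (waitpid(pid, &status, 0) == -1) return -1;
        if (!WIFSTOPPED(status)) return 0;  /* exited or was killed */
        int s = WSTOPSIG(status); inject = 0;
        if (s == (SIGTRAP | 0x80)) { (*syscall_stops)++; continue; } /* syscall stop */
        if (s == SIGSEGV || s == SIGBUS || s == SIGILL || s == SIGFPE) {
            *sig = s; *pc = tracee_pc(pid);             /* crash: record where */
            kill(pid, SIGKILL); waitpid(pid, &status, 0); return 1;
        }
        inject = s;                         /* any other signal: pass it through */
    }
}
/* Constructed stand-ins for the ticket's ./mypgm2 (not part of the ticket). */
static volatile unsigned long g_bad_addr = 0;               /* NULL only at runtime */
void demo_crash(void) { *(volatile int *)g_bad_addr = 42; } /* faults with SIGSEGV */
void demo_clean(void) { (void)getpid(); }                   /* one syscall, then exit */
```

Mapping the returned pc back to a function name is left to objdump/readelf, exactly as the ticket suggests for its error table.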
Attachments (1)
Change History (3)
Changed 15 years ago by
Attachment: | zzuf-0.12.patch added |
---|
comment:1 Changed 15 years ago by
Description: | modified (diff) |
---|---|
Summary: | The main function of this ptrace module is to add debugging environment. At the same time its other task is find maximum possible locations where the application may crash and to find its location. → debugging module using ptrace |
comment:2 Changed 15 years ago by
This is not exactly what I had in mind about zzuf having to use ptrace in order to be more robust. I believe we first need a robust ptrace controller that will divert read and write system calls, so that we can avoid the whole LD_PRELOAD mechanism.
Nevertheless, there are interesting parts in this patch and I hope to be able to split it in meaningful parts.
Patch is attached.