Added injcode debugging flag

Allows developers to step through injcode with gdb
jonatron · Jan 9, 2021 · 6cc75ea · 6cc75ea
1 parent d35527e
commit 6cc75ea
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 4 deletions.
diff --git a/ezinject.c b/ezinject.c
@@ -171,6 +171,15 @@ uintptr_t remote_call_common(pid_t target, struct call_req call){
 				return -1;
 			}
 
+			/**
+			 * if we're debugging payload
+			 * we break early as the target should
+			 * now be in an endless loop
+			 **/
+			if(ctx.pl_debug){
+				return -1;
+			}
+
 			// wait for the children to stop
 			status = remote_wait(target);
 
@@ -444,6 +453,7 @@ struct injcode_bearing *prepare_bearing(struct ezinj_ctx *ctx, int argc, char *a
 	}
 	br->mapping_size = mapping_size;
 
+	br->pl_debug = ctx->pl_debug;
 
 	br->libdl_handle = (void *)ctx->libdl.remote;
 #ifdef HAVE_DL_LOAD_SHARED_LIBRARY
@@ -728,6 +738,13 @@ int ezinject_main(
 
 		CHECK(__RCALL(ctx, remote_trampoline_entry, 0));
 
+		/**
+		 * if payload debugging is on, skip any cleanup
+		 **/
+		if(ctx->pl_debug){
+			return -1;
+		}
+
 		ctx->num_wait_calls = 1;
 		ctx->syscall_stack.remote = 0;
 
@@ -758,7 +775,21 @@ int main(int argc, char *argv[]){
 		return 1;
 	}
 
-	const char *argPid = argv[1];
+	memset(&ctx, 0x00, sizeof(ctx));
+
+	{
+		int c;
+		while ((c = getopt (argc, argv, "d")) != -1){
+			switch(c){
+				case 'd':
+					WARN("payload debugging enabled, the target **WILL** freeze");
+					ctx.pl_debug = 1;
+					break;
+			}
+		}
+	}
+
+	const char *argPid = argv[optind++];
 	pid_t target = atoi(argPid);
 
 	if(ptrace(PTRACE_ATTACH, target, 0, 0) < 0){
@@ -793,11 +824,18 @@ int main(int argc, char *argv[]){
 		return 1;
 	}
 
-	err = ezinject_main(&ctx, argc - 2, &argv[2]);
+	err = ezinject_main(&ctx, argc - optind, &argv[optind]);
 
 	CHECK(ptrace(PTRACE_DETACH, target, 0, 0));
 
+	/**
+	 * skip IPC cleanup if we encountered any error
+	 * (payload debugging counts as failure)
+	 **/
 	if(err != 0){
+		if(ctx.pl_debug){
+			INFO("You may now attach with gdb for payload debugging");
+		}
 		return err;
 	}
 

diff --git a/ezinject.h b/ezinject.h
@@ -65,6 +65,7 @@ struct ezinj_pl {
 };
 
 struct ezinj_ctx {
+	int pl_debug;
 	int num_wait_calls;
 	pid_t target;
 	ez_addr libc;

diff --git a/ezinject_injcode.c b/ezinject_injcode.c
@@ -165,6 +165,11 @@ void injected_fn(struct injcode_bearing *br){
 	int signal = SIGTRAP;
 
 	do {
+
+		if(br->pl_debug){
+			inj_halt: goto inj_halt;
+		}
+
 		// entry
 		DBG('e');
 

diff --git a/ezinject_injcode.h b/ezinject_injcode.h
@@ -78,9 +78,8 @@ struct injcode_bearing
 {
 	size_t mapping_size;
 
+	int pl_debug;
 	pthread_t user_tid;
-	pid_t user_ft;
-
 	void *userlib;
 
 #if defined(HAVE_LIBC_DLOPEN_MODE)