Handle pie executables

Author: bjorn3

Cargo.toml

@@ -26,5 +26,9 @@ memmap = "0.7.0"
 mach = "0.3"
 security-framework-sys = "1.0"
 
+# Dependencies specific to Linux
+[target.'cfg(target_os="linux")'.dependencies]
+procfs = "0.8.0"
+
 [dev-dependencies]
 rustyline = "6.2.0"

src/symbol/mod.rs

@@ -3,13 +3,14 @@
 
 use gimli::read::{EvaluationResult, Reader as _};
 use object::{
-    read::{Object, ObjectSection, Symbol},
+    read::{Object, ObjectSection, ObjectSegment, Symbol},
     SymbolKind,
 };
 use std::{
     borrow::Cow,
     collections::{BTreeMap, HashMap},
     fs::File,
+    path::Path,
     rc::Rc,
 };
 
@@ -223,7 +224,9 @@ mod inner {
         // todo: impl loader struct instead of taking 'path' as an argument.
         // It will be required to e.g. load coredumps, or external debug info, or to
         // communicate with rustc/lang servers.
-        pub fn new(path: &str) -> Result<Dwarf, Box<dyn std::error::Error>> {
+        pub fn new<P: AsRef<std::path::Path>>(
+            path: P,
+        ) -> Result<Dwarf, Box<dyn std::error::Error>> {
             // Load ELF/Mach-O object file
             let file = File::open(path)?;
 
@@ -277,3 +280,132 @@ impl Dwarf {
         self.rent(|parsed| parsed.get_var_address(name))
     }
 }
+
+pub struct RelocatedDwarf(Vec<RelocatedDwarfEntry>);
+
+struct RelocatedDwarfEntry {
+    address_range: (u64, u64),
+    file_range: (u64, u64),
+    bias: u64,
+    dwarf: Dwarf,
+}
+
+impl std::fmt::Debug for RelocatedDwarfEntry {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("RelocatedDwarfEntry")
+            .field(
+                "address_range",
+                &format!(
+                    "{:016x}..{:016x}",
+                    self.address_range.0, self.address_range.1
+                ),
+            )
+            .field(
+                "file_range",
+                &format!("{:016x}..{:016x}", self.file_range.0, self.file_range.1),
+            )
+            .field("bias", &format!("{:016x}", self.bias))
+            .field(
+                "stated_range",
+                &format!(
+                    "{:016x}..{:016x}",
+                    self.address_range.0 - self.bias,
+                    self.address_range.1 - self.bias
+                ),
+            )
+            .finish()
+    }
+}
+
+impl RelocatedDwarfEntry {
+    fn from_file_and_offset(
+        address: (u64, u64),
+        file: &Path,
+        offset: u64,
+    ) -> Result<Self, Box<dyn std::error::Error>> {
+        match Dwarf::new(file) {
+            Ok(dwarf) => {
+                let (file_range, stated_address) = dwarf
+                    .rent(|parsed| {
+                        let object: &object::File = &parsed.object;
+                        object.segments().find_map(|segment: object::Segment| {
+                            // Sometimes the offset is just before the start file offset of the segment.
+                            if offset <= segment.file_range().0 {
+                                Some((
+                                    segment.file_range(),
+                                    segment.address() - (segment.file_range().0 - offset),
+                                ))
+                            } else {
+                                None
+                            }
+                        })
+                    })
+                    .ok_or_else(|| {
+                        format!(
+                            "Couldn't find segment for `{}`+0x{:x}",
+                            file.display(),
+                            offset
+                        )
+                    })?;
+                Ok(RelocatedDwarfEntry {
+                    address_range: address,
+                    file_range,
+                    bias: address.0 - stated_address,
+                    dwarf,
+                })
+            }
+            Err(err) => Err(err),
+        }
+    }
+}
+
+impl RelocatedDwarf {
+    pub fn from_maps(
+        maps: &[crate::target::MemoryMap],
+    ) -> Result<Self, Box<dyn std::error::Error>> {
+        let vec: Result<Vec<_>, _> = maps
+            .iter()
+            .filter_map(|map| {
+                map.backing_file.as_ref().map(|&(ref file, offset)| {
+                    RelocatedDwarfEntry::from_file_and_offset(map.address, file, offset)
+                })
+            })
+            .collect();
+        let vec = vec?;
+        Ok(RelocatedDwarf(vec))
+    }
+
+    pub fn get_symbol_address(&self, name: &str) -> Option<usize> {
+        for entry in &self.0 {
+            if let Some(addr) = entry.dwarf.get_symbol_address(name) {
+                if addr as u64 + entry.bias >= entry.address_range.1 {
+                    continue;
+                }
+                return Some(addr + entry.bias as usize);
+            }
+        }
+        None
+    }
+
+    pub fn get_address_symbol(&self, addr: usize) -> Option<String> {
+        for entry in &self.0 {
+            if (addr as u64) < entry.address_range.0 || addr as u64 >= entry.address_range.1 {
+                continue;
+            }
+            return entry.dwarf.get_address_symbol(addr - entry.bias as usize);
+        }
+        None
+    }
+
+    pub fn get_var_address(&self, name: &str) -> Option<usize> {
+        for entry in &self.0 {
+            if let Some(addr) = entry.dwarf.get_var_address(name) {
+                if addr as u64 + entry.bias >= entry.address_range.1 {
+                    continue;
+                }
+                return Some(addr + entry.bias as usize);
+            }
+        }
+        None
+    }
+}

src/target/linux.rs

@@ -123,6 +123,20 @@ impl LinuxTarget {
             offset as _,
         )
     }
+
+    pub fn memory_maps(&self) -> Result<Vec<super::MemoryMap>, Box<dyn std::error::Error>> {
+        Ok(procfs::process::Process::new(self.pid.as_raw())?
+            .maps()?
+            .into_iter()
+            .map(|map| super::MemoryMap {
+                address: map.address,
+                backing_file: match map.pathname {
+                    procfs::process::MMapPath::Path(path) => Some((path, map.offset)),
+                    _ => None,
+                },
+            })
+            .collect())
+    }
 }
 
 /// A single memory read operation.

src/target/mod.rs

@@ -12,3 +12,11 @@ pub use linux::*;
 mod macos;
 #[cfg(target_os = "macos")]
 pub use macos::*;
+
+#[derive(Debug)]
+pub struct MemoryMap {
+    /// Start and end range of the mapped memory.
+    pub address: (u64, u64),
+    /// The file and file offset backing the mapped memory if any.
+    pub backing_file: Option<(std::path::PathBuf, u64)>,
+}

src/target/unix.rs

@@ -13,6 +13,7 @@ pub trait UnixTarget {
     /// Continues execution of a debuggee.
     fn unpause(&self) -> Result<(), Box<dyn std::error::Error>> {
         ptrace::cont(self.pid(), None)?;
+        waitpid(self.pid(), None).unwrap();
         Ok(())
     }
 }
@@ -32,6 +33,12 @@ pub(crate) fn launch(path: &str) -> Result<Pid, Box<dyn std::error::Error>> {
         ForkResult::Child => {
             ptrace::traceme()?;
 
+            // Disable ASLR
+            #[cfg(target_os = "linux")]
+            unsafe {
+                libc::personality(0x0040000 /*ADDR_NO_RANDOMIZE*/);
+            }
+
             let path = CString::new(path)?;
             execv(&path, &[path.as_ref()])?;
 

tests/readmem.rs

@@ -3,7 +3,7 @@
 mod test_utils;
 
 #[cfg(target_os = "linux")]
-use headcrab::{symbol::Dwarf, target::LinuxTarget, target::UnixTarget};
+use headcrab::{symbol::RelocatedDwarf, target::LinuxTarget, target::UnixTarget};
 
 static BIN_PATH: &str = concat!(env!("CARGO_MANIFEST_DIR"), "/tests/testees/hello");
 
@@ -20,29 +20,29 @@ static MAC_DSYM_PATH: &str = concat!(
 fn read_memory() -> Result<(), Box<dyn std::error::Error>> {
     test_utils::ensure_testees();
 
-    #[cfg(target_os = "macos")]
-    let debuginfo = Dwarf::new(MAC_DSYM_PATH)?;
-    #[cfg(not(target_os = "macos"))]
-    let debuginfo = Dwarf::new(BIN_PATH)?;
+    let target = LinuxTarget::launch(BIN_PATH)?;
+
+    println!("{:#?}", target.memory_maps()?);
+    let debuginfo = RelocatedDwarf::from_maps(&target.memory_maps()?)?;
 
     // Test that `a_function` resolves to a function.
-    let addr = debuginfo.get_symbol_address("a_function");
-    assert!(addr.is_some());
+    let breakpoint_addr = debuginfo.get_symbol_address("breakpoint");
+    assert!(breakpoint_addr.is_some());
 
     // Test that the address of `a_function` and one byte further both resolves back to that symbol.
     assert_eq!(
         debuginfo
-            .get_address_symbol(addr.unwrap())
+            .get_address_symbol(breakpoint_addr.unwrap())
             .as_ref()
             .map(|name| &**name),
-        Some("a_function")
+        Some("breakpoint")
     );
     assert_eq!(
         debuginfo
-            .get_address_symbol(addr.unwrap() + 1)
+            .get_address_symbol(breakpoint_addr.unwrap() + 1)
             .as_ref()
             .map(|name| &**name),
-        Some("a_function")
+        Some("breakpoint")
     );
 
     // Test that invalid addresses don't resolve to a symbol.
@@ -59,12 +59,38 @@ fn read_memory() -> Result<(), Box<dyn std::error::Error>> {
         None,
     );
 
+    // Write breakpoint to the `breakpoint` function.
+    let mut pause_inst = 0 as libc::c_ulong;
+    unsafe {
+        target
+            .read()
+            .read(&mut pause_inst, breakpoint_addr.unwrap())
+            .apply()?;
+    }
+    // pause (rep nop); ...
+    assert_eq!(&pause_inst.to_ne_bytes()[0..2], &[0xf3, 0x90]);
+    let mut breakpoint_inst = pause_inst.to_ne_bytes();
+    // int3; nop; ...
+    breakpoint_inst[0] = 0xcc;
+    nix::sys::ptrace::write(
+        target.pid(),
+        breakpoint_addr.unwrap() as *mut _,
+        libc::c_ulong::from_ne_bytes(breakpoint_inst) as *mut _,
+    )?;
+
+    // Wait for the breakpoint to get hit.
+    target.unpause().unwrap();
+
+    let ip = target.read_regs().unwrap().rip;
+    assert_eq!(
+        debuginfo.get_address_symbol(ip as usize).as_deref(),
+        Some("breakpoint")
+    );
+
     let str_addr = debuginfo
         .get_var_address("STATICVAR")
         .expect("Expected static var has not been found in the target binary");
 
-    let target = LinuxTarget::launch(BIN_PATH)?;
-
     // Read pointer
     let mut ptr_addr: usize = 0;
     unsafe {

tests/testees/Makefile

@@ -1,5 +1,5 @@
 CC       = rustc
-CC_FLAGS = -g -C relocation-model=dynamic-no-pic
+CC_FLAGS = -g -Copt-level=2
 SRCS = $(wildcard *.rs)
 BINS = $(patsubst %.rs,%,$(SRCS))
 

tests/testees/hello.rs

@@ -2,9 +2,13 @@ static STATICVAR: &str = "Hello, world!\n";
 
 #[no_mangle]
 #[inline(never)]
-fn a_function() {}
+fn breakpoint() {
+    // This will be patched by the debugger to be a breakpoint
+    unsafe { core::arch::x86_64::_mm_pause(); }
+}
+
 
 pub fn main() {
-    a_function();
+    breakpoint();
     println!("{}", STATICVAR);
 }