1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2018 The FreeBSD Foundation
5  * All rights reserved.
6  *
7  * This software was developed by Konstantin Belousov <kib@FreeBSD.org>
8  * under sponsorship from the FreeBSD Foundation.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGE.
30  *
31  * $Id: popss.c,v 1.28 2018/05/09 21:35:29 kostik Exp kostik $
32  * $FreeBSD$
33  *
34  * cc -m32 -Wall -Wextra -O2 -g -o popss popss.c
35  * Use as "popss <instruction>", where instruction is one of
36  * bound, into, int1, int3, int80, syscall, sysenter.
37  */
38 
39 #include <sys/param.h>
40 #include <sys/ptrace.h>
41 #include <sys/wait.h>
42 #include <err.h>
43 #include <signal.h>
44 #include <stdio.h>
45 #include <stdlib.h>
46 #include <string.h>
47 #include <unistd.h>
48 #include <machine/reg.h>
49 
/*
 * Address of the top slot of tmpstk.  main() points it there before
 * fork(); the child loads %esp with it and pops the SS selector stored
 * in that slot, and the tracer arms a hardware watchpoint (DR0) on it.
 */
static u_long *stk;

/*
 * Upper bound on the number of trap stops setup() services before it
 * gives up, kills the child and detaches.
 */
#define	ITERATIONS	4
53 
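/*
 * Tracer side, run in the parent.  Waits for the child's initial int3
 * stop, arms a 4-byte read/write hardware watchpoint (DR0) on *stk -- the
 * slot the child's "popl %ss" reads from -- and then resumes the child,
 * printing its registers and debug registers at each subsequent stop.
 * At most ITERATIONS stops are serviced; a child that keeps trapping is
 * killed and detached.  Every ptrace/waitpid failure is fatal via err().
 *
 * child: pid of the forked tracee (see act()).
 */
static void
setup(pid_t child)
{
	struct reg r;
	struct dbreg dbr;
	int error, i, status;

	error = waitpid(child, &status, WTRAPPED | WEXITED);
	if (error == -1)
		err(1, "waitpid 1");
	if (WIFEXITED(status) || WIFSIGNALED(status)) {
		/*
		 * act() exits with status 1 on an unknown instruction name
		 * before ever reaching an int3, so there is no stopped
		 * process to inspect; report that instead of a misleading
		 * ptrace failure.
		 */
		printf("child %d terminated before the first stop\n", child);
		return;
	}
	error = ptrace(PT_GETREGS, child, (caddr_t)&r, 0);
	if (error == -1)
		err(1, "ptrace PT_GETREGS");
	printf("child %d stopped eip %#x esp %#x\n", child, r.r_eip, r.r_esp);

	/*
	 * Program DR0 as a 4-byte read/write watchpoint on *stk, keeping
	 * whatever else is in DR7.  The "popl %ss" in the child reads
	 * exactly that slot, so the debug trap it raises is the event
	 * this tool exercises.
	 */
	error = ptrace(PT_GETDBREGS, child, (caddr_t)&dbr, 0);
	if (error == -1)
		err(1, "ptrace PT_GETDBREGS");
	dbr.dr[7] &= ~DBREG_DR7_MASK(0);
	dbr.dr[7] |= DBREG_DR7_SET(0, DBREG_DR7_LEN_4, DBREG_DR7_RDWR,
	    DBREG_DR7_LOCAL_ENABLE | DBREG_DR7_GLOBAL_ENABLE);
	dbr.dr[0] = (uintptr_t)stk;
	error = ptrace(PT_SETDBREGS, child, (caddr_t)&dbr, 0);
	if (error == -1)
		err(1, "ptrace PT_SETDBREGS");
	/* (caddr_t)1: resume at the current pc. */
	error = ptrace(PT_CONTINUE, child, (caddr_t)1, 0);
	if (error == -1)
		err(1, "ptrace PT_CONTINUE fire");

	for (i = 0; i < ITERATIONS; i++) {
		error = waitpid(child, &status, WTRAPPED | WEXITED);
		if (error == -1)
			err(1, "waitpid 2");
		/* The child is gone (normal exit or signal); nothing to resume. */
		if (WIFEXITED(status) || WIFSIGNALED(status))
			break;
		error = ptrace(PT_GETREGS, child, (caddr_t)&r, 0);
		if (error == -1)
			err(1, "ptrace PT_GETREGS");
		error = ptrace(PT_GETDBREGS, child, (caddr_t)&dbr, 0);
		if (error == -1)
			err(1, "ptrace PT_GETDBREGS");
		/* DR6 shows which watchpoint fired; DR7 confirms DR0 is still armed. */
		printf("child %d stopped eip %#x esp %#x dr0 %#x "
		    "dr6 %#x dr7 %#x\n", child, r.r_eip, r.r_esp,
		    dbr.dr[0], dbr.dr[6], dbr.dr[7]);
		error = ptrace(PT_CONTINUE, child, (caddr_t)1, 0);
		if (error == -1)
			err(1, "ptrace PT_CONTINUE tail");
	}
	if (i == ITERATIONS) {
		/*
		 * Still trapping after ITERATIONS stops: assume the child
		 * is stuck in a trap loop and terminate it rather than
		 * servicing it forever.  Detach failure is ignored on
		 * purpose; the process is already being killed.
		 */
		kill(child, SIGKILL);
		ptrace(PT_DETACH, child, NULL, 0);
	}
}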
107 
/*
 * Backing store for the private stack the child switches to.  main()
 * points stk at the last element, so only the top slot is ever read
 * by the "popl %ss" sequences in act().
 */
static u_long tmpstk[1024 * 128];
109 
/*
 * Return the current SS segment selector.  The value is stored in *stk
 * by act() so that the "popl %ss" sequences reload a selector that is
 * known to be valid.
 */
static u_int
read_ss(void)
{
	u_int ss_sel = 0;

	__asm volatile("movl\t%%ss,%0" : "=r" (ss_sel));
	return ss_sel;
}
118 
/*
 * Common start of each test sequence: int3 hands control to the tracer
 * (its first waitpid in setup()), %esp is switched to stk (operand %0),
 * and "popl %ss" reloads SS from *stk -- the slot setup() has armed as
 * a hardware watchpoint.  The caller appends the instruction under test.
 */
#define	PROLOGUE	"int3;movl\t%0,%%esp;popl\t%%ss;"
120 
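/*
 * Tracee side, run in the child.  Reports its pid and stk, saves the
 * current SS selector in *stk so each "popl %ss" reloads a valid
 * selector, requests tracing, and then executes the sequence selected
 * by cmd: int3 to stop for the tracer, a switch of %esp to stk, the
 * "popl %ss" that touches the tracer's watchpoint, and the trapping
 * instruction under test.  An unknown name terminates the child with
 * exit status 1.  "ho" is printed only if the process survives the
 * sequence.
 *
 * cmd: one of bound, int1, int3, into, int80, syscall, sysenter.
 */
static void
act(const char *cmd)
{
	int error;
	/* BOUND operand: %eax = 11 lies outside [0, 1], so BOUND raises #BR. */
	static const int boundx[2] = {0, 1};

	printf("child pid %d, stk at %p\n", getpid(), stk);
	/*
	 * setup() may SIGKILL us while we sit in a ptrace stop; flush now
	 * so the line above is not lost when stdout is block buffered
	 * (pipe or file) rather than line buffered.
	 */
	if (fflush(stdout) == EOF)
		err(1, "fflush");
	*stk = read_ss();

	error = ptrace(PT_TRACE_ME, 0, NULL, 0);
	if (error != 0)
		err(1, "ptrace PT_TRACE_ME");

	/*
	 * bound and into cannot use PROLOGUE as-is because they need %eax
	 * prepared before the stack switch; the int3 / movl / popl order
	 * is the same.
	 */
	if (strcmp(cmd, "bound") == 0) {
		/* XXX BOUND args order clang ias bug */
		__asm volatile("int3;movl\t$11,%%eax;"
		    "movl\t%0,%%esp;popl\t%%ss;bound\t%1,%%eax"
		    : : "r" (stk), "m" (boundx) : "memory");
	} else if (strcmp(cmd, "int1") == 0) {
		/* 0xf1 is the ICEBP (int1) opcode, which has no mnemonic in the assembler. */
		__asm volatile(PROLOGUE ".byte 0xf1"
		    : : "r" (stk) : "memory");
	} else if (strcmp(cmd, "int3") == 0) {
		__asm volatile(PROLOGUE "int3"
		    : : "r" (stk) : "memory");
	} else if (strcmp(cmd, "into") == 0) {
		/* 0x80000000 + 0x80000000 sets OF, so INTO raises #OF. */
		__asm volatile("int3;movl\t$0x80000000,%%eax;"
		    "addl\t%%eax,%%eax;movl\t%0,%%esp;popl\t%%ss;into"
		    : : "r" (stk) : "memory");
	} else if (strcmp(cmd, "int80") == 0) {
		/* The three i386 system call entry paths follow. */
		__asm volatile(PROLOGUE "int\t$0x80"
		    : : "r" (stk) : "memory");
	} else if (strcmp(cmd, "syscall") == 0) {
		__asm volatile(PROLOGUE "syscall"
		    : : "r" (stk) : "memory");
	} else if (strcmp(cmd, "sysenter") == 0) {
		__asm volatile(PROLOGUE "sysenter"
		    : : "r" (stk) : "memory");
	} else {
		fprintf(stderr, "unknown instruction\n");
		exit(1);
	}
	printf("ho\n");
}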
164 
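/*
 * Entry point: validate the single instruction-name argument, point stk
 * at the top of tmpstk (inherited across fork()), then run act() in the
 * child and setup() in the parent.
 */
int
main(int argc, char *argv[])
{
	pid_t child;

	if (argc != 2) {
		/* Usage errors go to stderr, like act()'s "unknown instruction". */
		fprintf(stderr,
		    "Usage: popss [bound|int1|int3|into|int80|syscall|sysenter]\n");
		exit(1);
	}
	/* Top slot of the private stack; set before fork() so both sides agree. */
	stk = &tmpstk[nitems(tmpstk) - 1];
	child = fork();
	if (child == -1)
		err(1, "fork");
	if (child == 0)
		act(argv[1]);
	else
		setup(child);
	return (0);
}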