You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
<spanclass="k">raise</span><spanclass="ne">TypeError</span><spanclass="p">(</span><spanclass="s2">"Invalid type for the value to write to memory. Expected bytes."</span><spanclass="p">)</span>
<spanclass="sa">f</span><spanclass="s2">"No backing file specified and no corresponding absolute address found for </span><spanclass="si">{</span><spanclass="nb">hex</span><spanclass="p">(</span><spanclass="n">address</span><spanclass="p">)</span><spanclass="si">}</span><spanclass="s2">. Assuming </span><spanclass="si">{</span><spanclass="n">backing_file</span><spanclass="si">}</span><spanclass="s2">."</span><spanclass="p">,</span>
Copy file name to clipboardExpand all lines: docs/0.5.0/_sources/basic_features.rst.txt
+30-3Lines changed: 30 additions & 3 deletions
Original file line number
Diff line number
Diff line change
@@ -148,7 +148,7 @@ You can force the addressing mode by using the following syntax:
148
148
d.memory[0x1000, 0x10, "absolute"]
149
149
d.memory[0x1000, 0x10, "hybrid"]
150
150
151
-
If you specify a full or a substring of a file name, libdebug will search for the memory map of the file and use the base address of the file as the base address for the relative addressing. If the file is not found or multiple matches are found, an exeption is raised.
151
+
If you specify a full or a substring of a file name, libdebug will search for the memory map of the file and use the base address of the file as the base address for the relative addressing. If the file is not found or multiple matches are found, an exception is raised.
152
152
153
153
.. code-block:: python
154
154
d.memory[0x1000, 0x10, "file_name"]
@@ -245,7 +245,7 @@ An alternative to running the program from the beginning and to resume libdebug
245
245
d.attach(pid)
246
246
247
247
Graceful Termination
248
-
====================================
248
+
====================
249
249
250
250
If you want to kill the process being debugged, you can use the `kill()` method. When repeatedly running new instances of debugged program, remember to call the `kill()` command on old instances to avoid large memory usage. The syntax is as follows:
251
251
@@ -259,7 +259,34 @@ When you are done with the debugger object, you can terminate the background thr
259
259
260
260
d.terminate()
261
261
262
+
263
+
Post Mortem Analysis
264
+
====================
265
+
You can check at every moment if the whole process (or a specific thread) is dead by using the `dead` property. The syntax is as follows:
266
+
267
+
.. code-block:: python
268
+
269
+
ifnot d.dead:
270
+
print("The process is not dead")
271
+
else:
272
+
print("The process is dead")
273
+
274
+
Moreover, after the process has died, you can check the exit code and the exit signal by using the `exit_code` and `exit_signal` properties, respectively. The syntax is as follows:
275
+
276
+
.. code-block:: python
277
+
278
+
if d.dead:
279
+
print(f"The process exited with code {d.exit_code}")
280
+
281
+
.. code-block:: python
282
+
283
+
if d.dead:
284
+
print(f"The process exited with signal {d.exit_signal}")
285
+
286
+
You can also access registers after the process has died. This is useful for *post-mortem* analysis.
287
+
288
+
262
289
Supported Architectures
263
-
====================================
290
+
=======================
264
291
265
292
libdebug currently only supports Linux under the x86_64 (AMD64) architecture. Support for other architectures is planned for future releases. Stay tuned.
Copy file name to clipboardExpand all lines: docs/0.5.0/_sources/catch_signals.rst.txt
+8-7Lines changed: 8 additions & 7 deletions
Original file line number
Diff line number
Diff line change
@@ -1,14 +1,15 @@
1
1
Signals
2
2
=======
3
3
4
-
libdebug supports catching of signals. You can, in fact, execute a callback or pause the script when a specific signal directed at the debugged process is intercepted by the tracer. \
4
+
libdebug supports catching of signals. You can, in fact, execute a callback or pause the script when a specific signal directed at the debugged process is intercepted by the tracer.
5
+
5
6
The following is the signature of the callback function:
along with the thread where the signal was intercepted from, the callback is also passed the `SignalCatcher` object. \
12
+
along with the thread where the signal was intercepted from, the callback is also passed the `SignalCatcher` object.
12
13
13
14
When registering a signal catcher, you can either specify the signal number or the conventional signal name (e.g. 'SIGINT').
14
15
@@ -52,17 +53,17 @@ As with breakpoints and syscall handlers, you can access the `hit_count` propert
52
53
53
54
Note: You cannot catch **SIGSTOP**, **SIGTRAP**, and **SIGKILL**.
54
55
55
-
These signals are internally used by the ptrace and the debugger, or are enforced by the kernel to be passed directly to the child process without the possibility of being caught.
56
+
These signals are internally used by ptrace and the debugger, or are enforced by the kernel to be passed directly to the child process without the possibility of being caught.
56
57
57
58
Just like with syscalls, there can be at most one user-defined catcher for each signal.
58
59
59
60
If a new catcher is defined for a signal that is already catched or hijacked, the new catcher will replace the old one, and a warning is printed.
60
61
61
62
Signal Filtering
62
63
----------------
63
-
Instead of setting a catcher on signals, you could want to filter which signals are not to be forwarded to the debugged process during execution.
64
+
Instead of setting a catcher on signals, you might want to filter which signals are not to be forwarded to the debugged process during execution.
64
65
65
-
By default, all signals not related to the libdebug's internals are forwarded. For example, SIGSTOP is never passed to the process.
66
+
By default, all signals not related to libdebug internals are forwarded. For example, SIGSTOP is never passed to the process.
66
67
67
68
.. code-block:: python
68
69
@@ -94,7 +95,7 @@ When registering a signal hijack, you can either specify the signal number or th
94
95
95
96
Note: Just like with catchers, you cannot hijack **SIGSTOP**, **SIGTRAP**, and **SIGKILL**.
96
97
97
-
These signals are internally used by the ptrace and the debugger, or are enforced by the kernel to be passed directly to the child process without the possibility of being caught.
98
+
These signals are internally used by ptrace and the debugger, or are enforced by the kernel to be passed directly to the child process without the possibility of being caught.
98
99
99
100
Hijacking Loop Detection
100
101
^^^^^^^^^^^^^^^^^^^^^^^^
@@ -108,7 +109,7 @@ For example, the following code raises a `RuntimeError`:
108
109
catcher2 = d.hijack_signal("SIGINT", "SIGPIPE")
109
110
110
111
Recursion
111
-
^^^^^^^^^^^^^^
112
+
^^^^^^^^^
112
113
Mixing signal catching and hijacking can become messy. Because of this, libdebug provides users with the choice of whether to execute the catcher for a signal that was triggered *by* a hijack.
113
114
114
115
This behavior is enabled by the parameter `recursive`, available when instantiating a hijack or a catcher. By default, the parameter is set to False.
Copy file name to clipboardExpand all lines: docs/0.5.0/_sources/handle_syscalls.rst.txt
+2-2Lines changed: 2 additions & 2 deletions
Original file line number
Diff line number
Diff line change
@@ -8,7 +8,7 @@ In the case of *handling*, the user can provide a callback function that will be
8
8
In the case of *hijacking*, the user can modify the syscall that was supposed to be executed, either by changing its parameters or replacing it with another syscall.
9
9
10
10
Handlers
11
-
-------
11
+
--------
12
12
When handling a syscall, the user can provide up to two callback functions that will be called whenever the handled syscall is executed. One that is called before executing the syscall (`on_enter`), the other is called after executing the syscall (`on_exit`).
13
13
14
14
Please note that it is not necessary to specify both `on_enter` and `on_exit` callbacks. It is sufficient to specify only one of them. The callback function must have the following signature:
@@ -106,7 +106,7 @@ For example, the following code raises a `RuntimeError`:
106
106
107
107
108
108
Recursion
109
-
^^^^^^^^^^^^^^
109
+
^^^^^^^^^
110
110
Mixing syscall handling and hijacking can become messy. Because of this, libdebug provides users with the choice of whether to execute the handler for a syscall that was triggered *by* a hijack.
111
111
112
112
This behavior is enabled by the parameter `recursive`, available when instantiating a hijack or a handler. By default, the parameter is set to False.
Copy file name to clipboardExpand all lines: docs/0.5.0/basic_features.html
+22-1Lines changed: 22 additions & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -529,7 +529,7 @@ <h2>Absolute and Relative Addressing<a class="headerlink" href="#absolute-and-re
529
529
<p>When accessing memory, you can use both absolute and relative addressing. Absolute addressing is the most common way to access memory, where you provide the exact address you want to access. Relative addressing is a more advanced way to access memory, where you provide an address relative to a base address.
530
530
By default, the memory access in libdebug is done using an hybrid addressing mode. This means that libdebug will try to resolve the address as an absolute address first. If the address is not found, libdebug will try to resolve the address as a relative address, using as base the one of the binary. In this case, a warning will be printed.
531
531
You can force the addressing mode by using the following syntax:</p>
532
-
<p>If you specify a full or a substring of a file name, libdebug will search for the memory map of the file and use the base address of the file as the base address for the relative addressing. If the file is not found or multiple matches are found, an exeption is raised.</p>
532
+
<p>If you specify a full or a substring of a file name, libdebug will search for the memory map of the file and use the base address of the file as the base address for the relative addressing. If the file is not found or multiple matches are found, an exception is raised.</p>
533
533
<p>You can also use the wildcard string “binary” to use the base address of the binary as the base address for the relative addressing. The same behavior is applied if you pass a string corresponding to the binary name.</p>
534
534
</section>
535
535
</section>
@@ -609,6 +609,26 @@ <h1>Graceful Termination<a class="headerlink" href="#graceful-termination" title
609
609
</pre></div>
610
610
</div>
611
611
</section>
612
+
<sectionid="post-mortem-analysis">
613
+
<h1>Post Mortem Analysis<aclass="headerlink" href="#post-mortem-analysis" title="Link to this heading">#</a></h1>
614
+
<p>You can check at every moment if the whole process (or a specific thread) is dead by using the <cite>dead</cite> property. The syntax is as follows:</p>
<spanclass="nb">print</span><spanclass="p">(</span><spanclass="s2">"The process is not dead"</span><spanclass="p">)</span>
617
+
<spanclass="k">else</span><spanclass="p">:</span>
618
+
<spanclass="nb">print</span><spanclass="p">(</span><spanclass="s2">"The process is dead"</span><spanclass="p">)</span>
619
+
</pre></div>
620
+
</div>
621
+
<p>Moreover, after the process has died, you can check the exit code and the exit signal by using the <cite>exit_code</cite> and <cite>exit_signal</cite> properties, respectively. The syntax is as follows:</p>
<spanclass="nb">print</span><spanclass="p">(</span><spanclass="sa">f</span><spanclass="s2">"The process exited with code </span><spanclass="si">{</span><spanclass="n">d</span><spanclass="o">.</span><spanclass="n">exit_code</span><spanclass="si">}</span><spanclass="s2">"</span><spanclass="p">)</span>
<spanclass="nb">print</span><spanclass="p">(</span><spanclass="sa">f</span><spanclass="s2">"The process exited with signal </span><spanclass="si">{</span><spanclass="n">d</span><spanclass="o">.</span><spanclass="n">exit_signal</span><spanclass="si">}</span><spanclass="s2">"</span><spanclass="p">)</span>
628
+
</pre></div>
629
+
</div>
630
+
<p>You can also access registers after the process has died. This is useful for <em>post-mortem</em> analysis.</p>
631
+
</section>
612
632
<sectionid="supported-architectures">
613
633
<h1>Supported Architectures<aclass="headerlink" href="#supported-architectures" title="Link to this heading">#</a></h1>
614
634
<p>libdebug currently only supports Linux under the x86_64 (AMD64) architecture. Support for other architectures is planned for future releases. Stay tuned.</p>
0 commit comments