Re: TCT ported to HP-UX 10.20 (new release)

From: Knut Eckstein (knutat_private)
Date: Tue Mar 26 2002 - 14:25:29 PST

    Hello all,
    
    Knut Eckstein wrote:
    
    > During the tests I found two interesting problems. Maybe
    > a HP-UX expert out there can point me to a solution:
    > 
    > 1. The pcat program in TCT uses ptrace(READDATA) to copy the TEXT,
    > DATA and STACK segment of a process. It returns with EIO when trying
    > to read the STACK area of the init process (PID==1). Therefore pcat
    > will only return the TEXT and DATA segment of that particular process.
    > I observed similar behaviour with "/bin/sh" and
    > "/usr/dt/bin/dtrc". The initial ptrace(ATTACH) works fine as do the
    > read operations on the TEXT and DATA segments. I know that OpenBSD and
    > Linux flat out refuse a ptrace(ATTACH) to the init process for
    > security reasons, but this seems to be a slightly different issue
    > here. I also looked at the pst_vm_status.pst_flags and the
    > pst_vm_status.pst_permission bits returned for each segment by
    > pstat_getprocvm, but I can't see any differences between these
    > "troublemaking" processes and others.
    
    Problem solved. Main cause was my stupidity. I blindly assumed that
    the STACK segment would grow "downstairs" from the given start address
    which is simply not the case. So I was copying the wrong things, in this case
    mmapped files related to shared libraries. In rare cases where there were fewer
    pages for mmapped files than for the stack, the above error occurred.
    My initial test program was poor and I didn't look hard enough at
    the hexdump of the pcat output to realize I wasn't getting the stack
    at all. Now I have an improved test program with a nice recursive
    subroutine which generates massive strings on stack and heap which can't
    be overlooked :-) Its name is callme.c and it can be downloaded
    like all the rest from http://www.isd.uni-stuttgart.de/~knut.eckstein/tct-hp.html
    
    Also pcat only tried to copy TEXT, DATA and STACK. Now it copies all
    region types including SHMEM, MMFILE, MMIO etc. The only region that
    cannot be copied is the u_area.
    
    I substantially improved the verbose output of pcat. Now it gives quite
    some interesting information, including device number and inode number
    for those memory regions that are associated with files (TEXT, DATA,
    MMFILE). Example of the X server process, which gets nicely copied
    without crashing...
    
    myhp 20# ./pcat -v 750 > /dev/null
    Status: 2 (1=SLEEP,2=RUN,3=STOP,4=ZOMBIE,5=OTHER,6=IDLE)
    Flags: INCORE:::::::
    Incore Pages TEXT: 0xaa DATA: 0x183 STACK: 0x5
       SH_MEM: 0x580 MMFILES: 0x516 U_AREA+K_STACK: 0x4 I/O_MAP: 0x0
    Virtual Pages Text: 0xaa Data: 0x183 0xStack: 5
       SH_MEM: 0x580 MMFILES: 0x516 U_AREA+K_STACK: 0x4 I/O_MAP: 0x1f41
    pre_attach_signal = 0
    map entry: 0x00001000 0x000ab000  TEXT   r-x Flags :EXE:SHARED: 40000003:9219
    map entry: 0x40001000 0x40184000  DATA   rw- Flags ::: 40000003:9219
    map entry: 0x7afb1000 0x7afb3000  MMFILE rwx Flags :::SHLIB 40000003:37
    map entry: 0x7afb3000 0x7afb6000  MMFILE rwx Flags :::SHLIB 40000003:2555
    map entry: 0x7afb6000 0x7afb7000  MMFILE rwx Flags :::SHLIB 40000003:2553
    map entry: 0x7afb7000 0x7afbb000  MMFILE rwx Flags :::SHLIB 40000003:2550
    map entry: 0x7afbb000 0x7afc4000  MMFILE rwx Flags :::SHLIB 40000003:2544
    map entry: 0x7afc4000 0x7afc5000  MMFILE rwx Flags ::: 0:-1
    map entry: 0x7afc5000 0x7afc8000  MMFILE rwx Flags :::SHLIB 40000003:2542
    map entry: 0x7afc8000 0x7afca000  MMFILE rwx Flags :::SHLIB 40000003:2543
    map entry: 0x7afca000 0x7afcd000  MMFILE rwx Flags ::: 0:-1
    map entry: 0x7afe3000 0x7afe4000  MMFILE rwx Flags :::SHLIB 40000003:25022
    map entry: 0x7afe4000 0x7afe6000  MMFILE rwx Flags ::: 0:-1
    map entry: 0x7afe6000 0x7afeb000  MMFILE rwx Flags :::SHLIB 40000003:15856
    map entry: 0x7afeb000 0x7afec000  MMFILE rwx Flags :::SHLIB 40000003:25033
    map entry: 0x7afec000 0x7afee000  MMFILE rwx Flags :::SHLIB 40000003:12525
    map entry: 0x7afee000 0x7afef000  MMFILE rwx Flags :::SHLIB 40000003:30826
    map entry: 0x7afef000 0x7b004000  MMFILE rwx Flags :::SHLIB 40000003:30824
    map entry: 0x7b004000 0x7b005000  MMFILE rwx Flags :::SHLIB 40000003:15824
    map entry: 0x7b005000 0x7b010000  MMFILE rwx Flags :::SHLIB 40000003:15819
    map entry: 0x7b010000 0x7b031000  MMFILE rwx Flags ::: 0:-1
    map entry: 0x7b031000 0x7b035000  MMFILE rwx Flags ::: 0:-1
    map entry: 0x7b035000 0x7b037000  MMFILE rwx Flags ::: 0:-1
    map entry: 0x7b037000 0x7b03a000  MMFILE rwx Flags :::SHLIB 40000003:15854
    map entry: 0x7b03a000 0x7b03f000  STACK  rw- Flags ::: 0:-1
    user area at 0x7ffe6000 (4 pages) skipped
    map entry: 0xc0002000 0xc0003000  GRAPHC rw- Flags MEMLOCK::SHARED: 0:-1
    map entry: 0xc0003000 0xc0016000  MMFILE r-x Flags :EXE:SHARED:SHLIB 40000003:15854
    map entry: 0xc0016000 0xc017a000  MMFILE r-x Flags :EXE:SHARED:SHLIB 40000003:15819
    map entry: 0xc017a000 0xc017b000  MMFILE r-x Flags :EXE:SHARED:SHLIB 40000003:15824
    map entry: 0xc078a000 0xc079d000  MMFILE r-x Flags :EXE:SHARED:SHLIB 40000003:15856
    map entry: 0xc07ad000 0xc07c6000  MMFILE r-x Flags :EXE:SHARED:SHLIB 40000003:12525
    map entry: 0xc07c6000 0xc07c8000  MMFILE r-x Flags :EXE:SHARED:SHLIB 40000003:25033
    map entry: 0xc07c8000 0xc07cd000  MMFILE r-x Flags :EXE:SHARED:SHLIB 40000003:25022
    map entry: 0xc0864000 0xc087d000  MMFILE rw- Flags ::SHARED: 40000003:83394
    map entry: 0xc0881000 0xc08c0000  MMFILE r-x Flags :EXE:SHARED:SHLIB 40000003:2543
    map entry: 0xc08c0000 0xc08e8000  MMFILE r-x Flags :EXE:SHARED:SHLIB 40000003:2542
    map entry: 0xc08e8000 0xc091e000  MMFILE r-x Flags :EXE:SHARED:SHLIB 40000003:2550
    map entry: 0xc091e000 0xc0935000  MMFILE r-x Flags :EXE:SHARED:SHLIB 40000003:2553
    map entry: 0xc0935000 0xc0936000  MMFILE r-x Flags :EXE:SHARED:SHLIB 40000003:37
    map entry: 0xc098c000 0xc09a5000  MMFILE rw- Flags ::SHARED: 40000003:83395
    map entry: 0xc09a5000 0xc09be000  MMFILE rw- Flags ::SHARED: 40000003:83396
    map entry: 0xc09fe000 0xc0ae8000  MMFILE r-x Flags :EXE:SHARED:SHLIB 40000003:30824
    map entry: 0xc0ae8000 0xc0af5000  MMFILE r-x Flags :EXE:SHARED:SHLIB 40000003:30826
    map entry: 0xc0af5000 0xc0b7a000  MMFILE r-x Flags :EXE:SHARED:SHLIB 40000003:2544
    map entry: 0xc0b7a000 0xc0bc4000  MMFILE r-x Flags :EXE:SHARED:SHLIB 40000003:2555
    map entry: 0xc0bc4000 0xc1144000  SH_MEM rwx Flags ::SHARED: 0:-1
    map entry: 0xc1144000 0xc115d000  MMFILE rw- Flags ::SHARED: 40000003:83397
    map entry: 0xc115d000 0xc1176000  MMFILE rw- Flags ::SHARED: 40000003:83398
    map entry: 0xf8000000 0xf8040000  IO     rw- Flags ::SHARED: 0:-1
    map entry: 0xf8100000 0xf9000000  IO     rw- Flags ::SHARED: 0:-1
    map entry: 0xf9000000 0xfa000000  IO     rw- Flags ::SHARED: 0:-1
    map entry: 0xfffbc000 0xfffbd000  IO     rw- Flags ::SHARED: 0:-1
    
    Best regards,
    
    Knut
    
    PS: Thanks to Ralf Hildebrandt for pointing out that when compiling with gcc-3.x several warnings 
    regarding __STDC_EXT__ are generated. By removing the -D__STDC_EXT__ arguments in the makedef files, 
    this problem is solved.
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
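The consistency check an analyst would want to run over a verbose pcat listing like the one above, written here as an added example that is not part of the post or of TCT: it parses the `Virtual Pages` header and the `map entry:` lines, verifies that the regions listed for each type add up to the page counts the header claims (a 4 KiB page size is assumed), groups file-backed regions by device and inode, and reports which region ends exactly where the stack begins. The sample input is an abridged copy of the `pcat -v 750` output quoted in the mail with most MMFILE entries dropped, so the MMFILES tally deliberately comes out short, which is exactly how a dump that skipped regions would show up.

```python
"""Reconcile the header of pcat -v output (TCT, HP-UX port) with the map
entries it lists.  Added example, not code from the post or from TCT."""
import re
from collections import defaultdict

PAGE_SIZE = 4096  # assumption: 4 KiB pages on HP-UX 10.20 / PA-RISC

# Abridged copy of the `pcat -v 750` listing from the mail (constructed sample):
# the header, every single-region type, but only three of the MMFILE entries.
SAMPLE = """\
Virtual Pages Text: 0xaa Data: 0x183 0xStack: 5
   SH_MEM: 0x580 MMFILES: 0x516 U_AREA+K_STACK: 0x4 I/O_MAP: 0x1f41
map entry: 0x00001000 0x000ab000  TEXT   r-x Flags :EXE:SHARED: 40000003:9219
map entry: 0x40001000 0x40184000  DATA   rw- Flags ::: 40000003:9219
map entry: 0x7afc4000 0x7afc5000  MMFILE rwx Flags ::: 0:-1
map entry: 0x7b037000 0x7b03a000  MMFILE rwx Flags :::SHLIB 40000003:15854
map entry: 0x7b03a000 0x7b03f000  STACK  rw- Flags ::: 0:-1
user area at 0x7ffe6000 (4 pages) skipped
map entry: 0xc0002000 0xc0003000  GRAPHC rw- Flags MEMLOCK::SHARED: 0:-1
map entry: 0xc0003000 0xc0016000  MMFILE r-x Flags :EXE:SHARED:SHLIB 40000003:15854
map entry: 0xc0bc4000 0xc1144000  SH_MEM rwx Flags ::SHARED: 0:-1
map entry: 0xf8000000 0xf8040000  IO     rw- Flags ::SHARED: 0:-1
map entry: 0xf8100000 0xf9000000  IO     rw- Flags ::SHARED: 0:-1
map entry: 0xf9000000 0xfa000000  IO     rw- Flags ::SHARED: 0:-1
map entry: 0xfffbc000 0xfffbd000  IO     rw- Flags ::SHARED: 0:-1
"""

MAP_RE = re.compile(r"map entry:\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(\S+)\s+"
                    r"([rwx-]{3})\s+Flags\s+(\S+)\s+([0-9a-f]+):(-?\d+)")
HDR_RE = re.compile(r"(Text|Data|Stack|SH_MEM|MMFILES|U_AREA\+K_STACK|I/O_MAP)"
                    r":\s*(0x[0-9a-f]+|\d+)")
UAREA_RE = re.compile(r"user area at 0x[0-9a-f]+ \((\d+) pages\) skipped")
# header label -> region type as printed in the map entries
HEADER_TO_TYPE = {"Text": "TEXT", "Data": "DATA", "Stack": "STACK",
                  "SH_MEM": "SH_MEM", "MMFILES": "MMFILE", "I/O_MAP": "IO",
                  "U_AREA+K_STACK": "U_AREA"}

def parse_pcat_verbose(text):
    """Return (header, entries): page counts from the 'Virtual Pages' lines and
    one dict per map entry (plus a synthetic entry for the skipped u_area)."""
    header, entries, in_virtual = {}, [], False
    for line in text.splitlines():
        if line.startswith("Virtual Pages") or (in_virtual and line[:1].isspace()):
            in_virtual = True          # header line or its indented continuation
            for label, pages in HDR_RE.findall(line):
                header[label] = int(pages, 0)   # accepts 0x.. and plain decimal
            continue
        in_virtual = False
        m = MAP_RE.search(line)
        if m:
            start, end, rtype, perms, flags, dev, ino = m.groups()
            entries.append({"start": int(start, 16), "end": int(end, 16),
                            "type": rtype, "perms": perms,
                            "flags": [f for f in flags.split(":") if f],
                            "dev": dev, "ino": int(ino)})
            continue
        m = UAREA_RE.search(line)
        if m:   # the u_area is skipped by pcat, but its size is still reported
            entries.append({"type": "U_AREA", "pages": int(m.group(1))})
    return header, entries

def pages_by_type(entries):
    totals = defaultdict(int)
    for e in entries:
        totals[e["type"]] += e["pages"] if "pages" in e else (e["end"] - e["start"]) // PAGE_SIZE
    return dict(totals)

def reconcile(text):
    """Header label -> (pages the header claims, pages the listed regions
    cover).  A shortfall means the listing, and so the dump, is incomplete."""
    header, entries = parse_pcat_verbose(text)
    totals = pages_by_type(entries)
    return {label: (claimed, totals.get(HEADER_TO_TYPE[label], 0))
            for label, claimed in header.items()}

def mismatches(text):
    return sorted(l for l, (c, s) in reconcile(text).items() if c != s)

def shared_backing(entries):
    """(dev, inode) -> regions, for files that are mapped into more than one range."""
    groups = defaultdict(list)
    for e in entries:
        if e.get("ino", -1) != -1:
            groups[(e["dev"], e["ino"])].append((e["start"], e["end"], e["perms"]))
    return {k: v for k, v in groups.items() if len(v) > 1}

def region_below(entries, rtype="STACK"):
    """Type of the region ending exactly where `rtype` starts: what a copy that
    walked downward from the stack's start address would actually read."""
    target = next((e for e in entries if e["type"] == rtype), None)
    if target is None:
        return None
    return next((e["type"] for e in entries if e.get("end") == target["start"]), None)

if __name__ == "__main__":
    for label, (claimed, seen) in reconcile(SAMPLE).items():
        print(f"{label:15s} header {claimed:#7x}  regions {seen:#7x}"
              f"{'' if claimed == seen else '  <-- short'}")
    print("region below the stack:", region_below(parse_pcat_verbose(SAMPLE)[1]))
```

Against the complete listing in the mail every category reconciles, including MMFILES at 0x516 pages; GRAPHC is the one region type the header does not account for. The `region_below` result (MMFILE) is the author's lesson in data: on this system the region immediately below the stack's start address is a mapped file, so a copy that walks downward from that address captures shared-library pages instead of the stack.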
    



    This archive was generated by hypermail 2b30 : Thu Mar 28 2002 - 04:27:27 PST