
Add: support for dbg.follow.child option #6525

Merged (1 commit, Jan 17, 2017)
Conversation

leberus (Contributor) commented Jan 17, 2017

This patch adds support for the dbg.follow.child option.
If this option is true, r2 cleans up the old environment and starts tracing the new PID. If not, r2 continues tracing the current PID.

PoC:

#include <stdio.h>
#include <unistd.h>

/* Function that only the child process calls: the breakpoint target. */
void function_child (void)
{
	int a = 0;	/* initialised so the increment below is well defined */
	char c;

	printf ("function_child\n");
	c = 'd';
	a += 4;
	(void) c;
	(void) a;
}

int main(void)
{
	pid_t pid;

	pid = fork();
	if (pid > 0) {
		/* parent: fork() returned the child's PID */
		printf ("This is the parent\n");
	} else if (pid == 0) {
		/* child: fork() returned 0 */
		printf ("This is the child\n");
		function_child ();
	} else {
		perror ("fork error");
	}

	printf ("bye\n");
	return pid;	/* exit status: 0 in the child, the child's PID (truncated) in the parent */
}
$ r2 -d fork
Process with PID 20246 started...
= attach 20246 20246
bin.baddr 0x00400000
USING 400000
Assuming filepath /home/oscar/lab/r2/3549/fork
asm.bits 64
 -- Use 'rabin2 -ris' to get the import/export symbols of any binary.
[0x7f6fc6477190]> e dbg.follow.child
false
[0x7f6fc6477190]> db sym.function_child
[0x7f6fc6477190]> dc
Selecting and continuing: 20246
PTRACE_EVENT_FORK new_pid=20249
[0x7f6fc6185014]> dc
Selecting and continuing: 20246
This is the parent
bye
PTRACE_EVENT_EXIT pid=20246, status=0x1900
[0x7f6fc61852e9]>

We set up a breakpoint on the child's function, but since we continue tracing the current PID we don't stop at that breakpoint.

Now, enabling this option:

$ r2 -d fork
Process with PID 20254 started...
= attach 20254 20254
bin.baddr 0x00400000
USING 400000
Assuming filepath /home/oscar/lab/r2/3549/fork
asm.bits 64
 -- radare2 is like windows 7 but even better.
[0x7f3e5c3f0190]> e dbg.follow.child=true
[0x7f3e5c3f0190]> e dbg.follow.child
true
[0x7f3e5c3f0190]> db sym.function_child
[0x7f3e5c3f0190]> dc
Selecting and continuing: 20254
PTRACE_EVENT_FORK new_pid=20255
This is the parent
bye
= attach 20255 20255
This is the child
hit breakpoint at: 400596
[0x00400596]> pd 4
            ;-- function_child:
            ;-- rip:
            0x00400596 b    55             push rbp
            0x00400597      4889e5         mov rbp, rsp
            0x0040059a      4883ec10       sub rsp, 0x10
            0x0040059e      bf94064000     mov edi, str.function_child ; "function_child" @ 0x400694
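The behaviour shown above (a PTRACE_EVENT_FORK stop, after which the debugger either switches to the new PID or keeps tracing the current one) as an added, stand-alone ptrace example in C. This is not radare2 code and not part of the pull request; the function names, the `follow_child` flag and the tracee's exit codes (2 for the forking parent, 3 for its child) are assumptions for this illustration, and it is Linux-specific.

```c
/* Added example, not radare2 code: a minimal ptrace tracer that applies the
 * dbg.follow.child policy at a fork event. Names and exit codes are assumed. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Decode a waitpid() status: is this the PTRACE_EVENT_FORK stop that r2
 * reports as "PTRACE_EVENT_FORK new_pid=..."? */
int is_fork_event(int status)
{
	return WIFSTOPPED(status) && WSTOPSIG(status) == SIGTRAP &&
	       (status >> 16) == PTRACE_EVENT_FORK;
}

/* The policy behind dbg.follow.child: true -> trace the child, false -> stay. */
pid_t pid_to_follow(int follow_child, pid_t parent, pid_t child)
{
	return follow_child ? child : parent;
}

/* Trace a process that forks once, apply pid_to_follow() at the fork event and
 * return the exit status of whichever process we ended up following
 * (assumed: parent exits 2, child exits 3). Returns -1 if tracing fails. */
int run_and_follow(int follow_child)
{
	pid_t tracee = fork();
	if (tracee < 0)
		return -1;
	if (tracee == 0) {
		/* tracee: ask to be traced, stop so the tracer can set options, then fork */
		if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
			_exit(127);
		raise(SIGSTOP);
		pid_t p = fork();
		_exit(p == 0 ? 3 : 2);
	}

	int status;
	if (waitpid(tracee, &status, 0) < 0 || !WIFSTOPPED(status))
		return -1;
	/* stop the tracee at fork() and auto-attach the new child (it starts in SIGSTOP) */
	if (ptrace(PTRACE_SETOPTIONS, tracee, NULL, (void *)(long)PTRACE_O_TRACEFORK) < 0)
		return -1;

	pid_t current = tracee, early_stop = 0;
	ptrace(PTRACE_CONT, current, NULL, NULL);
	for (;;) {
		pid_t w = waitpid(-1, &status, __WALL);
		if (w < 0)
			return -1;
		if (w != current) {
			/* the new child's initial SIGSTOP may be reported before the
			 * parent's fork event; remember it so we do not wait for it twice */
			if (WIFSTOPPED(status))
				early_stop = w;
			continue;
		}
		if (is_fork_event(status)) {
			unsigned long msg = 0;
			ptrace(PTRACE_GETEVENTMSG, current, NULL, &msg);
			pid_t child = (pid_t)msg;
			int cs;
			if (early_stop != child)
				waitpid(child, &cs, __WALL);	/* both are now in ptrace-stop */
			pid_t keep = pid_to_follow(follow_child, current, child);
			pid_t drop = (keep == child) ? current : child;
			ptrace(PTRACE_DETACH, drop, NULL, NULL);	/* let the other one run untraced */
			current = keep;
			ptrace(PTRACE_CONT, current, NULL, NULL);
			continue;
		}
		if (WIFEXITED(status))
			return WEXITSTATUS(status);
		if (WIFSIGNALED(status))
			return -1;
		/* any other stop: re-inject the signal, except the tracer's own SIGTRAPs */
		long sig = (WSTOPSIG(status) == SIGTRAP) ? 0 : WSTOPSIG(status);
		ptrace(PTRACE_CONT, current, NULL, (void *)sig);
	}
}

int main(void)
{
	printf("follow parent -> exit status %d\n", run_and_follow(0));
	printf("follow child  -> exit status %d\n", run_and_follow(1));
	return 0;
}
```

With `follow_child` set the tracer detaches from the forking parent and keeps the child, so the reported exit status is the child's; without it the child is detached and runs untraced, which is why a breakpoint inside the child is never hit in the first session above. The check on the child's initial SIGSTOP matters because the kernel may report that stop before or after the parent's fork event.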

@radare radare merged commit 286ca4d into radareorg:master Jan 17, 2017
@radare radare mentioned this pull request Jan 31, 2017
jduck (Contributor) commented Apr 29, 2017

How can you follow both the child and the parent after this change?
