Changing the EAX register with Python

Stefan Sonnenberg-Carstens stefan.sonnenberg at pythonmeister.com
Thu Nov 18 17:24:10 EST 2010 

Am 18.11.2010 21:20, schrieb dutche:
> Hi folks, I have a unusual question here.
>
> How can I change the value of EAX register under python under Linux??
> As paimei does under Windows.
>
> My project is to have a python program that loads a C program and sets
> a breakpoint at some address, and then with this breakpoint I change
> the EAX register and then continue the program execution.
>
> With Windows and paimei I did that, but under Linux I don't know yet.
>
> Any ideas?
>
> Thank you
You asked for it:

from ctypes import *
import time
import os
cdll.LoadLibrary('libc.so.6')
libc = CDLL('libc.so.6')

PTRACE_TRACEME = 0
PTRACE_GETREGS = 12
PTRACE_SETREGS = 13
PTRACE_SYSCALL = 24

SYS_WRITE =  4
SYS_IOCTL = 54

class user_regs_struct(Structure):
     _fields_ = [
         ('ebx',c_ulong),
         ('ecx',c_ulong),
         ('edx',c_ulong),
         ('esi',c_ulong),
         ('edi',c_ulong),
         ('ebp',c_ulong),
         ('eax',c_ulong),
         ('xds',c_ulong),
         ('xes',c_ulong),
         ('xfs',c_ulong),
         ('xgs',c_ulong),
         ('orig_eax',c_ulong),
         ('eip',c_ulong),
         ('xcs',c_ulong),
         ('eflags',c_ulong),
         ('esp',c_ulong),
         ('xss',c_ulong),
         ]

child = os.fork()
if child == 0:
     libc.ptrace(PTRACE_TRACEME,0,None,None)
     os.execl('/bin/ls','ls')
else:
     while True:
         pid,status = os.wait()
         if status != 0:
             reg = pointer(user_regs_struct())
             libc.ptrace(PTRACE_GETREGS,pid,None,reg)
             if reg.contents.orig_eax == SYS_IOCTL:
                 print 'IOCTL ebx,ecx = 0x%0x,0x%0x' % 
(reg.contents.ebx,reg.contents.ecx)
                 # replace IOCTL with SYS_WRITE
                 reg.contents.orig_eax = SYS_WRITE
                 libc.ptrace(PTRACE_SETREGS,pid,None,reg)
             libc.ptrace(PTRACE_SYSCALL,pid,None,None)
         else:
             os._exit(0)


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: debug.py
URL: <http://mail.python.org/pipermail/python-list/attachments/20101118/d1ee6501/attachment-0001.ksh>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stefan_sonnenberg.vcf
Type: text/x-vcard
Size: 223 bytes
Desc: not available
URL: <http://mail.python.org/pipermail/python-list/attachments/20101118/d1ee6501/attachment-0001.vcf>

More information about the Python-list mailing list