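// Hide this debugger from the debuggee by patching the in-memory bookkeeping
// that debugger-detection checks commonly read: the PEB's BeingDebugged byte
// (PEB+0x02), the NtGlobalFlag byte at PEB+0x68, and two flag words of the
// default heap reached via PEB+0x18 (heap+0x0c and heap+0x10). The PEB address
// is taken from the initial thread's TIB at TIB+0x30. All offsets used here
// are the 32-bit Windows layout.
// Returns false if the initial thread or its TIB is unavailable, if the
// target's address width does not fit the 4-byte PEB pointer used here, or if
// any read/write into the debuggee fails.
bool PCProcess::hideDebugger() {
    Dyninst::ProcControlAPI::Thread::const_ptr initialThread =
        pcProc_->threads().getInitialThread();
    if (!initialThread) return false;

    const Address tibPtr = initialThread->getThreadInfoBlockAddr();
    if (!tibPtr) return false;

    // The PEB pointer is read using the target's address width into a 4-byte
    // local; a wider target would overrun that local on the stack, and the
    // offsets below only hold for the 32-bit layout anyway, so refuse instead.
    const unsigned int addrWidth = getAddressWidth();
    unsigned int pebPtr = 0;
    if (addrWidth > sizeof(pebPtr)) {
        fprintf(stderr, "%s[%d] hideDebugger: address width %u does not fit "
                "the 4-byte PEB pointer (32-bit layout only)\n",
                FILE__, __LINE__, addrWidth);
        return false;
    }
    if (!readDataSpace((void*)(tibPtr + 48), addrWidth, (void*)&pebPtr, false)) {
        // Address may be wider than int; print it as unsigned long so the
        // conversion matches the argument.
        fprintf(stderr, "%s[%d] Failed to read address of Process Environment "
                "Block at 0x%lx, which is TIB + 0x30\n",
                FILE__, __LINE__, (unsigned long)(tibPtr + 48));
        return false;
    }

    // BeingDebugged: only write back when it is actually set.
    unsigned char flag = 0;
    if (!readDataSpace((void*)(pebPtr + 2), 1, (void*)&flag, true)) return false;
    if (flag) {
        flag = 0;
        if (!writeDataSpace((void*)(pebPtr + 2), 1, (void*)&flag)) return false;
    }

    // NtGlobalFlag: keep everything except bits 0x10/0x20/0x40 (mask 0x8f),
    // typically the heap-checking flags a process started under a debugger gets.
    if (!readDataSpace((void*)(pebPtr + 0x68), 1, (void*)&flag, true)) return false;
    if (flag) {
        flag = flag & 0x8f;
        if (!writeDataSpace((void*)(pebPtr + 0x68), 1, (void*)&flag)) return false;
    }

    // Default process heap (PEB+0x18), then clear the debug-related bits in its
    // two flag words; the masks are kept exactly as in the original code.
    unsigned int heapBase = 0;
    unsigned int flagWord = 0;
    if (!readDataSpace((void*)(pebPtr + 0x18), 4, (void*)&heapBase, true)) return false;
    if (!readDataSpace((void*)(heapBase + 0x0c), 4, (void*)&flagWord, true)) return false;
    flagWord = flagWord & (~0x50000062);
    if (!writeDataSpace((void*)(heapBase + 0x0c), 4, (void*)&flagWord)) return false;
    if (!readDataSpace((void*)(heapBase + 0x10), 4, (void*)&flagWord, true)) return false;
    flagWord = flagWord & (~0x40000060);
    if (!writeDataSpace((void*)(heapBase + 0x10), 4, (void*)&flagWord)) return false;

    return true;
}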
/* Release one reference on a trapped system call. While other references
 * remain nothing else happens; on the last release the 16 saved instruction
 * bytes are written back to syscall_id, the entry is dropped from
 * syscallTraps_ and the object is freed.
 * Returns false only when the restoring write fails (note the refcount has
 * already been decremented at that point and the entry is left in place). */
bool process::clearSyscallTrapInternal(syscallTrap *trappedSyscall) {
    assert(trappedSyscall->refcount > 0);
    --trappedSyscall->refcount;
    if (trappedSyscall->refcount > 0) {
        bperr("Syscall still has refcount %d\n", trappedSyscall->refcount);
        return true;
    }

    bperr("Removing trapped syscall at 0x%lx\n", trappedSyscall->syscall_id);
    if (!writeDataSpace((void *)trappedSyscall->syscall_id, 16,
                        trappedSyscall->saved_insn))
        return false;

    // Rebuild the trap list without this entry (order of the others is kept).
    pdvector<syscallTrap *> remaining;
    const unsigned count = syscallTraps_.size();
    for (unsigned i = 0; i < count; ++i) {
        syscallTrap *entry = syscallTraps_[i];
        if (entry != trappedSyscall) remaining.push_back(entry);
    }
    syscallTraps_ = remaining;

    delete trappedSyscall;
    return true;
}
/* Serialize one Task to outputFile in this fixed order: the dependsOnMe id
 * list (read under dependsOnMeMutex), the myDeps id list, the children hash,
 * the id / endedTasks / metaSize numbers, the raw metadata bytes, the task
 * state and finally the task's data space. Only dependsOnMe is locked here.
 * Returns 1 on reaching the end. */
int writeTask(FILE *outputFile, void *task) {
    Task *t = (Task *)task;

    pthread_mutex_lock(&dependsOnMeMutex);
    writeTaskIdList(outputFile, (void *)t->dependsOnMe);
    pthread_mutex_unlock(&dependsOnMeMutex);

    writeTaskIdList(outputFile, t->myDeps);

    HashIntVoid *kids = t->children;
    hashIntVoidSerialize(outputFile, kids);

    int taskId = getTaskId(t);
    WRITE_NUM(outputFile, "id", taskId);

    int ended = getTaskEndedTasks(t);
    WRITE_NUM(outputFile, "endedTasks", ended);

    // metaSize is written first so a reader knows how many metadata bytes follow.
    int metaBytes = getTaskMetasize(t);
    WRITE_NUM(outputFile, "metaSize", metaBytes);
    WRITE_BYTES(outputFile, getTaskMetadata(t), metaBytes);

    int state = getTaskState(t);
    WRITE_NUM(outputFile, "taskState", state);

    writeDataSpace(outputFile, getTaskDataSpace(task));
    return 1;
}