coreminer 0.5.2

A debugger which can be used to debug programs that do not want to be debugged
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207

//! # SIGTRAP Guard Plugin
//!
//! A plugin that prevents detection of the debugger by programs that use
//! `SIGTRAP` signals and register a signal handler for them for anti-debugging techniques.
//!
//! ## Overview
//!
//! Some programs implement anti-debugging techniques by inserting `int3` instructions
//! (which generate SIGTRAP signals) into their own code and registering signal handlers
//! for them. They can then detect if they're being debugged by checking if their signal
//! handler was called - if it wasn't, a debugger likely intercepted the signal.
//!
//! This plugin detects whether a SIGTRAP signal was generated by a debugger breakpoint
//! or by the debuggee itself. If the signal originated from the debuggee, the plugin
//! forwards the signal to the debuggee's own signal handler, making the debugger
//! transparent to these detection techniques.
//!
//! ## How It Works
//!
//! When a `SIGTRAP` is received, the plugin:
//! 1. Checks if there's a breakpoint at the current instruction pointer
//! 2. If there is a breakpoint, lets the debugger handle it normally
//! 3. If there isn't a breakpoint, forwards the `SIGTRAP` to the debuggee
//!
//! ## Examples
//!
//! The plugin is automatically loaded and enabled by the default plugin manager:
//!
//! ```no_run
//! use coreminer::plugins::default_plugin_manager;
//!
//! // Create a plugin manager with the SIGTRAP guard enabled
//! let plugin_manager = default_plugin_manager();
//! ```
//!
//! For a program using anti-debugging techniques:
//!
//! ```c
//! #include <signal.h>
//! #include <stdio.h>
//! #include <unistd.h>
//!
//! static int g_sigterm_selftrigger = 0;
//!
//! void handle_sigtrap(int signum) {
//!   if (signum == SIGTRAP) {
//!     g_sigterm_selftrigger++;
//!   }
//! }
//!
//! int main(int argc, char **argv) {
//!
//!   signal(SIGTRAP, handle_sigtrap);
//!
//!   __asm__("int3;");
//!
//!   if (g_sigterm_selftrigger != 1) {
//!     fprintf(stderr, "NONONO EVIL DEBUGGER DETECTED\n");
//!     return 1;
//!   } else {
//!     printf("OK :) No evil debugger.\n");
//!   }
//! }
//! ```
//!
//! (See `examples/sigtrap_self.c`)
//!
//! With the SIGTRAP guard plugin enabled, the debuggee's handler will be called
//! and the anti-debugging check will be bypassed.

use nix::sys::signal::Signal::SIGTRAP;
use steckrs::simple_plugin;
use tracing::{info, trace, warn};

use crate::addr::Addr;
use crate::breakpoint::Breakpoint;
use crate::feedback::{Feedback, Status};

use super::extension_points::{EPreSigtrap, EPreSigtrapF};

simple_plugin!(
    /// This plugin detects if a `SIGTRAP` comes from the debugger or the debuggee.
    ///
    /// The plugin distinguishes between `SIGTRAP` signals that are generated by debugger
    /// breakpoints (which should be handled by the debugger) and `SIGTRAP`s that
    /// are generated by the debuggee itself (which should be forwarded to the
    /// debuggee's signal handler).
    ///
    /// This functionality prevents the detection of the debugger by programs that
    /// insert `int3` instructions into their own code, register a signal handler,
    /// and check if their handler was executed. By forwarding legitimate `SIGTRAP`s
    /// to the debuggee, the debugger becomes transparent to these detection mechanisms.
    SigtrapGuardPlugin,
    "sigtrap_guard",
    "Handles programs that use int3 on their own and register their own signal handler for SIGTRAP",
    hooks: [(EPreSigtrap, SigtrapInjectionGuard::default())]
);

/// The hook implementation of the `SIGTRAP` guard extension point
///
/// This hook tracks the instruction pointer and determines whether a `SIGTRAP`
/// was generated by a debugger breakpoint or by the debuggee itself.
///
/// # Fields
///
/// * `rip` - The current instruction pointer address, cached to avoid repeated lookups
/// * `bp` - The breakpoint at the current instruction pointer, if any
#[derive(Default)]
struct SigtrapInjectionGuard {
    /// Cached instruction pointer address
    rip: Option<Addr>,
    /// Breakpoint at the current instruction pointer, if any
    ///
    /// This is a nested Option because we need to distinguish between:
    /// - `None`: We haven't checked for a breakpoint yet
    /// - `Some(None)`: We checked and there is no breakpoint
    /// - `Some(Some(bp))`: We checked and found a breakpoint
    #[allow(clippy::option_option)]
    bp: Option<Option<Breakpoint>>,
}

impl EPreSigtrapF for SigtrapInjectionGuard {
    /// Processes a SIGTRAP signal to determine its origin and whether it should be forwarded
    ///
    /// This function is repeatedly called by the debugger when a SIGTRAP signal is received. It
    /// determines whether the signal was generated by a debugger breakpoint or by the
    /// debuggee itself, and returns an appropriate status to the debugger.
    ///
    /// # Parameters
    ///
    /// * `feedback` - Current feedback from the debugger
    /// * `siginfo` - Signal information structure from the operating system
    /// * `sig` - The signal type that was received
    ///
    /// # Returns
    ///
    /// A tuple containing:
    /// * The next status for the debugger
    /// * A boolean indicating whether to return early from signal handling
    ///
    /// # Errors
    ///
    /// This function will return any errors propagated from the debugger operations.
    ///
    /// # State Machine
    ///
    /// This function implements a small state machine:
    /// 1. If not a SIGTRAP, return immediately
    /// 2. If we don't have the instruction pointer, request it with `Status::DumpRegisters`
    /// 3. If we don't have breakpoint information, request it with `Status::GetBreakpoint`
    /// 4. If a breakpoint exists at the location, let the debugger handle it normally
    /// 5. If no breakpoint exists, forward the signal to the debuggee
    fn pre_handle_sigtrap(
        &mut self,
        feedback: &crate::feedback::Feedback,
        siginfo: &nix::libc::siginfo_t,
        sig: &nix::sys::signal::Signal,
    ) -> crate::errors::Result<(crate::feedback::Status, bool)> {
        if *sig != SIGTRAP {
            return Ok((Status::PluginContinue, false));
        }

        let rip = match (feedback, self.rip) {
            (_, Some(addr)) => {
                trace!("using stored rip");
                addr
            }
            (crate::feedback::Feedback::Registers(regs), None) => {
                self.rip = Some(regs.rip.into());
                self.rip.unwrap()
            }
            (_, _) => return Ok((Status::DumpRegisters, false)),
        };

        let maybe_bp: Option<&Breakpoint> = match (feedback, &self.bp) {
            (_, Some(bp)) => {
                trace!("using stored bp");
                bp.as_ref()
            }
            (crate::feedback::Feedback::Breakpoint(bp), None) => {
                self.bp = Some(bp.clone());
                bp.as_ref()
            }
            _ => {
                return Ok((
                    Status::GetBreakpoint(
                        rip - 1, /* need to check the addr that was last executed, not the one that would get executed next */
                    ),
                    false,
                ));
            }
        };

        if let Some(bp) = maybe_bp {
            info!("It's just a regular breakpoint: {bp:?}");
            Ok((Status::PluginContinue, false))
        } else if matches!(feedback, Feedback::Ok) {
            // we're done
            Ok((Status::PluginContinue, true))
        } else {
            warn!("The debugger stopped with SIGTRAP, but there is no breakpoint there!");
            warn!("This is likely a self inserted interrupt by the debuggee program!");
            warn!("Forwarding the SIGTRAP to the debuggee");
            Ok((Status::SetLastSignal(siginfo.si_signo), false))
        }
    }
}