rnicro 0.3.0

A Linux x86_64 debugger and exploit development toolkit written in Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241

//! Linux procfs utilities for inspecting tracee state.
//!
//! Corresponds to book Ch.4 (Pipes, procfs, and Automated Testing).
//!
//! Provides access to `/proc/[pid]/maps`, `/proc/[pid]/status`,
//! and other procfs entries useful for debugging.

use nix::unistd::Pid;
use std::path::PathBuf;

use crate::error::Result;
use crate::types::VirtAddr;

/// A single memory region from `/proc/[pid]/maps`.
#[derive(Debug, Clone)]
pub struct MemoryRegion {
    pub start: VirtAddr,
    pub end: VirtAddr,
    pub perms: Permissions,
    pub offset: u64,
    pub pathname: String,
}

/// Memory region permissions (rwxp/s).
#[derive(Debug, Clone, Copy)]
pub struct Permissions {
    pub read: bool,
    pub write: bool,
    pub execute: bool,
    pub private: bool,
}

impl std::fmt::Display for Permissions {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(
            f,
            "{}{}{}{}",
            if self.read { 'r' } else { '-' },
            if self.write { 'w' } else { '-' },
            if self.execute { 'x' } else { '-' },
            if self.private { 'p' } else { 's' },
        )
    }
}

/// Parse `/proc/[pid]/maps` into a list of memory regions.
pub fn read_memory_maps(pid: Pid) -> Result<Vec<MemoryRegion>> {
    let content = std::fs::read_to_string(format!("/proc/{}/maps", pid))?;
    Ok(parse_maps(&content))
}

/// Parse the contents of a maps file.
///
/// Separated from `read_memory_maps` for testability.
pub fn parse_maps(content: &str) -> Vec<MemoryRegion> {
    content.lines().filter_map(parse_map_line).collect()
}

fn parse_map_line(line: &str) -> Option<MemoryRegion> {
    // Format: 7f8a1000-7f8a2000 r-xp 00000000 08:01 12345  /lib/libc.so.6
    let mut parts = line.splitn(6, char::is_whitespace);

    let addr_range = parts.next()?;
    let perms_str = parts.next()?;
    let offset_str = parts.next()?;
    let _dev = parts.next()?;
    let _inode = parts.next()?;
    let pathname = parts.next().unwrap_or("").trim().to_string();

    let (start_str, end_str) = addr_range.split_once('-')?;
    let perms = perms_str.as_bytes();
    if perms.len() < 4 {
        return None;
    }

    Some(MemoryRegion {
        start: VirtAddr(u64::from_str_radix(start_str, 16).ok()?),
        end: VirtAddr(u64::from_str_radix(end_str, 16).ok()?),
        perms: Permissions {
            read: perms[0] == b'r',
            write: perms[1] == b'w',
            execute: perms[2] == b'x',
            private: perms[3] == b'p',
        },
        offset: u64::from_str_radix(offset_str, 16).ok()?,
        pathname,
    })
}

/// Get the executable path for a process via `/proc/[pid]/exe`.
pub fn get_exe_path(pid: Pid) -> Result<PathBuf> {
    let path = std::fs::read_link(format!("/proc/{}/exe", pid))?;
    Ok(path)
}

/// Find the base load address of a binary in the process's memory map.
///
/// For PIE executables, the actual load address differs from the
/// addresses in the ELF file. This function finds the first executable
/// mapping of the given binary to determine the load bias.
pub fn find_load_address(maps: &[MemoryRegion], binary_path: &str) -> Option<VirtAddr> {
    maps.iter()
        .find(|r| r.perms.execute && r.pathname.ends_with(binary_path))
        .map(|r| r.start)
}

/// Find which memory region contains a given address.
pub fn find_region_containing(maps: &[MemoryRegion], addr: VirtAddr) -> Option<&MemoryRegion> {
    maps.iter().find(|r| addr >= r.start && addr < r.end)
}

/// An entry from `/proc/[pid]/auxv` (the ELF auxiliary vector).
#[derive(Debug, Clone, Copy)]
pub struct AuxvEntry {
    pub key: u64,
    pub value: u64,
}

// Well-known AT_* constants.
pub const AT_PHDR: u64 = 3;
pub const AT_PHENT: u64 = 4;
pub const AT_PHNUM: u64 = 5;

/// Read the ELF auxiliary vector from `/proc/[pid]/auxv`.
///
/// Returns a list of (type, value) pairs. Useful for finding
/// AT_PHDR, AT_PHNUM, etc. to locate program headers at runtime.
pub fn read_auxv(pid: Pid) -> Result<Vec<AuxvEntry>> {
    let data = std::fs::read(format!("/proc/{}/auxv", pid))?;
    let mut entries = Vec::new();
    for chunk in data.chunks(16) {
        if chunk.len() < 16 {
            break;
        }
        let key = u64::from_le_bytes(chunk[0..8].try_into().unwrap());
        let value = u64::from_le_bytes(chunk[8..16].try_into().unwrap());
        if key == 0 {
            break; // AT_NULL
        }
        entries.push(AuxvEntry { key, value });
    }
    Ok(entries)
}

/// Look up a specific entry in the auxiliary vector.
pub fn auxv_lookup(entries: &[AuxvEntry], key: u64) -> Option<u64> {
    entries.iter().find(|e| e.key == key).map(|e| e.value)
}

#[cfg(test)]
mod tests {
    use super::*;

    const SAMPLE_MAPS: &str = "\
564756400000-564756401000 r--p 00000000 08:01 1234567  /usr/bin/hello
564756401000-564756402000 r-xp 00001000 08:01 1234567  /usr/bin/hello
564756402000-564756403000 r--p 00002000 08:01 1234567  /usr/bin/hello
564756403000-564756404000 r--p 00002000 08:01 1234567  /usr/bin/hello
564756404000-564756405000 rw-p 00003000 08:01 1234567  /usr/bin/hello
7f8a12000000-7f8a12022000 r--p 00000000 08:01 2345678  /usr/lib/x86_64-linux-gnu/libc.so.6
7f8a12022000-7f8a121b7000 r-xp 00022000 08:01 2345678  /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd5e371000-7ffd5e392000 rw-p 00000000 00:00 0        [stack]
7ffd5e3f2000-7ffd5e3f6000 r--p 00000000 00:00 0        [vvar]
7ffd5e3f6000-7ffd5e3f8000 r-xp 00000000 00:00 0        [vdso]";

    #[test]
    fn parse_maps_basic() {
        let regions = parse_maps(SAMPLE_MAPS);
        assert_eq!(regions.len(), 10);
    }

    #[test]
    fn parse_maps_addresses() {
        let regions = parse_maps(SAMPLE_MAPS);
        assert_eq!(regions[0].start, VirtAddr(0x564756400000));
        assert_eq!(regions[0].end, VirtAddr(0x564756401000));
    }

    #[test]
    fn parse_maps_permissions() {
        let regions = parse_maps(SAMPLE_MAPS);
        // r--p
        assert!(regions[0].perms.read);
        assert!(!regions[0].perms.write);
        assert!(!regions[0].perms.execute);
        assert!(regions[0].perms.private);
        // r-xp
        assert!(regions[1].perms.execute);
        // rw-p
        assert!(regions[4].perms.write);
        assert!(!regions[4].perms.execute);
    }

    #[test]
    fn parse_maps_pathnames() {
        let regions = parse_maps(SAMPLE_MAPS);
        assert_eq!(regions[0].pathname, "/usr/bin/hello");
        assert_eq!(regions[8].pathname, "[vvar]");
        assert_eq!(regions[7].pathname, "[stack]");
    }

    #[test]
    fn find_load_address_works() {
        let regions = parse_maps(SAMPLE_MAPS);
        let addr = find_load_address(&regions, "/usr/bin/hello");
        // First executable mapping of hello
        assert_eq!(addr, Some(VirtAddr(0x564756401000)));
    }

    #[test]
    fn find_load_address_not_found() {
        let regions = parse_maps(SAMPLE_MAPS);
        assert_eq!(find_load_address(&regions, "/nonexistent"), None);
    }

    #[test]
    fn find_region_containing_works() {
        let regions = parse_maps(SAMPLE_MAPS);
        let region = find_region_containing(&regions, VirtAddr(0x564756401500));
        assert!(region.is_some());
        assert_eq!(region.unwrap().pathname, "/usr/bin/hello");
        assert!(region.unwrap().perms.execute);
    }

    #[test]
    fn find_region_containing_none() {
        let regions = parse_maps(SAMPLE_MAPS);
        assert!(find_region_containing(&regions, VirtAddr(0x1000)).is_none());
    }

    #[test]
    fn permissions_display() {
        let perms = Permissions {
            read: true,
            write: false,
            execute: true,
            private: true,
        };
        assert_eq!(format!("{}", perms), "r-xp");
    }
}