Slide 1

Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.
A debugger from scratch
Liz Rice @lizrice

Slide 2

ptrace

The ptrace() system call provides a means by which one process (the "tracer") may observe and control the execution of another process (the "tracee"), and examine and change the tracee's memory and registers. It is primarily used to implement breakpoint debugging and system call tracing.

Slide 3

ptrace

Slide 4

Source code:

    func f3() int {
        var j int
        j = 0x44444444
        return i + j
    }

Machine code:

    MOVQ BP, 0x8(SP)
    LEAQ 0x8(SP), BP
    MOVQ $0x0, 0x20(SP)
    MOVQ $0x0, 0(SP)
    MOVQ $0x44444444, 0(SP)
    MOVQ 0x18(SP), AX
    ADDQ $0x44444444, AX
    MOVQ AX, 0x20(SP)
    MOVQ 0x8(SP), BP
    ADDQ $0x10, SP
    SUBQ $0x10, SP
    JMP main.f2(SB)

Slide 5

(Diagram: the same machine code listing as slide 4, with the CPU Registers shown alongside and the Program Counter pointing into the listing.)

Slide 6

(Diagram: the same machine code listing with CPU Registers and Program Counter; the instruction MOVQ $0x44444444, 0(SP) no longer appears, and a 0xCC byte is shown in the listing in its place.)

Slide 7

(Diagram: the machine code listing with the 0xCC byte in place of MOVQ $0x44444444, 0(SP), shown next to the source code of f3.)

Source code:

    func f3() int {
        var j int
        j = 0x44444444
        return i + j
    }
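
The mechanism behind slides 5 to 7, as an added example (not code from these slides or from the debugger-from-scratch repository): a tracer forks a child, patches the first byte of a function with 0xCC (int3), catches the SIGTRAP, observes that the program counter now sits one byte past the patched location, restores the original byte and rewinds the program counter. The function f3 here is a hypothetical C stand-in for the slides' Go f3; it assumes Linux on x86-64 and that ptrace of a child process is permitted.

```c
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Tracee-side function to break on (hypothetical stand-in for the slides' f3). */
static __attribute__((noinline)) int f3(int i) {
    volatile int j = 0x44;
    return i + j;
}

/* Fork a traced child, plant an int3 on f3, handle the trap, and return the child's
   exit status (69 = 1 + 0x44) or -1 on any failure. Assumes Linux/x86-64. */
int run_breakpoint_demo(void) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                    /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(1);
        raise(SIGSTOP);                                /* hand control to the tracer */
        int (*volatile fp)(int) = f3;                  /* indirect call: no constprop clone */
        _exit(fp(1) & 0xff);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    uintptr_t addr = (uintptr_t)f3;                    /* same address: fork without exec */
    errno = 0;
    long orig = ptrace(PTRACE_PEEKTEXT, pid, (void *)addr, NULL);
    if (errno) return -1;
    long patched = (orig & ~0xffL) | 0xcc;             /* first byte becomes int3 */
    if (ptrace(PTRACE_POKETEXT, pid, (void *)addr, (void *)patched) < 0) return -1;
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) < 0) return -1;
    /* The tracee stops with SIGTRAP as soon as it executes the 0xCC byte. */
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP)
        return -1;
    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) return -1;
    if (regs.rip != addr + 1) return -1;               /* PC is one byte past the int3 */
    /* Restore the original instruction and rewind the PC so it executes for real. */
    if (ptrace(PTRACE_POKETEXT, pid, (void *)addr, (void *)orig) < 0) return -1;
    regs.rip = addr;
    if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) < 0) return -1;
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) < 0) return -1;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

Without the restore-and-rewind step the tracee would resume in the middle of the original instruction's bytes, which is why a real debugger must put the byte back before continuing.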

Slide 8

(Diagram: the Call Stack and CPU Registers.)

CPU Registers: Base Pointer, Stack Pointer, Program Counter.

Call Stack, current frame (Base Pointer and Stack Pointer point into it):
    address to return to
    parameters & return values
    local variables

Previous stack frame:
    address to return to
    parameters & return values

Slide 9

github.com/lizrice/debugger-from-scratch

with thanks to @mlowicki & @philpearl