PDA

View Full Version : Linux debugger


LaptoniC
May 5th, 2006, 06:41
Hi,
I am very newbie when it comes to linux RCE.I need to debug linux binaries.I need your help to get it started.First of all what linux distro is debugger friendly.I think to install ubuntu.I have tried to download knoppix|Re but couldn't found the download link at http://woodmann.com/knoppix-re/index.php?Download Second what debugger is more userfriendly(ollydbg style gui etc) and easy to install.I never used IDA in linux envrionment but I guess it has linux debugger too.I have read 0xf001's page and there are several debuggers so if you can help I will appreciate.Thanks.

0xf001
May 5th, 2006, 09:31
hi,

you have given the answer to yourself a bit. the quick answer would be
to use linice, it is a softice clone. so i guess you want to get some personal opinions

distro: any. they are "all the same" and not , tools run everywhere i mean. the command to get them varies (apt-get / rpm / urpmi ....).
oh when you use linice, make sure your X-server is xf86, it doesn't work with x.org

I would encourage you to play around with linux, read the "linux on the half elf" and some introductional work which i listed on the homepage.

my personal "favorite" is gdb though, as its everywhere. kernel debugging is less often required from a "cracking" point of view. and if it is .....

what i want to tell you is to not directly compare gnu/linux with windows, or to expect too similar tools. this is probably the most difficult part. and very hard to describe for me.

the whole approach under linux is somehow all a bit different. the whole situation is different. a lot of things you "need" in win, you "don't need it"
in linux, as you have a broader range of generic tools available.
explore the proc filesystem for example.
ls /proc/processnumber/
should give you a lot of info like the memory ranges it uses etc

all i have cr*cked so far (for linux/UN*X) - and that were also really _not_ trivial stuff, i did
with gdb, IDA (freeware, disassembler), and self written stuff.
in linux you will see, and hopefully soon be able to utilize its developer
friendlyness. i hope. that makes many tools obsolete.
most basic tasks you can do w/o any tool and code some lines of C or perl
or ... yes C and perl are available on win, too - but still it takes far less
time to quickly test a little prog/script on linux, as it is all abt development
there. windows not per default, and .... well .... its a different world.

i see i can not express myself as i want to make my points clear and understandable - so i post a follow up l8er when i have more time

regards, 0xf001

blabberer
May 5th, 2006, 12:01
linux debuggers ;-}

well at the moment there is no debugger that would fit in ollydbgs class

top of the class but pain in the ass debugger (if you want to use it for reverse engineering ie debugging source less binaries) is GDB the great
it really rocks for source level debugging but would ultimately kill you
if you want to do x/x *(long *)$esp+0x28

i am not counting those innumerable half baked front end gui implementations
for gdb (insight and thier gang ) i keep a pretty long distance from them

you can check out ald (assembly level debugger neat slim but misses lot of nifty features)

teddybear (slang based tui again incomplete and possibly discontinued)

cgdb by bobby brasko again source level but seems it is being developed
there is a latest realese dated this month

e2dbg (from elfsh package) non ptrace implementation but its beta

PizzaPan
May 5th, 2006, 12:13
i started with debugging on linux a few days ago also after reading the information in this section it was pretty easy to get started.

I choose to use gdb with the ddd GUI, i am getting quite used to it the main problem with transition is getting used to all the commands especially when you are addicted to ollydbg, which i am.

Thanks for the work here 0xf001 and the rest of the people that helped

0xf001
May 5th, 2006, 12:31
heya,

I agree with all of you

I also hate the gui frontends for gdb, i did not find 1 yet to which i like to stick to. ddd is "ok" i agree. a bit i disagree with you blabberer, but also agree at the same time - see:

its true that gdb on the commandline for sourceless binaries looks scary and also is scary. on the other side - when using mammon_'s gdbinit script that makes it a hell lot easier! *recommend*

PizzaPan - for your feedback I am ultimately happy when my "efforts" actually help some people!

i can't really say 100% its a pitty there is no ollydbg for linux, but I also would probably be the 1st user of it
I mean it makes you more familar with the OS and low level concepts, and makes you creative if you have to use ie gdb. ok this might not be seen as an advantage haha

i am glad linice was started. i am honest and tell either it works or you have
troubles getting it running.

i am thinking of writing a gui usermode debugger in the future, but i think i won't have the time for it ;( (or somebody puts money on my account for it haha). maybe we organize a small team for it .... i think it would be worth it somehow.

back to the topic - suse is doing sthg on that subject i read some time ago.
http://forge.novell.com/modules/xfmod/project/?nlkd, but i dont know why
they call the debugger via

left shift + right shift + left alt + esc ????

regards, 0xf001

naides
May 5th, 2006, 15:22
1. what are the major hurdles to make/port an ollydbg clone into Linux? (appart from lack of motivation).
What would it take to do it?

Olly sources are available, and the inner working of Linux is not kept secret.

My question is out of sheer ignorance, and wishful thinking,
that should be understood. . .


2. What motivated Oleg to make Olly???

0xf001
May 5th, 2006, 15:38
naides,

good point!

ad 1.) personally I would not like to try to port a debugger. If then I personally would write it specifically for gnu+linux. the major hurdle probably is time - or money as you want to see it imho.

"Olly sources are available, and the inner working of Linux is not kept secret."

true. i think olly sources won't give too much reusable code, but of course its good to have them available.


ad 2) i think a similar situation as we face here :]

let's see how much time will be "free", i have allready too much to do with review (no, its not too much, its too little free time). i am also thinking of putting a debugger engine into it. however i think dedicated debugger project would be better.

i also ask "stupid" - would there be sbdy who likes to work on it? i think a group of max 1-5 poeple would be good. i don't want to raise hopes now, too - but what do you say?

regards, 0xf001

LaptoniC
May 5th, 2006, 17:17
I appreciate all the answers.I will debug binaries without source code.It doesn't have any gui code in it, just console binary.I will run the binary via debugger bpx on some code and trace it to understand what it is doing.I hope gdb and ddd GUI works for me.I will try it.Thanks again.

0xf001
May 5th, 2006, 17:43
LaptoniC,

yeah go ahead that should work. you can also try mammon_s gdbinit script (just put in your homedir as .gdbinit) to have a kind of softice looknfeel. at least this is how i do the most
debugging.

if in doubt ... just ask!

regards, 0xf001

blabberer
May 6th, 2006, 10:04
oleh was probably motivated by TD the borland turbodebugger
ollydbg interface wise is almost identical to TD including all those nifty right click context menus

as to port to linux

assuming we want to port it to console mode all those text user intefaces ncurses,slang,newt are well ill equipped to handle
try programming with ncurses some simple say a messagebox
you will see how much time and effort it takes
you will have to assemble code to make a button
you will have to assemble code to make text
you will have to assemble code for the infinite loop
you will have to assemble code for the window behind it
you will have to assemble code to every bullcrap that it takes
no simple api MessageBox(whatever);

and apart from this you can be sure as hell that the terminfo tty whtatever
on different distros,packages,versions,vendors, clans, gangs, brigades,
will be absolutely different and you can be sure that some thing that works on your comp wont be working on other comps its a circus out there

and the real x guis like gtk ,qt, wxwidgets,gimp etc arent normally
available every where

apart from that the basic apis (lets say the equivalent of debugging apis)
ptrace too is apparently a pain to work with

and you can be sure that if you have some trouble you would get the stock answer saying hey its free source implement the functionality
or post a bug in some bugtraq that no one would care about
or worse still some guy would start another halfbaked project
implement only this functionality
with his source full of comments like
/* oh this is easy to implement just have to use blah.c from foo pakage */
and open a source forge project with some queer screen shots
no documentation and unreadable source
and thats the end of it

its free source you take it and implement .
why are you bugging me with bug reports

0xf001
May 6th, 2006, 10:58
hi blabberer,

i see some aspects a bit different, overall in your message i read frustration a bit, or?
in general i agree a lot with your post. though some statements, when bringing back
to the topic as i see it, i'd answer this:

a bit unimportant but when you say it like this then oleh was probably inspired by TD, not motivated by it, or? simple word picking, i know i'd assume he was motivated by the
lack of a good usermode debugger? well.... does it matter at all what he thought?

console mode - well .... ollydgb is not console mode - and a gui has its advantages.
now i must disclaim that i say this as a gnu+linux guy and mean it. back to context,
my imagination of an ollydbg clone would not be in text mode.
i don't know what you want to say with your list about how much code is to assemble? coding a textmode gui is fairly easy.
even if you need assembly - what i doubt, whats the issue with it?
please don't forget we talk abt a user mode debugger here, so we avoid a lot of problems.
also ie with dialog you make a messagebox by calling 1 function.

regarding the terminfo - i agree there are differences, but again - i ignore this, since at least
I am talking about a gui debugger - ie with qt or gtk (no, i know i wouldn't go with gtk for technical reasons). else it would be a poor clone, as not everywhere you'd find textmodes with a reasonable text resolution - though 1024x768 is assumed by me as a standard. ok 800x600 probably, too - but when doing a project right now, i would like to orientate on the future, not the stone age (text mode) hehe
ok the whole point again i don't talk abt text mode.

now you might want to say: but i have a server and it has no x gui and ......
2 opinions to that: still i dont care abt it, since the xlibs are installed in a second, no you dont even need a gfx card to have a gfx session over the network and ... blah
it might not be an option for servers to install there xlibs. still i don't care, the factor gui to me personally
brings too many advantages. in a next step or in parallel sbdy can code a text gui, no big deal.

the ptrace() intertface imho is not difficult. more the opposite, its fairly easy to use. what
i don't like abt it, is - to quote mammon_:
Quote:
The ptrace(1) interface is unreliable, easy to fool and insecure to boot. Friends don't let friends use ptrace(1).


so i would code an own solution. and again - no i am not afraid to code anything, and am not shy abt efforts. and i don't see it as disadvantage to have to code new code.
as you say below with reusing code there sometimes are more problems than writing it yourself. its my general approach.

you say "and the real x guis like gtk ,qt, wxwidgets,gimp etc arent normally available every where "
well ... imho they are available everywhere. available. installed probably not
btw gtk is the one used by gimp and gnome, qt by kde ...
wxwidgets - please all opinions are my personal: just sucks
the only state of the art gui toolkit is qt. i'd go for it. personally.

Quote:
and you can be sure that if you have some trouble you would get the stock answer saying hey its free source implement the functionality
or post a bug in some bugtraq that no one would care about
or worse still some guy would start another halfbaked project
implement only this functionality
with his source full of comments like
/* oh this is easy to implement just have to use blah.c from foo pakage */
and open a source forge project with some queer screen shots
no documentation and unreadable source
and thats the end of it

i think i know what you want to say. and i read your frustration i agree a lot there are some aspects in the community (_the community_ ? i think there is more than 1), that
lead to shit.
i've done it myself, half baked, not completed project, no documentation, simply let it die.
it happened i think to a lot of ppl. even mammon's dude for example. almost libdisasm, too not to speak from the bastard. now think why?

not because we are morons. think that it takes quite some time to do a project like this. even if you have free time, there always happen things in real life and time gets short.
you are under permanent time pressure, ppl want to see sthg, want to have updates and blah.
so the standard situation is: 1 coder, 1000000 people requesting. also nobody joins a project, almost nobody gives reasonable feedback, its more frustrating from the coder side - believe me.
all ppl are the greatest coders and blaaah, but when it comes to free software projects (yes, not opensource haha) then they can only point their fingers and say:

look this is undocumented, look at this, this i could code far better .... you get it.
they forget abt the circumstances. in my job i code robust with all kinds of standards, which
i set to myself. free software - well ... i want to get sthg _done_, and i know nobody will
code a single line in my project - so i skip documentation. sbdy who could contribute
understands my code i am sure. period. when its all working as i want i lean back and
start proper commenting and documenting. if i want. yes thats my right, and i do as much
of it as much time i have.

that as an insight from the coders perspective. so in general i would complain that people have the mentality of wanting all, but giving nothing. and this is i think the problem.
or you say - its time. or money. as you like. if sbdy would pay me i'd code 24h a day on
opensource projects with a different code quality. i'd love that even haha.
now i have maybe 1-2 hours a day, if at all.

regards, 0xf001

blabberer
May 6th, 2006, 11:37
aha its not frusturation its the fact
well i wont like to have a console mode user interface too

assemble means as in assembling putting it all together that has nothing to do with using x86 assembly

Quote:

so i would code an own solution. and again - no i am not afraid to code anything, and am not shy abt efforts. and i don't see it as disadvantage to have to code new code.


yeah me too i am also not afraid to code my own solution

but understand your solution is unique to you and my solution is unique to me but they are never going to usable unique to linux unix as a whole

an IsDebuggerPresent api cant and wouldnt be able to replace

twenty thousand varieties of antidebugging tricks spawned by
some of the cleverest sharpest brains

0xf001
May 7th, 2006, 12:41
oook, I understand

I still pray for an ollydbg for linux
and i like anti debugging!

cheers, 0xf001

homersux
May 16th, 2006, 23:03
Quote:
[Originally Posted by naides]1. what are the major hurdles to make/port an ollydbg clone into Linux? (appart from lack of motivation).
What would it take to do it?

Olly sources are available, and the inner working of Linux is not kept secret.

My question is out of sheer ignorance, and wishful thinking,
that should be understood. . .


2. What motivated Oleg to make Olly???


Hmm..where is olly source? I can't find it or it's privately release?

On Linux, use totalview, this is a very cool debugger but it's very expensive (we all know what that means, don't we?). I once submitted an article to code breakers about using totalview to debug compilers and got rejected. It's not a widely known tool, but it's a really good one. It works on almost all kinds of platforms.

naides
May 17th, 2006, 01:09
At http://www.ollydbg.de/ click the link Sources

0xf001
May 17th, 2006, 06:22
hi,

i also only find sources for dis-/assembling stuff, which is quite well covered allready in the OSS/FS world, I think these sources don't give too much for a new linux debugger imho.

regards, 0xf001

homersux
May 17th, 2006, 20:08
Quote:
[Originally Posted by naides]At http://www.ollydbg.de/ click the link Sources


THat's just the sources for an assembler and disassembler. It's far from a complete debugger. It's useful but similar materials are available on the internet.

user
June 6th, 2006, 17:36
Quote:
[Originally Posted by LaptoniC]Hi,
I am very newbie when it comes to linux RCE.I need to debug linux binaries.I need your help to get it started.First of all what linux distro is debugger friendly.I think to install ubuntu.I have tried to download knoppix|Re but couldn't found the download link at http://woodmann.com/knoppix-re/index.php?Download Second what debugger is more userfriendly(ollydbg style gui etc) and easy to install.I never used IDA in linux envrionment but I guess it has linux debugger too.I have read 0xf001's page and there are several debuggers so if you can help I will appreciate.Thanks.
for a userland debugger w/ 'GUI', check out gdbtui (part of every gdb 6.x release i think), for a kernel debugger there's rr0d (multi-OS).

yosh64
June 11th, 2006, 13:31
hey

Well I ditched WinXP alltogether, and switched to Linux full time around the start of this year. Anyhows my most missed Win32 app is OllyDbg :\.

Anyhows I just started looking into reversing on Linux again, and are quite interested in coding my own Debugger, kinda like OllyDbg. Well I don't think I could do something as good as OllyDbg, it's just great. I'm not to sure about things yet, kinda got another project to work on.

For the GUI, I think I'd use FLTK (http://www.fltk.org), checkout these nice tutorials for learning it. See http://www3.telus.net/public/robark/.

BTW, I just ran into these (what I think) are nice tutorials for reversing in Linux, well have not gone through them properly yet. See http://www.securityfocus.com/infocus/1637 AND http://www.securityfocus.com/infocus/1641 (look at em in the Print View ). Hmm, maybe they have already been mentioned on these forums?

cyas

0xf001
June 11th, 2006, 13:59
heya,

thx for the links, to be honest the securityfocus articles are very disappointing, I did not find this teaches anything
[edit] ok, the 2nd link is better

check maybe this one http://www.woodmann.com/0xf001
and this one: http://www.uninformed.org

GUI was meant here as the GUI for the debugger. gdbtui is a bit very text mode, and I'd prefer
gdb with mammon_s gdbinit file - is far more usable than anything else
(ie http://www.beastiebytes.de/index.php/a.gdbinit)

regards, 0xf001

yosh64
June 11th, 2006, 14:59
hey

Thanks for your concern and posting them links for me . Well I looked into reversing on Linux a little bit ages ago (when just getting into Linux full time), and had come accross your page, and mammon_'s gdbinit at the time . Even so, I did find it tricky, coming from OllyDbg... so yea kinda lost interest, well until now. Hopefully I can continue futher, I'd really like to beable to do Win32 crackmes in Linux.

Well at the time I also ran into... http://packetstormsecurity.org/linux/reverse-engineering/index.html (btw, after just taking a peek at "SecurityWarrior.pdf", I found this website refered at the bottom also), AND http://www.reversing.be/article.php?story=20050910164439169&query=linux AND http://www.reversing.be/article.php?story=2005030218170966&query=linux. So maybe these will be useful to someone? or maybe yas know of em already?

BTW, I had never come accross http://www.uninformed.org before , hehe.

cya

0xf001
June 11th, 2006, 17:44
yosh64,

I like that, please keep posting interesting links as you find them!

And its true, when beeing used to sthg like _ollydbg_ then ... its a bit hard to find something similar, on the other side its "just another learning curve" to get used to more textmode work, and "utility chains" - if one would consider this as an option
however, it's cool you give linux another shot hehehe

cheers, 0xf001

quasar
June 12th, 2006, 01:34
try Totalview

proxy
June 13th, 2006, 23:37
Hey everyone, I'm relativly new to this forum, but I do do work in the reverse engineering field. Ollydbg is clearly the debugger of choice for windows, but like you I have found no linux debugger which really steps up to the plate.

So i am making my own debugger, and it is designed from the start to be cross platform (a single c++ class defines all debugger primitives which are OS specific, the rest is all QT).

I don't know when I will be releasing my first version, but i really hope sometime in the next 2 months I'll have _something_ worth using out the door.

For some more basic info, and screenshots of what I have so far, check out my page:

http://www.codef00.com/projects.php#Debugger

Visually it's always there, I'm working on my custom QDissasemblyView widget at the moment, and it currently has a ptrace impementation for the basic functionality.

Once I am nearing a 1.0 release, I plan to open source it, and hopefully make a very positive contribution the RE community

proxy

linhanshi
June 14th, 2006, 02:45
I try it.thx.

0xf001
June 14th, 2006, 06:18
hi proxy

Quote:
http://www.codef00.com/projects.php#Debugger
==

i hope you finish this project!!! (this is what ppl tell me also )

ok I see you use ptrace() - which is .... well ... mabye checkout this:
http://the-dude.sourceforge.net/, I think it's worth an evaluation, but
of course just code as you like it!!

respect ,

0xf001

Silkut
June 14th, 2006, 06:35
proxy > Wow ! Really good idea, you're courageous.
Hope this will be out soon
keep up the good work

0xf001
June 14th, 2006, 07:17
hi again,

proxy - check this http://www.woodmann.com/0xf001/review - i saw you plan to work on things like

- code analysis
- byte pattern search

well I have an "independent" implementation of a quite nice code search etc allready ... maybe you'd be interested in that? I have the idea to make a libreview - which provides you with an API for that. Only dependency is libdisasm from mammon_. did you check that out? i am interested how you decode opcodes, too
I'd like to share thoughts, it seems you are a good coder. I use Qt3 still btw


regards, 0xf001

proxy
June 14th, 2006, 09:29
linhanshi: sorry, no release yet, I wanna take my time and make sure it's worth using before I put it out the door, but i'll post in this forum as soon as I do

0xf001: firstly, remember, that all the core debugger functionality is isolated from the rest of the debugger, so using ptrace is more of a "get off the ground" thing, not perminent. beating anti-debugging techniques is not on the top of my todo list, but it's in there, so maybe once the rest of the debugger is up to speed, i'll replace the ptrace core with a more robust one (does linux's proc debugging interface have the same diffiencies?)

also, yes i DO use libdisasm, it's a good lib.

I've also read about your review project and i like it. I would definitely be intererested in a library version of it. I already have implemented a basic byte pattern searcher called bgrep (it's a command line utility) found on my coding page: http://www.codef00.com/coding.php. But as far as code analysis, i definitely will need some help in the future.

thanks for the support guys, it's a real motivator. I'll keep this forum up to do date on my progress as things move along.

proxy

yosh64
June 23rd, 2006, 13:31
hey

@proxy: I hope your debugger is coming along well .

Anyhows I just wanted to say that I am about to start on my own Linux ELF debugger. Personally I just hope to beable to reverse Win32 CrackMes with it through Wine, in a manner alike OllyDbg.

I'm firstly gonna start with a linux ELF disassembler, then move onto the actual debugger. I hope to make it alike OllyDbg, well maybe a few changes. One pretty cool idea I got is to beable to take and compare snapshots on a specified range of memory, or just on a specific section. Well in Win32 I just used TSearch for such things. But I won't worry about anything special until I have the basics down solid. Anyhows I think the disassembler is gonna take some time, as there are alot of x86 instructions.

One thing I thought was interesting about debugging Win32 apps through Wine on Linux, is that I think a few of Win32 specific anti-debugger tricks will be gone? Well just a quick thought, maybe I'm wrong... I don't really know to much on the subject, maybe it will just be IsDebuggerPresent()???

I do have a question about brakepoints... Well I think this would answer a number of questions I have... I was wondering how brakepoints were set on memory, as done in OllyDbg? Well it makes me think that every instruction executed is done through the debugger (so the debugger would beable to check on every byte to be MOV'd to/from memory, and everything else). It's just that I used to do (made a little few loaders) alike seen at http://www.yates2k.net/lad.txt. Where you set hooks at the address you wish to break at by changing the instructions to EB FE (so gets stuck in tiny'est loop), and you constantly read in the registers and check if EIP has hit the address of your breakpoint.

Anyhows that's all, hopefully I can stay with this project .

cyas

proxy
June 25th, 2006, 01:16
Firstly, the most basic linux anti-debugging technique is for an app to call ptrace on itself, if it is being debugged by ptrace, this call will fail (a process may only be ptraced by one other process at a time). I imagine that the win32 debugging API, if it's implemented at all in WINE would be based on ptrace. Though i really dont see a huge need for doing so, maybe fore visual studio support.

Snapshot idea isn't bad, fairly trivial to implement too.

Anyway, to answer your question on memory access breakpoints in ollydbg, according to the help file he simply marks the ENTIRE region in which the address resides as having no-access. When ollydbg gets the page fault, it checks the location, if it's in a memory access breakpoint region, it pauses execution, and restores the original permissions so that it may continue.

As for execution based breakpoints, it simply replaces the byte at the address to 0xcc (int 3) which causes a trap exeption which the debugger can catch.

PS, why not use one of the MANY existing dissasemblers that are out there?

proxy

proxy
August 3rd, 2006, 19:39
Hey everyone, just wanted to post some progress

The debugger is coming along very nicely. I have implemented plugins which are very easy to code. Even the debugging core is a plugin, so you can drop in a new one as long as it implements the correct API.

I have implemented some pretty cool features, most recently the ability to search for opcodes in a similar fashion as metasploit.

Many of the "issues which could block release" are resolved as well, so I think I am getting close to a pre-1.0 release to the public sometime this month (I hope).

Anyway, just wanted to give everyone a heads up. As always you can check out the current progress at:

http://www.codef00.com/projects.php#Debugger

proxy

yosh64
August 13th, 2006, 06:26
hey

I'm really looking forward to more progress and the release . I got side tracked before I really even started mine , I think I will wait and see yours before even thinking about starting over with mine, as yours looks to be quite impressive .

cyas

Tesmovrog
September 30th, 2006, 11:51
Too early...

proxy
November 9th, 2006, 23:58
just wanted to let anyone know who was following this thread, that I have officially released a pre-1.0 version to get the ball rolling.

Hope you all enjoy

http://www.codef00.com/projects.php#Debugger

proxy

homersux
November 11th, 2006, 18:12
Hey, keep up the good work! Try put this on sourceforge and opensource it. Then we can all contribute.

proxy
November 11th, 2006, 19:01
well it is open source under a GPL-2 license I'll probably make a sourceforge entry for it, but nothing stopping people from downloading it and contributing.

I personally would be more than happy to add any good plugins to the official source tree and try to get a ton of features in it.

proxy