1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163

/*
 * MUST BE RUN AS ROOT
 * trecc/measure.c:	- dump memory ranges of target processes via ptrace()
 *			- SHA1 those ranges
 *			- store these hashes in trecc.sqlite
 *
 * Copyright:	2010 Paul Makowski
 * License:	GPLv2
 * Contact:	my.hndl@gmail.com | http://paulmakowski.wordpress.com
 *
 * ptrace portion adapted from: Dolda2000 @ http://www.linuxforums.org/forum/linux-programming-scripting/52375-reading-memory-other-processes.html
 *
 * Usage:
 * $ gcc [-Wall -ggdb] measure.c -lcrypto -lsqlite3 -o measure
 * $ ./measure [pid] [start address] [end address]
 *
 * Bugs:
 * - errors print out 1 char per line (wtf?)
 *
*/
#include <stdio.h>
#include <unistd.h>	 // for sysconf(3)
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>	 // for waitpid()
#include <errno.h>
#include <openssl/sha.h> // for SHA1()
#include <stdint.h>	 // for uint32_t
#include <sqlite3.h>
#include <ctype.h>	 // for isprint()

#define SHA1HashSize 20

/* globals */
int	debug = 0;
char	debugMsg[1024]; 

void debugLog(char *debugMsg) { if (debug) printf("%s\n", debugMsg); }

int main(int argc, char **argv)
{	
	/* locals */
	char		query[1024]; // longer than we'll need		
	pid_t		pid;
	unsigned long	pageSize = sysconf(_SC_PAGESIZE);


	/* check if root */
	if (getuid())	{ snprintf(debugMsg, sizeof(debugMsg), "must be run as root; exiting..."); debugLog(debugMsg); return(1); }


	/* parse & validate args */
	int			c, imageID = 0, trustedMeasurements = 0;
	long unsigned int	startAddr = 0, endAddr = 0;
	while ((c = getopt (argc, argv, "dti:p:s:e:")) != -1)
		switch (c)
           	{
			case 'd': debug =		1;						break; // no output unless this is flagged			
			case 'i': imageID =		strtol(optarg, NULL, 0);			break; // imageID
			case 'p': pid =			strtoul(optarg, NULL, 0);			break; // PID
			case 's': startAddr =		(unsigned long)strtoul(optarg, NULL, 0);	break; // start address
			case 'e': endAddr =		(unsigned long)strtoul(optarg, NULL, 0);	break; // end address
			case 't': trustedMeasurements = 1; 						break; // store measurements as trusted
			case '?':
				if (isprint(optopt))	{ snprintf(debugMsg, sizeof(debugMsg), "unknown option `-%c'.", optopt); debugLog(debugMsg); }
				else 			{ snprintf(debugMsg, sizeof(debugMsg), "unknown option character `\\x%x'.", optopt); debugLog(debugMsg); }
				return 1;

			default: abort();
		}
	if (endAddr-startAddr != pageSize) { snprintf(debugMsg, sizeof(debugMsg), "[!] FATAL: range must be exactly 1 page large (%ld bytes).", pageSize); debugLog(debugMsg); return(1); }


	/* attempt attach, wait for process to stop after being attached (there's a brief period of time where the pid won't exist in the pool) */
	if(ptrace(PTRACE_ATTACH, pid, NULL, NULL)) 
	{
		snprintf(debugMsg, sizeof(debugMsg), "[!] ERROR: PID %d, PTRACE_ATTACH", pid);	
		debugLog(debugMsg); return(1); 
	} 
	waitpid(pid, NULL, 0); 


	/* extract page one int (32 bits) at a time */
	unsigned long	currAddr = startAddr;
	int		offset = 0, buf, page[pageSize / sizeof(int)];
	for(; currAddr < endAddr; currAddr += sizeof(int))
	{
		errno = 0;
		
		/* read sizeof(int) @ currAddr into buf; detach if ptrace call == -1 and errno set */
		if(((buf = ptrace(PTRACE_PEEKDATA, pid, (void *)currAddr, NULL)) == -1) && errno)
		{
			/* PTRACE_PEEKDATA failed; print errors, PTRACE_DETACH and exit */
			snprintf(debugMsg, sizeof(debugMsg), "PTRACE_PEEKDATA call failed; errno is %d; exiting...", errno); debugLog(debugMsg);			
			if (ptrace(PTRACE_DETACH, pid, NULL, NULL)) 
			{ 
				snprintf(debugMsg, sizeof(debugMsg), "PTRACE_DETACH call failed; errno is %d; exiting...", errno);		
				debugLog(debugMsg); 
			}
		    	exit(1);
		}
		
		/* write the PEEKDATA into page[] */
		page[offset++] = buf;
	}


	/* detach; print problem if there is one */
	if (ptrace(PTRACE_DETACH, pid, NULL, NULL)) 
	{ 
		snprintf(debugMsg, sizeof(debugMsg), "PTRACE_DETACH call failed; errno is %d", errno);		
		debugLog(debugMsg);
	}


	/* hash the page, convert binary hash to hex string (easier to deal with/verify if ASCII armored; this may change later for speed) */
	unsigned char	hashBin[SHA1HashSize];
	char		hashString[41];
	SHA1 (		(const unsigned char *)&page, 	// cast page as an unsigned char (binary) and send to SHA1 for hashing
			pageSize, 			// page will be pageSize long
			(unsigned char *)&hashBin );	// store it in hashBin
	int i; for (i = 0; i < 20; i++) { sprintf(hashString+(i*2), "%02x", hashBin[i]); }
	hashString[40] = '\0'; // make sure it's NULL terminated

	/* connect to DB; wait up to 5 seconds for lock */
	sqlite3		*db;
	char		*errMsg = 0;
	int		resultCode = sqlite3_open("/etc/trecc/trecc.sqlite", &db);
	sqlite3_busy_timeout(db, 5000);
	if (resultCode) { 
		snprintf(debugMsg, sizeof(debugMsg), "can't open database: %s; exiting...", sqlite3_errmsg(db)); debugLog(debugMsg);
		sqlite3_close(db); exit(1);
	}


	/* remove all measurements matching the PID, imageID, startAddr & endAddr we're measuring (there should only be 1) */
	if (!trustedMeasurements) {
		snprintf(query, sizeof(query), "DELETE FROM measurements WHERE imageID=%d AND pid=%d AND startAddr='0x%lx' AND endAddr='0x%lx'", imageID, pid, startAddr, endAddr);
	
		resultCode = sqlite3_exec(db, query, NULL, 0, &errMsg); // no callback required
		if (resultCode != SQLITE_OK) {
			snprintf(debugMsg, sizeof(debugMsg), "can't remove current measurements for imageID=%d, pid=%d; SQL error: %s; exiting...", imageID, pid, errMsg); debugLog(debugMsg);
			sqlite3_close(db); exit(1); 
		}
	}	


	/* add the measurement we just took */
	if (trustedMeasurements) { snprintf(query, sizeof(query), "INSERT INTO trusted_measurements (imageID, startAddr, endAddr, sha1) VALUES (%d,'0x%lx','0x%lx','%s')", imageID, startAddr, endAddr, hashString); }
	else			 { snprintf(query, sizeof(query), "INSERT INTO measurements (PID, imageID, startAddr, endAddr, sha1) VALUES (%d,%d,'0x%lx','0x%lx','%s')", pid, imageID, startAddr, endAddr, hashString); }
	
	resultCode = sqlite3_exec(db, query, NULL, 0, &errMsg); // no callback required
	if (resultCode != SQLITE_OK) { 
		snprintf(debugMsg, sizeof(debugMsg), "failed inserting new measurements for imageID=%d, pid=%d @ mem range: 0x%lx-0x%lx; exiting...", imageID, pid, startAddr, endAddr); debugLog(debugMsg);
		sqlite3_close(db); exit(1); 
	}

	/* done */
	sqlite3_close(db);
	return(0);
}