Get thread activity from the OS

Rather than use a heuristic to figure out if a thread is active, query the OS to see if the thread is running. This should provide a more accurate view on what's actually happening. The tricky part here is matching the OS thread id to the python thread id, which we were already doing for the native code unwinding. This refactors to allow getting the native thread id even when not getting the native stack.
benfred · Jul 7, 2019 · 3ef940a · 3ef940a · earonesty · May 13, 2022
1 parent 288189d
commit 3ef940a
Show file tree

Hide file tree

Showing 17 changed files with 783 additions and 345 deletions.
diff --git a/remoteprocess/examples/trace.rs b/remoteprocess/examples/trace.rs
@@ -11,7 +11,7 @@ fn get_backtrace(pid: remoteprocess::Pid) -> Result<(), remoteprocess::Error> {
     // Create a stack unwind object, and use it to get the stack for each thread
     let unwinder = process.unwinder()?;
     for thread in process.threads()?.iter() {
-        println!("Thread 0x{:0x} - {}", thread.id()?, if thread.active()? { "running" } else { "idle" });
+        println!("Thread {} - {}", thread.id()?, if thread.active()? { "running" } else { "idle" });
 
         // lock the thread to get a consistent snapshot (unwinding will fail otherwise)
         // Note: the thread will appear idle when locked, so wee are calling
@@ -24,8 +24,8 @@ fn get_backtrace(pid: remoteprocess::Pid) -> Result<(), remoteprocess::Error> {
 
             // Lookup the current stack frame containing a filename/function/linenumber etc
             // for the current address
-            unwinder.symbolicate(ip, &mut |sf| {
-                println!("{}", sf);
+            unwinder.symbolicate(ip, true, &mut |sf| {
+                println!("\t{}", sf);
             })?;
         }
     }

diff --git a/remoteprocess/src/dylib.rs b/remoteprocess/src/dylib.rs
@@ -43,7 +43,7 @@ macro_rules! dlsym {
         static $name: self::dylib::Symbol<unsafe extern fn($($t),*) -> $ret> =
             self::dylib::Symbol {
                 name: concat!(stringify!($name), "\0"),
-                addr: ::std::sync::atomic::ATOMIC_USIZE_INIT,
+                addr: ::std::sync::atomic::AtomicUsize::new(0),
                 _marker: ::std::marker::PhantomData,
             };
     )*)

diff --git a/remoteprocess/src/linux/gimli_unwinder.rs b/remoteprocess/src/linux/gimli_unwinder.rs
@@ -10,7 +10,6 @@ use proc_maps;
 
 use gimli::{EhFrame, BaseAddresses, Pointer, NativeEndian, EhFrameHdr};
 use goblin::elf::program_header::*;
-use gimli;
 
 use gimli::EndianRcSlice;
 type RcReader = EndianRcSlice<NativeEndian>;
@@ -166,11 +165,11 @@ impl Unwinder {
         Ok(Cursor{registers: thread.registers()?, parent: self, initial_frame: true})
     }
 
-    pub fn symbolicate(&self, addr: u64, callback: &mut FnMut(&StackFrame)) -> Result<(), Error> {
+    pub fn symbolicate(&self, addr: u64, line_info: bool, callback: &mut FnMut(&StackFrame)) -> Result<(), Error> {
         let binary = match self.get_binary(addr) {
             Some(binary) => binary,
             None => {
-                return Err(gimli::Error::NoUnwindInfoForAddress.into());
+                return Err(Error::NoBinaryForAddress(addr));
             }
         };
         if binary.filename != "[vdso]" {
@@ -180,7 +179,7 @@ impl Unwinder {
                 *symbols = Some(SymbolData::new(&binary.filename, binary.offset));
             }
             match symbols.as_ref() {
-                Some(Ok(symbols)) => symbols.symbolicate(addr, callback),
+                Some(Ok(symbols)) => symbols.symbolicate(addr, line_info, callback),
                 _ => {
                     // we probably failed to load the symbols (maybe goblin v0.15 dependency causing error
                     // in gimli/object crate). Rather than fail add a stub

diff --git a/remoteprocess/src/linux/mod.rs b/remoteprocess/src/linux/mod.rs
@@ -4,7 +4,9 @@ pub mod libunwind;
 mod gimli_unwinder;
 #[cfg(unwind)]
 mod symbolication;
-use libc::{c_void, pid_t};
+use libc::pid_t;
+#[cfg(unwind)]
+use libc::c_void;
 
 use nix::{self, sys::wait, sys::ptrace, {sched::{setns, CloneFlags}}};
 use std::io::Read;
@@ -25,6 +27,7 @@ pub use self::libunwind::{LibUnwind};
 use read_process_memory::{CopyAddress};
 
 pub type Pid = pid_t;
+pub type Tid = pid_t;
 
 pub struct Process {
     pub pid: Pid,
@@ -106,8 +109,8 @@ impl super::ProcessMemory for Process {
 }
 
 impl Thread {
-    pub fn new(threadid: i32) -> Thread{
-        Thread{tid: nix::unistd::Pid::from_raw(threadid)}
+    pub fn new(threadid: i32) -> Result<Thread, Error> {
+        Ok(Thread{tid: nix::unistd::Pid::from_raw(threadid)})
     }
 
     pub fn lock(&self) -> Result<ThreadLock, Error> {
@@ -128,8 +131,8 @@ impl Thread {
         }
     }
 
-    pub fn id(&self) -> Result<u64, Error> {
-        Ok(self.tid.as_raw() as u64)
+    pub fn id(&self) -> Result<Tid, Error> {
+        Ok(self.tid.as_raw())
     }
 
     pub fn active(&self) -> Result<bool, Error> {

diff --git a/remoteprocess/src/linux/symbolication.rs b/remoteprocess/src/linux/symbolication.rs
@@ -51,36 +51,41 @@ impl SymbolData {
         Ok(SymbolData{ctx, offset, dynamic_symbols, symbols, filename: filename.to_owned()})
     }
 
-    pub fn symbolicate(&self, addr: u64, callback: &mut FnMut(&StackFrame)) -> Result<(), Error> {
+    pub fn symbolicate(&self, addr: u64, line_info: bool, callback: &mut FnMut(&StackFrame)) -> Result<(), Error> {
         let mut ret = StackFrame{line:None, filename: None, function: None, addr, module: self.filename.clone()};
 
         // get the address before relocations
         let offset = addr - self.offset;
-        let mut has_debug_info = false;
-
-        // addr2line0.8 uses an older version of gimli (0.0.19) than we are using here (0.0.21),
-        // this means we can't use the type of the error returned ourselves here since the
-        // type alias is private. hack by re-mapping the error
-        let error_handler = |e| Error::Other(format!("addr2line error: {:?}", e));
-
-        // if we have debugging info, get the appropiate stack frames for the adresss
-        let mut frames = self.ctx.find_frames(offset).map_err(error_handler)?;
-        while let Some(frame) = frames.next().map_err(error_handler)? {
-            has_debug_info = true;
-            if let Some(func) = frame.function {
-                ret.function = Some(func.raw_name().map_err(error_handler)?.to_string());
-            }
-            if let Some(loc) = frame.location {
-                ret.line = loc.line;
-                if let Some(file) = loc.file.as_ref() {
-                    ret.filename = Some(file.to_string());
+
+        // if we are being asked for line information, sue gimli addr2line to look up the debug info
+        // (this is slow, and not necessary all the time which is why we are skipping)
+        if line_info {
+            let mut has_debug_info = false;
+
+            // addr2line0.8 uses an older version of gimli (0.0.19) than we are using here (0.0.21),
+            // this means we can't use the type of the error returned ourselves here since the
+            // type alias is private. hack by re-mapping the error
+            let error_handler = |e| Error::Other(format!("addr2line error: {:?}", e));
+
+            // if we have debugging info, get the appropiate stack frames for the adresss
+            let mut frames = self.ctx.find_frames(offset).map_err(error_handler)?;
+            while let Some(frame) = frames.next().map_err(error_handler)? {
+                has_debug_info = true;
+                if let Some(func) = frame.function {
+                    ret.function = Some(func.raw_name().map_err(error_handler)?.to_string());
                 }
+                if let Some(loc) = frame.location {
+                    ret.line = loc.line;
+                    if let Some(file) = loc.file.as_ref() {
+                        ret.filename = Some(file.to_string());
+                    }
+                }
+                callback(&ret);
             }
-            callback(&ret);
-        }
 
-        if has_debug_info {
-            return Ok(())
+            if has_debug_info {
+                return Ok(())
+            }
         }
 
         // otherwise try getting the function name from the symbols

diff --git a/remoteprocess/src/osx/mod.rs b/remoteprocess/src/osx/mod.rs
@@ -27,6 +27,7 @@ pub use self::unwinder::Unwinder;
 use libproc::libproc::proc_pid::{pidpath, pidinfo, PIDInfo, PidInfoFlavor};
 
 pub type Pid = pid_t;
+pub type Tid = u32;
 
 pub struct Process {
     pub pid: Pid,
@@ -35,7 +36,7 @@ pub struct Process {
 
 #[derive(Eq, PartialEq, Hash, Copy, Clone)]
 pub struct Thread {
-    pub tid: u32
+    pub tid: Tid
 }
 
 impl Process {
@@ -95,7 +96,15 @@ use self::mach_thread_bindings::{thread_info, thread_basic_info, thread_identifi
 
 
 impl Thread {
-    pub fn id(&self) -> Result<u64, Error> {
+    pub fn new(tid: Tid) -> Result<Thread, Error> {
+        Ok(Thread{tid})
+    }
+
+    pub fn id(&self) -> Result<Tid, Error> {
+        Ok(self.tid)
+    }
+
+    pub fn thread_handle(&self) -> Result<u64, Error> {
         let thread_id = self.get_thread_identifier_info()?;
         Ok(thread_id.thread_handle)
     }

diff --git a/remoteprocess/src/osx/unwinder.rs b/remoteprocess/src/osx/unwinder.rs
@@ -87,7 +87,7 @@ impl Unwinder {
         Ok(Cursor{registers: thread.registers()?, parent: self, initial_frame: true})
     }
 
-    pub fn symbolicate(&self, addr: u64, callback: &mut FnMut(&StackFrame)) -> Result<(), Error> {
+    pub fn symbolicate(&self, addr: u64, _line_info: bool, callback: &mut FnMut(&StackFrame)) -> Result<(), Error> {
         // Get the symbols for the current address
         let symbol = unsafe { self.cs.resolve(addr) };
 

diff --git a/remoteprocess/src/windows/generate_syscall.py b/remoteprocess/src/windows/generate_syscall.py
@@ -0,0 +1,115 @@
+""" Generates the syscall.rs code """
+import argparse
+import os
+import sys
+import json
+
+# We need to map to major/minor/build to the names used in the syscall table
+# https://www.gaijin.at/en/infos/windows-version-numbers
+OS_VERSION_LOOKUP = {
+    ("Windows Vista", "SP0"): (6, 0, 6000),
+    ("Windows Vista", "SP1"): (6, 0, 6001),
+    ("Windows Vista", "SP2"): (6, 0, 6002),
+    ("Windows 7", "SP0"): (6, 1, 7600),
+    ("Windows 7", "SP1"): (6, 1, 7601),
+    ("Windows 8", "8.0"): (6, 2, 9200),
+    ("Windows 8", "8.1"): (6, 3, 9600),
+    ("Windows 10", "1507"): (10, 0, 10240),
+    ("Windows 10", "1511"): (10, 0, 10586),
+    ("Windows 10", "1607"): (10, 0, 14393),
+    ("Windows 10", "1703"): (10, 0, 15063),
+    ("Windows 10", "1709"): (10, 0, 16299),
+    ("Windows 10", "1803"): (10, 0, 17134),
+    ("Windows 10", "1809"): (10, 0, 17763),
+    ("Windows 10", "1903"): (10, 0, 18362),
+}
+
+# I'm not supporting anything prior to vista here
+UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}
+
+# these seem to have the same NT syscall as the consumer versions
+SERVER_OS = {"Windows Server 2008", "Windows Server 2012"}
+
+# how different are the syscall tables here?
+OS_SERVER_LOOKUP = {
+    ("Windows Server 2008", "SP0"): (6, 0, 6001),
+    ("Windows Server 2008", "SP2"): (6, 0, 6002),
+    ("Windows Server 2008", "R2"): (6, 1, 7600),
+    ("Windows Server 2012", "SP0"): (6, 2, 9200),
+    ("Windows Server 2012", "R2"): (6, 3, 9600),
+    ("Windows Server 2008", "R2 SP1"): (6, 1, 7601),
+}
+
+
+def generate(inputpath, arch="x64", namefilter=lambda s: not s.startswith("NtWait")):
+    nt = json.load(open(os.path.join(inputpath, arch, "json", "nt-per-system.json")))
+    win32k = json.load(open(os.path.join(inputpath, arch, "json", "win32k-per-system.json")))
+    outputpath = os.path.dirname(os.path.realpath(__file__))
+    outputfilename = os.path.join(outputpath, f"syscalls_{arch}.rs")
+
+    syscallnames = set()
+    matches = []
+
+    for ((osname, osversion), (major, minor, build)) in OS_VERSION_LOOKUP.items():
+        syscalls = nt[osname][osversion]
+        syscalls.update(win32k[osname][osversion])
+        for syscallname, syscallnumber in syscalls.items():
+            if namefilter and namefilter(syscallname):
+                continue
+
+            matches.append((major, minor, build, syscallnumber, syscallname))
+            syscallnames.add(syscallname)
+
+    matches.sort()
+    syscallnames = sorted(syscallnames)
+
+    print(outputfilename)
+    with open(outputfilename, "w") as o:
+        o.write(f"// Automatically generated by '{__file__}' - do not edit\n")
+        if namefilter:
+            o.write("// Note that this is a subset of the syscalls, run again with no namefilter\n")
+            o.write("//   for the complete list (which takes forever to compile)\n")
+        o.write("\n")
+        o.write("#[allow(non_camel_case_types)]\n\n")
+
+        o.write("pub enum Syscall {\n")
+        for syscall in syscallnames:
+            o.write(f"    {syscall},\n")
+        o.write("}\n\n")
+
+        o.write("pub fn lookup_syscall(major: u32, minor: u32, build: u32, syscall: u32)")
+        o.write(" -> Option<Syscall> {\n")
+        o.write("    match (major, minor, build, syscall) {\n")
+        for major, minor, build, syscallnumber, syscallname in matches:
+            o.write(f"        ({major}, {minor}, {build}, {syscallnumber})")
+            o.write(f" => Some(Syscall::{syscallname}),\n")
+        o.write("        _ => None\n")
+        o.write("    }\n")
+        o.write("}\n\n")
+
+
+if __name__ == "__main__":
+
+    if sys.platform.startswith("win"):
+        default_syscall_path = os.path.join(os.getenv("userprofile"), "code", "windows-syscalls")
+    else:
+        default_syscall_path = os.path.join(os.getenv("HOME"), "code", "windows-syscalls")
+
+    parser = argparse.ArgumentParser(
+        description="generates syscall.rs", formatter_class=argparse.ArgumentDefaultsHelpFormatter
+    )
+    parser.add_argument(
+        "--syscallpath",
+        type=str,
+        default=default_syscall_path,
+        dest="syscallpath",
+        help="path to syscall repo https://github.com/j00ru/windows-syscalls",
+    )
+    args = parser.parse_args()
+
+    if not os.path.isdir(args.syscallpath):
+        print(f"Directory '{args.syscallpath}' doesn't exist!")
+        print("Pass a valid path to the j00ru/windows-syscalls in with --syscallpath <pathname>")
+        sys.exit(1)
+
+    generate(args.syscallpath)