Merge pull request #123 from benfred/os_thread_activity

Get thread activity from the OS

remoteprocess/examples/trace.rs

@@ -11,7 +11,7 @@ fn get_backtrace(pid: remoteprocess::Pid) -> Result<(), remoteprocess::Error> {
     // Create a stack unwind object, and use it to get the stack for each thread
     let unwinder = process.unwinder()?;
     for thread in process.threads()?.iter() {
-        println!("Thread 0x{:0x} - {}", thread.id()?, if thread.active()? { "running" } else { "idle" });
+        println!("Thread {} - {}", thread.id()?, if thread.active()? { "running" } else { "idle" });
 
         // lock the thread to get a consistent snapshot (unwinding will fail otherwise)
         // Note: the thread will appear idle when locked, so wee are calling
@@ -24,8 +24,8 @@ fn get_backtrace(pid: remoteprocess::Pid) -> Result<(), remoteprocess::Error> {
 
             // Lookup the current stack frame containing a filename/function/linenumber etc
             // for the current address
-            unwinder.symbolicate(ip, &mut |sf| {
-                println!("{}", sf);
+            unwinder.symbolicate(ip, true, &mut |sf| {
+                println!("\t{}", sf);
             })?;
         }
     }

remoteprocess/src/dylib.rs

@@ -43,7 +43,7 @@ macro_rules! dlsym {
         static $name: self::dylib::Symbol<unsafe extern fn($($t),*) -> $ret> =
             self::dylib::Symbol {
                 name: concat!(stringify!($name), "\0"),
-                addr: ::std::sync::atomic::ATOMIC_USIZE_INIT,
+                addr: ::std::sync::atomic::AtomicUsize::new(0),
                 _marker: ::std::marker::PhantomData,
             };
     )*)

remoteprocess/src/linux/gimli_unwinder.rs

@@ -10,7 +10,6 @@ use proc_maps;
 
 use gimli::{EhFrame, BaseAddresses, Pointer, NativeEndian, EhFrameHdr};
 use goblin::elf::program_header::*;
-use gimli;
 
 use gimli::EndianRcSlice;
 type RcReader = EndianRcSlice<NativeEndian>;
@@ -166,11 +165,11 @@ impl Unwinder {
         Ok(Cursor{registers: thread.registers()?, parent: self, initial_frame: true})
     }
 
-    pub fn symbolicate(&self, addr: u64, callback: &mut FnMut(&StackFrame)) -> Result<(), Error> {
+    pub fn symbolicate(&self, addr: u64, line_info: bool, callback: &mut FnMut(&StackFrame)) -> Result<(), Error> {
         let binary = match self.get_binary(addr) {
             Some(binary) => binary,
             None => {
-                return Err(gimli::Error::NoUnwindInfoForAddress.into());
+                return Err(Error::NoBinaryForAddress(addr));
             }
         };
         if binary.filename != "[vdso]" {
@@ -180,7 +179,7 @@ impl Unwinder {
                 *symbols = Some(SymbolData::new(&binary.filename, binary.offset));
             }
             match symbols.as_ref() {
-                Some(Ok(symbols)) => symbols.symbolicate(addr, callback),
+                Some(Ok(symbols)) => symbols.symbolicate(addr, line_info, callback),
                 _ => {
                     // we probably failed to load the symbols (maybe goblin v0.15 dependency causing error
                     // in gimli/object crate). Rather than fail add a stub

remoteprocess/src/linux/mod.rs

@@ -4,7 +4,9 @@ pub mod libunwind;
 mod gimli_unwinder;
 #[cfg(unwind)]
 mod symbolication;
-use libc::{c_void, pid_t};
+use libc::pid_t;
+#[cfg(unwind)]
+use libc::c_void;
 
 use nix::{self, sys::wait, sys::ptrace, {sched::{setns, CloneFlags}}};
 use std::io::Read;
@@ -25,6 +27,7 @@ pub use self::libunwind::{LibUnwind};
 use read_process_memory::{CopyAddress};
 
 pub type Pid = pid_t;
+pub type Tid = pid_t;
 
 pub struct Process {
     pub pid: Pid,
@@ -106,8 +109,8 @@ impl super::ProcessMemory for Process {
 }
 
 impl Thread {
-    pub fn new(threadid: i32) -> Thread{
-        Thread{tid: nix::unistd::Pid::from_raw(threadid)}
+    pub fn new(threadid: i32) -> Result<Thread, Error> {
+        Ok(Thread{tid: nix::unistd::Pid::from_raw(threadid)})
     }
 
     pub fn lock(&self) -> Result<ThreadLock, Error> {
@@ -128,8 +131,8 @@ impl Thread {
         }
     }
 
-    pub fn id(&self) -> Result<u64, Error> {
-        Ok(self.tid.as_raw() as u64)
+    pub fn id(&self) -> Result<Tid, Error> {
+        Ok(self.tid.as_raw())
     }
 
     pub fn active(&self) -> Result<bool, Error> {

remoteprocess/src/linux/symbolication.rs

@@ -51,36 +51,41 @@ impl SymbolData {
         Ok(SymbolData{ctx, offset, dynamic_symbols, symbols, filename: filename.to_owned()})
     }
 
-    pub fn symbolicate(&self, addr: u64, callback: &mut FnMut(&StackFrame)) -> Result<(), Error> {
+    pub fn symbolicate(&self, addr: u64, line_info: bool, callback: &mut FnMut(&StackFrame)) -> Result<(), Error> {
         let mut ret = StackFrame{line:None, filename: None, function: None, addr, module: self.filename.clone()};
 
         // get the address before relocations
         let offset = addr - self.offset;
-        let mut has_debug_info = false;
-
-        // addr2line0.8 uses an older version of gimli (0.0.19) than we are using here (0.0.21),
-        // this means we can't use the type of the error returned ourselves here since the
-        // type alias is private. hack by re-mapping the error
-        let error_handler = |e| Error::Other(format!("addr2line error: {:?}", e));
-
-        // if we have debugging info, get the appropiate stack frames for the adresss
-        let mut frames = self.ctx.find_frames(offset).map_err(error_handler)?;
-        while let Some(frame) = frames.next().map_err(error_handler)? {
-            has_debug_info = true;
-            if let Some(func) = frame.function {
-                ret.function = Some(func.raw_name().map_err(error_handler)?.to_string());
-            }
-            if let Some(loc) = frame.location {
-                ret.line = loc.line;
-                if let Some(file) = loc.file.as_ref() {
-                    ret.filename = Some(file.to_string());
+
+        // if we are being asked for line information, sue gimli addr2line to look up the debug info
+        // (this is slow, and not necessary all the time which is why we are skipping)
+        if line_info {
+            let mut has_debug_info = false;
+
+            // addr2line0.8 uses an older version of gimli (0.0.19) than we are using here (0.0.21),
+            // this means we can't use the type of the error returned ourselves here since the
+            // type alias is private. hack by re-mapping the error
+            let error_handler = |e| Error::Other(format!("addr2line error: {:?}", e));
+
+            // if we have debugging info, get the appropiate stack frames for the adresss
+            let mut frames = self.ctx.find_frames(offset).map_err(error_handler)?;
+            while let Some(frame) = frames.next().map_err(error_handler)? {
+                has_debug_info = true;
+                if let Some(func) = frame.function {
+                    ret.function = Some(func.raw_name().map_err(error_handler)?.to_string());
                 }
+                if let Some(loc) = frame.location {
+                    ret.line = loc.line;
+                    if let Some(file) = loc.file.as_ref() {
+                        ret.filename = Some(file.to_string());
+                    }
+                }
+                callback(&ret);
             }
-            callback(&ret);
-        }
 
-        if has_debug_info {
-            return Ok(())
+            if has_debug_info {
+                return Ok(())
+            }
         }
 
         // otherwise try getting the function name from the symbols

remoteprocess/src/osx/mod.rs

@@ -27,6 +27,7 @@ pub use self::unwinder::Unwinder;
 use libproc::libproc::proc_pid::{pidpath, pidinfo, PIDInfo, PidInfoFlavor};
 
 pub type Pid = pid_t;
+pub type Tid = u32;
 
 pub struct Process {
     pub pid: Pid,
@@ -35,7 +36,7 @@ pub struct Process {
 
 #[derive(Eq, PartialEq, Hash, Copy, Clone)]
 pub struct Thread {
-    pub tid: u32
+    pub tid: Tid
 }
 
 impl Process {
@@ -95,7 +96,15 @@ use self::mach_thread_bindings::{thread_info, thread_basic_info, thread_identifi
 
 
 impl Thread {
-    pub fn id(&self) -> Result<u64, Error> {
+    pub fn new(tid: Tid) -> Result<Thread, Error> {
+        Ok(Thread{tid})
+    }
+
+    pub fn id(&self) -> Result<Tid, Error> {
+        Ok(self.tid)
+    }
+
+    pub fn thread_handle(&self) -> Result<u64, Error> {
         let thread_id = self.get_thread_identifier_info()?;
         Ok(thread_id.thread_handle)
     }

remoteprocess/src/osx/unwinder.rs

@@ -87,7 +87,7 @@ impl Unwinder {
         Ok(Cursor{registers: thread.registers()?, parent: self, initial_frame: true})
     }
 
-    pub fn symbolicate(&self, addr: u64, callback: &mut FnMut(&StackFrame)) -> Result<(), Error> {
+    pub fn symbolicate(&self, addr: u64, _line_info: bool, callback: &mut FnMut(&StackFrame)) -> Result<(), Error> {
         // Get the symbols for the current address
         let symbol = unsafe { self.cs.resolve(addr) };
 

remoteprocess/src/windows/generate_syscall.py

@@ -0,0 +1,115 @@
+""" Generates the syscall.rs code """
+import argparse
+import os
+import sys
+import json
+
+# We need to map to major/minor/build to the names used in the syscall table
+# https://www.gaijin.at/en/infos/windows-version-numbers
+OS_VERSION_LOOKUP = {
+    ("Windows Vista", "SP0"): (6, 0, 6000),
+    ("Windows Vista", "SP1"): (6, 0, 6001),
+    ("Windows Vista", "SP2"): (6, 0, 6002),
+    ("Windows 7", "SP0"): (6, 1, 7600),
+    ("Windows 7", "SP1"): (6, 1, 7601),
+    ("Windows 8", "8.0"): (6, 2, 9200),
+    ("Windows 8", "8.1"): (6, 3, 9600),
+    ("Windows 10", "1507"): (10, 0, 10240),
+    ("Windows 10", "1511"): (10, 0, 10586),
+    ("Windows 10", "1607"): (10, 0, 14393),
+    ("Windows 10", "1703"): (10, 0, 15063),
+    ("Windows 10", "1709"): (10, 0, 16299),
+    ("Windows 10", "1803"): (10, 0, 17134),
+    ("Windows 10", "1809"): (10, 0, 17763),
+    ("Windows 10", "1903"): (10, 0, 18362),
+}
+
+# I'm not supporting anything prior to vista here
+UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}
+
+# these seem to have the same NT syscall as the consumer versions
+SERVER_OS = {"Windows Server 2008", "Windows Server 2012"}
+
+# how different are the syscall tables here?
+OS_SERVER_LOOKUP = {
+    ("Windows Server 2008", "SP0"): (6, 0, 6001),
+    ("Windows Server 2008", "SP2"): (6, 0, 6002),
+    ("Windows Server 2008", "R2"): (6, 1, 7600),
+    ("Windows Server 2012", "SP0"): (6, 2, 9200),
+    ("Windows Server 2012", "R2"): (6, 3, 9600),
+    ("Windows Server 2008", "R2 SP1"): (6, 1, 7601),
+}
+
+
+def generate(inputpath, arch="x64", namefilter=lambda s: not s.startswith("NtWait")):
+    nt = json.load(open(os.path.join(inputpath, arch, "json", "nt-per-system.json")))
+    win32k = json.load(open(os.path.join(inputpath, arch, "json", "win32k-per-system.json")))
+    outputpath = os.path.dirname(os.path.realpath(__file__))
+    outputfilename = os.path.join(outputpath, f"syscalls_{arch}.rs")
+
+    syscallnames = set()
+    matches = []
+
+    for ((osname, osversion), (major, minor, build)) in OS_VERSION_LOOKUP.items():
+        syscalls = nt[osname][osversion]
+        syscalls.update(win32k[osname][osversion])
+        for syscallname, syscallnumber in syscalls.items():
+            if namefilter and namefilter(syscallname):
+                continue
+
+            matches.append((major, minor, build, syscallnumber, syscallname))
+            syscallnames.add(syscallname)
+
+    matches.sort()
+    syscallnames = sorted(syscallnames)
+
+    print(outputfilename)
+    with open(outputfilename, "w") as o:
+        o.write(f"// Automatically generated by '{__file__}' - do not edit\n")
+        if namefilter:
+            o.write("// Note that this is a subset of the syscalls, run again with no namefilter\n")
+            o.write("//   for the complete list (which takes forever to compile)\n")
+        o.write("\n")
+        o.write("#[allow(non_camel_case_types)]\n\n")
+
+        o.write("pub enum Syscall {\n")
+        for syscall in syscallnames:
+            o.write(f"    {syscall},\n")
+        o.write("}\n\n")
+
+        o.write("pub fn lookup_syscall(major: u32, minor: u32, build: u32, syscall: u32)")
+        o.write(" -> Option<Syscall> {\n")
+        o.write("    match (major, minor, build, syscall) {\n")
+        for major, minor, build, syscallnumber, syscallname in matches:
+            o.write(f"        ({major}, {minor}, {build}, {syscallnumber})")
+            o.write(f" => Some(Syscall::{syscallname}),\n")
+        o.write("        _ => None\n")
+        o.write("    }\n")
+        o.write("}\n\n")
+
+
+if __name__ == "__main__":
+
+    if sys.platform.startswith("win"):
+        default_syscall_path = os.path.join(os.getenv("userprofile"), "code", "windows-syscalls")
+    else:
+        default_syscall_path = os.path.join(os.getenv("HOME"), "code", "windows-syscalls")
+
+    parser = argparse.ArgumentParser(
+        description="generates syscall.rs", formatter_class=argparse.ArgumentDefaultsHelpFormatter
+    )
+    parser.add_argument(
+        "--syscallpath",
+        type=str,
+        default=default_syscall_path,
+        dest="syscallpath",
+        help="path to syscall repo https://github.com/j00ru/windows-syscalls",
+    )
+    args = parser.parse_args()
+
+    if not os.path.isdir(args.syscallpath):
+        print(f"Directory '{args.syscallpath}' doesn't exist!")
+        print("Pass a valid path to the j00ru/windows-syscalls in with --syscallpath <pathname>")
+        sys.exit(1)
+
+    generate(args.syscallpath)