├── .gitignore ├── LICENSE ├── README.md ├── pdbattach ├── __init__.py ├── eventloop │ ├── __init__.py │ └── eventloop.py ├── exchange │ ├── __init__.py │ ├── exchange.py │ └── message.py ├── injector │ ├── __init__.py │ ├── elf.py │ ├── print_sym_offset.py │ ├── repl_injector.py │ ├── simple_injector.py │ └── utils.py ├── main.py ├── pty │ ├── __init__.py │ └── pty.py ├── rpdb │ ├── __init__.py │ ├── client.py │ └── rpdb.py └── utils.py └── setup.py /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | target/ 76 | 77 | # Jupyter Notebook 78 | .ipynb_checkpoints 79 | 80 | # IPython 81 | profile_default/ 82 | ipython_config.py 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # pipenv 88 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 89 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 90 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 91 | # install all needed dependencies. 92 | #Pipfile.lock 93 | 94 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow 95 | __pypackages__/ 96 | 97 | # Celery stuff 98 | celerybeat-schedule 99 | celerybeat.pid 100 | 101 | # SageMath parsed files 102 | *.sage.py 103 | 104 | # Environments 105 | .env 106 | .venv 107 | env/ 108 | venv/ 109 | ENV/ 110 | env.bak/ 111 | venv.bak/ 112 | 113 | # Spyder project settings 114 | .spyderproject 115 | .spyproject 116 | 117 | # Rope project settings 118 | .ropeproject 119 | 120 | # mkdocs documentation 121 | /site 122 | 123 | # mypy 124 | .mypy_cache/ 125 | .dmypy.json 126 | dmypy.json 127 | 128 | # Pyre type checker 129 | .pyre/ 130 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 zc 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # pdbattach 2 | 3 | Attach pdb to a running Python process. 4 | 5 | ## Install 6 | 7 | ``` 8 | python3.8 -mpip install git+https://github.com/jschwinger233/pdbattach.git 9 | ``` 10 | 11 | ## Usage 12 | 13 | ### check process stack 14 | 15 | ``` 16 | sudo pdbattach -p $pid -c 'import traceback; f=open("/tmp/bt", "w+"); print("".join(traceback.format_stack()), file=f, flush=True); f.close()' 17 | ``` 18 | 19 | Then you will find the process's stack backtrace at `/tmp/bt` like: 20 | 21 | ``` 22 | File "/usr/lib/python3.8/runpy.py", line 194, in _run_module_as_main 23 | return _run_code(code, main_globals, None, 24 | File "/usr/lib/python3.8/runpy.py", line 87, in _run_code 25 | exec(code, run_globals) 26 | File "/usr/lib/python3.8/http/server.py", line 1294, in 27 | test( 28 | File "/usr/lib/python3.8/http/server.py", line 1257, in test 29 | httpd.serve_forever() 30 | File "/usr/lib/python3.8/socketserver.py", line 232, in serve_forever 31 | ready = selector.select(poll_interval) 32 | File "/usr/lib/python3.8/selectors.py", line 415, in select 33 | fd_event_list = self._selector.poll(timeout) 34 | File "", line 1, in 35 | ``` 36 | 37 | ### interactive debugging using pdb 38 | 39 | Suppose we have a `python3.9` process running with command `python3.9 test.py`, where `test.py` is a simple script: 40 | 41 | ```python 42 | import time 43 | for i in range(1000): 44 | print(i) 45 | time.sleep(10) 46 | ``` 47 | 48 | then we can attach it: 49 | 50 | ```bash 51 | $ sudo pdbattach -p $(pgrep -f test.py) 52 | --Return-- 53 | > (1)()->None 54 | (Pdb) b test.py:3 55 | Breakpoint 1 at /home/gray/Dropbox/mac.local/Documents/src/github.com/jschwinger233/pdbattach/test.py:3 56 | (Pdb) c 57 | > /home/gray/Dropbox/mac.local/Documents/src/github.com/jschwinger233/pdbattach/test.py(3)()->None 58 | -> print(i) 59 | (Pdb) p i 60 | 5 61 | (Pdb) l 62 | 1 import time 63 | 2 for i in range(1000): 64 | 3 B-> print(i) 65 | 4 time.sleep(10) 66 | [EOF] 67 | (Pdb) q 68 | ``` 69 | 70 | ### inject any code snippets 71 | 72 | Suppose we have a simple HTTP server causing memory leak, and we want to use [memray](https://github.com/bloomberg/memray) to do a memory profile by attaching. 73 | 74 | Firstly let's enable the tracker: 75 | 76 | ```bash 77 | sudo pdbattach -p $(pidof python3.9) -c 'import memray; global t; t = memray.Tracker("out.bin"); t.__enter__(); print(t)' 78 | ``` 79 | 80 | You can also put the statements in a script file and run by: 81 | 82 | ```bash 83 | sudo pdbattach -p $(pidof python3.9) -f mem_track.py 84 | ``` 85 | 86 | Suppose the output of the above injection is: 87 | 88 | ``` 89 | Memray WARNING: Correcting symbol for malloc from 0x421420 to 0x7f0400389110 90 | Memray WARNING: Correcting symbol for free from 0x421890 to 0x7f0400389700 91 | 92 | ``` 93 | 94 | Then after a while, stop the tracker and inspect the outcomes: 95 | 96 | ```bash 97 | sudo pdbattach -p $(pidof python3.9) -c 'import ctypes; ctypes.cast(0x7f03ff6598d0, ctypes.py_object).value.__exit__(None, None, None)' 98 | ``` 99 | 100 | ## Known Issues 101 | 102 | 1. pdb doesn't work properly under multi-thread scenarios. See [issue](https://bugs.python.org/issue41571). 103 | 2. ptrace(2) relies on `struct user_regs_struct` whose definition varies across platforms, therefore running pdbattach inside a container (e.g. from docker.io/python:3 image) to attach a host process will cause segmentation fault. See [issue](https://github.com/jschwinger233/pdbattach/issues/4). 104 | -------------------------------------------------------------------------------- /pdbattach/__init__.py: -------------------------------------------------------------------------------- 1 | __version__ = '0.0.7' 2 | -------------------------------------------------------------------------------- /pdbattach/eventloop/__init__.py: -------------------------------------------------------------------------------- 1 | from .eventloop import EventLoop 2 | -------------------------------------------------------------------------------- /pdbattach/eventloop/eventloop.py: -------------------------------------------------------------------------------- 1 | import selectors 2 | 3 | from ..utils import singleton 4 | 5 | 6 | @singleton 7 | class EventLoop: 8 | def __init__(self): 9 | self._cnt = 0 10 | self._selector = selectors.DefaultSelector() 11 | 12 | def register(self, fd: int, event_type, callback): 13 | self._selector.register(fd, event_type, callback) 14 | self._cnt += 1 15 | 16 | def unregister(self, fd: int): 17 | self._selector.unregister(fd) 18 | self._cnt -= 1 19 | if self._cnt == 0: 20 | self._run = False 21 | 22 | def run(self): 23 | self._run = True 24 | while self._run: 25 | events = self._selector.select() 26 | for key, _ in events: 27 | key.data(key.fileobj) 28 | -------------------------------------------------------------------------------- /pdbattach/exchange/__init__.py: -------------------------------------------------------------------------------- 1 | from .exchange import Exchange, Subscriber 2 | -------------------------------------------------------------------------------- /pdbattach/exchange/exchange.py: -------------------------------------------------------------------------------- 1 | from ..utils import singleton 2 | 3 | 4 | class Subscriber: 5 | def recv(self, msg): 6 | handle = getattr(self, "handle_msg_" + msg.__class__.__name__, None) 7 | if handle: 8 | handle(msg) 9 | 10 | 11 | @singleton 12 | class Exchange: 13 | def __init__(self): 14 | self._subs = set() 15 | 16 | def attach(self, sub: Subscriber): 17 | self._subs.add(sub) 18 | 19 | def detach(self, sub: Subscriber): 20 | self._subs.remove(sub) 21 | 22 | def send(self, msg): 23 | for sub in self._subs: 24 | sub.recv(msg) 25 | -------------------------------------------------------------------------------- /pdbattach/exchange/message.py: -------------------------------------------------------------------------------- 1 | import dataclasses 2 | 3 | 4 | @dataclasses.dataclass 5 | class RemotePdbUp: 6 | unix_address: str 7 | 8 | 9 | @dataclasses.dataclass 10 | class PdbDataReceived: 11 | buf: bytes 12 | 13 | 14 | @dataclasses.dataclass 15 | class PtyDataReceived: 16 | buf: str 17 | -------------------------------------------------------------------------------- /pdbattach/injector/__init__.py: -------------------------------------------------------------------------------- 1 | from .simple_injector import SimpleInjector 2 | from .repl_injector import REPLInjector 3 | -------------------------------------------------------------------------------- /pdbattach/injector/elf.py: -------------------------------------------------------------------------------- 1 | import os 2 | import subprocess 3 | from . import print_sym_offset 4 | 5 | 6 | def search_symbol_offset(pid: int, symbol: str) -> int: 7 | with open(print_sym_offset.__file__) as f: 8 | script_code = f.read() 9 | 10 | bin_under_mount = os.readlink(f"/proc/{pid}/exe") 11 | 12 | try: 13 | process = subprocess.run( 14 | [ 15 | "nsenter", 16 | f"--pid=/proc/{pid}/ns/pid", 17 | "chroot", 18 | f"/proc/{pid}/root", 19 | bin_under_mount, 20 | "-", 21 | symbol, 22 | ], 23 | capture_output=True, 24 | encoding="utf8", 25 | check=True, 26 | input=script_code, 27 | ) 28 | except subprocess.CalledProcessError as err: 29 | print(err.stderr) 30 | raise 31 | 32 | parts = process.stdout.split(":") 33 | offset, elf, seq = int(parts[0]), parts[1], int(parts[2]) 34 | 35 | with open(f"/proc/{pid}/maps") as f: 36 | cnt = -1 37 | for line in f: 38 | if not line.rstrip().endswith(elf): 39 | continue 40 | cnt += 1 41 | if cnt == seq: 42 | return offset + int(line.split("-")[0], base=16) 43 | 44 | raise ValueError(f"map not found: elf {elf}, seq {seq}") 45 | 46 | 47 | if __name__ == "__main__": 48 | import sys 49 | 50 | print(search_symbol_offset(int(sys.argv[1]), sys.argv[2])) 51 | -------------------------------------------------------------------------------- /pdbattach/injector/print_sym_offset.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sys 3 | import ctypes 4 | 5 | 6 | if __name__ == "__main__": 7 | symbol = sys.argv[-1] 8 | func = ctypes.pythonapi[symbol] 9 | address = ctypes.cast(func, ctypes.c_void_p).value 10 | with open("/proc/{}/maps".format(os.getpid())) as f: 11 | last_elf, seq = "", -1 12 | for line in f: 13 | columns = line.split() 14 | elf = columns[-1] 15 | if not elf.startswith("/"): 16 | continue 17 | if last_elf == elf: 18 | seq += 1 19 | else: 20 | last_elf = elf 21 | seq = 0 22 | parts = columns[0].split("-") 23 | start, end = int(parts[0], base=16), int(parts[1], base=16) 24 | if start <= address < end: 25 | print( 26 | address - start, 27 | elf, 28 | seq, 29 | sep=":", 30 | end="", 31 | ) 32 | sys.exit(0) 33 | sys.exit(1) 34 | -------------------------------------------------------------------------------- /pdbattach/injector/repl_injector.py: -------------------------------------------------------------------------------- 1 | import time 2 | import shutil 3 | 4 | from .simple_injector import SimpleInjector 5 | from ..exchange import Exchange, message 6 | from ..pty import Pty 7 | from ..rpdb import rpdb 8 | from ..rpdb import Client 9 | 10 | 11 | class REPLInjector(SimpleInjector): 12 | def __init__(self, *args, **kws): 13 | super().__init__(*args, **kws) 14 | 15 | exchange = Exchange() 16 | exchange.attach(Client()) 17 | exchange.attach(Pty()) 18 | 19 | def _do_call_PyRun_SimpleStringFlags(self, fd): 20 | shutil.copy(rpdb.__file__, f"/proc/{self.pid}/cwd") 21 | super()._do_call_PyRun_SimpleStringFlags(fd) 22 | time.sleep(0.1) 23 | Exchange().send( 24 | message.RemotePdbUp(f"/proc/{self.pid}/root/tmp/debug-{self.pid}.unix") # noqa 25 | ) 26 | return True 27 | -------------------------------------------------------------------------------- /pdbattach/injector/simple_injector.py: -------------------------------------------------------------------------------- 1 | import os 2 | import enum 3 | import copy 4 | import uuid 5 | import signal 6 | import selectors 7 | import contextlib 8 | 9 | import syscall 10 | 11 | from . import elf 12 | from .utils import pokebytes 13 | from ..eventloop import EventLoop 14 | 15 | 16 | class State(enum.Enum): 17 | init = 0 18 | syscall_mmap = 1 19 | call_PyGILState_Ensure = 2 20 | probe_stack_offset = 3 21 | call_PyRun_SimpleStringFlags = 4 22 | call_PyGILState_Release = 5 23 | syscall_munmap = 6 24 | restore_and_detach = 7 25 | 26 | 27 | class SimpleInjector: 28 | def __init__(self, pid: int, command: str): 29 | self.pid = pid 30 | self.command = command 31 | 32 | self._signalfd = None 33 | self._state = 0 34 | self._sentinel = f"/tmp/{uuid.uuid4()}" 35 | self._new_frame_offset = 16 36 | 37 | self._offset_PyGILState_Ensure = elf.search_symbol_offset( 38 | pid, "PyGILState_Ensure" 39 | ) 40 | self._offset_PyRun_SimpleStringFlags = elf.search_symbol_offset( 41 | pid, "PyRun_SimpleStringFlags" 42 | ) 43 | self._offset_PyGILState_Release = elf.search_symbol_offset( 44 | pid, "PyGILState_Release" 45 | ) 46 | 47 | def start(self): 48 | signal.pthread_sigmask(signal.SIG_BLOCK, [signal.SIGCHLD]) 49 | self._signalfd = syscall.signalfd( 50 | -1, 51 | [signal.SIGCHLD], 52 | syscall.SFD_NONBLOCK, 53 | ) 54 | EventLoop().register( 55 | self._signalfd, 56 | selectors.EVENT_READ, 57 | self.callback, 58 | ) 59 | 60 | syscall.ptrace(syscall.PTRACE_ATTACH, self.pid, 0, 0) 61 | 62 | def callback(self, fd): 63 | ssi = syscall.SignalfdSiginfo() 64 | n = syscall.read(fd, ssi.byref(), ssi.sizeof()) 65 | if n != len(ssi): 66 | raise RuntimeError( 67 | f"expect to read {len(ssi)} bytes, but got {n} only" 68 | ) 69 | 70 | if ssi.ssi_signo != signal.SIGCHLD: 71 | self.handle_general_signal(ssi.ssi_signo) 72 | return 73 | 74 | os.wait() 75 | call = getattr(self, "_do_" + State(self._state + 1).name) 76 | if call(fd): 77 | self._state += 1 78 | 79 | def handle_general_signal(self, signo: int): 80 | signame = signal.Signal(signo).name 81 | print(f"got signal {signame}") 82 | 83 | def _do_syscall_mmap(self, fd) -> bool: 84 | self._saved_regs = syscall.UserRegsStruct() 85 | syscall.ptrace( 86 | syscall.PTRACE_GETREGS, self.pid, 0, self._saved_regs.byref() 87 | ) 88 | self._current_instruction = syscall.ptrace( 89 | syscall.PTRACE_PEEKDATA, 90 | self.pid, 91 | self._saved_regs.rip, 92 | 0, 93 | ) 94 | self._next_instruction = syscall.ptrace( 95 | syscall.PTRACE_PEEKDATA, 96 | self.pid, 97 | self._saved_regs.rip + 2, 98 | 0, 99 | ) 100 | syscall.ptrace( 101 | syscall.PTRACE_POKEDATA, 102 | self.pid, 103 | self._saved_regs.rip, 104 | self._current_instruction & ~0xFFFF | 0xD0FF, # call *%rax 105 | ) 106 | syscall.ptrace( 107 | syscall.PTRACE_POKEDATA, 108 | self.pid, 109 | self._saved_regs.rip + 2, 110 | self._next_instruction & ~0xFF | 0xCC, # int 111 | ) 112 | 113 | regs = copy.copy(self._saved_regs) 114 | regs.rax = syscall.mmap.no 115 | regs.rdi = 0 116 | regs.rsi = max(len(self.command) + 1, 1024) 117 | regs.rdx = syscall.PROT_READ | syscall.PROT_WRITE 118 | regs.r10 = syscall.MAP_PRIVATE | syscall.MAP_ANONYMOUS 119 | regs.r8 = 0 120 | regs.r9 = 0 121 | regs.rip -= 2 122 | syscall.ptrace( 123 | syscall.PTRACE_SETREGS, 124 | self.pid, 125 | 0, 126 | regs.byref(), 127 | ) 128 | syscall.ptrace( 129 | syscall.PTRACE_SINGLESTEP, 130 | self.pid, 131 | 0, 132 | 0, 133 | ) 134 | return True 135 | 136 | def _do_call_PyGILState_Ensure(self, fd) -> bool: 137 | rregs = syscall.UserRegsStruct() 138 | syscall.ptrace(syscall.PTRACE_GETREGS, self.pid, 0, rregs.byref()) 139 | self._allocated_address = rregs.rax 140 | 141 | regs = copy.copy(self._saved_regs) 142 | regs.rax = self._offset_PyGILState_Ensure 143 | regs.rsp -= self._new_frame_offset 144 | regs.rbp = regs.rsp 145 | syscall.ptrace( 146 | syscall.PTRACE_SETREGS, 147 | self.pid, 148 | 0, 149 | regs.byref(), 150 | ) 151 | syscall.ptrace( 152 | syscall.PTRACE_CONT, 153 | self.pid, 154 | 0, 155 | 0, 156 | ) 157 | return True 158 | 159 | def _do_probe_stack_offset(self, fd) -> bool: 160 | 161 | regs = copy.copy(self._saved_regs) 162 | 163 | with contextlib.suppress(FileNotFoundError): 164 | os.stat(f"/proc/{self.pid}/root/{self._sentinel}") 165 | 166 | pokebytes( 167 | self.pid, 168 | self._allocated_address, 169 | f"import os; os.remove('{self._sentinel}')".encode(), 170 | ) 171 | regs.rax = self._offset_PyRun_SimpleStringFlags 172 | regs.rdi = self._allocated_address 173 | regs.rsi = 0 174 | regs.rsp -= self._new_frame_offset 175 | regs.rbp = regs.rsp 176 | syscall.ptrace(syscall.PTRACE_SETREGS, self.pid, 0, regs.byref()) 177 | syscall.ptrace(syscall.PTRACE_CONT, self.pid, 0, 0) 178 | return True 179 | 180 | self._new_frame_offset += 8 181 | if self._new_frame_offset > 8*50: 182 | raise RuntimeError("valid new frame offset not found") 183 | 184 | pokebytes( 185 | self.pid, 186 | self._allocated_address, 187 | f"import os; os.mknod('{self._sentinel}')".encode(), 188 | ) 189 | regs.rax = self._offset_PyRun_SimpleStringFlags 190 | regs.rdi = self._allocated_address 191 | regs.rsi = 0 192 | regs.rsp -= self._new_frame_offset 193 | regs.rbp = regs.rsp 194 | syscall.ptrace(syscall.PTRACE_SETREGS, self.pid, 0, regs.byref()) 195 | syscall.ptrace(syscall.PTRACE_CONT, self.pid, 0, 0) 196 | return False 197 | 198 | def _do_call_PyRun_SimpleStringFlags(self, fd) -> bool: 199 | pokebytes( 200 | self.pid, 201 | self._allocated_address, 202 | self.command.encode(), 203 | ) 204 | regs = copy.copy(self._saved_regs) 205 | regs.rax = self._offset_PyRun_SimpleStringFlags 206 | regs.rdi = self._allocated_address 207 | regs.rsi = 0 208 | regs.rsp -= self._new_frame_offset 209 | regs.rbp = regs.rsp 210 | syscall.ptrace( 211 | syscall.PTRACE_SETREGS, 212 | self.pid, 213 | 0, 214 | regs.byref(), 215 | ) 216 | syscall.ptrace(syscall.PTRACE_CONT, self.pid, 0, 0) 217 | return True 218 | 219 | def _do_call_PyGILState_Release(self, fd) -> bool: 220 | regs = copy.copy(self._saved_regs) 221 | regs.rax = self._offset_PyGILState_Release 222 | regs.rdi = 0x1 223 | regs.rsp -= self._new_frame_offset 224 | regs.rbp = regs.rsp 225 | syscall.ptrace( 226 | syscall.PTRACE_SETREGS, 227 | self.pid, 228 | 0, 229 | regs.byref(), 230 | ) 231 | syscall.ptrace(syscall.PTRACE_CONT, self.pid, 0, 0) 232 | return True 233 | 234 | def _do_syscall_munmap(self, fd) -> bool: 235 | regs = copy.copy(self._saved_regs) 236 | regs.rax = syscall.munmap.no 237 | regs.rdi = self._allocated_address 238 | regs.rsi = len(self.command) + 1 239 | regs.rdx = 0 240 | regs.r10 = 0 241 | regs.r8 = 0 242 | regs.r9 = 0 243 | regs.rip -= 2 244 | syscall.ptrace( 245 | syscall.PTRACE_SETREGS, 246 | self.pid, 247 | 0, 248 | regs.byref(), 249 | ) 250 | syscall.ptrace( 251 | syscall.PTRACE_SINGLESTEP, 252 | self.pid, 253 | 0, 254 | 0, 255 | ) 256 | return True 257 | 258 | def _do_restore_and_detach(self, fd) -> True: 259 | syscall.ptrace( 260 | syscall.PTRACE_POKEDATA, 261 | self.pid, 262 | self._saved_regs.rip + 2, 263 | self._next_instruction, 264 | ) 265 | syscall.ptrace( 266 | syscall.PTRACE_POKEDATA, 267 | self.pid, 268 | self._saved_regs.rip, 269 | self._current_instruction, 270 | ) 271 | syscall.ptrace( 272 | syscall.PTRACE_SETREGS, 273 | self.pid, 274 | 0, 275 | self._saved_regs.byref(), 276 | ) 277 | syscall.ptrace(syscall.PTRACE_DETACH, self.pid, 0, 0) 278 | 279 | eventloop = EventLoop() 280 | eventloop.unregister(self._signalfd) 281 | return True 282 | -------------------------------------------------------------------------------- /pdbattach/injector/utils.py: -------------------------------------------------------------------------------- 1 | import syscall 2 | 3 | 4 | def pokebytes(pid, address, bytes_): 5 | for i in range(len(bytes_) // 8 + 1): 6 | syscall.ptrace( 7 | syscall.PTRACE_POKEDATA, 8 | pid, 9 | address+8*i, 10 | int.from_bytes( 11 | bytes_[i*8:i*8+8], 12 | "little", 13 | ), 14 | ) 15 | -------------------------------------------------------------------------------- /pdbattach/main.py: -------------------------------------------------------------------------------- 1 | import click 2 | import shutil 3 | 4 | from .injector import REPLInjector, SimpleInjector 5 | from .eventloop import EventLoop 6 | 7 | 8 | @click.group( 9 | context_settings=dict(help_option_names=["-h", "--help"]), 10 | invoke_without_command=True, 11 | ) 12 | @click.option( 13 | "-p", 14 | "--pid", 15 | help="the Python process to tamper", 16 | type=int, 17 | ) 18 | @click.option( 19 | "-c", 20 | "--command", 21 | help="the command to inject, e.g. -c 'print(2333)'", 22 | ) 23 | @click.option( 24 | "-f", 25 | "--filename", 26 | help="the script to inject, e.g. -f evil.py", 27 | type=click.Path(exists=True, dir_okay=False), 28 | ) 29 | @click.option( 30 | "-v", 31 | "--version", 32 | help="show the version", 33 | is_flag=True, 34 | ) 35 | @click.pass_context 36 | def main(ctx, pid: int, command: str, filename: str, version: bool): 37 | if version: 38 | from . import __version__ 39 | 40 | print(__version__) 41 | return 42 | else: 43 | if not pid: 44 | click.echo(ctx.get_help()) 45 | return 46 | 47 | injector_cls = SimpleInjector 48 | 49 | if not command and not filename: 50 | command = f'import sys; sys.path.insert(len(sys.path), ""); import rpdb; rpdb.set_trace("/tmp/debug-{pid}.unix")' # noqa 51 | injector_cls = REPLInjector 52 | 53 | elif filename: 54 | if not filename.endswith(".py"): 55 | raise ValueError('filename must endwith ".py"') 56 | 57 | shutil.copy(filename, f"/proc/{pid}/cwd/") 58 | command = f"import {filename[:-3]}" 59 | 60 | injector = injector_cls(pid, command) 61 | injector.start() 62 | EventLoop().run() 63 | -------------------------------------------------------------------------------- /pdbattach/pty/__init__.py: -------------------------------------------------------------------------------- 1 | from .pty import Pty 2 | -------------------------------------------------------------------------------- /pdbattach/pty/pty.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sys 3 | import fcntl 4 | import selectors 5 | 6 | from ..eventloop import EventLoop 7 | from ..exchange import Exchange, Subscriber, message 8 | 9 | 10 | class Pty(Subscriber): 11 | def __init__(self): 12 | self._initiated = False 13 | self._stdin = sys.stdin 14 | 15 | def handle_msg_PdbDataReceived(self, msg: message.PdbDataReceived): 16 | if not self._initiated: 17 | self._initiated = True 18 | fl = fcntl.fcntl(self._stdin, fcntl.F_GETFL) 19 | fcntl.fcntl(self._stdin, fcntl.F_SETFL, fl | os.O_NONBLOCK) 20 | EventLoop().register( 21 | self._stdin, 22 | selectors.EVENT_READ, 23 | self.handle_stdin_input, 24 | ) 25 | 26 | if not msg.buf: 27 | os.close(self._stdin.fileno()) 28 | EventLoop().unregister(self._stdin) 29 | return 30 | print(msg.buf.decode(), end="", flush=True) 31 | 32 | def handle_stdin_input(self, _): 33 | buf = os.read(self._stdin.fileno(), 4096) 34 | if not buf: 35 | EventLoop().unregister(self._stdin) 36 | 37 | Exchange().send(message.PtyDataReceived(buf)) 38 | -------------------------------------------------------------------------------- /pdbattach/rpdb/__init__.py: -------------------------------------------------------------------------------- 1 | from .rpdb import set_trace 2 | from .client import Client 3 | -------------------------------------------------------------------------------- /pdbattach/rpdb/client.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import selectors 3 | 4 | from ..eventloop import EventLoop 5 | from ..exchange import Subscriber, Exchange, message 6 | 7 | 8 | class Client(Subscriber): 9 | def __init__(self): 10 | self._unix_sock = None 11 | 12 | def handle_msg_RemotePdbUp(self, msg: message.RemotePdbUp): 13 | self._unix_sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) 14 | self._unix_sock.connect(msg.unix_address) 15 | self._unix_sock.setblocking(0) 16 | EventLoop().register( 17 | self._unix_sock, 18 | selectors.EVENT_READ, 19 | self.handle_socket_inbound, 20 | ) 21 | 22 | def handle_msg_PtyDataReceived(self, msg: message.PtyDataReceived): 23 | if not msg.buf: 24 | self._unix_sock.close() 25 | EventLoop().unregister(self._unix_sock) 26 | return 27 | self._unix_sock.send(msg.buf) 28 | 29 | def handle_socket_inbound(self, _): 30 | buf = self._unix_sock.recv(40960) 31 | if not buf: 32 | EventLoop().unregister(self._unix_sock) 33 | self._unix_sock.close() 34 | 35 | Exchange().send(message.PdbDataReceived(buf)) 36 | -------------------------------------------------------------------------------- /pdbattach/rpdb/rpdb.py: -------------------------------------------------------------------------------- 1 | import os 2 | import io 3 | import sys 4 | from pdb import Pdb 5 | import _socket as socket 6 | from contextlib import suppress 7 | 8 | 9 | class rPdb(Pdb): 10 | def __init__(self, conn: int): 11 | self.conn = conn 12 | self.r, self.w = io.open(conn, "r"), io.open(conn, "w") 13 | return super().__init__(stdin=self.r, stdout=self.w) 14 | 15 | def _detach(self): 16 | with suppress(OSError): 17 | self.r.close() 18 | self.w.close() 19 | os.close(self.conn) 20 | self.clear_all_breaks() 21 | 22 | def do_detach(self, *args, **kws): 23 | self._detach() 24 | return super().do_continue(*args, **kws) 25 | 26 | def do_EOF(self, *args, **kws): 27 | self._detach() 28 | return super().do_EOF(*args, **kws) 29 | 30 | do_q = do_exit = do_quit = do_de = do_detach 31 | 32 | 33 | def set_trace(address: str): 34 | with suppress(FileNotFoundError): 35 | os.unlink(address) 36 | sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) 37 | sock.bind(address) 38 | sock.listen(1) 39 | conn, _ = sock._accept() 40 | sock.close() 41 | pdb = rPdb(conn) 42 | frame = sys._getframe().f_back 43 | pdb.set_trace(frame) 44 | -------------------------------------------------------------------------------- /pdbattach/utils.py: -------------------------------------------------------------------------------- 1 | _classes = dict() 2 | 3 | 4 | def singleton(cls): 5 | def new(): 6 | if cls not in _classes: 7 | _classes[cls] = cls() 8 | return _classes[cls] 9 | 10 | return new 11 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | from setuptools import setup, find_packages 2 | 3 | with open("README.md", "r", encoding="utf-8") as fh: 4 | long_description = fh.read() 5 | 6 | g = {} 7 | with open("pdbattach/__init__.py") as f: 8 | exec(f.read(), g, g) 9 | 10 | setup( 11 | name="pdbattach", 12 | packages=find_packages(), 13 | include_package_data=True, 14 | version=g["__version__"], 15 | license="MIT", 16 | description="pdb attach a Python process", 17 | long_description=long_description, 18 | long_description_content_type="text/markdown", 19 | author="gray", 20 | author_email="greyschwinger@gmail.com", 21 | url="https://github.com/jschwinger233/pdbattach", 22 | platform=("linux"), 23 | classifiers=[ 24 | "License :: OSI Approved :: MIT License", 25 | "Operating System :: POSIX :: Linux", 26 | "Programming Language :: Python :: 3", 27 | "Programming Language :: Python :: Implementation :: CPython", 28 | "Topic :: Utilities", 29 | ], 30 | python_requires=">=3.8", 31 | install_requires=[ 32 | "syscall@https://github.com/jschwinger233/py-linux-syscall/zipball/main#egg=syscall==0.0.2", 33 | "click>=8.0.0,<9.0.0", 34 | ], 35 | entry_points={ 36 | "console_scripts": [ 37 | "pdbattach = pdbattach.main:main", 38 | ], 39 | }, 40 | ) 41 | --------------------------------------------------------------------------------