gabi/gwatch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
24 Commits 1 Branch 0 Tags 69 KiB
C++ 93.4%
C 2.7%
CMake 2.3%
Shell 1.6%
dfb69f8e28
Go to file
Gabriel Ionita dfb69f8e28
add support for passing arguments to target program
2025-10-28 21:20:56 +00:00
src add support for passing arguments to target program 2025-10-28 21:20:56 +00:00
tests refactor structure and add basic test 2025-10-24 10:43:58 +01:00
vcpkg@3b9d086009 Initial commit 2025-10-24 10:40:03 +01:00
.gitignore refactor structure and add basic test 2025-10-24 10:43:58 +01:00
.gitmodules Initial commit 2025-10-24 10:40:03 +01:00
CMakeLists.txt add tracer.cpp to CMakeLists build 2025-10-28 21:20:56 +00:00
CMakePresets.json Initial commit 2025-10-24 10:40:03 +01:00
README.md add README with implementation details and known limitations 2025-10-28 21:20:56 +00:00
test_access.c remove debug output and add volatile test program 2025-10-28 21:20:56 +00:00
test_with_args.c add support for passing arguments to target program 2025-10-28 21:20:56 +00:00
vcpkg.json add libdwarf dependency 2025-10-28 21:20:56 +00:00

README.md

gwatch - Global Variable Watcher

A tool to monitor reads and writes to global integer variables in Linux binaries using ptrace and hardware watchpoints.

Features

  • Lists all global integer variables in a binary with their addresses
  • Attempts to set up hardware watchpoints via ptrace to monitor variable access
  • Supports PIE (Position Independent Executable) binaries
  • Uses DWARF debug information to locate variables

Building

cmake -B build
cmake --build build

Usage

List all global integer variables:

./build/gwatch --exec <binary>

Watch a specific variable:

./build/gwatch --exec <binary> --var <variable_name>

Note: The binary must be compiled with debug symbols (-g flag).

Implementation Details

Variable Detection

  • Uses libdwarf to parse DWARF debug information
  • Identifies global integer variables (int, long, short, char, unsigned variants)
  • Handles const/volatile type qualifiers
  • Retrieves variable address and size from debug info

Hardware Watchpoints

The tool uses x86-64 hardware debug registers (DR0-DR7) via ptrace to set watchpoints:

  • DR0: Stores the watched address
  • DR7: Configures watchpoint type (read/write) and size
  • DR6: Status register checked on SIGTRAP to detect watchpoint hits

PIE Binary Support

For Position Independent Executables, the tool:

  1. Reads /proc/[pid]/maps to find the actual load address
  2. Adds the load address to the DWARF-provided offset
  3. Sets the watchpoint at the runtime address

Current Limitations

Hardware watchpoints are not currently triggering on the test system. The implementation follows standard Linux ptrace documentation for setting x86 hardware breakpoints, but watchpoint events are not being generated. This may be due to:

  1. Kernel configuration (hardware breakpoints disabled or restricted)
  2. Security settings (e.g., /proc/sys/kernel/yama/ptrace_scope)
  3. System-specific ptrace behavior variations
  4. Potential need for additional ptrace options or setup steps

The code correctly:

  • Sets DR0 to the target address
  • Configures DR7 with proper enable bits, condition codes, and length fields
  • Monitors for SIGTRAP signals
  • Checks DR6 for watchpoint hits

But SIGTRAP signals are never generated when the watched variable is accessed.

Testing

Test binaries are provided:

  • test_binary: Simple binary with global variables (no accesses)
  • test_access: Program that reads and writes to global_counter

Compile test programs with:

gcc -g -O0 -o test_access test_access.c

##Future Work

  • Investigate alternative watchpoint implementations
  • Add support for watchingnon-integer types
  • Support multiple simultaneous watchpoints (using DR1-DR3)
  • Add filtering options (read-only vs write-only vs read/write)
  • Better error reporting and diagnostics