data sedimentation

A process can end its life by either explicitly calling the exit() system call or having it called for them.

ptraces of death attempts to trace the termination of common processes, such as the firefox web browser, using the common ptrace system call. A piece of software is traced exquisitely (we can peek into certain registers within the core processor, or even look at the exact operational code which is being executed). In this case, wmctrl is used to remotely shut down firefox. An audio file of around four hours duration (at 44100 samples per second) is thus generated.

ptraces of death is available as a limited edition (1 of 10) USB stick with all data logs and audio rendering of a firefox shutdown.

Building on self3 below, self examination translates CPU/machine code registers starting and running a specific process into audio. We can render as audio (at a range of sample rates), the machine code registers of any process running on the computer. Examples include simple utilities such as ping, and the initialisation process of more complex executables such as Audacity (the latter was abandoned after generating a 16 hour audio file).

The code presented below is a modification which examines a process which runs a process which examines a process and so on… and so on…

audio: http://soundcloud.com/martin\_howse/sets/self\_examination

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/user.h> 

static void self(){
  pid_t pid;
  int result, wait_val,x,ya,res;
  struct user_regs_struct red;

  pid = fork();
  if (pid) { 
    printf("pid = %d\n", pid);
    x=ptrace(PTRACE_ATTACH, pid, NULL, NULL);

    if(x==-1){
      perror("ptrace");
    }

    res = waitpid(pid, &wait_val, WUNTRACED);
    
    while(1){
      x=ptrace(PTRACE_SINGLESTEP,pid,NULL,NULL);
      wait(&wait_val);

      if(x==-1){
        perror("ptracestep");
      }

      x=ptrace(PTRACE_GETREGS,pid,NULL,&red);

      if(x==-1){
        perror("ptracegetregs");
      }

      ya=(int)((int)red.eax%255);// was eax   
      if (ya>0) {
        printf("%c",ya); 
      }
    }
  }
  else self(); // child
}

int main(void){
  self();
}

Daily diff maintains a daily log of changes across a single filesystem residing on an IBM x60 in daily use. The filesystem was mirrored locally at the beginning of June and free software tool rsync is used to log and update the mirror. The following shell script runs each day from the /etc/cron.daily directory.

#!/bin/bash

diffy=/storeddiffs/diff_`date +%b-%d-%y`.log
rsync --write-batch=$diffy -av --delete --exclude /mnt --exclude /media --exclude /sys --exclude /dev --exclude /proc --exclude /diff --exclude /storeddiffs / /diff

audio excerpts:

http://soundcloud.com/martin\_howse/sets/diff\_in\_june/

audio: http://soundcloud.com/martin\_howse/stackoverflow1

Stack overflow renders audible program (over) flow and control.

As the name suggests the (execution or call) stack can be visualised as a pile of data; when a subroutine is called information such as where the routine should return to when its completed, is piled on the stack. A stack overflow occurs when the stack grows beyond its imposed bounds, overwriting other variables in memory and causing the machine to crash/behave in unpredictable manners. Stack overflow here is implemented on the ATmega8 microcontroller.

Future stack overflows explore the possibilities of extending the stack overflow imaginary into everyday life.

• code:

#define F_CPU 12000000UL
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <avr/io.h>
#include <avr/delay.h>
#include <avr/interrupt.h>
#include <alloca.h>

void set_tone(uint16_t f){
  OCR1AH = (f >> 8);
  OCR1AL = f;
}

int dtae,x;
int *dttt;

void clll(void){
  alloca(x);x++;
  _delay_ms(100);
}

void callitself(void (* calling)(void *)){
  //  asm ("push %0" : "=r" (dtae) : );
  clll();
  dttt=(int *)0x005d;
  dtae=*dttt;
  set_tone(dtae);
  return calling(calling);
}

int main(void)
{
  DDRB   |= 0x02;
  OCR1AH = 0x20;
  OCR1AL = 0x00;
  TCCR1A |= 0x40; // was 0x43
  TCCR1B |= 0x09; // 0x1c - now fast 10 bit pwm with 128 prescale.
  sei();
  callitself(&callitself);
}

• reference:

http://en.wikipedia.org/wiki/Stack\_overflow

Self stack display attempts to map the changes in memory of a running software process.

Short code as follows to output successive stack states to a file ready for plotting with gnuplot:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>
#include <errno.h>
#include <memory.h>
#include <math.h>

#define _XOPEN_SOURCE 500
#define _FILE_OFFSET_BITS 64
#define PAGER 4096

unsigned long get_sp(void) {
  __asm__("movl %esp,%eax");
}

int main(int argc, char **argv) {

  int mem_fd,memmap,n,x,y; unsigned char buf[4096], otheur[128];
  unsigned long *addr_ptr, *addr_ptrr, addr; 
  FILE *file;

  if ((mem_fd =  open("/proc/self/mem", O_RDONLY,0)) ==-1) {
    perror("can't open\n");
    exit(1);
  }

  file=fopen("/root/test", "w");
  x=0;

  addr=get_sp();
  addr_ptrr=(long *)addr;

  while(1)
    {
      n=lseek64(mem_fd,0, SEEK_SET); 
      if (n==-1) {
        printf("lseek failed to 0\n");
      }
  
      n=lseek64(mem_fd,addr_ptrr, SEEK_SET); 
      if (n==-1) {
        printf("lseek failed to SPI\n");
      }
      n=read(mem_fd,buf,PAGER);
      if (n!=-1) {
        for (y=0;y<PAGER;y++)
          {
            fprintf(file,"%d\n",buf[y]);
          }
        usleep(1000);
      }
      fprintf(file,"\n");
    }
  fclose(file);
}

self3 creates a self-portait of its own activities within the machine's central processing unit (CPU).

Code: http://www.1010.co.uk/self3.tar.gz