------ Tor (onion router) anonymous network source code analysis: main program entry point (1) ------

Source: Internet
Author: User

 

--------------------------------------------------------
Overview

The Tor source package can be downloaded from the official website (depending on where you are, you may need circumvention software to reach the site). Analyzing the Tor source helps us understand the operating principles of one of the most capable anonymity, privacy and censorship-circumvention tools on the Internet.

To grasp the program's logic and functions as a whole, this series summarizes the important parts of the source code with function-call flowcharts, so that Tor can be examined from the vantage point of its design ideas.

 

Conventions

When a function, struct, macro, definition or declaration is referenced, the full path of the source file containing it is given in parentheses, and the line number is added where useful, for example:

tor_main() (\tor-0.3.1.8\src\or\main.c) -- 3682

The part omitted from the front of each path is the root directory of the drive to which the source was extracted.

The source version analyzed is 0.3.1.8 (the full path and line number are also shown in the lower right corner of each quoted code snippet).

 

Requirements

Tor is written in C, so basic knowledge of and development experience in C are needed to get the most out of this source analysis.

In addition, to achieve cross-platform compatibility the source contains many OS-specific conditional-compilation blocks, so some familiarity with the user-mode programming interfaces of the mainstream operating systems is also required.

 

Feedback

Given my limited knowledge and the demands of my day job, this series may contain errors and will be updated from time to time.

Feedback on any errata is welcome, as is anyone who wants to join in and speed up the analysis: post the modules you are interested in and the URL of your analysis blog in the comments!

--------------------------------------------------------

 

The Tor main program's entry point is tor_main() (\tor-0.3.1.8\src\or\main.c). It is in fact called by main() (\tor-0.3.1.8\src\or\tor_main.c).

main() is kept out of main.c so that the unit-test sources (test_*.c), which define their own main(), can be linked together with main.c: because main.c itself has no main(), there is no symbol clash. The relationship between the three is shown in the following figure:

First, main(). It stores the integer returned by tor_main() in the local variable r and then acts on r:

if 0 <= r <= 255, main() returns r unchanged to its caller (normally the CRT startup routine that set up the Tor process's runtime environment); otherwise it returns 1.

 

tor_main() in turn begins by defining an integer variable result initialized to 0; its internal logic sets result to the appropriate value and finally returns it to main(). The relevant code is:

 

 

 

As the two figures above show, main() forwards the two parameters it receives, argc (the number of arguments given to the tor command) and argv (the array holding those arguments), to tor_main(), which uses them where needed. For example, they are passed on when tor_init() is called, and one of tor_init()'s main jobs is to parse the command-line arguments carried in argv and initialize the Tor system according to the user's intent.

 

The path the argument count and argument strings take is shown here:

 

Once tor_main() has initialized its return value, we meet the first conditional-compilation block, which is Windows-specific: its contents only become executable code when the relevant condition holds. The relevant code is:

 

The block is compiled when building for Windows (the _WIN32 macro, which is defined for 64-bit as well as 32-bit Windows targets). If the SDK headers do not define HeapEnableTerminationOnCorruption, the block defines it as 1, the enumeration value documented on MSDN.

(HeapEnableTerminationOnCorruption means: if the heap manager detects corruption in any heap used by the process, it calls the Windows Error Reporting [WER] service and terminates the process. Once enabled, the feature cannot be disabled for the life of the process.)

With the constant defined, HeapSetInformation() is called with HeapEnableTerminationOnCorruption as its second parameter to enable the feature.

The first parameter of HeapSetInformation() is the heap handle to operate on, normally a value returned by HeapCreate() or GetProcessHeap(). It is NULL here because terminate-on-corruption is a process-wide setting that applies to every heap the process uses, so no particular heap needs to be named. Since Windows Vista the low-fragmentation heap (LFH) is enabled by default, so the heaps the application uses or creates will be LFH heaps. For more on the LFH see:

https://msdn.microsoft.com/en-us/library/windows/desktop/aa366750(v=vs.85).aspx

Note that Tor continues to run even if the HeapSetInformation() call fails, because its return value is never examined. It should be checked: if the feature cannot be enabled, the Tor process should report failure and exit. That logic is missing from the source.

For example, on Windows the more robust code looks like this:

 

    #include <windows.h>
    #include <tchar.h>

    /* Enable terminate-on-corruption for every heap in the process and
     * treat failure as fatal, which is the check tor_main() leaves out. */
    int enable_heap_termination_on_corruption(void)
    {
        BOOL bResult = HeapSetInformation(NULL,
                                          HeapEnableTerminationOnCorruption,
                                          NULL,
                                          0);
        if (bResult != FALSE) {
            _tprintf(TEXT("Heap terminate-on-corruption has been enabled.\n"));
            return 0;
        }
        _tprintf(TEXT("Failed to enable heap terminate-on-corruption with LastError %lu.\n"),
                 (unsigned long)GetLastError());
        return 1;
    }

 

 

Next comes the key part: a call to SetProcessDEPPolicy() to permanently enable Data Execution Prevention (DEP) for the Tor main process. Tor is a network application that constantly sends and receives data, and any coding defect in it can turn into remote code execution; this call mitigates the damage that a buffer or stack overflow can do.

SetProcessDEPPolicy() is an API exported by Kernel32.dll (see "Requirements" in its MSDN documentation). Kernel32.dll is mapped into the Tor process by load-time dynamic linking, so GetModuleHandleA() is enough to obtain its module handle (an application doing run-time dynamic linking would call LoadLibrary/LoadLibraryEx() instead). GetProcAddress() then resolves the address of SetProcessDEPPolicy(), which is assigned to a function pointer of the locally typedef'd type; if the pointer "setdeppolicy" is non-NULL, it is called directly to "try" to turn DEP on.

Why the emphasis on "try"?

On older Windows versions GetProcAddress() cannot resolve SetProcessDEPPolicy() at all, so the pointer must be checked: if it is NULL, DEP cannot (and should not) be enabled this way. And if the address does resolve but the call fails, nothing dangerous happens, so no error handling is needed; it is simply called, and Tor keeps running even when DEP could not be enabled. The whole thing comes down to secure-coding awareness.

According to MSDN, passing 0x3 as the DWORD parameter dwFlags of SetProcessDEPPolicy() sets PROCESS_DEP_ENABLE (0x00000001) and PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION (0x00000002) at the same time, which matches the comment in the source.

Finally, PROCESS_DEP_ENABLE means that, if the call succeeds, DEP cannot be disabled again for the lifetime of the Tor process. Note that the call only changes anything for a 32-bit process: a 64-bit process always runs with DEP enabled, which is one more reason a failed call is harmless.

This closes the first conditional-compilation block, whose whole purpose is to take advantage of the extra hardening mechanisms Windows offers to applications.
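The two hardening steps above, combined with the return-value checks argued for in this post, as an added example that is neither Tor's code nor MSDN's: the function below enables terminate-on-corruption process-wide and then resolves SetProcessDEPPolicy() at run time exactly as tor_main() does, but reports what it could and could not enable. The function and constant names (harden_windows_process, HARDEN_*) are this example's own; outside a Windows build the function compiles to a stub that returns HARDEN_NOT_WINDOWS.

```c
/* Added example, not Tor's code: Windows process hardening with the checks
 * that tor_main() omits. Names (harden_windows_process, HARDEN_*) are
 * illustrative. On non-Windows builds the function is a stub. */
#include <stdio.h>

#define HARDEN_NOT_WINDOWS    (-1)  /* not a Windows build */
#define HARDEN_HEAP_TERMINATE 0x1   /* HeapEnableTerminationOnCorruption is on */
#define HARDEN_DEP            0x2   /* permanent DEP is on */

#ifdef _WIN32
#include <windows.h>
/* Older SDKs lack these; the values are the ones documented on MSDN. */
#ifndef HeapEnableTerminationOnCorruption
#define HeapEnableTerminationOnCorruption 1
#endif
#ifndef PROCESS_DEP_ENABLE
#define PROCESS_DEP_ENABLE 0x00000001
#endif
#ifndef PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION
#define PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION 0x00000002
#endif
#endif

/* Returns HARDEN_NOT_WINDOWS, or a bitmask of the mitigations enabled. */
int
harden_windows_process(void)
{
#ifdef _WIN32
  int enabled = 0;
  typedef BOOL (WINAPI *setdeppolicy_fn)(DWORD);
  HMODULE kernel32;
  setdeppolicy_fn setdeppolicy;

  /* Step 1: terminate-on-corruption. NULL heap handle = every heap in the
   * process. Unlike Tor, report failure instead of ignoring it. */
  if (HeapSetInformation(NULL, HeapEnableTerminationOnCorruption, NULL, 0)) {
    enabled |= HARDEN_HEAP_TERMINATE;
  } else {
    fprintf(stderr, "HeapSetInformation failed, LastError=%lu\n",
            (unsigned long)GetLastError());
  }

  /* Step 2: permanent DEP. kernel32.dll is already mapped (load-time
   * linking), so GetModuleHandleA() suffices; SetProcessDEPPolicy() is
   * resolved at run time because old Windows versions do not export it. */
  kernel32 = GetModuleHandleA("kernel32.dll");
  if (kernel32 == NULL)
    return enabled;
  setdeppolicy = (setdeppolicy_fn)GetProcAddress(kernel32, "SetProcessDEPPolicy");
  if (setdeppolicy == NULL) {
    fprintf(stderr, "SetProcessDEPPolicy not available on this Windows\n");
    return enabled;
  }
  /* Tor passes the literal 3; these are the same two flags spelled out. */
  if (setdeppolicy(PROCESS_DEP_ENABLE | PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION)) {
    enabled |= HARDEN_DEP;
  } else {
    /* Expected for a 64-bit process (DEP is always on there) and when the
     * process policy is already fixed; harmless either way. */
    fprintf(stderr, "SetProcessDEPPolicy failed, LastError=%lu\n",
            (unsigned long)GetLastError());
  }
  return enabled;
#else
  return HARDEN_NOT_WINDOWS;
#endif
}

int
main(void)
{
  int r = harden_windows_process();
  if (r == HARDEN_NOT_WINDOWS)
    puts("not a Windows build; nothing to do");
  else
    printf("heap terminate-on-corruption: %s, permanent DEP: %s\n",
           (r & HARDEN_HEAP_TERMINATE) ? "on" : "off",
           (r & HARDEN_DEP) ? "on" : "off");
  return 0;
}
```

The bitmask return lets a caller decide the policy the text asks for (for instance, exit when HARDEN_HEAP_TERMINATE is missing) without the hardening routine itself having to terminate the process.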

 

After the platform-specific block, and so that a crashing Tor process dumps its stack for later debugging and analysis, configure_backtrace_handler() (\tor-0.3.1.8\src\common\backtrace.c) is called to set up the backtrace handler. The relevant code is:

configure_backtrace_handler() takes a const char * holding the Tor version string, which tor_main() obtains through the get_version() helper.

It first applies the tor_free() macro (\tor-0.3.1.8\src\common\util.h -- 83) to the static global bt_version, which at this point is still NULL; tor_free() is safe to apply to a NULL pointer, and it resets the variable to NULL after freeing.

It then uses tor_asprintf() to build the string "Tor <version>" into the freshly allocated bt_version (this string is the banner the crash handler later writes at the top of its stack dump; it is not printed to the console at startup), calls install_bt_handler() (in the same source file), and returns install_bt_handler()'s return value to tor_main().

install_bt_handler() returns -1 if registering the handler fails and 0 otherwise, which tells tor_main() that the hook is in place.

Reading backtrace.c, we see that if USE_BACKTRACE was not defined at build time, install_bt_handler() simply returns 0 to its caller without registering anything. Otherwise it installs a single handler, crash_handler(), for the crash-type signals (SIGSEGV, SIGILL, SIGFPE, SIGBUS, SIGSYS, SIGIO); crash_handler() calls backtrace() to produce the stack trace.

To be clear about the sequence: during normal startup only configure_backtrace_handler() and install_bt_handler() run; crash_handler() (the registered callback) and backtrace() (which it calls) run only when the process crashes or otherwise receives one of the six signals above.

The abort() call at the end of crash_handler() confirms that it runs only on the crash path: once it has reported, the process terminates rather than continuing on corrupt state. The relevant code is:
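The install_bt_handler()/crash_handler() mechanism described above, as an added example that is not Tor's code (the page's own snippet is a figure): the program below installs one SA_SIGINFO handler for the same six signals, has the handler write a version banner and a stack trace using only async-signal-safe calls, and ends with abort() as the text describes. It assumes a glibc-style <execinfo.h>; where that header is absent the installer degrades to the same "return 0 and trap nothing" stub Tor builds without USE_BACKTRACE. The function and variable names (install_crash_handler, crash_handler_is_installed, bt_banner, EXAMPLE_USE_BACKTRACE) are this example's own.

```c
/* Added example, not Tor's code: a crash handler in the shape of
 * install_bt_handler()/crash_handler() in src/common/backtrace.c.
 * Assumes a glibc-style <execinfo.h>; without it the installer is the
 * "do nothing, return 0" stub Tor builds when USE_BACKTRACE is not set. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifdef __has_include
#  if __has_include(<execinfo.h>)
#    include <execinfo.h>
#    define EXAMPLE_USE_BACKTRACE 1
#  endif
#endif

#define MAX_DEPTH 64

/* Counterpart of Tor's bt_version: the banner written above the dump. */
static char bt_banner[128] = "Tor (version unknown)";

/* Same crash-type signals Tor 0.3.1.8 traps; -1 terminates the list. */
static const int trap_signals[] = { SIGSEGV, SIGILL, SIGFPE, SIGBUS, SIGSYS,
                                    SIGIO, -1 };

/* write(2) is async-signal-safe; printf() is not and must not be used here. */
static void
write_str(int fd, const char *s)
{
  ssize_t unused = write(fd, s, strlen(s));
  (void)unused;
}

/* Decimal formatting without snprintf(), again for signal safety. */
static void
write_int(int fd, int v)
{
  char buf[16];
  int pos = sizeof(buf) - 1;
  buf[pos] = '\0';
  do {
    buf[--pos] = (char)('0' + (v % 10));
    v /= 10;
  } while (v > 0 && pos > 0);
  write_str(fd, buf + pos);
}

static void
crash_handler(int sig, siginfo_t *si, void *ctx)
{
  (void)si;
  (void)ctx;
  write_str(STDERR_FILENO, bt_banner);
  write_str(STDERR_FILENO, " died: Caught signal ");
  write_int(STDERR_FILENO, sig);
  write_str(STDERR_FILENO, "\n");
#ifdef EXAMPLE_USE_BACKTRACE
  {
    void *frames[MAX_DEPTH];
    int depth = backtrace(frames, MAX_DEPTH);
    /* backtrace_symbols_fd() writes straight to the fd and does not call
     * malloc(), unlike backtrace_symbols(). */
    backtrace_symbols_fd(frames, depth, STDERR_FILENO);
  }
#endif
  abort();  /* as in Tor: report, then give up rather than run on corrupt state */
}

/* Returns 0 on success, -1 if any sigaction() failed (the same contract as
 * Tor's install_bt_handler()). */
int
install_crash_handler(const char *version)
{
  snprintf(bt_banner, sizeof(bt_banner), "Tor %s", version ? version : "");
#ifndef EXAMPLE_USE_BACKTRACE
  return 0;  /* nothing is trapped, as in a build without USE_BACKTRACE */
#else
  {
    struct sigaction sa;
    int i, rv = 0;
    memset(&sa, 0, sizeof(sa));
    sa.sa_sigaction = crash_handler;
    sa.sa_flags = SA_SIGINFO;
    sigfillset(&sa.sa_mask);  /* block other signals while dumping */
    for (i = 0; trap_signals[i] >= 0; ++i) {
      if (sigaction(trap_signals[i], &sa, NULL) == -1) {
        fprintf(stderr, "sigaction(%d) failed: %s\n",
                trap_signals[i], strerror(errno));
        rv = -1;
      }
    }
    /* Prime backtrace() once now: its first call may load libgcc and
     * allocate, which must not happen for the first time inside the handler. */
    { void *one[1]; backtrace(one, 1); }
    return rv;
  }
#endif
}

/* 1 if crash_handler is the current SA_SIGINFO handler for sig, 0 if not,
 * -1 if the disposition cannot be queried. Lets a test confirm the hook
 * without crashing. */
int
crash_handler_is_installed(int sig)
{
  struct sigaction cur;
  if (sigaction(sig, NULL, &cur) == -1)
    return -1;
  return ((cur.sa_flags & SA_SIGINFO) && cur.sa_sigaction == crash_handler) ? 1 : 0;
}

int
main(int argc, char **argv)
{
  if (install_crash_handler("0.3.1.8 (example build)") < 0)
    return 1;
  if (argc > 1 && strcmp(argv[1], "crash") == 0)
    raise(SIGSEGV);  /* the handler writes the dump, then abort()s */
  puts("crash handler installed; run with the argument \"crash\" to see a dump");
  return 0;
}
```

Run it with the argument crash to see the dump: the banner line is followed by one frame per line, and the process ends with SIGABRT rather than SIGSEGV, which is the observable effect of the trailing abort() discussed above.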

 

 

 

The following figure summarizes the long discussion above:

 

At this point we have dissected the code intent from tor_main() through configure_backtrace_handler(), and this is only the opening.

Later posts will analyze the code that implements Tor's actual business logic, which is where the real substance lies!

(To be continued ......)

 
