How does strace read the filename passed to the sys_open system call?

Time: 2022-07-02 18:56:47

I am writing a program which uses Ptrace and does the following:


  • It reads the current eax and checks if the system call is sys_open.
  • If it is, then I need to know what the arguments that are passed are.

    int sys_open(const char * filename, const int mode, const int mask)

So eax = 5 implies it is an open system call.
I came to know ebx has the address of the file location from this Question. But how do I know the length of the file name, so I can read the contents at that location?
I came across the following questions which address the same:
Question 1
Question 2 (This one is mine only!)
But I still didn't get a solution to my problem. :( as both the answers were not clear. I am still getting a segmentation fault when I try the approach in Question 1.
You can check my code here
So now I really was wondering how strace extracts these values so beautifully :(


1 solution

#1


4  

As you know, sys_open() doesn't receive the size of the filename as parameter. However, the standard says that a literal string must end with a \0 character. This is good news, because now we can do a simple loop iterating over the characters of the string, and when we find a \0 (NULL) character we know we've reached the end of it.


That's the standard procedure, that's how strlen() does it, and also how strace does it!


C example:


#include <stdio.h>

int main()
{
    const char* filename = "/etc/somefile";

    /* Walk the string byte by byte until the terminating '\0';
       the number of bytes seen before it is the length. */
    int fname_length = 0;
    for (int i = 0; filename[i] != '\0'; i++)
    {
        fname_length++;
    }

    printf("Found %d chars in: %s\n", fname_length, filename);

    return 0;
}

Back to your task at hand, you must access the address of filename and perform the procedure I just described. This is something you will have to do, and there's no other way.

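As an added example (not the answerer's code and not strace's source), here is that same NUL scan done the way a tracer has to do it: PTRACE_PEEKDATA hands back one machine word of the tracee's memory per call, so the loop runs over those words instead of over a local pointer. The function names, the peek callback (which lets the scan be exercised against local memory without a traced child) and the sample string are my own choices; modern strace prefers process_vm_readv and falls back to exactly this kind of PTRACE_PEEKDATA loop.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <unistd.h>

/* Word reader over some address space; *err receives an errno value on failure. */
typedef long (*peek_word_fn)(void *ctx, unsigned long addr, int *err);

/* Tracer path: PTRACE_PEEKDATA on the tracee whose pid is stored at ctx. A returned
 * -1 can be real data, so errno (cleared first) is the only reliable error signal. */
long peek_ptrace(void *ctx, unsigned long addr, int *err)
{
    errno = 0;
    long w = ptrace(PTRACE_PEEKDATA, *(pid_t *)ctx, (void *)addr, NULL);
    *err = errno;
    return w;
}

/* Test double: reads our own memory so the NUL scan can be checked untraced. */
long peek_local(void *ctx, unsigned long addr, int *err)
{
    long w; (void)ctx; *err = 0;
    memcpy(&w, (const void *)addr, sizeof w);
    return w;
}

/* Copy the NUL-terminated string at addr into buf, one word per peek (the loop
 * strace runs on its PTRACE_PEEKDATA path). Returns the string length, or -1 when
 * a word cannot be read: a bad pointer passed by the tracee surfaces here as
 * EFAULT instead of crashing the tracer. Output is cut at bufsize-1 bytes and is
 * always NUL-terminated. */
int read_cstring(peek_word_fn peek, void *ctx, unsigned long addr,
                 char *buf, size_t bufsize)
{
    size_t n = 0;
    while (n + 1 < bufsize) {
        int err;
        long w = peek(ctx, addr + n, &err);
        if (err) return -1;
        for (size_t i = 0; i < sizeof w && n + 1 < bufsize; i++, n++) {
            buf[n] = ((char *)&w)[i];
            if (buf[n] == '\0') return (int)n;
        }
    }
    buf[bufsize - 1] = '\0';
    return (int)n;
}
```

In the tracer, once the syscall-entry stop shows sys_open (orig_eax == 5 on 32-bit x86, since eax itself holds -ENOSYS at that point), call read_cstring(peek_ptrace, &pid, regs.ebx, buf, sizeof buf) rather than dereferencing regs.ebx; that pointer belongs to the tracee's address space, not the tracer's, which is what produces the segmentation fault.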
