Question
I am writing a program which uses Ptrace and does the following:
- It reads the current eax and checks if the system call is sys_open.
- If it is, then I need to know what arguments are passed.
int sys_open(const char * filename, const int mode, const int mask)
So eax = 5 implies it is an open system call.
I came to know ebx has the address of the file location from this Question
But how do I know the length of the file name so I can read the contents in that location?
I came across the following questions which address the same
Question 1
Question 2 (This one is mine only!)
But I still didn't get a solution to my problem :( as both the answers were not clear.
I am still getting a segmentation fault when I try the approach in the Question-1
You can check my code here
So now I was really wondering how strace extracts these values so beautifully :(
Answer 1:
As you know, sys_open() doesn't receive the size of the filename as a parameter. However, the standard says that a literal string must end with a \0 character. This is good news, because now we can do a simple loop iterating over the characters of the string, and when we find a \0 (NULL) character we know we've reached the end of it.
That's the standard procedure, that's how strlen() does it, and also how strace does it!
C example:
    #include <stdio.h>

    int main()
    {
        const char* filename = "/etc/somefile";
        int fname_length = 0;

        /* Walk the string one character at a time until the terminating '\0'. */
        for (int i = 0; filename[i] != '\0'; i++)
        {
            fname_length++;
        }

        printf("Found %d chars in: %s\n", fname_length, filename);
        return 0;
    }
Back to your task at hand, you must access the address of filename and perform the procedure I just described. This is something you will have to do, and there's no other way.
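The same loop applied to another process's memory, as an added example that is not part of the original answer and is not strace's own source: the tracer copies the tracee's memory one word at a time with PTRACE_PEEKDATA until it meets the \0. `read_tracee_string`, `demo_read` and `sample_path` are hypothetical names; in the asker's tracer `addr` would be the ebx value at the sys_open stop, while this demo uses a constructed string at a known address in a forked child.

```c
#include <errno.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Copy the NUL-terminated string at `addr` in tracee `pid` into buf.
 * Returns its length, or -1 on a failed read or if no NUL fits in cap bytes. */
long read_tracee_string(pid_t pid, unsigned long addr, char *buf, size_t cap)
{
    /* Start at the enclosing aligned word: an aligned word never straddles
     * a page, so a string ending just before an unmapped page still reads. */
    unsigned long base = addr & ~(unsigned long)(sizeof(long) - 1);
    size_t skip = addr - base, n = 0;
    for (;; base += sizeof(long), skip = 0) {
        errno = 0;                   /* -1 is also a valid word, so check errno */
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)base, NULL);
        if (word == -1 && errno != 0)
            return -1;               /* address not readable in the tracee */
        const char *bytes = (const char *)&word;
        for (size_t i = skip; i < sizeof word; i++, n++) {
            if (n == cap) return -1; /* no terminator within cap bytes */
            buf[n] = bytes[i];
            if (bytes[i] == '\0')
                return (long)n;
        }
    }
}

/* Constructed demo: the child stops itself under ptrace; after fork() the
 * sample string sits at the same address in the child as in the parent. */
static const char sample_path[] = "/etc/somefile";
long demo_read(unsigned long addr, char *buf, size_t cap)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(1);
        raise(SIGSTOP);              /* hand control to the tracer */
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFSTOPPED(status))
        return -1;                   /* child could not be traced */
    long len = read_tracee_string(pid, addr, buf, cap);
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    return len;
}
```

The pointer taken from the register is only meaningful inside the tracee, so the tracer never dereferences it directly; a bad address comes back as an error from ptrace.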
Source: https://stackoverflow.com/questions/9799373/how-does-strace-read-the-file-name-of-system-call-sys-open