Question
I am trying to get the filename from the sys_open system call using ptrace. I get the filepath pointer, and I am able to get the correct data from that address; however, I need a way to know how much data to get, i.e. the length of the filename. I thought this value was supposed to be in edx, but that doesn't seem to be the case here. Any thoughts?
orig_eax = ptrace(PTRACE_PEEKUSER, child, 4 * ORIG_EAX, NULL);   /* i386: syscall number lives at ORIG_EAX in the user area */
if (orig_eax == __NR_open) {
    ptrace(PTRACE_GETREGS, child, NULL, &regs);   /* regs is a struct user_regs_struct */
    if (regs.eax > 0) {                           /* syscall-exit stop: eax holds the returned fd */
        /* treats edx as the path length (the subject of this question) */
        filepath = (char *)calloc((regs.edx + 1), sizeof(char));
        getdata(child, regs.ebx, filepath, regs.edx);   /* getdata: the poster's own PEEKDATA helper, not shown */
        printf("Open eax %ld ebx %ld edx %ld filepath %s\n", regs.eax, regs.ebx, regs.edx, filepath);
        free(filepath);
    }
}
Sample output:
Open eax 3 ebx 2953895 edx 438 filepath /etc/localtime
Open eax 3 ebx 143028320 edx 384 filepath /var/log/vsftpd.log
Open eax 4 ebx 2957879 edx 438 filepath /etc/nsswitch.conf
Segmentation Fault
Just the edx:
edx 438
edx 384
edx 438
//seg fault here
edx -1217013808
edx 0
edx 143035796
edx 0
edx 0
Answer 1:
I always like to check the Linux System Call Table for situations like this, and then this page for more details.
The fact is that for sys_open, %edx doesn't store the length of the filename. It stores file permissions.
The only way to know the length of the filename is after you retrieve the filename and pass it to strlen(), which will return the size of the string.
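The answer's point is visible in the question's own output: 438 and 384 are 0666 and 0600 in octal, the mode argument of open(2), and the later run where edx is -1217013808 is what you get when that register holds whatever the third argument slot happened to contain; fed to calloc as a count it turns into a huge size_t, calloc returns NULL, and the copy through that pointer is the most likely source of the segmentation fault. Since open(2) passes only a pointer, the tracer has to walk the tracee's memory word by word until it finds the NUL, which is what the strlen() advice amounts to. The program below is an added example, not code from the question or the answer: read_tracee_string reads a string through a pluggable "peek one word" callback, aligning each read to a word so that no single PTRACE_PEEKDATA can straddle a page boundary into unmapped memory (unaligned reads near a page end fail with EIO even when the string itself is fine), distinguishes a genuine -1 word from a failed peek via errno, and truncates safely. peek_fake lets the same logic run over a local buffer with no tracee at all; main forks a child that opens /etc/localtime (a path taken from the sample output; it need not exist for the syscall to be made) and prints the path and mode. The names peek_word_fn, read_tracee_string, fake_mem, peek_fake and peek_ptrace are this example's own. It assumes Linux on x86: on x86_64 glibc's open() is issued as openat(AT_FDCWD, ...), so a tracer that only matches __NR_open sees nothing there; the i386 branch uses the ebx/ecx/edx/esi argument registers the question is about.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fetch one word of tracee memory at addr: 0 on success, -1 if unreadable. */
typedef int (*peek_word_fn)(void *ctx, unsigned long addr, long *out);

/* Copy the NUL-terminated string at addr out of the tracee one word at a time.
 * open(2) passes only a pointer, so the length is wherever the first NUL is.
 * Reads are word-aligned so no single peek straddles a page boundary.
 * Returns the length, or -1 if a peek failed; buf (max >= 1) is always terminated. */
static ssize_t read_tracee_string(peek_word_fn peek, void *ctx, unsigned long addr,
                                  char *buf, size_t max)
{
    const size_t W = sizeof(long);
    size_t skip = addr % W, n = 0;        /* skip: bytes of the first word before addr */
    for (unsigned long cur = addr - skip; n + 1 < max; cur += W, skip = 0) {
        long word;
        if (peek(ctx, cur, &word) != 0) { buf[n] = '\0'; return -1; }
        const unsigned char *b = (const unsigned char *)&word;
        for (size_t i = skip; i < W; i++) {
            if (b[i] == '\0' || n + 1 == max) {   /* terminator found, or buffer full */
                buf[n] = '\0';
                return (ssize_t)n;
            }
            buf[n++] = (char)b[i];
        }
    }
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Stand-in for PTRACE_PEEKDATA over a local buffer that poses as tracee memory
 * starting at address 0, so the word-walking logic runs without a real tracee. */
struct fake_mem { const unsigned char *base; size_t size; };
static int peek_fake(void *ctx, unsigned long addr, long *out)
{
    const struct fake_mem *m = ctx;
    if (addr + sizeof(long) > m->size) return -1;   /* "unmapped", like PEEKDATA's EIO */
    memcpy(out, m->base + addr, sizeof(long));
    return 0;
}

#if defined(__x86_64__) || defined(__i386__)  /* register decoding below is x86-only */
static int peek_ptrace(void *ctx, unsigned long addr, long *out)
{
    errno = 0;                            /* -1 is a valid word: errno tells failure apart */
    long w = ptrace(PTRACE_PEEKDATA, *(pid_t *)ctx, (void *)addr, NULL);
    if (w == -1 && errno != 0) return -1; /* EIO: address not mapped in the tracee */
    *out = w;
    return 0;
}

/* Trace a child that calls open() once and print the path it passed. */
int main(void)
{
    pid_t pid = fork();
    if (pid == 0) {                       /* tracee */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);                   /* let the tracer set options first */
        _exit(open("/etc/localtime", O_RDONLY) < 0);
    }
    int status, entering = 0;
    waitpid(pid, &status, 0);             /* the SIGSTOP above */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
    while (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == 0 &&
           waitpid(pid, &status, 0) == pid && WIFSTOPPED(status)) {
        if (WSTOPSIG(status) != (SIGTRAP | 0x80) || !(entering = !entering))
            continue;                     /* decode only syscall-entry stops */
        struct user_regs_struct r;
        ptrace(PTRACE_GETREGS, pid, NULL, &r);
        unsigned long nr, path_arg, mode_arg;
#if defined(__x86_64__)                   /* glibc's open() is openat(AT_FDCWD, ...) */
        nr = r.orig_rax;
        if (nr == SYS_openat)    { path_arg = r.rsi; mode_arg = r.r10; }
        else if (nr == SYS_open) { path_arg = r.rdi; mode_arg = r.rdx; }
        else continue;
#else                                     /* i386: args in ebx, ecx, edx, esi */
        nr = r.orig_eax;
        if (nr == SYS_openat)    { path_arg = r.ecx; mode_arg = r.esi; }
        else if (nr == SYS_open) { path_arg = r.ebx; mode_arg = r.edx; }
        else continue;
#endif
        char path[4096];
        ssize_t len = read_tracee_string(peek_ptrace, &pid, path_arg, path, sizeof path);
        printf("syscall %lu path=\"%s\" len=%zd mode=%#lo\n", nr, path, len, mode_arg);
    }
    return 0;
}
#endif
```

The mode printed for a plain O_RDONLY open is whatever the caller left in that argument slot, exactly as in the question's output; it is only meaningful when O_CREAT is set. Stopping on the first NUL also means a tracee can hand the tracer a pointer into unmapped memory or an unterminated buffer, which is why the reader reports -1 instead of walking on and why its result, not a register value, should size any allocation.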
Source: https://stackoverflow.com/questions/5489306/ptrace-edx-for-sys-open-inconsistent