How does strace read the sys_open system call file name?

I am writing a program that uses Ptrace and does the following:

  • It reads the current eax and checks whether the system call is sys_open.
  • If it is, then I need to know what arguments are passed.

    int sys_open (const char * filename, const int mode, const int mask)

So eax = 5 means it is an open system call.
I found out from this question that ebx holds the address of the file location. But how do I know the length of the file name so that I can read the contents at that location?
I came across the following questions that relate to the same problem: Question 1 and Question 2 (this one is mine only!).
But I still have not received a solution to my problem :( as the answers were not clear. I still get a segmentation error when I try to use the approach in Question 1.
You can check my code here.
So now I'm really curious how strace extracts these values so beautifully :(

+4
1 answer

As you know, sys_open() does not get the size of the file name as a parameter. However, the standard states that the literal string must end with \0. This is good news, because now we can write a simple loop iterating over the characters of the string, and when we find the character \0 (NULL), we know that we have reached its end.

This is the standard procedure; it is how strlen() does it, and also how strace does it!

C example:

    #include <stdio.h>

    int main()
    {
        const char* filename = "/etc/somefile";
        int fname_length = 0;

        for (int i = 0; filename[i] != '\0'; i++) {
            fname_length++;
        }

        printf("Found %d chars in: %s\n", fname_length, filename);
        return 0;
    }

Returning to your task: you must access the address of filename and follow the procedure I described. This is what you will need to do, and there is no other way.

+4
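The same NUL-terminated scan applied to another process's memory, as an added example that is not part of the original question or answer and is not strace's own code. It assumes Linux; `read_tracee_string` and `demo_read_from_child` are hypothetical names, and in the asker's tracer `addr` would be the value taken from ebx. Reads are word-aligned so a name that ends just before an unmapped page does not fail, and the copy is bounded by the caller's buffer.

```c
#include <errno.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Copy a NUL-terminated string from the tracee's memory at `addr` into
 * `buf` (at most size-1 bytes), one aligned word per PTRACE_PEEKDATA.
 * Returns the copied length, or -1 if the memory could not be read. */
long read_tracee_string(pid_t pid, unsigned long addr, char *buf, size_t size)
{
    unsigned long cur = addr & ~(sizeof(long) - 1);  /* word-aligned start */
    size_t skip = addr - cur, len = 0;
    if (size == 0) return -1;
    for (;;) {
        errno = 0;  /* the return value is data, so -1 alone is not an error */
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)cur, NULL);
        if (word == -1 && errno != 0) return -1;
        const char *bytes = (const char *)&word;
        for (size_t i = skip; i < sizeof(word); i++) {
            if (len + 1 >= size) { buf[len] = '\0'; return (long)len; }
            buf[len] = bytes[i];
            if (bytes[i] == '\0') return (long)len;  /* end of file name */
            len++;
        }
        skip = 0;
        cur += sizeof(long);
    }
}

/* Constructed demo: fork a child that stops itself under PTRACE_TRACEME,
 * then read `path` out of the child's address space. After fork() the
 * string sits at the same virtual address in the child. */
long demo_read_from_child(const char *path, char *out, size_t size)
{
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(1);
        raise(SIGSTOP);
        _exit(0);
    }
    int status;
    if (waitpid(child, &status, 0) < 0) return -1;
    long n = WIFSTOPPED(status)
        ? read_tracee_string(child, (unsigned long)path, out, size) : -1;
    kill(child, SIGKILL);
    waitpid(child, &status, 0);
    return n;
}
```

A segmentation fault in the tracer usually comes from dereferencing the tracee's pointer directly; the address is only valid in the traced process, so every byte has to come through a call such as `PTRACE_PEEKDATA`.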

Source: https://habr.com/ru/post/1402589/

