Ptrace %edx for sys_open inconsistent

I am trying to get the file name from the sys_open system call using ptrace. I get a pointer to the filepath, and I can get the correct data from this address; however, I need a way to find out how much data I need to get, i.e. the length of the file name. I thought this value should be in edx, but it doesn't seem to be that way. Any thoughts?

    orig_eax = ptrace(PTRACE_PEEKUSER, child, 4 * ORIG_EAX, NULL);
    if (orig_eax == __NR_open) {
        ptrace(PTRACE_GETREGS, child, NULL, &regs);
        if (regs.eax > 0) {
            /* treats %edx as the path length and sizes the buffer from it */
            filepath = (char *)calloc(regs.edx + 1, sizeof(char));
            getdata(child, regs.ebx, filepath, regs.edx);
            printf("Open eax %ld ebx %ld edx %ld filepath %s\n",
                   regs.eax, regs.ebx, regs.edx, filepath);
            free(filepath);
        }
    }

Output Example:

    Open eax 3 ebx 2953895 edx 438 filepath /etc/localtime
    Open eax 3 ebx 143028320 edx 384 filepath /var/log/vsftpd.log
    Open eax 4 ebx 2957879 edx 438 filepath /etc/nsswitch.conf
    Segmentation Fault

Just edx:

    edx 438
    edx 384
    edx 438          // seg fault here
    edx -1217013808
    edx 0
    edx 143035796
    edx 0
    edx 0
1 answer

I always like to check the Linux system call table for such situations, and then this page for more details.

The fact is that for sys_open %edx does not store the length of the file name. It holds the file permissions (the mode).

The only way to know the length of the file name is to get the file name first and pass it to strlen(), which returns the length of the string.

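As an added example (not the asker's or the answerer's code), this is how a tracer can recover the path without trusting %edx: walk the tracee's memory from the pointer in %ebx one word at a time until the NUL terminator, with a cap so a bogus length can never produce the oversized calloc and segfault seen above. The names peek_fn, peek_ptrace, read_tracee_string and peek_fake are mine; fake_mem is constructed stand-in memory so the code runs with no tracee, and peek_ptrace is the drop-in for a real PTRACE_PEEKDATA tracer.

```c
#include <errno.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>

/* One word of tracee memory at addr; *err is set when the read failed.  PEEKDATA
 * returns the word itself, so -1 is only an error when errno is also set. */
typedef long (*peek_fn)(void *ctx, unsigned long addr, int *err);
long peek_ptrace(void *ctx, unsigned long addr, int *err)
{
    errno = 0;
    long w = ptrace(PTRACE_PEEKDATA, *(pid_t *)ctx, (void *)addr, NULL);
    *err = (w == -1 && errno != 0);
    return w;
}

/* Copy the NUL-terminated string at addr into buf (cap bytes, always terminated).
 * Reads are word-aligned, so a path ending just before an unmapped page is never
 * read past its end.  Returns the length, or -1 on a failed read or a missing NUL. */
long read_tracee_string(peek_fn peek, void *ctx, unsigned long addr,
                        char *buf, size_t cap)
{
    size_t n = 0, skip = addr % sizeof(long);
    unsigned long cur = addr - skip;
    if (cap == 0) return -1;
    while (n < cap - 1) {
        int err = 0;
        long w = peek(ctx, cur, &err);
        if (err) { buf[0] = '\0'; return -1; }
        for (size_t i = skip; i < sizeof w && n < cap - 1; i++, n++) {
            buf[n] = ((const char *)&w)[i];          /* bytes in memory order */
            if (buf[n] == '\0') return (long)n;
        }
        skip = 0; cur += sizeof w;                    /* next word, nothing to skip */
    }
    buf[cap - 1] = '\0';                              /* truncated: keep a prefix */
    return -1;
}

/* Constructed stand-in for tracee memory so the example runs with no child;
 * the path starts two bytes in, i.e. unaligned like a real %ebx value. */
static const char fake_mem[] = "xx/etc/nsswitch.conf\0garbage after";
char path_buf[64];                      /* destination used by the checks below */
long peek_fake(void *ctx, unsigned long addr, int *err)
{
    long w = 0; (void)ctx;
    *err = addr + sizeof w > sizeof fake_mem;       /* read would run off the end */
    if (!*err) memcpy(&w, fake_mem + addr, sizeof w);
    return *err ? -1 : w;
}
```

To use it on a live tracee, pass peek_ptrace with a pointer to the child's pid as ctx and regs.ebx as addr; the same cap then protects against a runaway read regardless of what %edx contains.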

Source: https://habr.com/ru/post/1402596/
