ptrace with request PTRACE_POKETEXT fails

Question

i'm trying to inject code in a traced process...i'm able to read correctly registers (PTRACE_GETREGS) and also PTRACE_PEEKTEXT works...i've verified with GDB. However if i call ptrace with PTRACE_POKETEXT request it returns 0 but reading again at the same address i don't find the expected bytes:

void print_word(long res) {
    char *datap = (char *)&res;

    if (res == -1)
        //check errno for errors
    else
        printf("%02X %02X %02X %02X\n", datap[0], datap[1], datap[2], datap[3]);
}

....

long res, data = 0xAABBCCDD;

res = ptrace(PTRACE_PEEKTEXT, pid, (void *)regs.eip, NULL);
print_word(res);
res = ptrace(PTRACE_POKETEXT, pid, (void *)regs.eip, (void *)&data);
if (res != 0)
    //error
res = ptrace(PTRACE_PEEKTEXT, pid, (void *)regs.eip, NULL);
print_word(res);

The first print_word prints exactly the four bytes displayed by GDB. The second print_word instead prints strange bytes and not 0xAABBCCDD.

Any ideas?

Answer 1

Those strange bytes that you get from the second ptrace(PTRACE_PEEKTEXT, ...) should match the address of data - compare them with the value of &data.

Although the manual page of ptrace(2) shows the data argument as void *, for the PTRACE_POKETEXT request data holds the request value. Using the address-of operator you actually poke the address of the value instead of the value itself. The correct invocation is as follows:

res = ptrace(PTRACE_POKETEXT, pid, (void *)regs.eip, (void *)data); // w/o &
if (res != 0)
    //error