How to use ptrace(2) to change behaviour of syscalls?

Question

Are there any guides or examples (especially ARM ones) or libraries of using ptrace to affect execution of other process? For example, to make it believe that some data is appeared on file descriptor (i.e. release select/poll with some result and "answer" the following read syscall before the kernel). Expecting something involving PTRACE_SYSEMU.

Can it be done in portable way? I want something like libc-overriding LD_PRELOAD trick, but which can be attached at runtime.

Can it be done with some gdb commands?

Ideal variant would be if there is some library where I can easily and portably hook into syscalls and edit them before of after the actual call is made (or emulate them), like when doing it using LD_PRELOAD.

@link Any good guides on using PTRACE_SYSEMU?

you want to look at this file to see how ptrace affect execution of other process : - http://lxr.free-electrons.com/source/tools/testing/selftests/breakpoints/breakpoint_test.c — Pradeep Goswami, Dec 28 '15 at 05:44

score 1 · Answer 1 · edited Sep 28 '15 at 22:06

You can use the PTRACE_SYSCALL request: it restarts the child process (just like PTRACE_CONT) but arranges for it to stop at the next entry to or exit from a system call. For example (assume a kernel built for x86):

#include <sys/ptrace.h>
#include <signal.h>
#include <linux/user.h>
#include <sys/types.h>
#include <sys/wait.h>

int main(int argc, char **argv)
{
    int status = 0, pid, r;
    struct user_regs_struct uregs;

    if ((pid = fork()) == 0) {
        printf("pid = %d, ppid = %d\n", getpid(), getppid());
        ptrace(PTRACE_TRACEME, 0, 0, 0);
        kill(getpid(), SIGINT);
        r = getpid();
        printf("%d\n", r);
    } else {
        wait(&status);
        ptrace(PTRACE_SYSCALL, pid, 0, 0);
        wait(&status);
        ptrace(PTRACE_GETREGS, pid, 0, &uregs);

        /* this prints the syscall number of getpid */
        printf("syscall nr: %d\n", uregs.orig_eax);
        /* 64 is syscall number of getppid */
        uregs.orig_eax = 64;
        ptrace(PTRACE_SETREGS, pid, 0, &uregs);
        ptrace(PTRACE_CONT, pid, 0, 0);
        wait(&status);
        if(WIFEXITED(status))
            printf("we're done\n");
    }
}

The child prints its PID and delivers a signal to itself. Because of the prior call to ptrace() this means it will be stopped.

The parent waits for this to happen and restarts the child with PTRACE_SYSCALL, then waits. Next, the child invokes the getpid system call and it is stopped once again. The parent process uses the PTRACE_GETREGS invocation to peek into the child's registers, where eax holds the system call number. The parent changes this to the system call number of getppid, then once again allows the child to continue. Because the system call number has changed prior to the invocation of the system call, the child will now invoke getppid instead of getpid.

Using ptrace for this purpose may be portable, but I have not tested it. In gdb, you can also use the catch syscall command.

For x86 there is also injcode (and maybe some other tools). What about libraries for such things or (for example) ARM examples? Can it be done on a bit higher level than CPU register twiddling? — Vi., Nov 17 '12 at 01:24
I'm not familiar with injcode but from its description it looks possible. Generally, if you want to mess with process internals, `ptrace` (and consequently a debugger) is probably the highest level of abstraction you can get. — Michael Foukarakis, Nov 17 '12 at 01:27
Using gdb commands is higher level than ptrace, for example. Maybe there's something in middle (some "libptrace" that presents easy to use API for ptracing other processes in various ways; note: existing "libptrace" also seems to be x86-only...)? — Vi., Nov 17 '12 at 01:31
In my case the parent catches the call to `write`. I think glibc caches the result of getpid(). — basin, Oct 27 '13 at 11:52

How to use ptrace(2) to change behaviour of syscalls?

1 Answers1

Linked