ptrace can get the registers and memory data on syscall entry/exit. But if the Linux syscall handler changes some memory, including some place on the stack, how can I get to know which memory has been changed?
1 Answer
You cannot; but for example strace (which in turn uses ptrace) knows the semantics of most (all?) syscalls and can show you the memory changed.
For example, if the syscall number is 0, strace knows that the read() syscall is invoked and that the kernel will write to the address specified in the second parameter. The number of bytes written there equals the return value of the syscall.
Now, the contents of these memory locations can be read with PTRACE_PEEK* and be displayed to you.
However, when it comes to custom syscalls with unknown or less-strict semantics (for example a proposed syscall write_to_random_memory_location()); you cannot determine memory changes with ptrace() in general (neither from kernel nor from userspace).
Depending on what you need to achieve, a general solution can only be to utilize some sort of virtualization (for example, what valgrind does in userspace) and simulate/watch all memory accesses.

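As an added example (not part of the original answer and not strace's code), a minimal x86-64 Linux tracer that applies the read() semantics described above: it records the buffer address at syscall entry and, at exit, uses the return value as the length to fetch with PTRACE_PEEKDATA. The function name capture_read and the pipe-fed child are assumptions made for the demonstration.

```c
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
/* x86-64 Linux only (assumption). Trace a child that read()s msg from a pipe and
 * copy what the kernel wrote into the child's buffer. Returns bytes or -1. */
long capture_read(const char *msg, char *out, size_t cap) {
    int fds[2], status, entry = 0;
    unsigned long addr = 0;
    long got = -1;
    if (pipe(fds) < 0 || write(fds[1], msg, strlen(msg)) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                              /* tracee */
        char buf[64];
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(1);
        raise(SIGSTOP);                          /* wait for the tracer */
        _exit(read(fds[0], buf, sizeof buf) < 0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        ptrace(PTRACE_SYSCALL, pid, NULL, NULL);
        if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) break;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;  /* not a syscall stop */
        struct user_regs_struct r;
        ptrace(PTRACE_GETREGS, pid, NULL, &r);
        entry = !entry;                          /* stops alternate: entry, exit */
        if (entry) {                             /* keep read()'s 2nd argument */
            addr = r.orig_rax == SYS_read ? r.rsi : 0;
            continue;
        }
        long n = (long)r.rax;                    /* return value = bytes written */
        if (!addr || n <= 0) continue;
        if ((size_t)n > cap) n = (long)cap;
        for (long i = 0; i < n; i += (long)sizeof(long)) {
            errno = 0;                           /* -1 is also a valid data word */
            long w = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + i), NULL);
            if (w == -1 && errno) return -1;
            memcpy(out + i, &w, (size_t)(n - i) < sizeof w ? (size_t)(n - i) : sizeof w);
        }
        got = n;
    }
    close(fds[0]); close(fds[1]);
    return got;
}
```

The same pattern only works for syscalls whose output arguments are known in advance; a syscall that writes elsewhere goes unnoticed, which is the limitation the answer describes.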