
I am trying to get the filename from the sys_open system call using ptrace. I get the filepath pointer, and I am able to get the correct data from that address; however, I need a way to know how much data to get, i.e. the length of the filename. I thought this value was supposed to be in edx, but that doesn't seem to be the case here. Any thoughts?

    orig_eax = ptrace(PTRACE_PEEKUSER, child, 4 * ORIG_EAX, NULL);
    if (orig_eax == __NR_open) {
        ptrace(PTRACE_GETREGS, child, NULL, &regs);
        if (regs.eax > 0) {                 /* syscall-exit stop: eax holds the returned fd */
            /* edx is taken as the filename length here (the question's premise) */
            filepath = (char *)calloc(regs.edx + 1, sizeof(char));
            getdata(child, regs.ebx, filepath, regs.edx);

            printf("Open eax %ld ebx %ld ecx %ld filepath %s\n", regs.eax, regs.ebx, regs.ecx, filepath);

            free(filepath);
        }
    }

Sample output:

Open eax 3 ebx 2953895 edx 438 filepath /etc/localtime
Open eax 3 ebx 143028320 edx 384 filepath /var/log/vsftpd.log
Open eax 4 ebx 2957879 edx 438 filepath /etc/nsswitch.conf
Segmentation Fault

Just the edx:

edx 438
edx 384
edx 438
//seg fault here
edx -1217013808
edx 0
edx 143035796
edx 0
edx 0

1 Answer

I always like to check the Linux System Call Table for situations like this, and then this page for more details.

The fact is that for sys_open, %edx doesn't store the length of the filename. It stores file permissions.

The only way to know the length of the filename is after you retrieve the filename and pass it to strlen(), which will return the size of the string.

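The approach the answer describes, reading the tracee's memory until the NUL terminator so that the length falls out of the read itself, as an added example that is not part of the original question or answer. The real reader uses PTRACE_PEEKDATA one word at a time, as the question's getdata does; a constructed in-process stand-in for tracee memory lets the function be exercised without a traced child. The names read_tracee_string, peek_fn, peek_tracee and peek_fake are assumptions of this example.

```c
#include <errno.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>

/* Reads one native word at addr in the tracee; 0 on success, -1 on error. */
typedef int (*peek_fn)(pid_t pid, unsigned long addr, long *out);

/* Real reader; -1 from PTRACE_PEEKDATA is an error only when errno is set. */
int peek_tracee(pid_t pid, unsigned long addr, long *out)
{
    errno = 0;
    *out = ptrace(PTRACE_PEEKDATA, pid, (void *)addr, NULL);
    return (*out == -1 && errno != 0) ? -1 : 0;
}

/* Copy a NUL-terminated string out of the tracee one word at a time, stopping
 * at the first NUL byte instead of trusting a register for the length. Returns
 * the length, or -1 on a read error or if it does not fit in cap-1 bytes. */
ssize_t read_tracee_string(peek_fn peek, pid_t pid, unsigned long addr,
                           char *dst, size_t cap)
{
    size_t len = 0;
    if (cap == 0) return -1;
    while (len < cap) {
        union { long w; char c[sizeof(long)]; } u;
        if (peek(pid, addr + len, &u.w) != 0)
            break;                      /* e.g. the pointer ran off a mapped page */
        for (size_t i = 0; i < sizeof(long) && len < cap; i++, len++) {
            dst[len] = u.c[i];
            if (u.c[i] == '\0')
                return (ssize_t)len;    /* terminator found: this is strlen() */
        }
    }
    dst[cap - 1] = '\0';                /* error or truncation: still a valid C string */
    return -1;
}

/* Constructed stand-in for tracee memory (not a real process): the question's
 * "/etc/localtime" placed at offset 4, so the reader can run without a tracee. */
static const char fake_tracee_memory[32] = "\x01\x02\x03\x04/etc/localtime\0junk";

static int peek_fake(pid_t pid, unsigned long addr, long *out)
{
    (void)pid;
    if (addr + sizeof(long) > sizeof fake_tracee_memory)
        return -1;                      /* behaves like an unmapped page */
    memcpy(out, fake_tracee_memory + addr, sizeof(long));
    return 0;
}
```

In the question's loop this would be called with peek_tracee, child and regs.ebx as the address, replacing the regs.edx-sized calloc with a fixed buffer of PATH_MAX bytes.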
  • @karlphillip, The second link you gave is amazing. I have been looking for something like that all morning. I understand the strlen; however, could you explain how I retrieve the filename to begin with? How do I know how many times to call POKEDATA? – ofosho Mar 30 '11 at 17:26
  • Great! It's also important for us that you review the answers and accept the one that solved your problem. Good luck. – karlphillip Mar 30 '11 at 17:28
  • sorry @karlphillip, just modified my comment. Could you take another look? – ofosho Mar 30 '11 at 17:30
  • I'll be glad to do it in another thread because this one has been answered already, and your new question justifies creating a new thread. Just so you do it right next time, where's POKEDATA in your code? I don't know what you mean by that. You can ask as many questions as you would like. But don't hijack your own thread, ok? – karlphillip Mar 30 '11 at 17:36
  • By the way, I found this tutorial quite clarifying: http://www.linuxjournal.com/article/6100?page=0,0 – karlphillip Mar 30 '11 at 17:41
  • @karlphillip, your point is well taken. I have been following that tutorial, which is actually where I get the getdata function from. I will add a new question, and send you a comment. Thanks. – ofosho Mar 30 '11 at 18:54
  • @karlphillip: I am facing a similar problem which I posted at [http://stackoverflow.com/questions/9799373/how-does-strace-read-the-file-name-of-system-call-sys-open]. Can you take a look? – kidd0 Mar 21 '12 at 08:25