
I wrote a program to list all the system calls executed by a command (say /bin/ls). Now what I am trying to do is find all the system call arguments, environment variables and command line arguments that may be passed to it.

Example: if I open a file, the system call sys_access will open the file, right? But how do I get these values?
Want to do this for system calls like open, read, write, close.

As per my study these must be in the registers (ebx - edx). If so, what do these register values signify? I got this link.
But I really couldn't get much from there. Also, any further references for this would be very helpful.

kidd0
    Does this help: http://lxr.free-electrons.com/source/include/linux/syscalls.h – dbrank0 Mar 19 '12 at 11:42
  • @dbrank0: Thanks a lot. It indeed is of help. But I have got one more question. The output of my earlier program is like this: `SYSCALL 33: ebx :004c48de ecx: 00000000 edx: 004c8ff4 /access RETURN 33: fffffffe`. The values in this are in hex. So how do I make sense out of it? I am a noob programmer. Sorry for my ignorance. – kidd0 Mar 19 '12 at 11:50
    filename is stored at 0x4c48de, mode is 0 (see mode flag defines), edx is not relevant and contains something undefined, and return value is -2 (it's complaining about read-only filesystem). – dbrank0 Mar 19 '12 at 12:08
  • @dbrank0: thanks a lot for your help. Yeah, I was running under a normal user. Before it was root. How can I mark this question solved :D No answers. :D lol. – kidd0 Mar 19 '12 at 12:11
    @dbrank0 should add an answer since he helped you solve the problem. – karlphillip Mar 19 '12 at 14:40
    `strace` is doing exactly what you want. You could use it, or study its source code. – Basile Starynkevitch Mar 19 '12 at 18:20

1 Answer

(Revised form of comments above (so you can accept it)):

Detailed syscall parameters can be looked up in the Linux kernel header syscalls.h. In the above case, sys_access (#33 on x86) has only two parameters:

  • The first is the pointer to the filename, so your file name was stored at address 0x4c48de.
  • The second parameter is the file mode (see mode flag defines).
  • As there is no third parameter to this syscall, edx is not relevant and contains some undefined value.

Return value of this syscall is -2 (ENOENT, defined in errno-base.h), which signifies error (no such file or directory).

Also note (see Basile's comment above) that you are duplicating the functionality of strace utility.

dbrank0
  • thanks again. I was trying to do it in ptrace so I can learn it. But isn't ptrace more friendly to use in C? I mean the peekuser, getregs and all are fun. :D – kidd0 Mar 20 '12 at 03:53
  • It's fun provided your schedule allows playing with it. :) – dbrank0 Mar 20 '12 at 07:57
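
Worked example for the answer above, written for this page and not taken from the asker's program, the answer or strace: a small ptrace(2) tracer that forks a child, lets it make the access syscall, and decodes the stop the way the answer describes. The filename pointer is followed into the tracee with PTRACE_PEEKDATA (a word at a time, with the errno dance PEEKDATA needs because -1 is also a valid word), the mode bitmask is printed as F_OK/R_OK/W_OK/X_OK, and the raw result register is turned back into an errno (a value in -4095..-1 is -errno, so the asker's fffffffe is -2 = ENOENT). The register mapping is shown for i386 (ebx/ecx, orig_eax/eax) and x86-64 (rdi/rsi, orig_rax/rax); other architectures are not handled. The paths traced in main are constructed test inputs; the child calls the syscall directly through syscall(SYS_access, ...) so that the libc wrapper cannot substitute faccessat.

```c
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>

/* A 32-bit register dumped as hex (e.g. "fffffffe") is a signed value; sign-extend it. */
long i386_reg_to_long(unsigned long v) { return (long)(int32_t)(uint32_t)v; }

/* The raw result register holds -errno on failure: anything in [-4095, -1] is an error. */
int raw_return_to_errno(long raw) { return (raw < 0 && raw >= -4095) ? (int)-raw : 0; }

/* Decode the access(2) mode bitmask (second argument: ecx on i386, rsi on x86-64). */
void access_mode_to_string(long mode, char *buf, size_t len) {
    buf[0] = '\0';
    if (mode == F_OK) { snprintf(buf, len, "%s", "F_OK"); return; }
    if (mode & R_OK) strncat(buf, "R_OK|", len - strlen(buf) - 1);
    if (mode & W_OK) strncat(buf, "W_OK|", len - strlen(buf) - 1);
    if (mode & X_OK) strncat(buf, "X_OK|", len - strlen(buf) - 1);
    size_t n = strlen(buf);
    if (n) buf[n - 1] = '\0';                     /* drop the trailing '|' */
}

/* One word-reader contract so the string copier runs against a real tracee
 * (PTRACE_PEEKDATA) or against this process's own memory (used for testing). */
typedef long (*peek_fn)(pid_t pid, unsigned long addr, int *err);

long peek_ptrace(pid_t pid, unsigned long addr, int *err) {
    errno = 0;   /* PEEKDATA returns -1 both on failure and for a word equal to -1 */
    long w = ptrace(PTRACE_PEEKDATA, pid, (void *)addr, NULL);
    *err = (w == -1 && errno != 0) ? errno : 0;
    return w;
}

long peek_local(pid_t pid, unsigned long addr, int *err) {
    long w; (void)pid; memcpy(&w, (const void *)addr, sizeof w); *err = 0; return w;
}

/* Copy a NUL-terminated string out of the tracee one word at a time.
 * Returns its length, or -1 if a word could not be read (bad pointer). */
long read_tracee_string(peek_fn peek, pid_t pid, unsigned long addr, char *out, size_t len) {
    size_t n = 0;
    while (n + sizeof(long) <= len) {
        int err; long w = peek(pid, addr + n, &err);
        if (err) return -1;
        memcpy(out + n, &w, sizeof w);
        if (memchr(&w, 0, sizeof w)) return (long)strlen(out);
        n += sizeof w;
    }
    out[n < len ? n : len - 1] = '\0';            /* buffer full: terminate anyway */
    return (long)strlen(out);
}

#if defined(__x86_64__)
#  define REG_NR(r)   ((r).orig_rax)   /* rax is clobbered by the return value */
#  define REG_ARG0(r) ((r).rdi)
#  define REG_ARG1(r) ((r).rsi)
#  define REG_RET(r)  ((r).rax)
#elif defined(__i386__)
#  define REG_NR(r)   ((r).orig_eax)   /* eax is clobbered by the return value */
#  define REG_ARG0(r) ((r).ebx)
#  define REG_ARG1(r) ((r).ecx)
#  define REG_RET(r)  ((r).eax)
#endif

struct access_event { char path[256]; char mode[32]; long raw; int err; };

/* Fork a child that performs access(path, mode), trace it, and fill `ev` from the
 * syscall-enter stop (arguments) and syscall-exit stop (result).
 * Returns 0 on success, -1 if tracing is unavailable or the architecture is unsupported. */
int trace_access(const char *path, int mode, struct access_event *ev) {
#if defined(__x86_64__) || defined(__i386__)
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(127);
        raise(SIGSTOP);                           /* park until the parent is ready */
        syscall(SYS_access, path, mode);          /* guaranteed to be the access syscall */
        _exit(0);
    }
    int status, in_access = 0, found = 0;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) return -1;
    memset(ev, 0, sizeof *ev);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == -1) break;
        if (waitpid(pid, &status, 0) == -1 || WIFEXITED(status)) break;
        struct user_regs_struct r;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &r) == -1) break;
        if (REG_NR(r) != SYS_access) continue;    /* not our syscall: keep stepping */
        if (!in_access) {                         /* enter stop: arguments are live */
            in_access = 1;
            if (read_tracee_string(peek_ptrace, pid, (unsigned long)REG_ARG0(r),
                                   ev->path, sizeof ev->path) < 0) break;
            access_mode_to_string((long)REG_ARG1(r), ev->mode, sizeof ev->mode);
        } else {                                  /* exit stop: result is live */
            ev->raw = (long)REG_RET(r);
            ev->err = raw_return_to_errno(ev->raw);
            found = 1;
        }
    }
    if (!WIFEXITED(status)) { kill(pid, SIGKILL); waitpid(pid, &status, 0); }
    return found ? 0 : -1;
#else
    (void)path; (void)mode; (void)ev; errno = ENOSYS; return -1;
#endif
}

int main(void) {
    const char *paths[] = { "/etc/hostname", "/nonexistent/file" };   /* constructed inputs */
    for (int i = 0; i < 2; i++) {
        struct access_event ev;
        if (trace_access(paths[i], R_OK, &ev) != 0) { perror("trace_access"); return 1; }
        printf("access(\"%s\", %s) = %ld  errno=%d (%s)\n", ev.path, ev.mode, ev.raw,
               ev.err, ev.err ? strerror(ev.err) : "ok");
    }
    return 0;
}
```

Two things worth noticing when adapting this to a full tracer: the syscall number must be read from orig_eax/orig_rax, because eax/rax already holds the result at the exit stop, and the enter/exit stops look identical to the tracer unless you count them (or set PTRACE_O_TRACESYSGOOD and track state per syscall), which is why the example toggles in_access.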