
I am writing a program which uses ptrace and does the following:

  • It reads the current eax and checks if the system call is sys_open.
  • If it is, then I need to know which arguments are passed.

    int sys_open(const char * filename, const int mode, const int mask)

So eax = 5 implies it is an open system call.
I came to know that ebx has the address of the file location from this question. But how do I know the length of the file name so I can read the contents at that location?
I came across the following questions which address the same:
Question 1
Question 2 (This one is mine only!)
But I still didn't get a solution to my problem :( as both the answers were not clear. I am still getting a segmentation fault when I try the approach in Question 1.
You can check my code here
So now I really was wondering how strace extracts these values so beautifully :(

kidd0
  • If you're willing to dig a bit into the code, you can look it up yourself at http://strace.git.sourceforge.net/git/gitweb.cgi?p=strace/strace;a=tree -- grepping `sys_open` might be a good start. – che Mar 21 '12 at 06:16
  • Did you study carefully the source code of `strace`? Did you try `strace strace true`? – Basile Starynkevitch Mar 21 '12 at 06:16
  • I am getting some compilation errors when I try compiling your code. http://ideone.com/SQie4. I think you need to paste the code for `helper.h` too – Pavan Manjunath Mar 21 '12 at 06:16
  • @che: [http://pastie.org/3639780] This has my helper.h which actually has the headers. Sorry for forgetting it :( – kidd0 Mar 21 '12 at 06:26
  • I didn't try `strace strace true`. Wait, I'll google for it – kidd0 Mar 21 '12 at 06:27
  • @PavanManjunath: I pasted the helper.h too. Sorry for forgetting it before :( – kidd0 Mar 21 '12 at 06:32

1 Answer


As you know, sys_open() doesn't receive the size of the filename as parameter. However, the standard says that a literal string must end with a \0 character. This is good news, because now we can do a simple loop iterating over the characters of the string, and when we find a \0 (NULL) character we know we've reached the end of it.

That's the standard procedure, that's how strlen() does it, and also how strace does it!

C example:

#include <stdio.h>

int main()
{
    const char* filename = "/etc/somefile";

    int fname_length = 0;
    for (int i = 0; filename[i] != '\0'; i++)
    {
        fname_length++;
    }

    printf("Found %d chars in: %s\n", fname_length, filename);

    return 0;
}

Back to your task at hand, you must access the address of filename and perform the procedure I just described. This is something you will have to do, and there's no other way.

karlphillip
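What the answer describes, carried through to the ptrace side, as an added example that is not part of the question's or the answer's code: the tracer fetches the tracee's memory one word at a time with PTRACE_PEEKDATA starting at the address ebx holds, and stops at the first `\0`. It assumes a Linux tracer; the `fake_mem` image, `peek_fake` and the `demo_*` helpers are constructed stand-ins so the loop can run without a real tracee, and `peek_ptrace` is the reader a real tracer would pass in.

```c
#include <errno.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>

/* Reads one word at addr in the tracee; -1 with errno set on failure. A
 * function pointer so the same copy loop can run over a constructed
 * memory image here, or over PTRACE_PEEKDATA in a real tracer. */
typedef long (*peek_fn)(pid_t pid, unsigned long addr);

long peek_ptrace(pid_t pid, unsigned long addr)   /* the real reader */
{
    return ptrace(PTRACE_PEEKDATA, pid, (void *)addr, NULL);
}

/* Copies the NUL-terminated string at addr in the tracee into buf, one word
 * at a time, stopping at the first '\0' (the strlen() idea, via ptrace).
 * Returns the length, or -1 if a word could not be read before the
 * terminator (e.g. an unmapped address). Since -1 is also a valid word,
 * errno is cleared before each read and checked afterwards. */
int read_tracee_string(pid_t pid, unsigned long addr, peek_fn peek,
                       char *buf, size_t bufsize)
{
    size_t len = 0;
    while (len + 1 < bufsize) {
        errno = 0;
        long word = peek(pid, addr + len);
        if (word == -1 && errno != 0)
            return -1;
        unsigned char bytes[sizeof word];
        memcpy(bytes, &word, sizeof word);       /* bytes in memory order */
        for (size_t i = 0; i < sizeof word && len + 1 < bufsize; i++) {
            buf[len] = (char)bytes[i];
            if (bytes[i] == '\0')
                return (int)len;
            len++;
        }
    }
    buf[bufsize - 1] = '\0';                     /* no NUL found: truncated */
    return (int)len;
}

/* Constructed stand-in for tracee memory (no real process): the filename
 * sits at offset 16, the address ebx would carry for sys_open. */
static unsigned char fake_mem[64] = "xxxxxxxxxxxxxxxx/etc/somefile";
static long peek_fake(pid_t pid, unsigned long addr)
{
    long word; (void)pid;
    if (addr + sizeof word > sizeof fake_mem) { errno = EIO; return -1; }
    memcpy(&word, fake_mem + addr, sizeof word);
    return word;
}
char demo_buf[64];
int demo_read(size_t bufsize) { return read_tracee_string(0, 16, peek_fake, demo_buf, bufsize); }
int demo_fault(void) { return read_tracee_string(0, 62, peek_fake, demo_buf, sizeof demo_buf); }
```

In a real tracer the call is `read_tracee_string(child, regs.ebx, peek_ptrace, buf, sizeof buf)` after `PTRACE_GETREGS` has shown `eax == 5`; the bounded buffer is what keeps a missing terminator in the tracee from turning into an overrun in the tracer.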