How does strace read the file name of system call

2019-05-04 17:21发布

I am writing a program which uses Ptrace and does the following:

  • It reads the current eax and checks if the system call is sys_open.
  • If it is then i need to know what are the arguments that are passed.

    int sys_open(const char * filename, const int mode, const int mask)

So eax = 5 implies it is a open system call
I came to know ebx has the address of the file location from this Question But how do I knows the length of the file name so I can read the contents in that location?
I came across the following questions which address the same
Question 1
Question 2 (This one is mine only!)
But I still didn't get a solution to my problem. :( as both the answers were not clear. I am still getting a segmentation fault when I try the approach in the Question-1
You can check my code here
So Now I really was wondering how does strace extract these values so beautifully :(

1条回答
Animai°情兽
2楼-- · 2019-05-04 17:33

As you know, sys_open() doesn't receive the size of the filename as parameter. However, the standard says that a literal string must end with a \0 character. This is good news, because now we can do a simple loop iterating over the characters of the string, and when we find a \0 (NULL) character we know we've reached the end of it.

That's the standard procedure, that's how strlen() does it, and also how strace does it!

C example:

#include <stdio.h>

int main()
{
    const char* filename = "/etc/somefile";

    int fname_length = 0;
    for (int i = 0; filename[i] != '\0'; i++)
    {
        fname_length++;
    }

    printf("Found %d chars in: %s\n", fname_length, filename);

    return 0;
}

Back to your task at hand, you must access the address of filename and perform the procedure I just described. This is something you will have to do, and there's no other way.

查看更多
登录 后发表回答