I am writing a program which uses Ptrace and does the following:
- It reads the current eax and checks if the system call is sys_open.
- If it is then i need to know what are the arguments that are passed.
int sys_open(const char * filename, const int mode, const int mask)
So eax = 5 implies it is a open system call
I came to know ebx has the address of the file location from this Question
But how do I knows the length of the file name so I can read the contents in that location?
I came across the following questions which address the same
Question 1
Question 2 (This one is mine only!)
But I still didn't get a solution to my problem. :( as both the answers were not clear.
I am still getting a segmentation fault when I try the approach in the Question-1
You can check my code here
So Now I really was wondering how does strace extract these values so beautifully :(
As you know,
sys_open()
doesn't receive the size of the filename as parameter. However, the standard says that a literal string must end with a\0
character. This is good news, because now we can do a simple loop iterating over the characters of the string, and when we find a\0
(NULL) character we know we've reached the end of it.That's the standard procedure, that's how
strlen()
does it, and also how strace does it!C example:
Back to your task at hand, you must access the address of
filename
and perform the procedure I just described. This is something you will have to do, and there's no other way.