Saturday, September 15, 2007

getpid for syscall emulation

A solution to the problem I described in my previous post is to keep using PTRACE_SYSCALL but have the kernel run a different system call, one that does not change the state of the program, such as getpid, in place of the one the child requested.
Here is how it works. A child process calls a system call that should not be executed on its behalf, e.g. opening a file for writing. PTRACE_SYSCALL returns control to the parent after the int instruction has executed but before the kernel runs the system call. The parent replaces the system call number (the eax register) with the number of getpid and lets the child continue. The kernel runs getpid instead of open and stops in the parent again at the end of the system call. The parent now replaces the child's registers with the appropriate values (perhaps values it obtained by running or emulating the system call itself) and resumes the child. The child continues with the values the parent handed to it.
Using this method we can keep PTRACE_SYSCALL and still emulate system calls for a traced process.
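The sequence above, as an added example that is not from the post: a small tracer for Linux x86-64 (so the registers are orig_rax and rax rather than the 32-bit eax) that turns a write-open into getpid at syscall entry and plants -EPERM in the return register at syscall exit. The deny policy, the /tmp path and EPERM as the parent's chosen result are constructed for the example.

```c
/* Added example, not from the original post: a ptrace tracer that refuses write-opens
 * in a traced child by swapping the syscall number for getpid at syscall entry and
 * planting -EPERM in the return register at syscall exit. Assumes Linux x86-64. */
#define _GNU_SOURCE
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/user.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <signal.h>
#include <fcntl.h>
#include <errno.h>

/* Constructed policy: deny open()/openat() unless the access mode is O_RDONLY. */
static int should_block(const struct user_regs_struct *r) {
    unsigned long long flags;
    if (r->orig_rax == SYS_open)        flags = r->rsi;  /* open(path, flags, mode) */
    else if (r->orig_rax == SYS_openat) flags = r->rdx;  /* openat(dirfd, path, flags, mode) */
    else return 0;
    return (flags & O_ACCMODE) != O_RDONLY;
}

/* Traces a child that attempts a write-open. Returns the child's exit status:
 * 1 means open() failed with EPERM as planted (the swap worked); -1 on tracer failure. */
int trace_child(void) {
    pid_t pid = fork();
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) _exit(2);
        raise(SIGSTOP);                                 /* hand control to the tracer */
        int fd = open("/tmp/ptrace_demo_file", O_WRONLY | O_CREAT, 0600);
        _exit(fd < 0 && errno == EPERM ? 1 : 0);
    }
    int status, in_syscall = 0, blocked = 0; struct user_regs_struct regs;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_TRACESYSGOOD);
    for (;;) {
        ptrace(PTRACE_SYSCALL, pid, 0, 0);              /* run to the next syscall stop */
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;
        ptrace(PTRACE_GETREGS, pid, 0, &regs);
        if (!in_syscall) {                              /* entry: swap the number */
            blocked = should_block(&regs);
            if (blocked) { regs.orig_rax = SYS_getpid; ptrace(PTRACE_SETREGS, pid, 0, &regs); }
        } else if (blocked) {                           /* exit: plant our result */
            regs.rax = (unsigned long long)-EPERM; ptrace(PTRACE_SETREGS, pid, 0, &regs);
        }
        in_syscall = !in_syscall;
    }
}
```

The entry/exit toggle relies on every syscall stop arriving in pairs; on kernels that offer PTRACE_GET_SYSCALL_INFO that call is the more robust way to tell the two stops apart.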
