/*
  * rollover.c
  *
  * using ptrace() to intercept and modify the return value of a system call
  *
  * John Daniele
  * jdaniele@kpmg.ca
  * VOX: (416) 777-3759
  *
  */

#include <unistd.h>
#include <sys/ptrace.h>

int main(void)
{       
        int ret, x, y;
        pid_t procid;

        if(procid = fork()) {           
                for(;;) {
                        x = ptrace(PTRACE_PEEKUSR, procid, 44, 0);
                        if(x == 13) {   
                                y = ptrace(PTRACE_PEEKUSR, procid, EBX, 0);             
                                ptrace(PTRACE_POKEDATA, procid, y, 2175984000);    
                        }
                        ptrace(PTRACE_SYSCALL, procid, 1, 0);   
                }       
        }       
        ptrace(PTRACE_TRACEME, 0, 1, 0);        
        execl("/bin/date", "/bin/date", NULL, (char *)0);
}

--------------------------------------------------------------------------------

Date: Tue, 18 May 1999 12:06:47 -0400
From: John Daniele <JDaniele@KPMG.CA>
To: BUGTRAQ@netspace.org
Subject: Re: LD_PRELOAD: Clarification

Barnett wrote:
> cc    -o rollover rollover.c
> "rollover.c", line 75: undefined symbol: PTRACE_PEEKUSR
> "rollover.c", line 77: undefined symbol: EBX
> cc: acomp failed for rollover.c
> *** Error code 2
> Solaris 2.6
> What OS is your program for?

In response to similar emails rev'd, I was sitting in front of a linux box at
the
time of the LD_PRELOAD posting, thus my code reflects this. However, Solaris
2.6 should support PTRACE_PEEKUSR as this was favoured over PTRACE_READDATA
in 2.5 I believe (correct me if I'm wrong). In any case, look at <sys/ptrace.h>
for valid request types. The value of EBX is defined in <asm/ptrace.h> and is 0.
If all else fails, you can always issue ioctl routines on a process within the
/proc filesystem ;)

John Daniele
jdaniele@kpmg.ca
VOX: (416) 777-3759