Simple, but useful, code snippet that uses ptrace() to intercept and modify the return value of a system call.
/*
* rollover.c
*
* using ptrace() to intercept and modify the return value of a system call
*
* John Daniele
* jdaniele@kpmg.ca
* VOX: (416) 777-3759
*
*/
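#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <asm/ptrace.h>   /* EBX (i386 Linux only) */

int main(void)
{
    int status;
    long x, y;
    pid_t procid;

    if ((procid = fork()) != 0) {
        /* parent: the tracer */
        for (;;) {
            /* wait for the child to stop; leave the loop once it has exited */
            if (waitpid(procid, &status, 0) < 0 || !WIFSTOPPED(status))
                break;
            /* offset 44 = 4 * ORIG_EAX: the system call number */
            x = ptrace(PTRACE_PEEKUSR, procid, 44, 0);
            if (x == 13) {  /* 13 = time() on i386 */
                /* EBX holds the first argument: the time_t * given to time() */
                y = ptrace(PTRACE_PEEKUSR, procid, 4 * EBX, 0);
                ptrace(PTRACE_POKEDATA, procid, y, 2175984000UL);
            }
            /* resume the child until the next system call entry or exit */
            ptrace(PTRACE_SYSCALL, procid, 1, 0);
        }
        return 0;
    }
    /* child: ask to be traced, then run the target program */
    ptrace(PTRACE_TRACEME, 0, 1, 0);
    execl("/bin/date", "/bin/date", (char *)NULL);
    return 1;   /* only reached if execl() failed */
}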
--------------------------------------------------------------------------------
Date: Tue, 18 May 1999 12:06:47 -0400
From: John Daniele <JDaniele@KPMG.CA>
To: BUGTRAQ@netspace.org
Subject: Re: LD_PRELOAD: Clarification
Barnett wrote:
> cc -o rollover rollover.c
> "rollover.c", line 75: undefined symbol: PTRACE_PEEKUSR
> "rollover.c", line 77: undefined symbol: EBX
> cc: acomp failed for rollover.c
> *** Error code 2
> Solaris 2.6
> What OS is your program for?
In response to similar emails rec'd, I was sitting in front of a Linux box at
the time of the LD_PRELOAD posting, thus my code reflects this. However, Solaris
2.6 should support PTRACE_PEEKUSR as this was favoured over PTRACE_READDATA
in 2.5 I believe (correct me if I'm wrong). In any case, look at <sys/ptrace.h>
for valid request types. The value of EBX is defined in <asm/ptrace.h> and is 0.
If all else fails, you can always issue ioctl routines on a process within the
/proc filesystem ;)
John Daniele
jdaniele@kpmg.ca
VOX: (416) 777-3759