/*
* =====================================================================================
*
* Filename: do_write_read.c
*
* Description: intercept the read and write syscalls of a traced process via ptrace on x86_64
*
* Version: 1.0
* Created: 12/30/2015 10:55:20 AM
* Revision: none
* Compiler: gcc
*
* Author: flysoar
* Organization:
*
* =====================================================================================
*/
#include <stdlib.h>
#include <stdio.h>
#include <sys/user.h>
#include <sys/ptrace.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include "f_ptrace.h"
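/*
 * Wait until the traced process `pid` enters a write(2) syscall, blank out
 * the first occurrence of `target` in the outgoing buffer, and on the
 * matching syscall exit make the tracee believe the whole requested length
 * was written.
 *
 * Protocol: the loop starts with waitpid(), so the caller must already have
 * resumed the tracee with PTRACE_SYSCALL (or it must be sitting in its
 * initial stop).  On a 0 return the tracee is left stopped at the write()
 * exit and the caller is responsible for resuming it.  The first SYS_write
 * stop seen is assumed to be a syscall entry; if the tracee was already
 * inside write() when this is called the entry/exit bookkeeping is off
 * by one (NOTE(review): PTRACE_O_TRACESYSGOOD would make this robust).
 *
 * @param pid     tracee, already attached with ptrace.
 * @param target  NUL-terminated string to mask with spaces; NULL is rejected.
 * @return 0 once one write() has been intercepted; -1 if the tracee exited or
 *         was killed, if a ptrace/waitpid request failed, if `target` is NULL,
 *         or if the intercept buffer could not be allocated.
 */
int intercept_write(pid_t pid, const char *target)
{
    struct user_regs_struct regs;
    int stat = 0;
    unsigned long long orig_len = 0;
    int in_syscall = 0;

    if (target == NULL)
        return -1;
    /* strlen() is loop-invariant; hoisted out of the masking loop. */
    size_t target_len = strlen(target);

    while (1) {
        if (waitpid(pid, &stat, WUNTRACED) < 0)
            return -1;
        /* A tracee killed by a signal is not WIFEXITED; without this check
         * every later ptrace call fails and the loop never terminates. */
        if (WIFEXITED(stat) || WIFSIGNALED(stat))
            return -1;
        /* ptrace() argument order is (request, pid, addr, data). */
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0)
            return -1;

        if (regs.orig_rax == SYS_write) {
            if (in_syscall == 0) {
                /* Syscall entry: rdx is the byte count, rsi the tracee's buffer. */
                in_syscall = 1;
                orig_len = regs.rdx;

                /* The length is chosen by the tracee and therefore untrusted:
                 * guard the +1 for the terminator against wrap-around before
                 * it becomes an allocation size. */
                if (orig_len >= (unsigned long long)SIZE_MAX)
                    return -1;
                /* calloc zero-fills all orig_len+1 bytes, so strstr() below
                 * always finds a terminator inside the buffer (the original
                 * left the last byte uninitialised). */
                char *temp = calloc((size_t)orig_len + 1, 1);
                if (temp == NULL)
                    return -1;

                ptrace_get_data(pid, temp, (void *)regs.rsi, orig_len);

                /* Only the first match is masked, as before.  strstr() stops
                 * at the first NUL, so matches after an embedded NUL in
                 * binary payloads are not found. */
                char *hit = strstr(temp, target);
                if (hit != NULL)
                    memset(hit, ' ', target_len);

                /* The write-back is rounded down to whole words (the helper is
                 * presumably PTRACE_POKEDATA based -- confirm in f_ptrace.h);
                 * a match overlapping the trailing partial word is therefore
                 * only partially masked.  Kept as in the original. */
                ptrace_put_data(pid, temp, (void *)regs.rsi,
                                orig_len - orig_len % sizeof(long));
                free(temp);
                /* Registers were not modified on entry, so no SETREGS here. */
            } else {
                /* Syscall exit: rax carries write()'s return value.  Report the
                 * full requested length regardless of what the kernel wrote
                 * (original behaviour; presumably to hide short writes). */
                regs.rax = orig_len;
                if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) < 0)
                    return -1;
                return 0;
            }
        }

        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0)
            return -1;
    }
}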
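/*
 * Resume the traced process `pid` with PTRACE_SYSCALL until one read(2)
 * completes, then copy the bytes the kernel actually delivered into a freshly
 * malloc'd buffer.
 *
 * The tracee is left stopped at the read() exit on a 0 return; the caller
 * resumes it.  The first SYS_read stop seen is assumed to be a syscall entry
 * (NOTE(review): off by one if the tracee is already inside read() when
 * called; PTRACE_O_TRACESYSGOOD would make this robust).
 *
 * @param pid  tracee, already attached with ptrace.
 * @param len  out: number of bytes copied; may be NULL if not wanted.
 * @param ptr  out: malloc'd buffer of *len bytes, owned by the caller, who
 *             must free() it.  Must not be NULL.  Only written on success or
 *             on allocation failure (set to NULL).
 * @return 0 on success; -1 if the tracee exited, was killed, or a
 *         ptrace/waitpid request failed; -2 if read() returned <= 0;
 *         -3 if the buffer could not be allocated.
 */
int intercept_read(pid_t pid, long *len, char **ptr)
{
    struct user_regs_struct regs;
    int stat = 0;
    int in_syscall = 0;

    while (1) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0)
            return -1;
        if (waitpid(pid, &stat, WUNTRACED) < 0)
            return -1;
        /* A tracee killed by a signal is not WIFEXITED; without this the
         * loop would spin on failing ptrace calls. */
        if (WIFEXITED(stat) || WIFSIGNALED(stat))
            return -1;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0)
            return -1;

        if (regs.orig_rax != SYS_read)
            continue;

        if (!in_syscall) {
            /* Syscall entry: nothing to read yet. */
            in_syscall = 1;
            continue;
        }

        /* Syscall exit: rax holds read()'s return value (bytes delivered, or
         * a negative errno).  The original tested rdx, which is the *requested*
         * count, so it could never detect a failed read and copied stale
         * bytes beyond what the kernel wrote. */
        long got = (long)regs.rax;
        if (got <= 0)
            return -2;

        *ptr = malloc((size_t)got);
        if (*ptr == NULL)
            return -3;

        /* rsi is the tracee's destination buffer. */
        ptrace_get_data(pid, *ptr, (void *)regs.rsi, (unsigned long long)got);
        /* The original never wrote *len, leaving the caller with garbage. */
        if (len != NULL)
            *len = got;
        return 0;
    }
}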