How to print the argv arguments after hooking the system call table function sys_execve
As in the title, I hook the system call table function sys_execve through ftrace, but when I print the argv parameter and the envp parameter, the printk function prints a bunch of invisible characters. What should I do to print the argv parameter normally?
My OS is Ubuntu 18.04, the kernel version is 5.4.0, and the compiler is gcc-7.5.
My hook code looks like this:
static asmlinkage long (*orig_sysexecve)(const struct pt_regs *);

asmlinkage int hook_sysexecve(const struct pt_regs *regs)
{
    /* x86-64 syscall ABI: di = filename, si = argv, dx = envp (all user-space pointers) */
    char __user *filename = (char *)regs->di;
    char file_name[NAME_MAX] = {0};
    char __user *argv = (char *)regs->si;   /* in user space this is really char *const argv[] */
    char __user *envp = (char *)regs->dx;   /* in user space this is really char *const envp[] */
    char envp_list[NAME_MAX] = {0};
    char argv_list[NAME_MAX] = {0};
    /* strncpy_from_user() returns the number of bytes copied, or a negative errno */
    long error1 = strncpy_from_user(file_name, filename, NAME_MAX);
    long error2 = strncpy_from_user(argv_list, argv, NAME_MAX);   /* copies the raw pointer array bytes, not the strings */
    long error3 = strncpy_from_user(envp_list, envp, NAME_MAX);
    if (error1 > 0 && error2 > 0 && error3 > 0) {
        printk(KERN_INFO "[TestSysExecve]: filename = %s | argv = %s | envp = %s\n",
               file_name, argv_list, envp_list);
    }
    orig_sysexecve(regs);
    return 0;
}
I tried using char __user **argv = (char **)regs->si; char **argvs; long error = strncpy_from_user(argvs, argv, NAME_MAX); but the compilation fails outright.
I also tried char **argv = (char **)regs->si; printk(KERN_INFO "%s", argv[0]); but this crashes the system outright.
Comments (1)
It's actually much simpler than people think. You can check out how I did it in my project:
Get argv of execve syscall
Get argv of process that called open/openat
The open/openat option is a one-liner, and now that I think about it, it should work for execve as well.
Feel free to star the project if it helped you ;)
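What the answer's one-liner has to do underneath, as an added example that is neither the answerer's project code nor the question's hook: argv is a user-space array of user-space pointers, so a hook has to read each pointer first (get_user() in the kernel) and only then the string it points to (strncpy_from_user()), stopping at NULL, capping the count, and terminating the buffer itself when strncpy_from_user() returns the full count without writing a NUL. The two accessors below are a userspace model of those kernel calls (an assumption, so the walker compiles and runs outside the kernel); the sample argv is constructed.

```c
#include <string.h>
#define MAX_ARGS    16
#define MAX_ARG_LEN 64

/* User-memory accessors. In a kernel hook these are get_user() on the array
 * slot and strncpy_from_user() on the string; this userspace model (an
 * assumption for the example) keeps their return conventions. */
static int fetch_user_ptr(const char *const *slot, const char **out)
{
    *out = *slot;                 /* kernel: return get_user(*out, slot); */
    return 0;
}

static long fetch_user_string(char *dst, const char *src, size_t count)
{
    /* kernel: strncpy_from_user(). Returns the length without the NUL, or
     * count with NO terminator written when the string is >= count bytes. */
    const char *nul = memchr(src, '\0', count);
    size_t len = nul ? (size_t)(nul - src) : count;
    memcpy(dst, src, len);
    if (len < count)
        dst[len] = '\0';
    return (long)len;
}

/* Copy an execve argv (char *const argv[] in user space; regs->si in the
 * question) into out[]: read each pointer from the array first, then the
 * bytes it points to. Stops at NULL or MAX_ARGS. Returns argc, or -1 on fault. */
static int collect_argv(const char *const *argv, char out[MAX_ARGS][MAX_ARG_LEN])
{
    int argc = 0;
    for (; argc < MAX_ARGS; argc++) {
        const char *p;
        if (fetch_user_ptr(&argv[argc], &p) != 0)
            return -1;            /* array slot not readable */
        if (p == NULL)
            break;                /* end of argv */
        long n = fetch_user_string(out[argc], p, MAX_ARG_LEN);
        if (n < 0)
            return -1;            /* string not readable */
        if (n >= MAX_ARG_LEN)
            out[argc][MAX_ARG_LEN - 1] = '\0';  /* truncated: terminate it */
    }
    return argc;
}

/* Constructed sample, as a shell would hand it to execve(2). */
static const char *sample_argv[] = { "/bin/ls", "-la", "/tmp", NULL };
static char sample_out[MAX_ARGS][MAX_ARG_LEN];
static int collect_sample(void) { return collect_argv(sample_argv, sample_out); }
```

In a real hook the same walk applies to envp (regs->dx), and a NAME_MAX buffer filled by strncpy_from_user() needs the same explicit terminator before it is handed to printk's %s.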