使用ptrace()取消系统调用
使用ptrace()取消系统调用
提问于 2012-08-18 09:43:27
出于某种安全目的,我使用ptrace来获取syscall号,如果这是一个危险的调用(比如10表示断开链接),我想取消这个syscall。
下面是测试程序del.c的源代码。使用gcc -o del del.c编译。
#include <stdio.h>
#include <stdlib.h>
int main()
{
remove("/root/abc.out");
return 0;
}这是安全管理器的源代码test.c。使用gcc -o test test.c编译。
#include <signal.h>
#include <syscall.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <errno.h>
#include <sys/user.h>
#include <sys/reg.h>
#include <sys/syscall.h>
int main()
{
int i;
pid_t child;
int status;
long orig_eax;
child = fork();
if(child == 0) {
ptrace(PTRACE_TRACEME, 0, NULL, NULL);
execl("/root/del", "del", NULL);
}
else {
i = 0;
while(1){
wait(&status);
if (WIFEXITED(status) || WIFSIGNALED(status) )break;
orig_eax = ptrace(PTRACE_PEEKUSER,
child, 4 * ORIG_EAX,
NULL);
if (orig_eax == 10){
fprintf(stderr, "Got it\n");
kill(child, SIGKILL);
}
printf("%d time,"
"system call %ld\n", i++, orig_eax);
ptrace(PTRACE_SYSCALL, child, NULL, NULL);
}
}
return 0;
}创建abc.out文件,然后运行测试程序:
cd /root
touch abc.out
./test文件/root/abc.out应该仍然存在。
我如何实现这个要求?
回答 3
Stack Overflow用户
回答已采纳
发布于 2012-08-18 13:55:36
看起来有时候PTRACE_KILL并不能很好的工作,你可以用kill来代替:
if (orig_eax == 10)
{
kill(pid, SIGKILL);
}编辑:我用这个程序在我的机器(Ubuntu kernel 3.4)上测试了一下,一切正常:
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <sys/reg.h>
#include <stdio.h>
int main(int argc, char **argv)
{
pid_t child;
long orig_eax;
int status;
child = fork();
if(child == 0)
{
ptrace(PTRACE_TRACEME, 0, NULL, NULL);
execl("/bin/ls", "ls", NULL);
}
else
{
/* Both wait and waitpid works */
//wait(NULL);
waitpid(child, &status, 0);
orig_eax = ptrace(PTRACE_PEEKUSER, child, 4 * ORIG_EAX, NULL);
/* Tracking execve syscall */
if (orig_eax == 11)
{
/* Both PTRACE_KILL and kill() works on my 3.4.4 Kernel */
fprintf(stdout, "GOT IT\n");
//ptrace(PTRACE_KILL, child, NULL, NULL);
kill(child, SIGKILL);
}
}
return 0;
}更新:问题是您正在使用10而不是11来跟踪系统调用(因为您正在执行execve命令),以下代码将与您的rm命令一起使用:
if (orig_eax == 11)
{
/* Both PTRACE_KILL and kill() works on my 3.4.4 Kernel */
fprintf(stdout, "INSIDE THE TRAP, FILE WILL NOT BE REMOVED\n");
ptrace(PTRACE_KILL, child, NULL, NULL);
//kill(child, SIGKILL);
}编辑:我尝试了这段代码,一切正常(在执行CALL_REMOVE之后,文件abc.out仍然存在)
/*
* REMOVE.c
* gcc -Wall REMOVE.c -o REMOVE
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char **argv)
{
/* Both calls work */
//remove("/root/abc.out");
unlink("/root/abc.out");
return 0;
}
/*
* CALL_REMOVE.c
* gcc -Wall CALL_REMOVE.c -o CALL_REMOVE
*/
#include <signal.h>
#include <syscall.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <errno.h>
#include <sys/user.h>
#include <sys/reg.h>
#include <sys/syscall.h>
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv)
{
int i;
pid_t child;
int status;
long orig_eax;
int kill_ret = 0;
child = fork();
if(child == 0)
{
ptrace(PTRACE_TRACEME, 0, NULL, NULL);
execl("/root/REMOVE", "REMOVE", NULL);
}
else
{
i = 0;
while(1)
{
wait(&status);
if (WIFEXITED(status) || WIFSIGNALED(status) )
break;
orig_eax = ptrace(PTRACE_PEEKUSER, child, 4 * ORIG_EAX, NULL);
if (orig_eax == 10)
{
fprintf(stderr, "Got it\n");
kill_ret = kill(child, SIGKILL);
if (kill_ret == -1)
{
fprintf(stderr, "Failed to kill ---> %s\n", strerror(errno));
}
}
printf("%d time, system call %ld\n", i++, orig_eax);
ptrace(PTRACE_SYSCALL, child, NULL, NULL);
}
}
return 0;
}我们得到这样的输出:
root@UnixServer:/root# ll
total 28K
-rw-r--r-- 1 root root 6 2012-08-18 19:37 abc.out
-rw-r--r-- 1 root root 1023 2012-08-18 19:39 CALL_REMOVE.c
-rw-r--r-- 1 root root 213 2012-08-18 19:39 REMOVE.c
-rwxr-xr-x 1 root root 7,3K 2012-08-18 19:39 CALL_REMOVE
-rwxr-xr-x 1 root root 7,0K 2012-08-18 19:39 REMOVE
root@UnixServer:/root# ./CALL_REMOVE
0 time, system call 11
1 time, system call 45
2 time, system call 45
3 time, system call 33
4 time, system call 33
5 time, system call 192
6 time, system call 192
7 time, system call 33
8 time, system call 33
9 time, system call 5
10 time, system call 5
11 time, system call 197
12 time, system call 197
13 time, system call 192
14 time, system call 192
15 time, system call 6
16 time, system call 6
17 time, system call 33
18 time, system call 33
19 time, system call 5
20 time, system call 5
21 time, system call 3
22 time, system call 3
23 time, system call 197
24 time, system call 197
25 time, system call 192
26 time, system call 192
27 time, system call 192
28 time, system call 192
29 time, system call 192
30 time, system call 192
31 time, system call 6
32 time, system call 6
33 time, system call 192
34 time, system call 192
35 time, system call 243
36 time, system call 243
37 time, system call 125
38 time, system call 125
39 time, system call 125
40 time, system call 125
41 time, system call 125
42 time, system call 125
43 time, system call 91
44 time, system call 91
Got it
45 time, system call 10
root@UnixServer:/root# ll
total 28K
-rw-r--r-- 1 root root 6 2012-08-18 19:37 abc.out
-rw-r--r-- 1 root root 1023 2012-08-18 19:39 CALL_REMOVE.c
-rw-r--r-- 1 root root 213 2012-08-18 19:39 REMOVE.c
-rwxr-xr-x 1 root root 7,3K 2012-08-18 19:39 CALL_REMOVE
-rwxr-xr-x 1 root root 7,0K 2012-08-18 19:39 REMOVE
root@UnixServer:/root# Stack Overflow用户
发布于 2014-10-20 01:50:01
有很多低级的/聪明的(而且容易出错的)方法来解决这个问题,但是现代的Linux内核(3.x,你的发行版可能需要一个后端补丁)支持一种叫做seccomp的东西,它允许你限制一个进程可以进行的系统调用。沙箱使用此功能,包括Chromium。
您可以在StackOverflow here或谷歌上看到关于这方面的讨论,以获取文档和示例实现。这里有相当多的信息。
Stack Overflow用户
发布于 2019-05-09 01:04:51
转述https://nullprogram.com/blog/2018/06/23/
一旦启动系统调用,就无法取消它。但是,您可以修改系统调用的参数,或在返回后修改其返回值。因此,您可以这样做:
1)等待被跟踪的进程调用系统调用。
2)将系统调用号替换为无效的。为此,请读取被跟踪进程的寄存器,修改它们,然后将它们写回进程。
3)继续该进程;系统调用将被执行,内核将返回一个错误,因为该进程调用了一个未实现的系统调用。
4)当ptrace跟踪系统调用的返回时,您可以选择将内核的错误代码替换为其他代码(例如,将内核的“未实现的系统调用”替换为“无权限错误”)。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/12015141
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号