
Change system call function pointers at runtime in Linux

I have a huge project that is creating a lot of files and folders that I want to track. In order to debug the code, I would like to replace a system call's behavior to check what is going on.

My idea is to hook a new function in the same place where the system call is being used and see the behavior of the application, after it has started. To be more clear, here is an example of what I need:

The application is creating an annoying folder like /tmp/annoying_folder. So I would like to intercept every mkdir system call and check if its argument is the annoying_folder and, if that is the case, force it to return an error, so I can locate which process is doing this and also know its call stack.

What I have tried up to now is using LD_PRELOAD, which is not working in the case of this application, because it is doing direct system calls, instead of going through libc.

I'm having trouble using gdb, because I'm not sure which process is doing these calls, because the application is started by a script that calls multiple other processes.

Through strace I'm able to see the mkdir call that I'm looking for, but it doesn't help me much, because I also need to know the application's call stack to figure out where the code that is generating this is.

So one option that I thought would be interesting is to use LD_PRELOAD to load a library with a constructor function that would change the hook point of mkdir and redirect it to my custom function. But I need directions on how to do that for Linux system calls.

Does someone know how to change system call function pointers at runtime?

I wasn't able to intercept those system calls as I expected, but I've found an interesting workaround with the stap utility.

I've created the following script:

#! /bin/stap -g
# -g (guru mode) is required for the embedded-C block %{ SIGSTOP %} below.

probe nd_syscall.mkdir.return {
  # Read the pathname argument that was passed on entry to mkdir.
  folder_name = user_string(@entry(pointer_arg(1)), "-");
  # Compare only the first 9 characters, i.e. "/tmp/test".
  folder_name_prefix = substr(folder_name, 0, 9);
  if(folder_name_prefix == "/tmp/test") {
    printf("[%d] [%d] [%16s] [%s]\n", uid(), pid(), execname(), folder_name);
    # Freeze the calling process so gdb can be attached to it.
    raise(%{ SIGSTOP %});
  }
}

Then I was able to send a stop signal to the process and after that connect gdb to analyze the application's stack trace.
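The glue between the probe and gdb, as an added example that is not part of the original answer: it reads the stap script's output lines, and for each reported pid (already frozen by the SIGSTOP raised in the probe) attaches gdb in batch mode, records the backtrace of every thread, detaches and resumes the process. It assumes the probe above is saved as mkdir_watch.stp, that stap and gdb are installed, and that the script is run as root; the log file names are the example's own choice.

```shell
#!/bin/sh
# Added helper for the stap probe above (not from the original post).
# Input lines look like:  [1000] [4242] [     example_app] [/tmp/test_dir]
# i.e. "[uid] [pid] [execname] [path]" with execname padded to 16 chars.
set -u

# Print the pid (second bracketed field) of one stap output line.
# Prints nothing for a line that does not have the expected shape.
stap_line_pid() {
    printf '%s\n' "$1" | sed -n 's/^\[[0-9]*\] \[\([0-9]*\)\] \[.*/\1/p'
}

# Print the directory path (last bracketed field) of one stap output line.
stap_line_path() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)\]$/\1/p'
}

# Attach gdb to a process that the probe has already stopped, save the
# backtrace of all its threads to mkdir_bt_<pid>.log, then let it continue.
dump_backtrace_and_resume() {
    pid=$1
    gdb -batch -p "$pid" -ex 'thread apply all bt' -ex 'detach' 2>&1 \
        | tee "mkdir_bt_${pid}.log"
    kill -CONT "$pid"
}

# Run the probe (needs root; mkdir_watch.stp is the assumed file name) and
# react to every mkdir it reports. Lines that are not probe output are skipped.
watch_mkdir() {
    stap -g mkdir_watch.stp | while IFS= read -r line; do
        pid=$(stap_line_pid "$line")
        [ -n "$pid" ] || continue
        echo "mkdir of $(stap_line_path "$line") by pid $pid; attaching gdb"
        dump_backtrace_and_resume "$pid"
    done
}
```

Start it with `watch_mkdir` from a root shell, then reproduce the folder creation; each offending process leaves its call stack in mkdir_bt_<pid>.log and is resumed afterwards.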
