例如:
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/user.h> /* For constants ORIG_EAX etc */
/* NOTE(review): the text reports that this header (or the ORIG_EAX macro it is
 * expected to provide) cannot be found on some Linux versions; the corrected
 * listing later on the page takes ORIG_EAX from <sys/reg.h> instead. */

/*
 * ptrace demo (i386): fork a child that asks to be traced and then execs
 * /bin/ls; the parent waits for the child's first stop, reads the ORIG_EAX
 * slot of the child's user area to obtain the system call number, prints it
 * and resumes the child.
 *
 * Return: always 0 -- none of the fork/ptrace/execl/wait results are checked.
 */
int main()
{
    pid_t child;
    long orig_eax;

    child = fork();
    if (child == 0) {
        /* Child: ask to be traced by the parent, then exec the program to
         * be traced.  If execl fails, the child simply falls through to the
         * "return 0" below (no error is reported). */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        execl("/bin/ls", "ls", NULL);
    } else {
        /* Parent: block until the child changes state (expected: the stop a
         * traced child takes when exec succeeds), then read the ORIG_EAX
         * word.  The offset is in bytes: 4 is sizeof(long) on i386, which is
         * why the text says this listing is i386-specific. */
        wait(NULL);
        orig_eax = ptrace(PTRACE_PEEKUSER, child, 4 * ORIG_EAX, NULL);
        printf("The child made a " "system call %ld ", orig_eax);
        /* Let the child run to completion; its own output follows ours. */
        ptrace(PTRACE_CONT, child, NULL, NULL);
    }
    return 0;
}
在 Linux 的某些版本上运行不了,报错:找不到某个头文件或者某个宏。(上面的代码是基于 i386 的,我试过好几个 Linux 版本,运行仍然出问题)
最后发现问题了。解决如下:
Linux 下如何查找一个宏或函数定义的位置:
以宏定义ORIG_EAX为例:
在终端输入
第一种方法:
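# Quote the pattern so the shell does not expand *.h against the current
# directory before find sees it; -print0/-0 keep header paths containing
# spaces intact when they are handed to grep.
find /usr/include/ -name '*.h' -print0 | xargs -0 grep 'ORIG_EAX'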
结果:
/usr/include/i386-linux-gnu/asm/ptrace-abi.h:#define ORIG_EAX 11
/usr/include/i386-linux-gnu/sys/reg.h:# define ORIG_EAX 11
第二种方法:
# Recursive search with line numbers: every hit is printed as file:line:text.
grep -rn 'ORIG_EAX' /usr/include/
这种方法还能显示宏定义所在的行号。
结果:
/usr/include/i386-linux-gnu/asm/ptrace-abi.h:17:#define ORIG_EAX 11
/usr/include/i386-linux-gnu/sys/reg.h:69:# define ORIG_EAX 11
最后修改后,成功运行:
#include <stdio.h> #include <sys/ptrace.h> #include <sys/types.h> #include <sys/wait.h> #include <unistd.h> #include <sys/reg.h> /* For constants ORIG_EAX etc */ int main() { pid_t child; long orig_eax; child = fork(); if(child == 0) { ptrace(PTRACE_TRACEME, 0, NULL, NULL); execl("/bin/ls", "ls", NULL); } else { wait(NULL); orig_eax = ptrace(PTRACE_PEEKUSER, child, 4 * ORIG_EAX, NULL); printf("The child made a " "system call %ld ", orig_eax); ptrace(PTRACE_CONT, child, NULL, NULL); } return 0; }
运行结果:
The child made a system call 11
后面还有 ls 命令输出的目录清单。