Advanced and improved absolute paths decoding
Zubin Mithra
zubin.mithra at gmail.com
Tue Feb 25 16:57:37 UTC 2014
Hey all,

I'm Zubin and I love low level systems programming! :)

A little about myself: I program primarily in C and Python, have systems programming experience with Minix (filesystem development) and Linux, and am a hobbyist reverse engineer (I play CTF security exercises) -- and that's when I use strace the most!

I had a look at the ideas list here [1] and found the idea on improved path decoding quite interesting and was hoping we could discuss it further on the mailing list.

I had a quick look at the implementation of the -y flag and noticed the implementation of getfdpath (where the magic seemed to be happening). It seemed to be trying to read the value of the symbolic link at /proc/<pid>/fd/<fd>.

Is my understanding of the following accurate? Modifications need to be made such that upon using the "yy" flag:
- Calls to functions that take a path as an argument are displayed with the absolute path regardless of the argument that is passed in.
- When calls to functions that return a file descriptor are made, the absolute path to the filename corresponding to the file descriptor needs to be printed.
- Same as above for functions that use path/descriptor combos.

I believe that the first step would be to document and note down the system calls that belong to one or more of the above categories and their system call numbers, and if the -yy flag is used, check the tcp->scno against these numbers and act accordingly.

Is there something I'm missing? I'd love any kind of feedback!

Cheers,
-- zm

[1] http://sourceforge.net/p/strace/wiki/GoogleSummerOfCode2014/