ptrace

进程之间的通信 预备知识： 1、用户态和内核态，当一个进程在执行用户自己的代码时处于用户运行态（用户态）；当一个进程因为系统调用陷入内核代码中执行时处于内核运行态（内核态）。 2、进程之间的通信（Inter Processs Communication- IPC ）实现机制有：管道、消息队列、信号值、信号、共享内存、共享映射文件、套接字等。 3、及时通信：信号（类似中断）；非及时通信：共享内存、邮箱、管道、套接字、 4、常见的信号：终止信号、定时器信号、用户自定义信号等 5、信号： 用户、系统或者进程 发送给 目标进程 的 信息 ，以通知目标进程某个 状态的改变 或 系统异常 。 6、 PCB（progress control block- 进程控制块），系统通过PCB，描述进程和控制进程。在Linux系统下，PCB是 task_struct结构体（进程描述符） 。 　　1、 进程状态 ：记录进程是处于运行状态还是等待状态 　　2、 调度信息 ：进程由哪个函数调度，具体怎样调度等 　　3、进程之间的 通讯状况 　　4、进程之间的 亲属关系 ：在父进程和子进程之间有task_struct类型的指针，将父进程和子进程联系起来 　　5、 时间数据信息 ：每个进程执行所占用CPU的时间 　　6、 进程的标志 　　7、 进程的标识符 ：该进程唯一的标识符用来区别其他进程 　　8、

Why do I need to run as root (not r00t_)? // main() scan.scanProcessOffset(10838, 0x7f8c14000000); // proper pid and offset void MemoryMapper::scanProcessOffset(unsigned int procId, unsigned long long offset) { long attach = ptrace(PTRACE_ATTACH, procId, NULL, NULL); cout << attach << endl << errno << endl; long memory = ptrace(PTRACE_PEEKDATA, procId, offset); if (memory == -1 && errno == 3) { cout << errno << endl; errno = 0; } cout << memory; } As you can see the process I'm hooking into is owned by r00t_ r00t_@:/proc/10838$ ls -l lrwxrwxrwx 1 r00t r00t_ 0 2012-04-15 08:21 exe -> /usr/bin

I want to write a program which reads the string table of a binary. Binary is in ELF running on REDHAT linux 32. I did the following - Read the Elf Header Read all the sections Below is the output of my progam. Entry Address of Binary - 0x8048340 Start of Program Header - 52 Start of section header - 3272 Size of header - 52 Number of section headers - 36 Size of each section headers - 40 Number of section headers - 36 Section header Offset - 3272 string tbl index for section[0] is 0 string tbl index for section[1] is 27 string tbl index for section[7] is 35 string tbl index for section

I was using the following code which actually gets me the contents in the registers (eax, ebx, ecx) whenever a open system call is called. Now after a lot of struggle I understood what the values signify from this Question . ebx contains the pointer to filename. But when I try to access it I was getting a segmentation fault. Where am I going wrong? The code can be accessed from the here Every process has its own address space. An address obtained from another process will not be valid in yours. One way to read memory in the other process would be to use PTRACE_PEEKDATA . On Linux, another way

I am writing a program which uses Ptrace and does the following: It reads the current eax and checks if the system call is sys_open. If it is then i need to know what are the arguments that are passed. int sys_open(const char * filename, const int mode, const int mask) So eax = 5 implies it is a open system call I came to know ebx has the address of the file location from this Question But how do I knows the length of the file name so I can read the contents in that location? I came across the following questions which address the same Question 1 Question 2 (This one is mine only!) But I still