interfereproc

This page is about how to manipulate other processes using ptrace. Some demonstration programs are supplied:

pfiles pid...
    Show information about a process's open files.
redirectfd pid fd filename
    Redirect a file descriptor of a running process.
retronohup pid
    Retrospectively apply "nohup" to a running process.
retrotee pid [fd]
    Copy the output of a given file descriptor.
inject pid fd text
    Write the given text to the fd.

Internals

We begin by attaching to the process and waiting for a syscall.

The controlling process is notified twice per system call, once on entry and once on exit, so we need to determine whether we are looking at a syscall entry or a syscall exit.

Having intercepted the process on its way into a system call, we put the filename on the stack and call open(). The parameters to the system call are passed in EBX, ECX and EDX. ESP is decremented so that it points to the bottom of the stack (i.e. at the first character of the filename).

EIP is decremented by 2, the length of the int $0x80 instruction, so that when the injected syscall is complete, the next instruction to execute is int $0x80, the syscall trap, which re-issues the system call we interrupted.

On syscall exit, we check the return value of the system call. The variables error and last_error are set so that they can be used to check for failed system calls.

To clean up, we put the syscall arguments back as they were at the first syscall entry and detach from the process.
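The recipe above carried through in code, as an added example that is not part of interfereproc. It is written for x86-64 Linux (an assumption: the page's EBX/ECX/EDX/ESP/EIP become rdi/rsi/rdx/rsp/rip, orig_rax holds the syscall number, and the 2-byte int $0x80 becomes the 2-byte syscall instruction), it also steps over the x86-64 red zone below rsp, which the i386 recipe does not need, and inject_open() needs the usual ptrace permission on the target (same uid, or CAP_SYS_PTRACE).

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>

/* From the registers of a syscall-entry stop, build the set that turns this trap into open(path, flags, 0). */
struct user_regs_struct prepare_open(struct user_regs_struct in, size_t pathlen, int flags)
{
    struct user_regs_struct r = in;
    size_t room = (pathlen + 7) & ~(size_t)7;  /* whole 8-byte words for PTRACE_POKEDATA */
    r.rsp = in.rsp - 128 - room;  /* skip the x86-64 red zone, then end the stack at the filename */
    r.rdi = r.rsp;                /* arg 0: filename pointer (EBX on i386) */
    r.rsi = flags;                /* arg 1: open flags (ECX) */
    r.rdx = 0;                    /* arg 2: mode, unused without O_CREAT (EDX) */
    r.orig_rax = SYS_open;        /* swap the pending syscall for open() */
    r.rip = in.rip - 2;           /* re-execute the 2-byte "syscall" once open() has returned */
    return r;
}

/* Resume until the next syscall-entry stop: rax is -ENOSYS at entry, the real result at exit. */
static int wait_entry(pid_t pid, struct user_regs_struct *r)
{
    int st;
    do {
        if (ptrace(PTRACE_SYSCALL, pid, 0, 0) == -1 || waitpid(pid, &st, 0) == -1 || !WIFSTOPPED(st)) return -1;
        if (ptrace(PTRACE_GETREGS, pid, 0, r) == -1) return -1;
    } while ((long)r->rax != -ENOSYS);
    return 0;
}

/* Attach, inject open(path, O_WRONLY), restore the interrupted syscall, detach. Returns the new fd or -errno. */
long inject_open(pid_t pid, const char *path)
{
    struct user_regs_struct saved, r; size_t len = strlen(path) + 1;
    if (ptrace(PTRACE_ATTACH, pid, 0, 0) == -1 || waitpid(pid, NULL, 0) == -1) return -errno;
    if (wait_entry(pid, &saved) == -1) { ptrace(PTRACE_DETACH, pid, 0, 0); return -errno; }
    r = prepare_open(saved, len, O_WRONLY);
    for (size_t i = 0; i < len; i += 8) {      /* copy the filename onto the tracee's stack */
        long w = 0; memcpy(&w, path + i, len - i < 8 ? len - i : 8);
        ptrace(PTRACE_POKEDATA, pid, r.rdi + i, w);
    }
    ptrace(PTRACE_SETREGS, pid, 0, &r);
    ptrace(PTRACE_SYSCALL, pid, 0, 0); waitpid(pid, NULL, 0);  /* exit stop of the injected open() */
    ptrace(PTRACE_GETREGS, pid, 0, &r); long fd = (long)r.rax; /* new fd inside the tracee, or -errno */
    if (wait_entry(pid, &r) == 0) ptrace(PTRACE_SETREGS, pid, 0, &saved); /* original trap re-entered: put its registers back */
    ptrace(PTRACE_DETACH, pid, 0, 0); return fd;
}
```

A negative result from inject_open() is the -errno of whichever step failed, so EPERM from attach and ENOENT from the injected open() are distinguishable.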

Download

Source: interfereproc-1.3.tar.bz2
Browse sources
Binaries: pfiles manpage
redirectfd manpage
retronohup manpage
retrotee manpage
inject manpage

Peter Benie <peterb@chiark.greenend.org.uk>