Let me explain my problem: I am a beginner with the ptrace function, and I would like to retrieve the information held in a struct. For example, with the command strace -e trace=fstat ls I get a line like: fstat(3, {st_mode=..., st_size=...} and I want to retrieve the contents of the struct fields (st_mode) and (st_size). I tried this but without success:
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>

/* Copy `size` bytes from address `addr` in the tracee `child` into `buffer`,
 * one word at a time. */
int buffer(unsigned long long addr, pid_t child, size_t size, void *buffer)
{
size_t byte = 0;
size_t data;
unsigned long tmp;
while (byte < size) {
tmp = ptrace(PTRACE_PEEKDATA, child, (void *)(addr + byte), NULL);
/* copy a whole word while at least one word remains, otherwise the tail */
if ((size - byte) / sizeof(tmp))
data = sizeof(tmp);
else
data = size % sizeof(tmp);
memcpy((char *)buffer + byte, &tmp, data);
byte += data;
}
return 0;
}
and called with:
struct stat stat_i;
buffer(addr, pid, sizeof(stat_i), &stat_i);
printf("%lld\n", (long long)stat_i.st_size); /* -> fake value :/ */
Thanks!
Accepted answer
From the man page:
PTRACE_PEEKTEXT, PTRACE_PEEKDATA Read a word at the address addr in the tracee's memory, returning the word as the result of the ptrace() call. Linux does not have separate text and data address spaces, so these two requests are currently equivalent. (data is ignored; but see NOTES.)
So you have to understand that tmp will hold the actual value read.
Your check is wrong - you should set errno = 0 before the call, then check whether it has changed. If it has, you have an error. If not, you can be confident that tmp holds the word from the remote process.
Try something like this:
#include <errno.h>
#include <sys/ptrace.h>
#include <sys/types.h>

/* Copy `size` bytes from address `addr` in the tracee `child` into `buffer`.
 * Returns 0 on success, -1 on a PEEKDATA failure or an unsupported size. */
int buffer(unsigned long long addr, pid_t child, size_t size, void *buffer)
{
size_t byte = 0;
unsigned long tmp;
// support for word aligned sizes only
if (size % sizeof(long) != 0)
return -1;
long * buffer_int = (long*) buffer;
while (byte < size) {
errno = 0; // PEEKDATA returns the word itself, so errno is the only error signal
tmp = ptrace(PTRACE_PEEKDATA, child, (void *)(addr + byte), NULL);
if (errno)
return -1;
buffer_int[byte / sizeof(long)] = tmp;
byte += sizeof(long);
}
return 0;
}
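The following is an added, complete program illustrating the answer's technique; it is not code from the question or the answer. It keeps the errno protocol around PTRACE_PEEKDATA but generalises the copy loop so sizes that are not a multiple of sizeof(long) work too, and it separates the word reader from the copy loop so the loop can be checked in-process against a constructed memory image (peek_fake, fake_mem and self_test are assumptions for that check). The main() demo forks a child that traces itself, fills a global struct stat and stops; because fork() preserves addresses, the parent reads that struct out of the child and prints st_size. Locating the struct through the syscall's argument registers, as strace does, is not shown.

```c
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* One word-sized read from "remote" memory; returns -1 on failure. */
typedef int (*peek_fn)(void *ctx, uintptr_t addr, long *out);

/* Real reader: PTRACE_PEEKDATA with the errno protocol from the answer.
 * ctx points at the tracee's pid. -1 is a legal word value, so only errno
 * can tell a failed read from a word that happens to be all ones. */
static int peek_ptrace(void *ctx, uintptr_t addr, long *out)
{
    errno = 0;
    long word = ptrace(PTRACE_PEEKDATA, *(pid_t *)ctx, (void *)addr, NULL);
    if (errno != 0)
        return -1;
    *out = word;
    return 0;
}

/* Copy size bytes at addr in the remote process into buf, one word at a time.
 * Sizes that are not word multiples are accepted: the tail is taken from a
 * re-read of the last full word, so nothing past addr+size is fetched
 * (except for objects smaller than a word, which need one whole word). */
static int read_remote(peek_fn peek, void *ctx, uintptr_t addr, size_t size, void *buf)
{
    unsigned char *dst = buf;
    size_t done = 0;
    long word;
    while (done < size) {
        size_t left = size - done;
        if (left >= sizeof word) {
            if (peek(ctx, addr + done, &word) != 0) return -1;
            memcpy(dst + done, &word, sizeof word);
            done += sizeof word;
        } else if (size >= sizeof word) {
            if (peek(ctx, addr + size - sizeof word, &word) != 0) return -1;
            memcpy(dst + done, (unsigned char *)&word + sizeof word - left, left);
            done = size;
        } else {
            if (peek(ctx, addr, &word) != 0) return -1;
            memcpy(dst, &word, left);
            done = size;
        }
    }
    return 0;
}

/* Fake reader (assumption, for self-testing without a tracee): addresses are
 * offsets into a constructed 512-byte memory image; a read past its end
 * fails, like PEEKDATA on an unmapped page. */
static unsigned char fake_mem[512];
static int peek_fake(void *ctx, uintptr_t addr, long *out)
{
    (void)ctx;
    if (addr + sizeof *out > sizeof fake_mem) return -1;
    memcpy(out, fake_mem + addr, sizeof *out);
    return 0;
}

/* Returns 0 when read_remote reproduces a struct stat, a 13-byte and a
 * 3-byte object byte-for-byte and reports an unreadable address. */
int self_test(void)
{
    struct stat src, dst;
    memset(&src, 0x5a, sizeof src);
    src.st_size = 123456;
    memset(&dst, 0, sizeof dst);
    memcpy(fake_mem, &src, sizeof src);
    if (read_remote(peek_fake, NULL, 0, sizeof src, &dst) != 0 ||
        memcmp(&src, &dst, sizeof src) != 0 || dst.st_size != 123456) return 1;
    char got[13];
    memcpy(fake_mem + 300, "hello, world", 13);
    if (read_remote(peek_fake, NULL, 300, 13, got) != 0 || memcmp(got, "hello, world", 13)) return 2;
    memcpy(fake_mem + 400, "abc", 3);
    if (read_remote(peek_fake, NULL, 400, 3, got) != 0 || memcmp(got, "abc", 3)) return 3;
    if (read_remote(peek_fake, NULL, 508, 16, got) != -1) return 4;
    return 0;
}

/* Live demo: read the child's struct stat through ptrace and print fields. */
static struct stat g_st;
int main(void)
{
    pid_t child = fork();
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) {                 /* tracee: fill g_st, then stop */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        stat("/", &g_st);
        raise(SIGSTOP);
        _exit(0);
    }
    int status;
    waitpid(child, &status, 0);       /* wait for the SIGSTOP */
    struct stat st;
    if (read_remote(peek_ptrace, &child, (uintptr_t)&g_st, sizeof st, &st) != 0) {
        perror("PTRACE_PEEKDATA");
        kill(child, SIGKILL);
        return 1;
    }
    printf("child's stat(\"/\"): st_mode=%o st_size=%lld\n", (unsigned)st.st_mode, (long long)st.st_size);
    ptrace(PTRACE_DETACH, child, NULL, NULL);
    waitpid(child, &status, 0);
    return self_test();
}
```

Run it as an ordinary user; ptrace of one's own child needs no extra privilege, but a hardened ptrace_scope or a container seccomp policy can make PTRACE_TRACEME or PEEKDATA fail, which the errno check then reports instead of silently yielding garbage.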
For "c - retrieving information from a struct with ptrace", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/49657361/