   해킹잘하고싶다
   간단한 시스템 콜 추적 프로그램 만들기

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=8596 [º¹»ç]


#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/user.h>
#include <unistd.h>
#include <stdio.h>

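/*
 * Resume the tracee until its next stop and collect the wait status.
 *
 * PTRACE_SYSCALL lets the tracee run until the next system-call entry or
 * exit (or until it stops for another reason / terminates).
 * Returns 0 on success, -1 if ptrace() or waitpid() failed.
 */
static int run_to_next_stop(pid_t pid, int *status) {
    if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == -1) {
        perror("ptrace(PTRACE_SYSCALL)");
        return -1;
    }
    if (waitpid(pid, status, 0) == -1) {
        perror("waitpid");
        return -1;
    }
    return 0;
}

/*
 * Minimal system-call tracer for x86-64 Linux.
 *
 * Forks a child that requests tracing and execs /bin/ls; the parent then
 * prints the system-call number (orig_rax) each time the child enters a
 * system call, until the child terminates.
 *
 * Returns 0 when the child has terminated, 1 if fork/ptrace/waitpid failed.
 *
 * NOTE(review): the loop treats every stop as a system-call stop. A
 * signal-delivery stop would shift the entry/exit pairing, and the signal
 * is dropped because PTRACE_SYSCALL is called with data == NULL. Setting
 * PTRACE_O_TRACESYSGOOD would let the tracer tell the two apart.
 */
int main(void) {
    struct user_regs_struct regs;
    int status;

    pid_t child = fork();
    if (child == -1) {
        perror("fork");
        return 1;
    }

    if (child == 0) {
        /*
         * Child: ask to be traced by the parent, then become ls.
         * The request can be refused (for example by a restrictive
         * kernel.yama.ptrace_scope setting), so the result is checked
         * instead of running the target untraced.
         */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) {
            perror("ptrace(PTRACE_TRACEME)");
            _exit(127);
        }
        /* The variadic terminator must be a pointer-typed NULL. */
        execl("/bin/ls", "ls", (char *)NULL);
        /* Only reached when exec failed; never fall into the parent's code. */
        perror("execl");
        _exit(127);
    }

    /* Parent: the first stop is the one raised when the traced child execs. */
    if (waitpid(child, &status, 0) == -1) {
        perror("waitpid");
        return 1;
    }

    /* Keep going only while the child is stopped; exit or kill ends the loop. */
    while (WIFSTOPPED(status)) {
        /* Run up to the next system-call entry. */
        if (run_to_next_stop(child, &status) == -1) {
            return 1;
        }
        if (!WIFSTOPPED(status)) {
            break; /* child is gone: there are no registers to read */
        }

        /* Read the register state; orig_rax holds the system-call number. */
        if (ptrace(PTRACE_GETREGS, child, NULL, &regs) == -1) {
            perror("ptrace(PTRACE_GETREGS)");
            return 1;
        }
        /* Label text is Korean for "system call number"; kept byte-for-byte. */
        printf("½Ã½ºÅÛ ÄÝ ¹øÈ£: %ld\n", (long)regs.orig_rax);

        /* Run up to the matching system-call exit (not printed). */
        if (run_to_next_stop(child, &status) == -1) {
            return 1;
        }
    }
    return 0;
}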




ka0r1@mark:~$ ls
show_process  show_process.c  snap  syscall  syscall.c  test  test.c  venom.exe
ka0r1@mark:~$ ./syscall
½Ã½ºÅÛ ÄÝ ¹øÈ£: 12
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 21
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 0
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 0
½Ã½ºÅÛ ÄÝ ¹øÈ£: 17
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 17
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 0
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 158
½Ã½ºÅÛ ÄÝ ¹øÈ£: 218
½Ã½ºÅÛ ÄÝ ¹øÈ£: 273
½Ã½ºÅÛ ÄÝ ¹øÈ£: 334
½Ã½ºÅÛ ÄÝ ¹øÈ£: 10
½Ã½ºÅÛ ÄÝ ¹øÈ£: 10
½Ã½ºÅÛ ÄÝ ¹øÈ£: 10
½Ã½ºÅÛ ÄÝ ¹øÈ£: 10
½Ã½ºÅÛ ÄÝ ¹øÈ£: 10
½Ã½ºÅÛ ÄÝ ¹øÈ£: 302
½Ã½ºÅÛ ÄÝ ¹øÈ£: 11
½Ã½ºÅÛ ÄÝ ¹øÈ£: 137
½Ã½ºÅÛ ÄÝ ¹øÈ£: 137
½Ã½ºÅÛ ÄÝ ¹øÈ£: 318
½Ã½ºÅÛ ÄÝ ¹øÈ£: 12
½Ã½ºÅÛ ÄÝ ¹øÈ£: 12
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 0
½Ã½ºÅÛ ÄÝ ¹øÈ£: 0
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 21
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 0
½Ã½ºÅÛ ÄÝ ¹øÈ£: 0
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 202
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 9
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 16
½Ã½ºÅÛ ÄÝ ¹øÈ£: 16
½Ã½ºÅÛ ÄÝ ¹øÈ£: 257
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 217
½Ã½ºÅÛ ÄÝ ¹øÈ£: 217
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 5
½Ã½ºÅÛ ÄÝ ¹øÈ£: 1
show_process  show_process.c  snap  syscall  syscall.c  test  test.c  venom.exe
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 3
½Ã½ºÅÛ ÄÝ ¹øÈ£: 231
ka0r1@mark:~$







ptrace(2)                                        System Calls Manual                                        ptrace(2)

NAME
       ptrace - process trace

LIBRARY
       Standard C library (libc, -lc)

SYNOPSIS
       #include <sys/ptrace.h>

       long ptrace(enum __ptrace_request op, pid_t pid,
                   void *addr, void *data);

DESCRIPTION
       The ptrace() system call provides a means by which one process (the "tracer") may observe and control the exe‐
       cution  of  another  process  (the "tracee"), and examine and change the tracee's memory and registers.  It is
       primarily used to implement breakpoint debugging and system call tracing.
.
.
.
자세한 설명은 생략한다...
.
.
.







LIBRARY
       Standard C library (libc, -lc)

SYNOPSIS
       #include <unistd.h>

       extern char **environ;

       int execl(const char *pathname, const char *arg, ...
                       /*, (char *) NULL */);
       int execlp(const char *file, const char *arg, ...
                       /*, (char *) NULL */);
       int execle(const char *pathname, const char *arg, ...
                       /*, (char *) NULL, char *const envp[] */);
       int execv(const char *pathname, char *const argv[]);
       int execvp(const char *file, char *const argv[]);
       int execvpe(const char *file, char *const argv[], char *const envp[]);

   Feature Test Macro Requirements for glibc (see feature_test_macros(7)):

       execvpe():
           _GNU_SOURCE

DESCRIPTION
       The exec() family of functions replaces the current process image with a new process image.  The functions de‐
       scribed  in  this manual page are layered on top of execve(2).  (See the manual page for execve(2) for further
       details about the replacement of the current process image.)
.
.
.
자세한 설명은 생략한다...
.
.
.







SYNOPSIS
       #include <sys/wait.h>

       pid_t wait(int *_Nullable wstatus);
       pid_t waitpid(pid_t pid, int *_Nullable wstatus, int options);

       int waitid(idtype_t idtype, id_t id, siginfo_t *infop, int options);
                       /* This is the glibc and POSIX interface; see
                          NOTES for information on the raw system call. */

   Feature Test Macro Requirements for glibc (see feature_test_macros(7)):

       waitid():
           Since glibc 2.26:
               _XOPEN_SOURCE >= 500 || _POSIX_C_SOURCE >= 200809L
           glibc 2.25 and earlier:
               _XOPEN_SOURCE
                   || /* Since glibc 2.12: */ _POSIX_C_SOURCE >= 200809L
                   || /* glibc <= 2.19: */ _BSD_SOURCE

DESCRIPTION
       All of these system calls are used to wait for state changes in a child of the calling process, and obtain in‐
       formation  about the child whose state has changed.  A state change is considered to be: the child terminated;
       the child was stopped by a signal; or the child was resumed by a signal.  In the case of a  terminated  child,
       performing  a wait allows the system to release the resources associated with the child; if a wait is not per‐
       formed, then the terminated child remains in a "zombie" state (see NOTES below).

.
.
.
자세한 설명은 생략한다...
.
.
.






p.s. 모를 땐 man을 이용하면 됨.

  Hit : 492     Date : 2025/01/18 09:05



    