如何ptrace的一个多线程应用程序? [英] How to ptrace a multi-threaded application?
问题描述
编辑(取得的进展):
我想要一个的ptrace vsftpd的守护进程。我有以下的code是连接到后台程序。然后,它成功地显示的第一个衍生进程的PID。然而,对于这个孩子产生了处理它返回的PID为2,3,...程序没有赶上子进程的退出虽然,这让我觉得我靠近。
任何想法?
无效* trace_process(无效* PID){
将为pid_t孩子=的atoi((字符*)PID);
长orig_eax,EAX;
INT状态;
INT callmade = FALSE;
长选择= PTRACE_O_TRACEFORK;
长newpid; 长期跟踪= ptrace的(PTRACE_ATTACH,孩子,NULL,NULL);
ptrace函数(PTRACE_SETOPTIONS,孩子,NULL,OPT);
如果(跟踪== FALSE)
的printf(附%d个\\ N,儿童); 而(TRUE){
孩子= waitpid函数(-1,&安培;状态,__WALL); 如果(状态>> 16 == PTRACE_EVENT_FORK){
ptrace函数(PTRACE_GETEVENTMSG,儿童,NULL,(长)及newpid);
的ptrace(PTRACE_SYSCALL,newpid,NULL,NULL); 输出(附加到后代%LD \\ N,newpid);
}
其他{
如果(WIFEXITED(状态))
的printf(儿童%d个退出\\ n,儿童);
} ptrace函数(PTRACE_SYSCALL,孩子,NULL,NULL);
}
}
示例输出:
附2015年//守护进程
附后代5302 //新的连接处理程序
附后代2 //应该是认证
儿童5303 //退出退出认证在成功登录
附后代3 //应该是提供服务的进程文件
儿童5304 //退出注销:提供服务的进程文件
儿童5302 //退出连不上
附后代5305 //新的连接处理程序
附后代2 // ...重复
儿童5306退出
附3后代
儿童5307退出
儿童5305退出
我的code进一步去之后,我意识到它的实际工作来捕获所有从父及其子来的系统调用。唯一的问题是,PID被作为相对数,而不是实际的PIDS返回。这将导致不被肯定,等待PID实际上是从父生成。无论哪种方式,code将让你所有的系统调用。我还是想知道为什么PID是相对的,对于我自己的知识,但code正常工作。
EDIT (MADE PROGRESS):
I am trying to ptrace a vsftpd daemon. I have the following code which is attaching to the daemon. Then it successfully displays the PID of the first spawned process. However, for the children of this spawned process it returns the PIDs as 2,3,.. The program does catch the exiting of the spawned processes though, which makes me think I am close.
Any ideas?
void * trace_process(void * pid){
pid_t child = atoi((char *) pid);
long orig_eax, eax;
int status;
int callmade = FALSE;
long opt = PTRACE_O_TRACEFORK;
long newpid;
long trace = ptrace(PTRACE_ATTACH,child,NULL,NULL);
ptrace(PTRACE_SETOPTIONS,child,NULL,opt);
if(trace == FALSE)
printf("Attached to %d\n",child);
while(TRUE) {
child = waitpid(-1, &status, __WALL);
if (status >> 16 == PTRACE_EVENT_FORK) {
ptrace(PTRACE_GETEVENTMSG, child, NULL, (long) &newpid);
ptrace(PTRACE_SYSCALL, newpid, NULL, NULL);
printf("Attached to offspring %ld\n", newpid);
}
else{
if(WIFEXITED(status))
printf("Child %d exited\n", child);
}
ptrace(PTRACE_SYSCALL,child, NULL, NULL);
}
}
Sample output:
Attached to 2015 // daemon
Attached to offspring 5302 // new connection handler
Attached to offspring 2 // should be authenticator
Child 5303 exited // authenticator exiting on successful login
Attached to offspring 3 // should be process serving files
Child 5304 exited // logout: process serving files
Child 5302 exited // connection closed
Attached to offspring 5305 // new connection handler
Attached to offspring 2 // ... repeat
Child 5306 exited
Attached to offspring 3
Child 5307 exited
Child 5305 exited
After going further with my code, I realize that it does actually work to capture all the system calls that are coming from the parent and its children. The only issue is that the PIDs are returned as relative numbers, rather than actual PIds. This results in not being certain that a wait PID was actually generated from the parent. Either way, the code will get you all the system calls. I would still like to know why the PID is relative, for my own knowledge, but the code works fine.
这篇关于如何ptrace的一个多线程应用程序?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
