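/*
 * Minimal ptrace-based system call tracer for 32-bit x86 Linux.
 *
 * Usage: prog [-p pid] program
 *   -p pid   attach to an already running process
 *   program  fork, mark the child as traced and exec the program
 *
 * For every completed system call one line is written to stderr:
 *   name(ebx, ecx, edx ...)    = eax [error text]
 *
 * NOTE(review): the header names were missing from this listing; the set
 * below is what the calls in this file need. Confirm against the original.
 * The register indices (ORIG_EAX, EAX, EBX, ECX, EDX) exist only when
 * building for i386.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <sys/reg.h>

/*
 * Syscall names indexed by i386 syscall number (slot 0 is left empty).
 * The table is finite, so every lookup must be bounds-checked: the number
 * comes from the traced process and is not trustworthy.
 */
char *_syscalls[] = {
    "", "exit", "fork", "read", "write", "open", "close", "waitpid",
    "creat", "link", "unlink", "execve", "chdir", "time", "mknod", "chmod",
    "lchown", "break", "oldstat", "lseek", "getpid", "mount", "umount",
    "setuid", "getuid", "stime", "ptrace", "alarm", "oldfstat", "pause",
    "utime", "stty", "gtty", "access", "nice", "ftime", "sync", "kill",
    "rename", "mkdir", "rmdir", "dup", "pipe", "times", "prof", "brk",
    "setgid", "getgid", "signal", "geteuid", "getegid", "acct", "umount2",
    "lock", "ioctl", "fcntl", "mpx", "setpgid", "ulimit", "oldolduname",
    "umask", "chroot", "ustat", "dup2", "getppid", "getpgrp", "setsid",
    "sigaction", "sgetmask", "ssetmask", "setreuid", "setregid",
    "sigsuspend", "sigpending", "sethostname", "setrlimit", "getrlimit",
    "getrusage", "gettimeofday", "settimeofday", "getgroups", "setgroups",
    "select", "symlink", "oldlstat", "readlink", "uselib", "swapon",
    "reboot", "readdir", "mmap", "munmap", "truncate", "ftruncate",
    "fchmod", "fchown", "getpriority", "setpriority", "profil", "statfs",
    "fstatfs", "ioperm", "socketcall", "syslog", "setitimer", "getitimer",
    "stat", "lstat", "fstat", "olduname", "iopl", "vhangup", "idle",
    "vm86old", "wait4", "swapoff", "sysinfo", "ipc", "fsync", "sigreturn",
    "clone", "setdomainname", "uname", "modify_ldt", "adjtimex", "mprotect",
    "sigprocmask", "create_module", "init_module", "delete_module",
    "get_kernel_syms", "quotactl", "getpgid", "fchdir", "bdflush", "sysfs",
    "personality", "afs_syscall", "setfsuid", "setfsgid", "_llseek",
    "getdents", "_newselect", "flock", "msync", "readv", "writev", "getsid",
    "fdatasync", "_sysctl", "mlock", "munlock", "mlockall", "munlockall",
    "sched_setparam", "sched_getparam", "sched_setscheduler",
    "sched_getscheduler", "sched_yield", "sched_get_priority_max",
    "sched_get_priority_min", "sched_rr_get_interval", "nanosleep",
    "mremap", "setresuid", "getresuid", "vm86", "query_module", "poll",
    "nfsservctl", "setresgid", "getresgid", "prctl", "rt_sigreturn",
    "rt_sigaction", "rt_sigprocmask", "rt_sigpending", "rt_sigtimedwait",
    "rt_sigqueueinfo", "rt_sigsuspend", "pread", "pwrite", "chown",
    "getcwd", "capget", "capset", "sigaltstack", "sendfile", "getpmsg",
    "putpmsg", "vfork", "ugetrlimit", "mmap2", "truncate64", "ftruncate64",
    "stat64", "lstat64", "fstat64", "lchown32", "getuid32", "getgid32",
    "geteuid32", "getegid32", "setreuid32", "setregid32", "getgroups32",
    "setgroups32", "fchown32", "setresuid32", "getresuid32", "setresgid32",
    "getresgid32", "chown32", "setuid32", "setgid32", "setfsuid32",
    "setfsgid32", "pivot_root", "mincore", "madvise", "madvise1",
    "getdents64", "fcntl64", "security", "gettid", "readahead", "setxattr",
    "lsetxattr", "fsetxattr", "getxattr", "lgetxattr", "fgetxattr",
    "listxattr", "llistxattr", "flistxattr", "removexattr", "lremovexattr",
    "fremovexattr"
};

/* Word read with PTRACE_PEEKDATA, viewable byte by byte (used only by the
 * disabled buffer dump further down). */
union {
    long word;
    struct {
        char a;
        char b;
        char c;
        char d;
    } w;
} trace_w;

/* Process being traced: the attached pid or the forked child. */
pid_t pid;

extern char **environ;

/*
 * Entry point: attach to or spawn the tracee, then loop over its
 * syscall stops and print one line per completed call.
 *
 * Returns 0 when tracing ends normally, 1 on usage, attach or fork errors.
 */
int main(int argc, char *argv[])
{
    int tracing = 1;
    int status;
    long _o_eax, _eax, _ebx, _ecx, _edx;
    const long n_syscalls = (long)(sizeof _syscalls / sizeof _syscalls[0]);

    if (argc < 2) {
        printf("usage: %s [-p pid] program\n", argv[0]);
        return 1;
    }

    if (strcmp(argv[1], "-p") == 0 && argc >= 3) {
        /* strtol instead of atoi: garbage or an out-of-range value must be
         * rejected, not silently turned into pid 0. */
        char *end;
        long v;

        errno = 0;
        v = strtol(argv[2], &end, 10);
        if (end == argv[2] || *end != '\0' || errno == ERANGE ||
            v <= 0 || v != (long)(pid_t)v) {
            fprintf(stderr, "%s: invalid pid '%s'\n", argv[0], argv[2]);
            return 1;
        }
        pid = (pid_t)v;

        /* Attaching is a privileged operation and can be refused by the
         * kernel; carrying on after a failed attach would trace nothing. */
        if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) {
            perror("ptrace(PTRACE_ATTACH)");
            return 1;
        }
    } else {
        argv++;
        pid = fork();
        if (pid == -1) {
            perror("fork");
            return 1;
        }
        if (pid == 0) {
            if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) {
                perror("ptrace(PTRACE_TRACEME)");
                _exit(127);
            }
            execve(argv[0], argv, environ);
            /* Only reached when execve failed. The child must not fall
             * through into the tracing loop below. */
            perror(argv[0]);
            _exit(127);
        }
    }

    while (tracing) {
        if (waitpid(pid, &status, WUNTRACED) == -1) {
            tracing = 0;
            continue;
        }

        /* The tracee is gone: there are no registers left to read. */
        if (WIFEXITED(status) || WIFSIGNALED(status)) {
            tracing = 0;
            continue;
        }

        /* PEEKUSER returns the register value itself, so -1 is only an
         * error when errno was set by the call. */
        errno = 0;
        _o_eax = ptrace(PTRACE_PEEKUSER, pid, (void *)(long)(4 * ORIG_EAX), NULL);
        if (_o_eax == -1 && errno != 0) {
            perror("ptrace(PTRACE_PEEKUSER)");
            tracing = 0;
            continue;
        }
        _eax = ptrace(PTRACE_PEEKUSER, pid, (void *)(long)(4 * EAX), NULL);
        _ebx = ptrace(PTRACE_PEEKUSER, pid, (void *)(long)(4 * EBX), NULL);
        _ecx = ptrace(PTRACE_PEEKUSER, pid, (void *)(long)(4 * ECX), NULL);
        _edx = ptrace(PTRACE_PEEKUSER, pid, (void *)(long)(4 * EDX), NULL);

        /*
         * Disabled in the original: dump of the buffer filled by read().
         * Kept for reference only. As written the loop condition parses as
         * (i < _eax % 4) ? ... : ..., the PEEKDATA address advances by one
         * byte instead of one word, and enabling it would copy everything
         * the tracee reads (possibly secrets) to stdout.
         *
        if (_o_eax == __NR_read && _eax >= 0) {
            for (i=0; i<(_eax%4)?((_eax/4)+1):(_eax/4); i++) {
                trace_w.word = ptrace(PTRACE_PEEKDATA, pid, _ecx+i, 0);
                printf("%c%c%c%c", trace_w.w.a, trace_w.w.b, trace_w.w.c, trace_w.w.d);
            }
        }
        */

        /* eax holds -ENOSYS (-38) at syscall entry; print only at exit. */
        if (_eax != -ENOSYS) {
            char unknown[32];
            const char *name;
            /* Kernel error returns are -1..-4095; other negative values are
             * valid results such as high addresses. */
            int is_err = (_eax < 0 && _eax >= -4095);

            /* Never index the table with an unchecked number: it may be -1
             * at a non-syscall stop or beyond the end of the table. */
            if (_o_eax >= 0 && _o_eax < n_syscalls) {
                name = _syscalls[_o_eax];
            } else {
                snprintf(unknown, sizeof unknown, "syscall_%ld", _o_eax);
                name = unknown;
            }

            /* %ld: the register values are long, not int. */
            fprintf(stderr, "%s(%ld, %ld, %ld ...)\t\t= %ld %s\n",
                    name, _ebx, _ecx, _edx, _eax,
                    is_err ? strerror((int)-_eax) : "");
        }

        /* Resume until the next syscall entry or exit. The signal argument
         * is 0, so signals that stopped the tracee are not passed on to it
         * (same as the original). */
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == -1) {
            tracing = 0;
        }
    }

    return 0;
}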