First, an introduction to ptrace:
ptrace provides a way for a parent process to observe and control another process. It can examine and change the child's registers and memory image, which is what makes breakpoint debugging and the tracing of system calls possible.
With ptrace, you can intercept and modify system calls from user space.
Take the following program as an example:
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <stdio.h>        /* for printf */
#include <linux/user.h>   /* For constants ORIG_EAX etc */

int main() {
    pid_t child;
    long orig_eax;
    child = fork();
    if (child == 0) {
        /* child: ask to be traced, then exec the program to be traced */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        execl("/bin/ls", "ls", NULL);
    } else {
        /* parent: wait for the child to stop at exec, then read the
           system-call number out of its saved register */
        wait(NULL);
        orig_eax = ptrace(PTRACE_PEEKUSER, child, 4 * ORIG_EAX, NULL);
        printf("The child made a system call %ld\n", orig_eax);
        ptrace(PTRACE_CONT, child, NULL, NULL);
    }
    return 0;
}
Compiling it with gcc -o xxxx xxxx.c fails with the error that <linux/user.h> does not exist (no such file...).
The cause is that the definitions this header used to provide have moved from /usr/include/linux/user.h to /usr/include/sys/reg.h.
Therefore, change the #include <linux/user.h> line to #include <sys/reg.h> while debugging.
Even after this change an error is still reported, because the 64-bit register layout differs from the 32-bit one. The fix is to replace ORIG_EAX with ORIG_RAX; the program then builds and runs.
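The 64-bit version of the same idea, as an added example that is not the page's original code: it reads the system-call number through the correct x86-64 offset (8 bytes per register slot, computed with offsetof) and uses PTRACE_SYSCALL to see every system call the child makes rather than only the first one. It assumes x86-64 Linux with glibc's <sys/reg.h> and <sys/user.h>, and traces /bin/true as a constructed target.

```c
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/reg.h>   /* ORIG_RAX, RAX: x86-64 register slot indices */
#include <sys/user.h>  /* struct user, for offsetof() */
#include <sys/wait.h>
#include <unistd.h>

/* PTRACE_PEEKUSER offset of orig_rax. Each x86-64 register slot is 8 bytes,
 * so this equals 8 * ORIG_RAX; the 32-bit code's 4 * is misaligned and is rejected. */
long orig_rax_offset(void) {
    return (long)offsetof(struct user, regs.orig_rax);
}

/* Run `path` under PTRACE_SYSCALL and count its syscall entries; returns -1
 * if the child could not be started or traced. Every syscall stops the child
 * twice (entry and exit); at entry the kernel has set rax to -ENOSYS. */
long count_syscalls(const char *path) {
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(127);
        execl(path, path, (char *)NULL);
        _exit(127);
    }
    int status, sig = 0;
    long entries = 0;
    if (waitpid(child, &status, 0) < 0 || !WIFSTOPPED(status)) return -1; /* exec stop */
    /* report syscall stops as SIGTRAP|0x80 so they are not confused with signals */
    if (ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD) < 0) return -1;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, child, NULL, (void *)(long)sig) < 0) return -1;
        if (waitpid(child, &status, 0) < 0) return -1;
        if (!WIFSTOPPED(status)) break;            /* child exited */
        sig = 0;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) { sig = WSTOPSIG(status); continue; }
        if (ptrace(PTRACE_PEEKUSER, child, 8 * RAX, NULL) != -ENOSYS) continue; /* exit stop */
        long nr = ptrace(PTRACE_PEEKUSER, child, orig_rax_offset(), NULL);
        printf("syscall entry: number %ld\n", nr);
        entries++;
    }
    return entries;
}

int main(void) {
    printf("%ld syscall entries\n", count_syscalls("/bin/true"));
    return 0;
}
```

Because syscall stops are identified by rax == -ENOSYS rather than by an entry/exit toggle, the loop stays correct even when the first stop after exec is a syscall-exit stop.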