Only intercept mprotect(2) syscall...

Henrik Faber... (Guest)
Posted: Thu Nov 05, 2009 2:50 am

Dear group,

I'd like to do the following: Trap all read/write access to a page in
memory (e.g., for logging purposes), but do not deny them. When I use
mprotect() on a certain location, I can intercept the read/write, but
(as the page is obviously protected) the read/write is not actually
performed. I'd like my handler to be called right prior to any read and
any write, but without changing the results.

I find it hard to explain (English is not my native language), so maybe
the solution I have thought of (but find incredibly ugly) helps:

1. Install sighandler for SIGSEGV
2. mprotect() the region in question
3. Upon SIGSEGV, log, reverse mprotect, set flag that memory is unprotected
4. Change return value on stack so that the instruction which led to the
   SIGSEGV is executed again (and will work this time). Also patch code so
   that the instruction executed after the trapped instruction is replaced
   by int3
5. Upon SIGSEGV (because of int3), install mprotect again, set flag that
   memory is protected, patch code back to original instruction, again
   change return value so that the last instruction is executed

This should work - but it's horrible. And really lots of work. What I
would like much more is something like a flag that I could pass to
mprotect (all pseudocode following)

    /* PROT_INTERCEPT and struct magicmprotstruct do not exist (wished-for API) */
    mprotect(my_region, 4096, PROT_INTERCEPT);

    void intercepthandler(int signal, void *magic) {
        struct magicmprotstruct *m = (struct magicmprotstruct *)magic;
        printf("There was a %d byte %s on addr %x with value %x\n",
               m->opsize,
               m->read ? "read" : "write",
               m->addr,
               m->value);
    }

Is there any way I can achieve this (or something like this) without
going through the whole trouble I described above?

Regards,
Henrik

Chris McDonald... (Guest)
Posted: Thu Nov 05, 2009 2:50 am

Henrik Faber <hfaber at (no spam) invalid.net> writes:

Quote:
> I'd like to do the following: Trap all read/write access to a page in
> memory (e.g., for logging purposes), but do not deny them. When I use
> mprotect() on a certain location, I can intercept the read/write, but
> (as the page is obviously protected) the read/write is not actually
> performed. I'd like my handler to be called right prior to any read and
> any write, but without changing the results.

Not my field of expertise, at all, but could you mirror the page being
watched with another page, trap all reads and writes to the watched page,
and then perform the requested operations on your own page?

--
Chris.

Vitus Jensen... (Guest)
Posted: Wed Nov 18, 2009 9:34 am

Hi Henrik,

On Thu, 5 Nov 2009, Henrik Faber wrote:

Quote:
> I'd like to do the following: Trap all read/write access to a page in memory
> (e.g., for logging purposes), but do not deny them. When I use mprotect() on
> a certain location, I can intercept the read/write, but (as the page is
> obviously protected) the read/write is not actually performed. I'd like my
> handler to be called right prior to any read and any write, but without
> changing the results.
>
> I find it hard to explain (English is not my native language), so maybe the
> solution I have thought of (but find incredibly ugly) helps:
>
> 1. Install sighandler for SIGSEGV
> 2. mprotect() the region in question
> 3. Upon SIGSEGV, log, reverse mprotect, set flag that memory is unprotected

What about

4. analyse the interrupted instruction and do the memory access yourself
   from inside the SIGSEGV handler
5. install mprotect again
6. continue

The hard part is the disassembling. But your design has the same problem.

Vitus

--
Vitus Jensen, Hannover, Germany, Earth, Universe (current)
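
Added example, not written by any poster in this thread: a variant of the scheme in the first post that swaps the int3 code patching for the x86 trap flag, so the faulting instruction is single-stepped and the page re-protected on the resulting SIGTRAP, with no disassembly. It assumes x86-64 Linux with glibc; `watch_init`, `on_signal`, the counters and the register indices 17 and 19 (glibc's REG_EFL and REG_ERR) are choices made for this sketch.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>
enum { GREG_EFL = 17, GREG_ERR = 19 };   /* assumed: glibc REG_EFL/REG_ERR, x86-64 */
#define EFLAGS_TF 0x100  /* CPU traps after executing one more instruction */
#define PF_WRITE  0x2    /* page-fault error code bit: access was a write */
unsigned char *watched;                  /* monitored page, PROT_NONE while armed */
static long page_size;
volatile sig_atomic_t n_reads, n_writes; /* the "log": async-signal-safe counters */
volatile uintptr_t last_addr;            /* address of the most recent access */

static void on_signal(int sig, siginfo_t *si, void *ctx)
{
    greg_t *regs = ((ucontext_t *)ctx)->uc_mcontext.gregs;
    if (sig == SIGSEGV) {
        uintptr_t a = (uintptr_t)si->si_addr;
        if (a < (uintptr_t)watched || a >= (uintptr_t)watched + page_size) _exit(139);
        last_addr = a;                   /* anything else is a genuine crash */
        if (regs[GREG_ERR] & PF_WRITE) n_writes++; else n_reads++;
        mprotect(watched, page_size, PROT_READ | PROT_WRITE);
        regs[GREG_EFL] |= EFLAGS_TF;     /* rerun the access, then get SIGTRAP */
    } else {                             /* SIGTRAP: the access has completed */
        mprotect(watched, page_size, PROT_NONE);
        regs[GREG_EFL] &= ~EFLAGS_TF;    /* re-armed; resume at full speed */
    }
}

int watch_init(void)
{
    struct sigaction sa = { .sa_sigaction = on_signal, .sa_flags = SA_SIGINFO };
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) || sigaction(SIGTRAP, &sa, NULL)) return -1;
    page_size = sysconf(_SC_PAGESIZE);
    watched = mmap(NULL, page_size, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return watched == MAP_FAILED ? -1 : 0;
}

int main(void)
{
    if (watch_init()) return 1;
    volatile unsigned char *p = watched;
    p[0] = 42;                           /* trapped write, still performed */
    int v = p[0];                        /* trapped read, still returns 42 */
    printf("value=%d reads=%d writes=%d\n", v, (int)n_reads, (int)n_writes);
    return 0;
}
```

Between the SIGSEGV and the SIGTRAP the page is open, so accesses from other threads in that window go unlogged. A buffer on the watched page that is passed to a system call produces EFAULT rather than a signal.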

All times are GMT - 5 Hours