lorenz.stechauner/BSc-Thesis
1
0
Fork 0
Code Activity

thesis: Almost complete first section

Browse Source
This commit is contained in:
Lorenz Stechauner
2025-07-08 20:12:43 +02:00
parent d1d9f601c9
commit ac96d571cd
6 changed files with 152 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
thesis/.gitignore vendored
View File

@@ -3,6 +3,7 @@
/example.*
/*.pdf
/*.txt
/_minted/
*.acn
*.aux
*.glo

4
thesis/listings/ltrace.txt Normal file
View File

@@ -0,0 +1,4 @@
malloc(10) = 0x55624164b2a0
printf("Hello World!\nString: %s\n", "Abc123") = 28
free(0x55624164b2a0) = <void>
+++ exited (status 0) +++

10
thesis/listings/main.c Normal file
View File

@@ -0,0 +1,10 @@
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int main(const int argc, char *const argv[]) {
char *str = malloc(10);
strcpy(str, "Abc123");
printf("Hello World!\nString: %s\n", str);
free(str);
}

37
thesis/listings/strace.txt Normal file
View File

@@ -0,0 +1,37 @@
execve("./main", ["./main"], 0x7ffd63b32bb0 /* 71 vars */) = 0
brk(NULL) = 0x55adbd615000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=277707, ...}) = 0
mmap(NULL, 277707, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f79bd90b000
close(3) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f79bd909000
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0px\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 840, 64) = 840
fstat(3, {st_mode=S_IFREG|0755, st_size=2006328, ...}) = 0
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 840, 64) = 840
mmap(NULL, 2030680, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f79bd719000
mmap(0x7f79bd73d000, 1507328, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x24000) = 0x7f79bd73d000
mmap(0x7f79bd8ad000, 319488, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x194000) = 0x7f79bd8ad000
mmap(0x7f79bd8fb000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e1000) = 0x7f79bd8fb000
mmap(0x7f79bd901000, 31832, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f79bd901000
close(3) = 0
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f79bd716000
arch_prctl(ARCH_SET_FS, 0x7f79bd716740) = 0
set_tid_address(0x7f79bd716a10) = 22451
set_robust_list(0x7f79bd716a20, 24) = 0
rseq(0x7f79bd716680, 0x20, 0, 0x53053053) = 0
mprotect(0x7f79bd8fb000, 16384, PROT_READ) = 0
mprotect(0x55ad87c2e000, 4096, PROT_READ) = 0
mprotect(0x7f79bd98c000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7f79bd90b000, 277707) = 0
getrandom("\xcf\x53\xd9\xf6\xf0\x89\x95\xbd", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x55adbd615000
brk(0x55adbd636000) = 0x55adbd636000
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(0x88, 0x2), ...}) = 0
write(1, "Hello World!\n", 13) = 13
write(1, "String: Abc123\n", 15) = 15
exit_group(0) = ?
+++ exited with 0 +++

103
thesis/src/02.intercept.tex
View File

@@ -7,10 +7,95 @@ Lorem Ipsum.
Lorem Ipsum.
\subsection{\texttt{ptrace} System Call}\label{subsec:ptrace}
The first thing that pops up when researching on how to intercept system calls in Linux is the \texttt{ptrace} (``process trace'') system call.
This system call allows one process to observe and control the execution of another process (including memory and registers).
The control is handed from the traced process to the tracing process each time any signal is delivered.
\cite{ptrace.2}
To make use of this system call, a corresponding command already exists.
See~\ref{subsec:strace}.
\subsection{\texttt{strace} Command}\label{subsec:strace}
The \texttt{strace} (``system call/signal trace'') command may be used to run a specified command and to thereby intercept and record the system calls which are made.
Each system call is recorded as a line and either written to the standard error output or a specified file.
\cite{strace.1}
Listings \ref{lst:main.c} and \ref{lst:strace} give a simple example of what this output looks like.
It is clearly visible that only (``pure'') system calls are recorded, and calls to library functions (like \texttt{malloc} or \texttt{free}) do not appear.
Also note that, arguments to the calls are displayed in a ``pretty'' way.
For example, strings arguments would be simple pointers, but \texttt{strace} displays them as C-like strings.
\begin{listing}[htbp]
\begin{minted}[linenos]{c}
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
int main(const int argc, char *const argv[]) {
char *str = malloc(10);
strcpy(str, "Abc123");
printf("Hello World!\nString: %s\n", str);
free(str);
}
\end{minted}
\caption{Contents of \texttt{main.c}.}
\label{lst:main.c}
\end{listing}
\begin{listing}[htbp]
\begin{minted}{text}
execve("./main", ["./main"], 0x7ffd63b32bb0 /* 71 vars */) = 0
[-- 32 lines omitted --]
write(1, "Hello World!\n", 13) = 13
write(1, "String: Abc123\n", 15) = 15
exit_group(0) = ?
+++ exited with 0 +++
\end{minted}
\caption{Output of \texttt{strace ./main}.}
\label{lst:strace}
\end{listing}
This approach works great for debugging and other use-cases,
but only intercepting system calls does not statisfy the requirements for this work.
\subsection{\texttt{ltrace} Command}\label{subsec:ltrace}
The \texttt{ltrace} (``library call trace'') command may be used to trace dynamic library calls instead of system calls.
It works similarly to \texttt{strace} (see \ref{subsec:strace}).
\cite{ltrace.1}
Listings \ref{lst:main.c} and \ref{lst:ltrace} illustrate what the output of \texttt{ltrace} looks like.
In contrast to the output of \texttt{strace} now only ``real'' calls to library functions are included in the output.
Therefore, a lot less ``noise'' is generated (see omitted lines in listing \ref{lst:strace}).
Again, the function arguments are displayed in a ``pretty'' way.
This command uses so-called prototype functions~\cite{ltrace.conf.5} to format function arguments.
\begin{listing}[htbp]
\begin{minted}{text}
malloc(10) = 0x55624164b2a0
printf("Hello World!\nString: %s\n", "Abc123") = 28
free(0x55624164b2a0) = <void>
+++ exited (status 0) +++
\end{minted}
\caption{Output of \texttt{ltrace ./main}.}
\label{lst:ltrace}
\end{listing}
This method fits the requirements for this work a lot better than \texttt{strace} (see~\ref{subsec:strace}),
but it is not very flexible and offers no means to modify the intercepted function calls.
\subsection{Wrapper Functions in gcc}\label{subsec:wrapper-functions}
Another method for overriding functions is to tell the compiler directly, which functions should be overridden.
A different approach to intercepting function calls is to tell the compiler directly, which functions should be intercepted.
The compiler, and the linker respectively, then directly link calls to the specified functions to wrapper functions.
(See \ref{subsec:preloading} for more details.)
The default linker \texttt{ld} includes such a feature.
See the OPTIONS section in the ld(1) Linux manual page~\cite{ld.1}:
@@ -47,7 +132,7 @@ See the OPTIONS section in the gcc(1) Linux manual page~\cite{gcc.1}:
This means, by specifying \texttt{-Wl,-{}-wrap=\textit{symbol}} when compiling using gcc,
all calls from the currently compiled program to \texttt{\textit{symbol}} are redirected to \texttt{\_\_wrap\_\textit{symbol}}.
To call the real function inside the wrapper, \texttt{\_\_real\_\textit{symbol}} may be used.
The listings \ref{lst:wrap.c} and \ref{lst:wrap} try to illustrate this by overriding the \texttt{malloc} function of the C standard library.
Listings \ref{lst:wrap.c} and \ref{lst:wrap} try to illustrate this by overriding the \texttt{malloc} function of the C standard library.
\begin{listing}[htbp]
\begin{minted}[linenos]{c}
@@ -111,7 +196,7 @@ See the ENVIRONMENT section in the ld.so(8) Linux manual page~\cite{ld.so.8}:
\end{quote}
This means, by setting the environment variable \texttt{LD\_PRELOAD}, it is possible to override specific functions.
The listings \ref{lst:preload.c} and \ref{lst:preload} try to illustrate this by overriding the \texttt{malloc} function of the C standard library.
Listings \ref{lst:preload.c} and \ref{lst:preload} try to illustrate this by overriding the \texttt{malloc} function of the C standard library.
\begin{listing}[htbp]
\begin{minted}[linenos]{c}
@@ -153,18 +238,6 @@ By using this method, it is possible to override, and therefore wrap, any functi
Although, one has to be aware that not only function calls inside the targeted binary, but also calls inside other libraries (e.g., to \texttt{malloc}) are redirected to the overriding function.
\subsection{Kernel Module}\label{subsec:kernel-module}
Lorem Ipsum.
\subsection{Emulation}\label{subsec:emulation}
Lorem Ipsum.
\subsection{Modifying the Kernel}\label{subsec:modifiying-kernel}
Lorem Ipsum.
\subsection{Conclusion}\label{subsec:conclusion}
Lorem Ipsum.

12
thesis/src/99.intercept.bib
View File

@@ -10,3 +10,15 @@
@manual{gcc.1,
title = {GCC(1) -- GNU -- Linux manual pages},
}
@manual{ptrace.2,
title = {ptrace(2) -- System Calls Manual -- Linux manual pages},
}
@manual{strace.1,
title = {STRACE(1) -- General Commands Manual -- Linux manual pages},
}
@manual{ltrace.1,
title = {LTRACE(1) -- User Commands -- Linux manual pages},
}
@manual{ltrace.conf.5,
title = {ltrace.conf(5) -- ltrace configuration file -- Linux manual pages},
}