def readSyscall(self, regs):
    """Record the tracee's current syscall number and name.

    Reads the number from the architecture-specific register of ``regs``
    into ``self.syscall``, then resolves ``self.name`` through
    ``SYSCALL_NAMES``; an unknown number falls back to ``syscall<N>``.
    """
    # Choose the register that carries the syscall number on this platform.
    # On Linux the kernel's saved copy (orig_rax / orig_eax) is read rather
    # than rax / eax — presumably because the latter is overwritten by the
    # return value at syscall-exit stops; confirm against the ptrace docs.
    if CPU_PPC:
        register = "gpr0"
    elif RUNNING_LINUX:
        if CPU_X86_64:
            register = "orig_rax"
        else:
            register = "orig_eax"
    else:
        # Non-Linux hosts: only the 32-bit register is consulted here.
        register = "eax"
    number = getattr(regs, register)
    self.syscall = number
    # Numbers outside the table come straight from the tracee; keep them
    # visible in the name instead of failing.
    self.name = SYSCALL_NAMES.get(number, "syscall<%s>" % number)
def readSyscall(self, regs):
    """Fill in ``self.syscall`` and ``self.name`` from a register set.

    The syscall number is taken from ``gpr0`` on PowerPC, from
    ``orig_rax`` / ``orig_eax`` on Linux (64-bit / 32-bit x86) and from
    ``eax`` otherwise.  ``self.name`` is the ``SYSCALL_NAMES`` entry for
    that number, or ``syscall<N>`` when the table has no entry.
    """
    # Ordered (condition, register) pairs; the first true condition wins,
    # mirroring the platform priority PowerPC > Linux x86-64 > Linux x86 >
    # other.  All conditions are module-level constants, so evaluating
    # every pair up front has no side effects.
    candidates = (
        (CPU_POWERPC, "gpr0"),
        (RUNNING_LINUX and CPU_X86_64, "orig_rax"),
        (RUNNING_LINUX, "orig_eax"),
        (True, "eax"),
    )
    register = next(reg for cond, reg in candidates if cond)
    self.syscall = getattr(regs, register)
    # Unknown numbers (anything the tracee put in the register that the
    # table does not know) are labelled rather than rejected.
    fallback = "syscall<%s>" % self.syscall
    self.name = SYSCALL_NAMES.get(self.syscall, fallback)
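def trace(pid):
    """Attach to *pid* and follow its syscalls until it spawns a child.

    Args:
        pid: process id of the tracee to attach to.

    Returns:
        0 once a clone/fork/vfork/execve stop reports a plausible child pid
        (which is printed), or -1 if the attach stop or a later syscall stop
        is not delivered.  The tracee is detached before either return, so
        it is not left sitting in a ptrace-stop with no tracer loop.
    """
    ptrace_attach(pid)
    # NOTE(review): the attach failure path relies on wait_status()
    # returning -1 (e.g. when ptrace is not permitted for this pid) —
    # confirm that contract; ptrace_attach itself may also raise.
    if wait_status() == -1:
        return -1
    print("-- start traceing %d ..." % pid)
    # Syscalls whose result is examined for a new process id.
    child_syscalls = ("clone", "fork", "vfork", "execve")
    while True:
        ptrace_syscall(pid)
        if wait_status() == -1:
            ptrace_detach(pid)
            return -1
        regs = ptrace_getregs(pid)
        # x86-64 only: orig_rax holds the syscall number, rax its result.
        res = SYSCALL_NAMES.get(regs.orig_rax)
        if res in child_syscalls:
            limit = resource.getrlimit(resource.RLIMIT_NPROC)
            # A positive result below the NPROC hard limit is taken as the
            # child's pid.  Presumably this also skips syscall-entry stops
            # (negative rax) and execve, which returns 0 on success — the
            # execve case therefore never matches here; TODO confirm intent.
            if 0 < regs.rax < limit[1]:
                print("create new child: %s" % regs.rax)
                ptrace_detach(pid)
                return 0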
def readSyscall(self, regs):
    """Capture the syscall number and its symbolic name from ``regs``.

    ``SYSCALL_REGISTER`` names the register that carries the number on the
    current platform; ``self.syscall`` receives that value and
    ``self.name`` the matching ``SYSCALL_NAMES`` entry, or ``syscall<N>``
    when the number is not in the table.
    """
    number = getattr(regs, SYSCALL_REGISTER)
    # The number is whatever the tracee left in the register, so an
    # unmapped value is labelled rather than treated as an error.
    label = SYSCALL_NAMES.get(number, "syscall<%s>" % number)
    self.syscall = number
    self.name = label
def readSyscall(self, regs):
    """Set ``self.syscall`` / ``self.name`` from the tracee's registers.

    The syscall number is read from the register named by
    ``SYSCALL_REGISTER``.  Its name is looked up in ``SYSCALL_NAMES``; a
    number without an entry is rendered as ``syscall<N>`` so that it stays
    visible to the caller.
    """
    self.syscall = getattr(regs, SYSCALL_REGISTER)
    fallback_name = "syscall<%s>" % self.syscall
    # Unknown numbers originate from the tracee and are not validated here.
    self.name = SYSCALL_NAMES.get(self.syscall, fallback_name)