Remote syscall execution
This page describes how the exec
command in crtools works.
Description
The exec
command executes arbitrary system call from another task's context. It does so by exploiting the parasite code execution feature, which is also used to dump various process' information.
Syntax
The command syntax is
crtools exec -t <pid> <syscall-name> <syscall-arguments>
The syscall-name
is just a name of a system call. Since typically each syscall is wrapped with the respective glibc function, you can find out information about the interesting system call in the respective man page.
The rest of the command line is treated as syscall-arguments
. Each command line argument in this list is converted into the system call argument by the following rules:
- If an argument starts with '&', the rest of it is copied to the target task's address space (it's allocated by remotely calling the
mmap
syscall) and the pointer to this area is passed as the system call argument
- Otherwise, the argument is converted into an
unsigned long
number withstrtol
and passed to system call directly
- Not specified arguments (if required by system call) are set to 0
In order to execute a system call for remote task, you don't have to be root -- you should only have rights to do debugging (strace) on it.
If you want to make task perform some action, that consists of several syscalls, you should first stop it with SIG_STOP
.
Examples
Re-opening stdout
You can close the 1st fd from a task and re-open it into some other file like this
# crtools exec -t <pid> close 1 # crtools exec -t <pid> open '&<path-to-file>' 2
In the 2nd string 2 means the O_RDWR
opening mode.
Adding madvise-s to a mapping
You can tune the task's address space with madvise
bits like this
# crtools exec -t <pid> madvise <start> <lenght> <madvise-bits-value>