Remote syscall execution
This page describes how the
exec command in crtools works.
exec command executes arbitrary system call from another task's context. It does so by exploiting the parasite code execution feature, which is also used to dump various process' information.
The command syntax is
crtools exec -t <pid> <syscall-name> <syscall-arguments>
syscall-name is just a name of a system call. Since typically each syscall is wrapped with the respective glibc function, you can find out information about the interesting system call in the respective man page.
The rest of the command line is treated as
syscall-arguments. Each command line argument in this list is converted into the system call argument by the following rules:
- If an argument starts with '&', the rest of it is copied to the target task's address space (it's allocated by remotely calling the
mmapsyscall) and the pointer to this area is passed as the system call argument
- Otherwise, the argument is converted into an
unsigned longnumber with
strtoland passed to system call directly
- Not specified arguments (if required by system call) are set to 0
In order to execute a system call for remote task, you don't have to be root -- you should only have rights to do debugging (strace) on it.
If you want to make task perform some action, that consists of several syscalls, you should first stop it with
You can close the 1st fd from a task and re-open it into some other file like this
# crtools exec -t <pid> close 1 # crtools exec -t <pid> open '&<path-to-file>' 2
In the 2nd string 2 means the
O_RDWR opening mode.
Adding madvise-s to a mapping
You can tune the task's address space with
madvise bits like this
# crtools exec -t <pid> madvise <start> <lenght> <madvise-bits-value>