Remote syscall execution

Revision as of 15:39, 18 December 2012 by Xemul (talk | contribs) (Created page describing 'exec' command.)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

This page describes how the exec command in crtools works.


The exec command executes arbitrary system call from another task's context. It does so by exploiting the parasite code execution feature, which is also used to dump various process' information.


The command syntax is

crtools exec -t <pid> <syscall-name> <syscall-arguments>

The syscall-name is just a name of a system call. Since typically each syscall is wrapped with the respective glibc function, you can find out information about the interesting system call in the respective man page.

The rest of the command line is treated as syscall-arguments. Each command line argument in this list is converted into the system call argument by the following rules:

  • If an argument starts with '&', the rest of it is copied to the target task's address space (it's allocated by remotely calling the mmap syscall) and the pointer to this area is passed as the system call argument
  • Otherwise, the argument is converted into an unsigned long number with strtol and passed to system call directly
  • Not specified arguments (if required by system call) are set to 0

In order to execute a system call for remote task, you don't have to be root -- you should only have rights to do debugging (strace) on it. If you want to make task perform some action, that consists of several syscalls, you should first stop it with SIG_STOP.


Re-opening stdout

You can close the 1st fd from a task and re-open it into some other file like this

# crtools exec -t <pid> close 1
# crtools exec -t <pid> open '&<path-to-file>' 2

In the 2nd string 2 means the O_RDWR opening mode.

Adding madvise-s to a mapping

You can tune the task's address space with madvise bits like this

# crtools exec -t <pid> madvise <start> <lenght> <madvise-bits-value>