I have been playing a while with ptrace. I followed some tutorials like this one or this one. So far, when I have a ptrace-d child process, I am able to:
- Detect system calls and browse the registers.
- Fetch the strings contained in addresses pointed by the registers, thanks to the
PTRACE_PEEKDATAoption ofptrace. - Change the values of those registers and change memory values in the user space of the child process thanks to the
PTRACE_POKEDATAoption ofptrace.
My problem is the following: let’s say that for example I have just detected an open system call. I can modify the filename of the file to be opened thanks to the address stored in the ebx register. However, I wonder if I can just change the filename to anything I want, any size. If the name I am changing to is really large (let’s say 50 times the original filename length), wouldn’t I be messing with some memory I should not be writing on? Should I ‘allocate’ some memory in the child’s memory space? If so, how would this be done?
Note that the child process is some program executed with execve, I cannot access its source code.
The pathname passed to open could be dynamically allocated by the program (so its on the heap or stack somewhere), or it could be in the read-only section if it was a compile-time constant. In either case, you don’t know what other parts of the program might be using it, so its probably not a good idea to change its contents. You would definitely overwrite adjacent memory if you wrote past the current length (which would probably lead to subtle problems like corrupting heap meta-data or corrupting other random allocation objects).
Here are some random ideas (totally untested) on how to allocate memory in a child process: