
32 bit syscalls not showing up #31

Open hnorkowski opened 1 year ago

hnorkowski commented 1 year ago

Summary

I wrote a very short assembly program, assembled it with nasm, and linked it into a 64-bit binary; it just executes the getpid and exit syscalls (through the legacy `int 0x80` interface, see the code below). These two syscalls never show up in lurk's output, but strace shows them.

Details

Code

; Reproducer for lurk #31: a 64-bit ELF (nasm -f elf64, linked with clang) that
; issues its syscalls through the legacy 32-bit entry point `int 0x80` instead
; of the native `syscall` instruction.
; `int 0x80` is dispatched to the i386 syscall table (getpid = 20, exit = 1) and
; takes its arguments in ebx/ecx/edx/..., even when the calling process is a
; 64-bit one -- the strace run below reports exactly this ("runs in 32 bit
; mode"). A tracer that looks up the number in the x86_64 table instead will
; misdecode these calls: x86_64 number 20 is writev, which is what lurk prints
; for the getpid call (its return value 0x124E6 is the PID).
; NOTE(review): the same mismatch matters for seccomp filters and sandboxes on
; x86_64 -- a number-only allow/deny list that does not also check the syscall
; architecture (AUDIT_ARCH_I386 vs AUDIT_ARCH_X86_64) can be sidestepped via
; int 0x80. Whether int 0x80 is reachable from 64-bit code at all depends on
; the kernel being built with IA32 emulation; it evidently is on this system.
SECTION .text
    global main                ; entry point called by the C runtime

    main:
      xor eax, eax             ; eax = 0 (a 32-bit write zeroes all of rax)
      mov al, 20               ; i386 syscall number 20 = getpid (x86_64: 39)
      int 0x80                 ; 32-bit ABI entry; pid comes back in eax

      xor eax, eax             ; eax = 0
      xor ebx, ebx             ; ebx = exit status 0 (i386 ABI: 1st arg in ebx, not edi)
      mov al, 1                ; i386 syscall number 1 = exit (x86_64: 60)
      int 0x80                 ; never returns, so main's return value is irrelevant

Compilation

nasm -f elf64 syscall.asm
clang -o asm syscall.o

Execution

❯ lurk ./asm
[74982] execve("", "", "") = 0
[74982] brk(0x0) = 0x555555559000
[74982] arch_prctl(12289, 0x7FFFFFFFE450) = -22
[74982] access("/etc/ld.so.preload", 4) = -2
[74982] openat(4294967196, "/etc/ld.so.cache", 524288) = 3
[74982] newfstatat(3, "", 0x7FFFFFFFD680, 4096) = 0
[74982] mmap(0x0, 79203, 1, 2, 3, 0) = 0x7FFFF7FB0000
[74982] close(3) = 0
[74982] openat(4294967196, "/usr/lib/libc.so.6", 524288) = 3
[74982] read(3, "ELF\u0002\u0001\u0001\u0003", 832) = 832
[74982] pread64(3, "\u0006", 784, 64) = 784
[74982] newfstatat(3, "", 0x7FFFFFFFD680, 4096) = 0
[74982] mmap(0x0, 8192, 3, 34, 4294967295, 0) = 0x7FFFF7FAE000
[74982] pread64(3, "\u0006", 784, 64) = 784
[74982] mmap(0x0, 1973104, 1, 2050, 3, 0) = 0x7FFFF7DCC000
[74982] mmap(0x7FFFF7DF2000, 1417216, 5, 2066, 3, 155648) = 0x7FFFF7DF2000
[74982] mmap(0x7FFFF7F4C000, 344064, 1, 2066, 3, 1572864) = 0x7FFFF7F4C000
[74982] mmap(0x7FFFF7FA0000, 24576, 3, 2066, 3, 1912832) = 0x7FFFF7FA0000
[74982] mmap(0x7FFFF7FA6000, 31600, 3, 50, 4294967295, 0) = 0x7FFFF7FA6000
[74982] close(3) = 0
[74982] mmap(0x0, 8192, 3, 34, 4294967295, 0) = 0x7FFFF7DCA000
[74982] arch_prctl(4098, 0x7FFFF7FAF640) = 0
[74982] set_tid_address(0x7FFFF7FAF910) = 0x124E6
[74982] set_robust_list(0x7FFFF7FAF920, 24) = 0
[74982] rseq() = 0
[74982] mprotect(0x7FFFF7FA0000, 16384, 1) = 0
[74982] mprotect(0x555555557000, 4096, 1) = 0
[74982] mprotect(0x7FFFF7FFB000, 8192, 1) = 0
[74982] prlimit64(0, 3, 0x0, 0x7FFFFFFFE1C0) = 0
[74982] munmap(0x7FFFF7FB0000, 79203) = 0
[74982] writev(1, 0x7FFFFFFFE5A8, 140737488348600) = 0x124E6

strace

❯ strace ./asm
execve("./asm", ["./asm"], 0x7fff374545a0 /* 56 vars */) = 0
brk(NULL)                               = 0x55fcbfd58000
arch_prctl(0x3001 /* ARCH_??? */, 0x7ffe155b8950) = -1 EINVAL (Invalid argument)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=79203, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 79203, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f8134589000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220~\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1948832, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8134587000
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 1973104, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f81343a5000
mmap(0x7f81343cb000, 1417216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7f81343cb000
mmap(0x7f8134525000, 344064, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x180000) = 0x7f8134525000
mmap(0x7f8134579000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1d3000) = 0x7f8134579000
mmap(0x7f813457f000, 31600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f813457f000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f81343a3000
arch_prctl(ARCH_SET_FS, 0x7f8134588640) = 0
set_tid_address(0x7f8134588910)         = 75997
set_robust_list(0x7f8134588920, 24)     = 0
rseq(0x7f8134588f60, 0x20, 0, 0x53053053) = 0
mprotect(0x7f8134579000, 16384, PROT_READ) = 0
mprotect(0x55fcbf7a6000, 4096, PROT_READ) = 0
mprotect(0x7f81345ce000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7f8134589000, 79203)           = 0
[ Process PID=75997 runs in 32 bit mode. ]
strace: WARNING: Proper structure decoding for this personality is not supported, please consider building strace with mpers support enabled.
getpid()                                = 75997
exit(0)                                 = ?
+++ exited with 0 +++

Version details

lurk 0.3.4 strace 6.6 NASM 2.16.01 clang 16.0.6 linux 6.5.9-arch2-1

hnorkowski commented 1 year ago

The reason seems to be the 32-bit syscall interface (`int 0x80` with i386 syscall numbers). When the same program uses the 64-bit `syscall` instruction with x86_64 numbers, lurk tracks it correctly. Note that in the 32-bit case lurk does not simply skip the call: the last line of its trace is `writev(...) = 0x124E6`, i.e. it decoded i386 number 20 (getpid) against the x86_64 table, where 20 is writev, and 0x124E6 is the returned PID (74982). The exit call is not shown at all.

Code

; 64-bit control case for lurk #31: the same two syscalls, issued through the
; native x86_64 `syscall` instruction with x86_64 numbers and the x86_64
; argument registers (rdi, rsi, rdx, r10, r8, r9). lurk decodes these as
; getpid/exit at the end of its trace, matching strace.
SYS_getpid  equ 39             ; x86_64 numbers (the i386 table uses 20 / 1)
SYS_exit    equ 60

SECTION .text
    global main                ; entry point called by the C runtime

    main:
        mov eax, SYS_getpid  ; writing eax zero-extends into rax
        syscall              ; pid returned in rax (clobbers rcx, r11)

        xor edi, edi         ; rdi = exit status 0 (first syscall argument)
        mov eax, SYS_exit
        syscall              ; never returns

Lurk

❯ lurk ./asm
[102962] execve("", "", "") = 0
[102962] brk(0x0) = 0x555555559000
[102962] arch_prctl(12289, 0x7FFFFFFFE450) = -22
[102962] access("/etc/ld.so.preload", 4) = -2
[102962] openat(4294967196, "/etc/ld.so.cache", 524288) = 3
[102962] newfstatat(3, "", 0x7FFFFFFFD680, 4096) = 0
[102962] mmap(0x0, 79203, 1, 2, 3, 0) = 0x7FFFF7FB0000
[102962] close(3) = 0
[102962] openat(4294967196, "/usr/lib/libc.so.6", 524288) = 3
[102962] read(3, "ELF\u0002\u0001\u0001\u0003", 832) = 832
[102962] pread64(3, "\u0006", 784, 64) = 784
[102962] newfstatat(3, "", 0x7FFFFFFFD680, 4096) = 0
[102962] mmap(0x0, 8192, 3, 34, 4294967295, 0) = 0x7FFFF7FAE000
[102962] pread64(3, "\u0006", 784, 64) = 784
[102962] mmap(0x0, 1973104, 1, 2050, 3, 0) = 0x7FFFF7DCC000
[102962] mmap(0x7FFFF7DF2000, 1417216, 5, 2066, 3, 155648) = 0x7FFFF7DF2000
[102962] mmap(0x7FFFF7F4C000, 344064, 1, 2066, 3, 1572864) = 0x7FFFF7F4C000
[102962] mmap(0x7FFFF7FA0000, 24576, 3, 2066, 3, 1912832) = 0x7FFFF7FA0000
[102962] mmap(0x7FFFF7FA6000, 31600, 3, 50, 4294967295, 0) = 0x7FFFF7FA6000
[102962] close(3) = 0
[102962] mmap(0x0, 8192, 3, 34, 4294967295, 0) = 0x7FFFF7DCA000
[102962] arch_prctl(4098, 0x7FFFF7FAF640) = 0
[102962] set_tid_address(0x7FFFF7FAF910) = 0x19232
[102962] set_robust_list(0x7FFFF7FAF920, 24) = 0
[102962] rseq() = 0
[102962] mprotect(0x7FFFF7FA0000, 16384, 1) = 0
[102962] mprotect(0x555555557000, 4096, 1) = 0
[102962] mprotect(0x7FFFF7FFB000, 8192, 1) = 0
[102962] prlimit64(0, 3, 0x0, 0x7FFFFFFFE1C0) = 0
[102962] munmap(0x7FFFF7FB0000, 79203) = 0
[102962] getpid(0x1) = 0x19232
[102962] exit(0) = ?

strace

❯ strace ./asm
execve("./asm", ["./asm"], 0x7ffeb0a6bff0 /* 56 vars */) = 0
brk(NULL)                               = 0x55dfb9d12000
arch_prctl(0x3001 /* ARCH_??? */, 0x7fff320ab190) = -1 EINVAL (Invalid argument)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=79203, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 79203, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f8a08e2e000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220~\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1948832, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8a08e2c000
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 1973104, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f8a08c4a000
mmap(0x7f8a08c70000, 1417216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7f8a08c70000
mmap(0x7f8a08dca000, 344064, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x180000) = 0x7f8a08dca000
mmap(0x7f8a08e1e000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1d3000) = 0x7f8a08e1e000
mmap(0x7f8a08e24000, 31600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f8a08e24000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8a08c48000
arch_prctl(ARCH_SET_FS, 0x7f8a08e2d640) = 0
set_tid_address(0x7f8a08e2d910)         = 105284
set_robust_list(0x7f8a08e2d920, 24)     = 0
rseq(0x7f8a08e2df60, 0x20, 0, 0x53053053) = 0
mprotect(0x7f8a08e1e000, 16384, PROT_READ) = 0
mprotect(0x55dfb7d1c000, 4096, PROT_READ) = 0
mprotect(0x7f8a08e73000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7f8a08e2e000, 79203)           = 0
getpid()                                = 105284
exit(0)                                 = ?
+++ exited with 0 +++