hmgle / graftcp

A flexible tool for redirecting a given program's TCP traffic to SOCKS5 or HTTP proxy.
GNU General Public License v3.0

the fourth argument register should be %rcx #9

Closed HUANGChaoLi closed 5 years ago

HUANGChaoLi commented 5 years ago
```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>

/* Return the order-th (0-based) argument of the syscall the stopped tracee
 * `pid` is in, read from the saved registers in its struct user area. */
long get_syscall_arg(pid_t pid, int order)
{
    int offset;
    long val;

    /* map the argument index to the offset of the saved register */
    switch (order) {
    case 0:
        offset = offsetof(struct user, regs.rdi);
        break;
    case 1:
        offset = offsetof(struct user, regs.rsi);
        break;
    case 2:
        offset = offsetof(struct user, regs.rdx);
        break;
    case 3:
        offset = offsetof(struct user, regs.r10);
        break;
    case 4:
        offset = offsetof(struct user, regs.r8);
        break;
    case 5:
        offset = offsetof(struct user, regs.r9);
        break;
    default:
        return -1;
    }
    errno = 0;
    val = ptrace(PTRACE_PEEKUSER, pid, offset);
    assert(errno == 0); /* PEEKUSER returns -1 on error; errno tells that apart from a -1 value */
    return val;
}
```
```c
case 3:
    offset = offsetof(struct user, regs.r10);
```


hmgle commented 5 years ago

The syscall uses r10 instead of rcx for the fourth argument, so it is not a bug, but it is worth investigating. This answer (Why is RCX not used for passing parameters to system calls) explains the reasons for the replacement. Thank you for the feedback.
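To see the register mapping the maintainer describes in action, here is an added tracer (example code, not graftcp's own) that stops a child at its syscall stops with PTRACE_SYSCALL and reads the fourth argument from r10 via PTRACE_PEEKUSER. It assumes x86-64 Linux with ptrace permitted; the pread64 call and the 0x4242 sentinel are constructed for the demo.

```c
#define _GNU_SOURCE
#include <assert.h>
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
/* Read one saved register of a stopped tracee; errno disambiguates a -1 value. */
static long peek_reg(pid_t pid, size_t offset)
{
    errno = 0;
    long v = ptrace(PTRACE_PEEKUSER, pid, (void *)offset, NULL);
    assert(errno == 0);
    return v;
}
/* Kernel syscall ABI on x86-64: rdi, rsi, rdx, r10, r8, r9 (syscall clobbers rcx). */
static long syscall_arg(pid_t pid, int n)
{
    static const size_t off[6] = {
        offsetof(struct user, regs.rdi), offsetof(struct user, regs.rsi),
        offsetof(struct user, regs.rdx), offsetof(struct user, regs.r10),
        offsetof(struct user, regs.r8),  offsetof(struct user, regs.r9) };
    return (n < 0 || n > 5) ? -1 : peek_reg(pid, off[n]);
}

/* Trace a child calling pread64(-1, NULL, 0, 0x4242) and return the 4th argument seen
 * at its syscall stop. 0x4242 is a constructed sentinel; -1 if the child cannot be traced. */
long trace_fourth_arg(void)
{
    int status; long arg4 = -1;
    pid_t pid = fork();
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(127);
        raise(SIGSTOP);                          /* hand control to the tracer */
        syscall(SYS_pread64, -1, NULL, 0, 0x4242L); /* fails with EBADF, args still visible */
        _exit(0);
    }
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFSTOPPED(status))
        return -1;
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    while (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == 0 &&
           waitpid(pid, &status, 0) == pid && WIFSTOPPED(status))
        if (WSTOPSIG(status) == (SIGTRAP | 0x80) &&  /* syscall-entry/exit stop */
            peek_reg(pid, offsetof(struct user, regs.orig_rax)) == SYS_pread64)
            arg4 = syscall_arg(pid, 3);
    return arg4;
}
```

Reading `regs.rcx` at the same stop instead would give the user-space return address that the `syscall` instruction stored there, not the argument.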