Filter by ret value #50

chouex · 2024-04-05T16:17:48Z

chouex
Apr 5, 2024

-f/--filter 已可對輸入作過濾, 有沒有辦法對ret過濾

[23229|24374|] faccessat(dirfd=-100, pathname=0xb4000071c729b7c0(/system/lib64/libxposed_art.so), mode=0x0(F_OK), flags=0x0) LR:0x7132f7d004 PC:0x71330bb034 SP:0x712bc9cb00
[23229|24374|] faccessat(dirfd=-100, pathname=0xb4000071c729b7c0, mode=0x0(F_OK), flags=0x0, ret=-2)
[23229|24374|] faccessat(dirfd=-100, pathname=0xb4000071c729d5c0(/system/xposed.prop), mode=0x0(F_OK), flags=0x0) LR:0x7132f7d004 PC:0x71330bb034 SP:0x712bc9cbb0
[23229|24374|] faccessat(dirfd=-100, pathname=0xb4000071c729d5c0, mode=0x0(F_OK), flags=0x0, ret=-2)
[23229|24374|] faccessat(dirfd=-100, pathname=0xb4000071d753b650(/system/framework/XposedBridge.jar), mode=0x0(F_OK), flags=0x0) LR:0x7132f7d004 PC:0x71330bb034 SP:0x712bc9cbb0
[23229|24374|] faccessat(dirfd=-100, pathname=0xb4000071d753b650, mode=0x0(F_OK), flags=0x0, ret=-2)

試著ret作為最後一個參數 -w faccessat[int,str,int,int,int,int.f0]ss -f b:-2, 參數卻越來越多.

[28031|28525|] faccessat(arg_0=-100, arg_1=0xb4000071c72b1d80(/system/lib/libxposed_art.so), arg_2=0, arg_3=0, arg_4=16) LR:0x7132f82004 PC:0x71330c0034 SP:0x712bca1b40
[28031|28525|] faccessat(arg_0=-100, arg_1=0xb4000071c72b1d80(/system/lib/libxposed_art.so), arg_2=0, arg_3=0, arg_4=16, ret=-2)
[28031|28525|] faccessat(arg_0=-100, arg_1=0xb4000071c72b0d60(/system/lib64/libxposed_art.so), arg_2=0, arg_3=0, arg_4=16) LR:0x7132f82004 PC:0x71330c0034 SP:0x712bca1b40
[28031|28525|] faccessat(arg_0=-100, arg_1=0xb4000071c72b0d60(/system/lib64/libxposed_art.so), arg_2=0, arg_3=0, arg_4=16, ret=-2)

Answered by SeeFlowerX

Apr 8, 2024

就现有代码来说，不支持对ret做过滤，只能对入参做过滤

最简单的方法是直接修改代码实现

stackplz/src/syscall.c

Line 244 in da9841b

u64 ret = READ_KERN(regs->regs[0]);

比如这里的代码修改成下面这样就可以实现只记录返回值为-2的结果，不过sys_enter和sys_exit的数据是分开发送的，所以这样依然会包含全部的sys_enter数据

    // 读取返回值
    u64 ret = READ_KERN(regs->regs[0]);
    if (ret != 0xfffffffffffffffe) {
        return 0;
    }
    save_to_submit_buf(p.event, (void *) &ret, sizeof(ret), op_ctx->save_index);

View full answer

SeeFlowerX · 2024-04-08T02:16:32Z

SeeFlowerX
Apr 8, 2024
Maintainer

就现有代码来说，不支持对ret做过滤，只能对入参做过滤

最简单的方法是直接修改代码实现

stackplz/src/syscall.c

Line 244 in da9841b

u64 ret = READ_KERN(regs->regs[0]);

比如这里的代码修改成下面这样就可以实现只记录返回值为-2的结果，不过sys_enter和sys_exit的数据是分开发送的，所以这样依然会包含全部的sys_enter数据

    // 读取返回值
    u64 ret = READ_KERN(regs->regs[0]);
    if (ret != 0xfffffffffffffffe) {
        return 0;
    }
    save_to_submit_buf(p.event, (void *) &ret, sizeof(ret), op_ctx->save_index);

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Filter by ret value #50

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Filter by ret value #50

chouex Apr 5, 2024

Replies: 1 comment

SeeFlowerX Apr 8, 2024 Maintainer

chouex
Apr 5, 2024

SeeFlowerX
Apr 8, 2024
Maintainer