I am on x86_64 and I want retrieve the path for an open call using the associated register - this gives a SIGSEGV on the print
syscall.PtraceGetRegs(pid, ®s)
ptr := uintptr(regs.Rdi)
path := (*[]byte)(unsafe.Pointer(ptr))
//path := C.GoString((*C.char)(unsafe.Pointer(ptr)))
fmt.Printf("<path> %v
", *path)
http://man7.org/linux/man-pages/man2/syscall.2.html lists RDI as the register, I have tried others but all seg fault.
The value of the registers are:
syscall.PtraceRegs{R15:0x0, R14:0x0, R13:0x1, R12:0x7fe899dbe0a8,
Rbp:0xffffffffffffffff, Rbx:0x55fb7ac6ca21, R11:0x287, R10:0x0,
R9:0x0, R8:0x0, Rax:0x3, Rcx:0x7fe899bb1cdd, Rdx:0x80000,
Rsi:0x7fe899bb6428, Rdi:0xffffff9c, Orig_rax:0x101,
Rip:0x7fe899bb1cdd, Cs:0x33, Eflags:0x287, Rsp:0x7ffc421ad9d8,
Ss:0x2b, Fs_base:0x0, Gs_base:0x0, Ds:0x0, Es:0x0, Fs:0x0, Gs:0x0}
Based on some code I found
https://github.com/orivej/fptrace/search?q=readString&unscoped_q=readString
I then tried this - but nothing comes back and the for loops forever
fmt.Printf("<data> %s
", readString(pid,regs.Rdi))
func readString(pid int, addr uint64) string {
var chunk [64]byte
var buf []byte
for {
n, err := syscall.PtracePeekData(pid, uintptr(addr), chunk[:])
if err != syscall.EIO {
fmt.Print(err)
}
end := bytes.IndexByte(chunk[:n], 0)
if end != -1 {
buf = append(buf, chunk[:end]...)
return string(buf)
}
buf = append(buf, chunk[:n]...)
addr += uint64(n)
}
}
I will clone https://github.com/orivej/fptrace and see if that works and figure out from there what I need to do.