From: Anatoly Vorobey (mellon_at_nonexisting.hamakor.org.il)
Date: Tue 31 Aug 2004 - 20:15:56 IDT
On Tue, Aug 31, 2004 at 06:42:35PM +0300, Muli Ben-Yehuda wrote:
> > Can you surreptitiously modify LD_PRELOAD for the user who'll be running
> > ps/top (by modifying their startup files or whatever)? If you can, write
> > a tiny library that redirects open() to itself and, in
> > case a process is trying to open /proc/<your pid>/stat, writes out a
> > similar file in a different private location, opens that instead, and
> > returns the descriptor to the process. If your library is tiny enough
> > and the argument check is the first thing its modified open() does, no
> > one will notice the performance penalty.
>
> That could work, but probably not with replacing the file, but rather
> with hijacking every open/read/close call, keeping hold of which are
> referring to interesting files, and substituting my own
> information. I did this once with ptrace, it's not pleasant, but it
> works.
[nitpicking follows]
I'm not suggesting replacing the file (impossible in /proc w/o changing
the kernel or the mounting), I'm suggesting replacing the *descriptor*.
That way, you can get away with hijacking only the open() call. After
you return a descriptor to a different file, one of your own, the
original process won't be able to tell the difference,
and will just happily read it all and then close it - you won't have to
monitor those calls. That makes the whole process much simpler and
easier to code.
This is how esddsp operates, for instance. It's a program that redirects
another program's OSS sound output to the esd daemon (used e.g. by
GNOME), so it could be
mixed with other streams, outputted to ALSA, etc. The nice touch about
it is that it only needs to intercept open() calls on /dev/dsp, and
ioctl() calls on the resulting descriptor, because what it substitutes
as the return value of the hijacked open() call is the actual socket it
has established with the esd daemon, set up for receiving raw sound
data. So the original program write()s vast amounts of data to that
descriptor, thinking it all goes to /dev/dsp, while it all travels
through the socket to the daemon, and those calls need not be hijacked
at all, which makes the whole thing go much smoother.
-- 
avva
"There's nothing simply good, nor ill alone" -- John Donne
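The descriptor-substitution trick above relies on the reading program never comparing what it asked for with what it got. Added here as an example (not code from the thread or from esddsp), the check below shows how a program can tell: a descriptor handed back by a hijacked open() points at a different inode than the path names, so stat(path) and fstat(fd) disagree. It assumes only open() is interposed and that stat()/fstat() still reach libc; the function names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if fd refers to the same (device, inode) that `path` names, 0 if not,
 * -1 on error. A descriptor to a private copy of /proc/<pid>/stat cannot
 * pass this unless stat()/fstat() are hijacked as well. */
int descriptor_matches_path(const char *path, int fd)
{
    struct stat by_path, by_fd;
    if (stat(path, &by_path) != 0 || fstat(fd, &by_fd) != 0)
        return -1;
    return (by_path.st_dev == by_fd.st_dev &&
            by_path.st_ino == by_fd.st_ino) ? 1 : 0;
}

/* open() wrapper that refuses a substituted descriptor (returns -1, errno EIO). */
int open_verified(const char *path, int flags)
{
    int fd = open(path, flags);
    if (fd < 0)
        return -1;
    if (descriptor_matches_path(path, fd) != 1) {
        close(fd);
        errno = EIO;
        return -1;
    }
    return fd;
}

/* Self-check on two constructed temp files: the genuine descriptor for `a`
 * passes, while a descriptor to `b` (standing in for the private copy that a
 * hijacked open() would return) is rejected. Returns 1 on success. */
int demo(void)
{
    char a[] = "/tmp/real.XXXXXX", b[] = "/tmp/fake.XXXXXX";
    int fa = mkstemp(a), fb = mkstemp(b);
    if (fa < 0 || fb < 0)
        return -1;
    int genuine = descriptor_matches_path(a, fa);      /* 1 */
    int substituted = descriptor_matches_path(a, fb);  /* 0 */
    close(fa); close(fb); unlink(a); unlink(b);
    return (genuine == 1 && substituted == 0) ? 1 : 0;
}

int main(void) { printf("demo: %d\n", demo()); return 0; }
```

The same mismatch can be checked from outside the process with lsof or /proc/<pid>/fd, which is where a hidden-process hunt would look.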
This archive was generated by hypermail 2.1.7 : Tue 31 Aug 2004 - 20:26:12 IDT