#include <cstddef>
#include <cstdlib>
#include <algorithm>
#include <iostream>
#include <memory>
#include <sstream>
#include <string>
#include "pin.H"
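// Resolve a file descriptor to the real path of the file behind it.
//
// Follows the /proc/self/fd/<fd> symlink with realpath(3). "self" is this
// process, so the lookup only describes the traced program because a Pin tool
// is loaded into the application's own process (Pin-specific; not visible here).
//
// @param fd  file descriptor to resolve.
// @return the canonical path, or an empty string when realpath fails
//         (invalid/closed fd, /proc not mounted, unlinked file, ...). The
//         original code passed realpath's NULL result straight to the
//         std::string constructor, which is undefined behaviour.
std::string getPathFromFd(unsigned int fd){
    const std::string fdPath = "/proc/self/fd/" + std::to_string(fd);
    // realpath(3) with a null buffer malloc()s the result; own it so it is
    // released on every path out of the function instead of leaking.
    std::unique_ptr<char, decltype(&std::free)> resolved(
        realpath(fdPath.c_str(), nullptr), &std::free);
    if (!resolved) {
        return std::string();
    }
    return std::string(resolved.get());
}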
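// Print the target file (fd resolved to a path) and the data of a write(2).
//
// @param fd      file descriptor the application is writing to.
// @param buffer  the bytes being written, exactly as captured from the
//                application; they are echoed unescaped, so non-printable
//                bytes (or terminal control sequences) reach stdout as-is.
void printWriteSyscallArgs(unsigned int fd, const std::string& buffer){
    const std::string filePath = getPathFromFd(fd);
    // One flush at the end (instead of three std::endl) keeps the tool's
    // message ordered before the application's own write while cutting the
    // flush count per traced syscall.
    std::cout << "Found write syscall" << '\n'
              << "Target file: "<< filePath << '\n'
              << "Writting buffer: "<< buffer << std::endl;
}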
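// Pin syscall-entry callback: dumps the arguments of every write(2).
//
// Registered through PIN_AddSyscallEntryFunction in main(); Pin invokes it
// before each syscall of the instrumented program is executed.
//
// @param threadIndex  Pin thread id of the calling thread (unused).
// @param ctxt         register context at syscall entry.
// @param std          syscall calling standard. The name shadows namespace
//                     std, but `std::` qualifiers still resolve to the
//                     namespace because variables are ignored in that lookup.
// @param v            user value passed at registration (unused).
void syscallEntry(THREADID threadIndex, CONTEXT *ctxt, SYSCALL_STANDARD std, void *v){
    // write(2) is syscall number 1 on x86-64 Linux only (IA-32 uses 4); the
    // /proc-based fd lookup elsewhere in this tool already assumes Linux.
    constexpr ADDRINT kSysWriteX86_64 = 1;
    // Upper bound on how much of the user buffer is copied and printed, so a
    // very large write does not make the tool allocate the same amount.
    constexpr std::size_t kMaxDumpBytes = 64 * 1024;

    if (PIN_GetSyscallNumber(ctxt, std) != kSysWriteX86_64) {
        return;
    }

    // write(fd, buf, count)
    const ADDRINT fd = PIN_GetSyscallArgument(ctxt, std, 0);
    const ADDRINT buf = PIN_GetSyscallArgument(ctxt, std, 1);
    const ADDRINT count = PIN_GetSyscallArgument(ctxt, std, 2);

    // The buffer is `count` bytes of arbitrary data, not a NUL-terminated C
    // string: the original std::string((char*)arg1) over-read past the buffer
    // when it held no NUL and truncated at an embedded one. Copy the declared
    // length with PIN_SafeCopy so an invalid application pointer (which the
    // kernel would reject with EFAULT) cannot fault inside the tool.
    const std::size_t toCopy =
        std::min<std::size_t>(static_cast<std::size_t>(count), kMaxDumpBytes);
    std::string buffer(toCopy, '\0');
    const std::size_t copied =
        PIN_SafeCopy(&buffer[0], reinterpret_cast<const void*>(buf), toCopy);
    // Keep only what was actually readable.
    buffer.resize(copied);

    printWriteSyscallArgs(static_cast<unsigned int>(fd), buffer);
}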
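// Tool entry point: initialise Pin, register the syscall hook, start the app.
//
// @return 1 when PIN_Init rejects the command line; otherwise control passes
//         to PIN_StartProgram, which runs the instrumented program and does
//         not return normally, so the trailing return 0 is not reached.
int main(int argc, char *argv[]){
    if (PIN_Init(argc, argv)){
        // Say why we are exiting instead of silently returning a status code.
        std::cerr << "hookSyscall: PIN_Init failed (bad command line?)" << std::endl;
        return 1;
    }
    // Run syscallEntry before every syscall; no per-callback user value.
    PIN_AddSyscallEntryFunction(syscallEntry, nullptr);
    PIN_StartProgram();
    return 0;
}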