Want to get /var/log/messages redirected to a FIFO ...
Post 302272488 by redoubtable on Tuesday 30th of December 2008 06:39:09 PM
ptrace lets you have complete control over some program's syscalls. You can peek data, poke data (inject/modify) and even say when the process should continue executing that system call.

This solution is not the way to go (ptrace() can be very slow in some cases).

Anyway:
Code:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/user.h>
#include <sys/syscall.h>
#include <sys/reg.h>      /* ORIG_EAX, EBX, ... register indices for PTRACE_PEEKUSER */

/* The code targets i386. PEEKUSER wants a byte offset into struct user, i.e.
 * index * sizeof (long); the x86-64 names are added so it also builds there. */
#if defined(__i386__)
#  define REG_SYSCALL ORIG_EAX
#  define REG_ARG0    EBX   /* fd  */
#  define REG_ARG1    ECX   /* buf */
#  define REG_ARG2    EDX   /* len */
#  define REG_RET     EAX   /* return value, valid at syscall exit */
#elif defined(__x86_64__)
#  define REG_SYSCALL ORIG_RAX
#  define REG_ARG0    RDI
#  define REG_ARG1    RSI
#  define REG_ARG2    RDX
#  define REG_RET     RAX
#else
#  error "register layout only known for i386 / x86-64"
#endif

/* Copy len bytes of the tracee's memory at addr into str, one word per PEEKDATA. */
void
getdata (pid_t child, long addr, char * str, int len)
{
        char * laddr;
        int i, j;
        int long_size = sizeof (long);
        union
        {
                long val;
                char chars[sizeof (long)];   /* needs a constant size: no VLA in a union */
        } u;

        for (i = 0, j = len / long_size, laddr = str; i < j; i++, laddr += long_size)
        {
                u.val = ptrace (PTRACE_PEEKDATA, child, addr + i * long_size, NULL);
                memcpy (laddr, u.chars, long_size);
        }
        j = len % long_size;
        if (j != 0)
        {
                u.val = ptrace (PTRACE_PEEKDATA, child, addr + i * long_size, NULL);
                memcpy (laddr, u.chars, j);
        }
        str[len] = '\0';
}

long
getreg (pid_t child, int idx)
{
        return ptrace (PTRACE_PEEKUSER, child, (void *) (sizeof (long) * idx), NULL);
}

int
main (int argc, char * argv[])
{
        pid_t child = atoi (argv[1]);
        long orig_eax, nread;
        long params[3];
        int status;
        int sig = 0;
        char *str;
        int toggle = 0;   /* 0: next stop of read() is its entry, 1: its exit */

        if (ptrace (PTRACE_ATTACH, child, NULL, NULL) == -1)
        {
                perror ("PTRACE_ATTACH");
                exit (1);
        }
        /* Attaching sends SIGSTOP; registers can only be read once the tracee
         * has really stopped, which wait() tells us. */
        waitpid (child, &status, 0);
        /* Report syscall stops as SIGTRAP|0x80 so they are not confused with
         * real signals (syslogd gets SIGHUP, SIGCHLD, ...). */
        ptrace (PTRACE_SETOPTIONS, child, NULL, (void *) (long) PTRACE_O_TRACESYSGOOD);

        while (1)
        {
                /* Let the tracee run to its next syscall entry or exit. A real
                 * signal seen on the previous stop is re-delivered here. */
                if (ptrace (PTRACE_SYSCALL, child, NULL, (void *) (long) sig) == -1)
                        break;
                sig = 0;
                if (waitpid (child, &status, 0) == -1 || !WIFSTOPPED (status))
                        break;    /* tracee exited or was killed */
                if (WSTOPSIG (status) != (SIGTRAP | 0x80))
                {
                        sig = WSTOPSIG (status);   /* a signal, not a syscall: pass it on */
                        continue;
                }

                orig_eax = getreg (child, REG_SYSCALL);
                if (orig_eax == SYS_read)
                {
                        if (toggle == 0)
                        {
                                /* syscall entry: the buffer is not filled yet,
                                 * just remember where read() will put the data */
                                toggle = 1;
                                params[0] = getreg (child, REG_ARG0);
                                params[1] = getreg (child, REG_ARG1);
                                params[2] = getreg (child, REG_ARG2);
                        }
                        else
                        {
                                /* syscall exit: the return value is the number
                                 * of bytes the kernel really put in the buffer */
                                toggle = 0;
                                nread = getreg (child, REG_RET);
                                if (nread > 0)
                                {
                                        str = (char *) malloc (nread + 1);
                                        if (str == NULL)
                                                break;
                                        getdata (child, params[1], str, nread);
                                        /*
                                         * handle your string here
                                         */
                                        printf ("%s\n", str);
                                        free (str);
                                }
                        }
                }
        }
        exit (0);
}

Just go ahead and run ./this-program syslog_PID. If you do not supply a PID the program will segfault because there is no error checking, especially around atoi().

Note: this is only a PoC of my suggestion.
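Added example, not part of redoubtable's post: the three capabilities the post names (peek data, poke data, decide when the syscall proceeds) in a self-contained tracer that forks its own tracee instead of attaching to syslogd. It stops the child at the syscall-enter and syscall-exit stops of a write(2) to fd 1, optionally overwrites the front of the buffer with PTRACE_POKEDATA before the kernel consumes it, and then reads back with PTRACE_PEEKDATA what was really written. The register indices are an x86 assumption (i386 as in the post, plus x86-64); the tracee, its message and the pipe used to observe the real output are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/reg.h>
#include <sys/syscall.h>
#include <sys/wait.h>

/* PEEKUSER/POKEUSER addresses are index * sizeof(long) into struct user. Assumption: x86 only. */
#if defined(__x86_64__)
enum { REG_NR = ORIG_RAX, REG_A0 = RDI, REG_A1 = RSI, REG_RET = RAX };
#elif defined(__i386__)
enum { REG_NR = ORIG_EAX, REG_A0 = EBX, REG_A1 = ECX, REG_RET = EAX };
#endif

/* seen: bytes peeked out of the tracee at write() exit; written: what really reached its fd 1. */
struct trace_result { char seen[256]; size_t seen_len; char written[256]; size_t written_len; };
static long reg(pid_t pid, int idx) { return ptrace(PTRACE_PEEKUSER, pid, (void *)(sizeof(long) * idx), NULL); }

/* PEEKDATA hands back one word per call; -1 is a legal word, so errno decides success. */
static int peek_bytes(pid_t pid, unsigned long addr, void *dst, size_t len)
{
    for (size_t done = 0, n; done < len; done += n) {
        errno = 0;
        long w = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + done), NULL);
        if (w == -1 && errno) return -1;
        n = len - done < sizeof w ? len - done : sizeof w;
        memcpy((char *)dst + done, &w, n);
    }
    return 0;
}

/* POKEDATA writes whole words: a trailing partial word is read, patched and written back. */
static int poke_bytes(pid_t pid, unsigned long addr, const void *src, size_t len)
{
    for (size_t done = 0, n; done < len; done += n) {
        long w = 0;
        n = len - done < sizeof w ? len - done : sizeof w;
        if (n < sizeof w && peek_bytes(pid, addr + done, &w, sizeof w) < 0) return -1;
        memcpy(&w, (const char *)src + done, n);
        if (ptrace(PTRACE_POKEDATA, pid, (void *)(addr + done), (void *)w) == -1) return -1;
    }
    return 0;
}

/* Fork a tracee that write(2)s msg to fd 1 (a pipe back to us). At the syscall-enter stop of
 * that write, poke `replace` (if given) over the front of its buffer; at the syscall-exit
 * stop, peek back what the kernel consumed. Returns 0 on success, -1 on error. */
int trace_child_write(const char *msg, const char *replace, struct trace_result *r)
{
    int pfd[2], status, in_syscall = 0, pending = 0, sig = 0; unsigned long buf = 0; ssize_t n;
    memset(r, 0, sizeof *r);
    if ((replace && strlen(replace) > strlen(msg)) || pipe(pfd) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {                                            /* ---- tracee ---- */
        char local[256];                                       /* writable copy so a poke lands */
        size_t len = strlen(msg) < sizeof local ? strlen(msg) : sizeof local;
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(127);
        raise(SIGSTOP);                                        /* park until the tracer is ready */
        dup2(pfd[1], 1); close(pfd[0]); close(pfd[1]);
        memcpy(local, msg, len);
        _exit(write(1, local, len) < 0);
    }
    close(pfd[1]);                                             /* ---- tracer ---- */
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        /* The tracee only moves when we resume it; sig re-delivers a real signal we intercepted. */
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1) return -1;
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status)) break;
        sig = WSTOPSIG(status) == (SIGTRAP | 0x80) ? 0 : WSTOPSIG(status);
        if (sig) continue;                                     /* signal-delivery-stop, not a syscall */
        in_syscall = !in_syscall;                              /* syscall stops alternate enter/exit */
        if (in_syscall && reg(pid, REG_NR) == SYS_write && reg(pid, REG_A0) == 1) {
            buf = (unsigned long)reg(pid, REG_A1); pending = 1;
            if (replace && poke_bytes(pid, buf, replace, strlen(replace)) < 0) return -1;
        } else if (!in_syscall && pending) {
            long ret = reg(pid, REG_RET); pending = 0;         /* bytes the kernel actually took */
            if (ret > 0 && (size_t)ret <= sizeof r->seen - r->seen_len &&
                peek_bytes(pid, buf, r->seen + r->seen_len, (size_t)ret) == 0)
                r->seen_len += (size_t)ret;
        }
    }
    while ((n = read(pfd[0], r->written + r->written_len, sizeof r->written - r->written_len)) > 0)
        r->written_len += (size_t)n;                            /* what the tracee really wrote */
    close(pfd[0]);
    return 0;
}

int main(void)
{
    struct trace_result r;
    if (trace_child_write("hello from tracee\n", "HELLO", &r) < 0) return 1;
    printf("peeked:  %.*swritten: %.*s", (int)r.seen_len, r.seen, (int)r.written_len, r.written);
}
```

For write() the data is already in the buffer at the entry stop, which is why the poke can go there; for read() the buffer is only filled by the kernel, so it has to be captured at the exit stop, where the return register also says how many bytes arrived. PTRACE_O_TRACESYSGOOD is what keeps the entry/exit toggle honest when a real signal such as SIGHUP lands in between, and that signal is handed back to the tracee on the next resume instead of being swallowed.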
 

ptrace(3C)                 Standard C Library Functions                 ptrace(3C)

NAME
       ptrace - allows a parent process to control the execution of a child process

SYNOPSIS
       #include <unistd.h>
       #include <sys/types.h>

       int ptrace(int request, pid_t pid, int addr, int data);

DESCRIPTION
       The ptrace() function allows a parent process to control the execution of a child process. Its primary use is for the implementation of breakpoint debugging. The child process behaves normally until it encounters a signal (see signal.h(3HEAD)), at which time it enters a stopped state and its parent is notified by the wait(3C) function. When the child is in the stopped state, its parent can examine and modify its "core image" using ptrace(). Also, the parent can cause the child either to terminate or continue, with the possibility of ignoring the signal that caused it to stop.

       The request argument determines the action to be taken by ptrace() and is one of the following:

       0      This request must be issued by the child process if it is to be traced by its parent. It turns on the child's trace flag that stipulates that the child should be left in a stopped state on receipt of a signal rather than the state specified by func (see signal(3C)). The pid, addr, and data arguments are ignored, and a return value is not defined for this request. Peculiar results ensue if the parent does not expect to trace the child.

       The remainder of the requests can only be used by the parent process. For each, pid is the process ID of the child. The child must be in a stopped state before these requests are made.

       1, 2   With these requests, the word at location addr in the address space of the child is returned to the parent process. If instruction and data space are separated, request 1 returns a word from instruction space, and request 2 returns a word from data space. If instruction and data space are not separated, either request 1 or request 2 may be used with equal results. The data argument is ignored. These two requests fail if addr is not the start address of a word, in which case -1 is returned to the parent process and the parent's errno is set to EIO.

       3      With this request, the word at location addr in the child's user area in the system's address space (see <sys/user.h>) is returned to the parent process. The data argument is ignored. This request fails if addr is not the start address of a word or is outside the user area, in which case -1 is returned to the parent process and the parent's errno is set to EIO.

       4, 5   With these requests, the value given by the data argument is written into the address space of the child at location addr. If instruction and data space are separated, request 4 writes a word into instruction space, and request 5 writes a word into data space. If instruction and data space are not separated, either request 4 or request 5 may be used with equal results. On success, the value written into the address space of the child is returned to the parent. These two requests fail if addr is not the start address of a word. On failure -1 is returned to the parent process and the parent's errno is set to EIO.

       6      With this request, a few entries in the child's user area can be written. data gives the value that is to be written and addr is the location of the entry. The few entries that can be written are the general registers and the condition codes of the Processor Status Word.

       7      This request causes the child to resume execution. If the data argument is 0, all pending signals including the one that caused the child to stop are canceled before it resumes execution. If the data argument is a valid signal number, the child resumes execution as if it had incurred that signal, and any other pending signals are canceled. The addr argument must be equal to 1 for this request. On success, the value of data is returned to the parent. This request fails if data is not 0 or a valid signal number, in which case -1 is returned to the parent process and the parent's errno is set to EIO.

       8      This request causes the child to terminate with the same consequences as exit(2).

       9      This request sets the trace bit in the Processor Status Word of the child and then executes the same steps as listed above for request 7. The trace bit causes an interrupt on completion of one machine instruction. This effectively allows single stepping of the child.

       To forestall possible fraud, ptrace() inhibits the set-user-ID facility on subsequent calls to one of the exec family of functions (see exec(2)). If a traced process calls one of these functions, it stops before executing the first instruction of the new image showing signal SIGTRAP.

ERRORS
       The ptrace() function will fail if:

       EIO    The request argument is an illegal number.

       EPERM  The calling process does not have appropriate privileges to control the calling process. See proc(4).

       ESRCH  The pid argument identifies a child that does not exist or has not executed a ptrace() call with request 0.

USAGE
       The ptrace() function is available only with the 32-bit version of libc(3LIB). It is not available with the 64-bit version of this library.

       The /proc debugging interfaces should be used instead of ptrace(), which provides quite limited debugger support and is itself implemented using the /proc interfaces. There is no actual ptrace() system call in the kernel. See proc(4) for descriptions of the /proc debugging interfaces.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
       +-----------------------------+-----------------------------+
       |Interface Stability          |Standard                     |
       +-----------------------------+-----------------------------+
       |MT-Level                     |MT-Safe                      |
       +-----------------------------+-----------------------------+

SEE ALSO
       exec(2), exit(2), libc(3LIB), signal(3C), signal.h(3HEAD), wait(3C), proc(4), attributes(5)

SunOS 5.10                        22 Mar 2004                          ptrace(3C)
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.