
32 bit syscalls not showing up #31

hnorkowski opened this issue Nov 7, 2023 · 1 comment

@hnorkowski

Summary

I wrote a very short assembly script and compiled it with nasm; it just executes the getpid and exit syscalls. These syscalls never show up in lurk, but strace shows them.

Details

Code

SECTION .text
global main

; Reproducer: issue two Linux syscalls through the legacy i386 entry point
; (int 0x80) from an x86-64 binary.  Numbers come from the 32-bit table
; (20 = getpid, 1 = exit) and arguments travel in ebx, ecx, edx, ...; only
; the low 32 bits of each register reach the kernel on this path.
; strace reports the switch as "runs in 32 bit mode".  A tracer that decodes
; every number against the x86-64 table instead appears to read eax=20 as
; writev -- compare the trailing "writev(...) = 0x124E6" line in the lurk
; output (0x124E6 == 74982, the traced PID) -- so tooling that classifies
; syscalls should key off the syscall ABI in use, not the number alone.
SYS32_GETPID    equ 20
SYS32_EXIT      equ 1

main:
        mov     eax, SYS32_GETPID       ; full 32-bit write, no partial-register merge
        int     0x80                    ; eax = pid (result unused)

        mov     eax, SYS32_EXIT
        xor     ebx, ebx                ; exit status 0
        int     0x80                    ; does not return

Compilation

nasm -f elf64 syscall.asm
clang -o asm syscall.o

Execution

❯ lurk ./asm
[74982] execve("", "", "") = 0
[74982] brk(0x0) = 0x555555559000
[74982] arch_prctl(12289, 0x7FFFFFFFE450) = -22
[74982] access("/etc/ld.so.preload", 4) = -2
[74982] openat(4294967196, "/etc/ld.so.cache", 524288) = 3
[74982] newfstatat(3, "", 0x7FFFFFFFD680, 4096) = 0
[74982] mmap(0x0, 79203, 1, 2, 3, 0) = 0x7FFFF7FB0000
[74982] close(3) = 0
[74982] openat(4294967196, "/usr/lib/libc.so.6", 524288) = 3
[74982] read(3, "ELF\u0002\u0001\u0001\u0003", 832) = 832
[74982] pread64(3, "\u0006", 784, 64) = 784
[74982] newfstatat(3, "", 0x7FFFFFFFD680, 4096) = 0
[74982] mmap(0x0, 8192, 3, 34, 4294967295, 0) = 0x7FFFF7FAE000
[74982] pread64(3, "\u0006", 784, 64) = 784
[74982] mmap(0x0, 1973104, 1, 2050, 3, 0) = 0x7FFFF7DCC000
[74982] mmap(0x7FFFF7DF2000, 1417216, 5, 2066, 3, 155648) = 0x7FFFF7DF2000
[74982] mmap(0x7FFFF7F4C000, 344064, 1, 2066, 3, 1572864) = 0x7FFFF7F4C000
[74982] mmap(0x7FFFF7FA0000, 24576, 3, 2066, 3, 1912832) = 0x7FFFF7FA0000
[74982] mmap(0x7FFFF7FA6000, 31600, 3, 50, 4294967295, 0) = 0x7FFFF7FA6000
[74982] close(3) = 0
[74982] mmap(0x0, 8192, 3, 34, 4294967295, 0) = 0x7FFFF7DCA000
[74982] arch_prctl(4098, 0x7FFFF7FAF640) = 0
[74982] set_tid_address(0x7FFFF7FAF910) = 0x124E6
[74982] set_robust_list(0x7FFFF7FAF920, 24) = 0
[74982] rseq() = 0
[74982] mprotect(0x7FFFF7FA0000, 16384, 1) = 0
[74982] mprotect(0x555555557000, 4096, 1) = 0
[74982] mprotect(0x7FFFF7FFB000, 8192, 1) = 0
[74982] prlimit64(0, 3, 0x0, 0x7FFFFFFFE1C0) = 0
[74982] munmap(0x7FFFF7FB0000, 79203) = 0
[74982] writev(1, 0x7FFFFFFFE5A8, 140737488348600) = 0x124E6

strace

❯ strace ./asm
execve("./asm", ["./asm"], 0x7fff374545a0 /* 56 vars */) = 0
brk(NULL)                               = 0x55fcbfd58000
arch_prctl(0x3001 /* ARCH_??? */, 0x7ffe155b8950) = -1 EINVAL (Invalid argument)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=79203, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 79203, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f8134589000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220~\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1948832, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8134587000
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 1973104, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f81343a5000
mmap(0x7f81343cb000, 1417216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7f81343cb000
mmap(0x7f8134525000, 344064, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x180000) = 0x7f8134525000
mmap(0x7f8134579000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1d3000) = 0x7f8134579000
mmap(0x7f813457f000, 31600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f813457f000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f81343a3000
arch_prctl(ARCH_SET_FS, 0x7f8134588640) = 0
set_tid_address(0x7f8134588910)         = 75997
set_robust_list(0x7f8134588920, 24)     = 0
rseq(0x7f8134588f60, 0x20, 0, 0x53053053) = 0
mprotect(0x7f8134579000, 16384, PROT_READ) = 0
mprotect(0x55fcbf7a6000, 4096, PROT_READ) = 0
mprotect(0x7f81345ce000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7f8134589000, 79203)           = 0
[ Process PID=75997 runs in 32 bit mode. ]
strace: WARNING: Proper structure decoding for this personality is not supported, please consider building strace with mpers support enabled.
getpid()                                = 75997
exit(0)                                 = ?
+++ exited with 0 +++

Version details

lurk 0.3.4
strace 6.6
NASM 2.16.01
clang 16.0.6
linux 6.5.9-arch2-1

@hnorkowski

The reason seems to be the 32-bit-mode syscalls. When the 64-bit-mode syscalls are used instead, they get tracked correctly.

Code

SECTION .text
global main

; Same reproducer via the native x86-64 entry point: syscall number in rax,
; first argument in rdi, numbers from the 64-bit table (39 = getpid,
; 60 = exit).  This is the path lurk decodes correctly in the trace below.
; syscall clobbers rcx and r11; nothing here depends on them.
SYS_GETPID      equ 39
SYS_EXIT        equ 60

main:
        mov     eax, SYS_GETPID         ; 32-bit write zero-extends into rax
        syscall                         ; rax = pid (result unused)

        xor     edi, edi                ; exit status 0 (zero-extends into rdi)
        mov     eax, SYS_EXIT
        syscall                         ; does not return

Lurk

❯ lurk ./asm
[102962] execve("", "", "") = 0
[102962] brk(0x0) = 0x555555559000
[102962] arch_prctl(12289, 0x7FFFFFFFE450) = -22
[102962] access("/etc/ld.so.preload", 4) = -2
[102962] openat(4294967196, "/etc/ld.so.cache", 524288) = 3
[102962] newfstatat(3, "", 0x7FFFFFFFD680, 4096) = 0
[102962] mmap(0x0, 79203, 1, 2, 3, 0) = 0x7FFFF7FB0000
[102962] close(3) = 0
[102962] openat(4294967196, "/usr/lib/libc.so.6", 524288) = 3
[102962] read(3, "ELF\u0002\u0001\u0001\u0003", 832) = 832
[102962] pread64(3, "\u0006", 784, 64) = 784
[102962] newfstatat(3, "", 0x7FFFFFFFD680, 4096) = 0
[102962] mmap(0x0, 8192, 3, 34, 4294967295, 0) = 0x7FFFF7FAE000
[102962] pread64(3, "\u0006", 784, 64) = 784
[102962] mmap(0x0, 1973104, 1, 2050, 3, 0) = 0x7FFFF7DCC000
[102962] mmap(0x7FFFF7DF2000, 1417216, 5, 2066, 3, 155648) = 0x7FFFF7DF2000
[102962] mmap(0x7FFFF7F4C000, 344064, 1, 2066, 3, 1572864) = 0x7FFFF7F4C000
[102962] mmap(0x7FFFF7FA0000, 24576, 3, 2066, 3, 1912832) = 0x7FFFF7FA0000
[102962] mmap(0x7FFFF7FA6000, 31600, 3, 50, 4294967295, 0) = 0x7FFFF7FA6000
[102962] close(3) = 0
[102962] mmap(0x0, 8192, 3, 34, 4294967295, 0) = 0x7FFFF7DCA000
[102962] arch_prctl(4098, 0x7FFFF7FAF640) = 0
[102962] set_tid_address(0x7FFFF7FAF910) = 0x19232
[102962] set_robust_list(0x7FFFF7FAF920, 24) = 0
[102962] rseq() = 0
[102962] mprotect(0x7FFFF7FA0000, 16384, 1) = 0
[102962] mprotect(0x555555557000, 4096, 1) = 0
[102962] mprotect(0x7FFFF7FFB000, 8192, 1) = 0
[102962] prlimit64(0, 3, 0x0, 0x7FFFFFFFE1C0) = 0
[102962] munmap(0x7FFFF7FB0000, 79203) = 0
[102962] getpid(0x1) = 0x19232
[102962] exit(0) = ?

strace

❯ strace ./asm
execve("./asm", ["./asm"], 0x7ffeb0a6bff0 /* 56 vars */) = 0
brk(NULL)                               = 0x55dfb9d12000
arch_prctl(0x3001 /* ARCH_??? */, 0x7fff320ab190) = -1 EINVAL (Invalid argument)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=79203, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 79203, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f8a08e2e000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220~\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1948832, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8a08e2c000
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 1973104, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f8a08c4a000
mmap(0x7f8a08c70000, 1417216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7f8a08c70000
mmap(0x7f8a08dca000, 344064, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x180000) = 0x7f8a08dca000
mmap(0x7f8a08e1e000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1d3000) = 0x7f8a08e1e000
mmap(0x7f8a08e24000, 31600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f8a08e24000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8a08c48000
arch_prctl(ARCH_SET_FS, 0x7f8a08e2d640) = 0
set_tid_address(0x7f8a08e2d910)         = 105284
set_robust_list(0x7f8a08e2d920, 24)     = 0
rseq(0x7f8a08e2df60, 0x20, 0, 0x53053053) = 0
mprotect(0x7f8a08e1e000, 16384, PROT_READ) = 0
mprotect(0x55dfb7d1c000, 4096, PROT_READ) = 0
mprotect(0x7f8a08e73000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7f8a08e2e000, 79203)           = 0
getpid()                                = 105284
exit(0)                                 = ?
+++ exited with 0 +++

@hnorkowski hnorkowski changed the title ASM syscalls not showing up 32 bit ASM syscalls not showing up Nov 7, 2023
@hnorkowski hnorkowski changed the title 32 bit ASM syscalls not showing up 32 bit syscalls not showing up Nov 7, 2023