Skip to content

Commit

Permalink
fix: Always log on syscall exit (#3)
Browse files Browse the repository at this point in the history
  • Loading branch information
@liamg
liamg authored Oct 27, 2022
1 parent 016cc10 commit 6a6e402
Showing 1 changed file with 33 additions and 16 deletions.
49 changes: 33 additions & 16 deletions intercept.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -72,40 +72,57 @@ func interceptReadsAndWrites(pid int) (fd uint64, data []byte, err error) {
return 0, nil, fmt.Errorf("process interrupted")
}

defer func() {
var exited bool

waitForExit := func() error {

if exited {
return nil
}
exited = true

// continue the syscall we intercepted
err = syscall.PtraceSyscall(pid, 0)
if err != nil {
err = fmt.Errorf("could not continue process: %w", err)
return
return fmt.Errorf("could not continue process: %w", err)
}

// and wait for it to finish
status := syscall.WaitStatus(0)
status = syscall.WaitStatus(0)
_, err = syscall.Wait4(pid, &status, 0, nil)
if err != nil {
err = fmt.Errorf("could not wait for process: %w", err)
return
return err
}

// process exited
if status.Exited() {
err = fmt.Errorf("process exited")
return
}
return nil
}

// if interrupted, stop tracing
if status.StopSignal().String() == "interrupt" {
_ = syscall.PtraceSyscall(pid, int(status.StopSignal()))
err = fmt.Errorf("process interrupted")
return
defer func() {
err = waitForExit()
if err == nil {
// process exited
if status.Exited() {
err = fmt.Errorf("process exited")
return
}

// if interrupted, stop tracing
if status.StopSignal().String() == "interrupt" {
_ = syscall.PtraceSyscall(pid, int(status.StopSignal()))
err = fmt.Errorf("process interrupted")
return
}
}
}()

// if we have a syscall, examine it...
if status.TrapCause()&int(syscall.SIGTRAP|0x80) > 0 {

// wait for syscall exit
if err := waitForExit(); err != nil {
return 0, nil, err
}

// read registers
regs := &syscall.PtraceRegs{}
if err := syscall.PtraceGetRegs(pid, regs); err != nil {
Expand Down

0 comments on commit 6a6e402

Please sign in to comment.