Bad Exit Ptracer

bad-exit-ptracer.c

#include <stdio.h>
#include <stdlib.h>
#include <syscall.h>
#include <sys/user.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <errno.h>
 
#define SYSCALL_EXIT 60
#define SYSCALL_EXIT_GROUP 231
 
 
int main(int argc, char **argv) {
		pid_t p;
		char *c;
 
		if (argc <= 1) {
				printf("too few arguments!\n");
				exit(1);
		}
 
		p = strtol(argv[1], &c, 10);
		printf("Got process information for PID %d. Beginning ptrace monitoring syscalls.\n", p);
 
		if (ptrace(PTRACE_ATTACH, p, NULL, NULL) == -1) {
				printf("Failed to attach ptrace, exiting.\n");
				exit(1);
		}
	   
		// We want, on exit, the tracee to not automatically close
		if (ptrace(PTRACE_SETOPTIONS, p, NULL, PTRACE_O_TRACEEXIT) == -1) {
				printf("Failed to set PTRACE_O_TRACEEXIT, exiting\n");
				exit(1);
		}
 
		waitpid(p, NULL, WUNTRACED);
 
		for (;;) {
				if (ptrace(PTRACE_SYSCALL, p, 0, 0) == -1) {
						printf("Failed to trace syscall.\n");
						exit(1);
				}
				if (waitpid(p, 0, 0) == -1) {
						printf("Failed to wait for state change of PID.\n");
						exit(1);
				}
 
				// Check if the syscall will exit us
				struct user_regs_struct regs;
				if (ptrace(PTRACE_GETREGS, p, 0, &regs) == -1) {
						printf("Failed to get register data for process.\n");
						exit(1);
				}
				long syscall = regs.orig_rax;
				if (syscall == SYSCALL_EXIT || syscall == SYSCALL_EXIT_GROUP) {
						// This is the shutdown of the tracee, we intentionally
						// don't want to catch this to cause a problem during shutdown
						printf("Caught exit syscall, intentionally ignoring and exiting...\n");
						exit(0);
				}
		}
}