logo

drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

Redirecitng-stderr-of-running-process.md (2017B)

    

  1. ---
  2. date: 2018-05-04
  3. layout: post
  4. title: Redirecting stderr of a running process
  5. tags: [hack]
  6. ---
  8. During the KDE sprint in Berlin, [Roman Gilg](http://www.subdiff.de/) leaned
  9. over to me and asked if I knew how to redirect the stderr of an already-running
  10. process to a file. I Googled it and found underwhelming answers using strace and
  11. trying to decipher the output by reading the write syscalls. Instead, I thought
  12. a gdb based approach would work better, and after putting the pieces together
  13. Roman insisted I wrote a blog post on the topic.
  15. gdb, the GNU debugger, has two important features that make this possible:
  17. - Attaching to running processes via `gdb -p`
  18. - Executing arbitrary code in the target process space
  20. With this it's actually quite straightforward. The process is the following:
  22. 1. Attach gdb to the running process
  23. 2. Run `compile code -- dup2(open("/tmp/log", 65), 2)`
  25. The magic 65 here is the value of `O_CREAT | O_WRONLY` on Linux, which is easily
  26. found with a little program like this:
  28. ```c
  29. #include <sys/stat.h>
  30. #include <fcntl.h>
  32. int main(int argc, char **argv) {
  33.     printf("%d\n", O_CREAT | O_WRONLY);
  34.     return 0;
  35. }
  36. ```
  38. 2 is always the file descriptor assigned to stderr. What happens here is:
  40. 1. Via [`open`](https://linux.die.net/man/3/open), the file you want to redirect
  41.    to is created.
  42. 2. Via [`dup2`](https://linux.die.net/man/3/dup2), stderr is overwritten with
  43.    this new file.
  45. The `compile code` gdb command will compile some arbitrary C code and run the
  46. result in the target process, presumably by mapping some executable RAM and
  47. loading it in, then jumping to the blob. Closing gdb (control+d) will continue
  48. the process, and it should start writing out to the file you created.
  50. There are lots of other cool (and hacky) things you can do with gdb. I once
  51. disconnected someone from an internet radio by attaching gdb to nginx and
  52. closing their file descriptor, for example. Thanks to Roman for giving me the
  53. chance to write an interesting blog post on the subject!