32 bit syscalls not showing up

[hnorkowski]

Summary

I wrote a very show assembly script and compiled it with nasm that just executes the getpid and exit syscalls. These syscalls never show up in lurk but strace shows them.

Details

Code

SECTION .text
	global main

	main:
	  xor eax, eax             ; eax = 0
	  mov al, 20               ; syscall: getpid
	  int 0x80                 ; execute

	  xor eax, eax             ; eax = 0
	  xor ebx, ebx             ; exit code = 0
	  mov al, 1                ; syscalL: exit
	  int 0x80                 ; execute syscall

Compilation

nasm -f elf64 syscall.asm
clang -o asm syscall.o

Execution

❯ lurk ./asm
[74982] execve("", "", "") = 0
[74982] brk(0x0) = 0x555555559000
[74982] arch_prctl(12289, 0x7FFFFFFFE450) = -22
[74982] access("/etc/ld.so.preload", 4) = -2
[74982] openat(4294967196, "/etc/ld.so.cache", 524288) = 3
[74982] newfstatat(3, "", 0x7FFFFFFFD680, 4096) = 0
[74982] mmap(0x0, 79203, 1, 2, 3, 0) = 0x7FFFF7FB0000
[74982] close(3) = 0
[74982] openat(4294967196, "/usr/lib/libc.so.6", 524288) = 3
[74982] read(3, "ELF\u0002\u0001\u0001\u0003", 832) = 832
[74982] pread64(3, "\u0006", 784, 64) = 784
[74982] newfstatat(3, "", 0x7FFFFFFFD680, 4096) = 0
[74982] mmap(0x0, 8192, 3, 34, 4294967295, 0) = 0x7FFFF7FAE000
[74982] pread64(3, "\u0006", 784, 64) = 784
[74982] mmap(0x0, 1973104, 1, 2050, 3, 0) = 0x7FFFF7DCC000
[74982] mmap(0x7FFFF7DF2000, 1417216, 5, 2066, 3, 155648) = 0x7FFFF7DF2000
[74982] mmap(0x7FFFF7F4C000, 344064, 1, 2066, 3, 1572864) = 0x7FFFF7F4C000
[74982] mmap(0x7FFFF7FA0000, 24576, 3, 2066, 3, 1912832) = 0x7FFFF7FA0000
[74982] mmap(0x7FFFF7FA6000, 31600, 3, 50, 4294967295, 0) = 0x7FFFF7FA6000
[74982] close(3) = 0
[74982] mmap(0x0, 8192, 3, 34, 4294967295, 0) = 0x7FFFF7DCA000
[74982] arch_prctl(4098, 0x7FFFF7FAF640) = 0
[74982] set_tid_address(0x7FFFF7FAF910) = 0x124E6
[74982] set_robust_list(0x7FFFF7FAF920, 24) = 0
[74982] rseq() = 0
[74982] mprotect(0x7FFFF7FA0000, 16384, 1) = 0
[74982] mprotect(0x555555557000, 4096, 1) = 0
[74982] mprotect(0x7FFFF7FFB000, 8192, 1) = 0
[74982] prlimit64(0, 3, 0x0, 0x7FFFFFFFE1C0) = 0
[74982] munmap(0x7FFFF7FB0000, 79203) = 0
[74982] writev(1, 0x7FFFFFFFE5A8, 140737488348600) = 0x124E6

strace

❯ strace ./asm
execve("./asm", ["./asm"], 0x7fff374545a0 /* 56 vars */) = 0
brk(NULL)                               = 0x55fcbfd58000
arch_prctl(0x3001 /* ARCH_??? */, 0x7ffe155b8950) = -1 EINVAL (Invalid argument)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=79203, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 79203, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f8134589000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220~\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1948832, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8134587000
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 1973104, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f81343a5000
mmap(0x7f81343cb000, 1417216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7f81343cb000
mmap(0x7f8134525000, 344064, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x180000) = 0x7f8134525000
mmap(0x7f8134579000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1d3000) = 0x7f8134579000
mmap(0x7f813457f000, 31600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f813457f000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f81343a3000
arch_prctl(ARCH_SET_FS, 0x7f8134588640) = 0
set_tid_address(0x7f8134588910)         = 75997
set_robust_list(0x7f8134588920, 24)     = 0
rseq(0x7f8134588f60, 0x20, 0, 0x53053053) = 0
mprotect(0x7f8134579000, 16384, PROT_READ) = 0
mprotect(0x55fcbf7a6000, 4096, PROT_READ) = 0
mprotect(0x7f81345ce000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7f8134589000, 79203)           = 0
[ Process PID=75997 runs in 32 bit mode. ]
strace: WARNING: Proper structure decoding for this personality is not supported, please consider building strace with mpers support enabled.
getpid()                                = 75997
exit(0)                                 = ?
+++ exited with 0 +++

Version details

lurk 0.3.4
strace 6.6
NASM 2.16.01
clang 16.0.6
linux 6.5.9-arch2-1

[hnorkowski]

The reasons seems to be the 32 bit mode syscalls. When using the 64 bit mode syscalls it gets tracked correctly

Code

SECTION .text
	global main

	main:
		mov rax, 39  ; syscall: getpid
		syscall      ; execute

		xor rdi, rdi ; exit code = 0
		mov rax, 60  ; syscall: exit
		syscall      ; execute syscall

Lurk

❯ lurk ./asm
[102962] execve("", "", "") = 0
[102962] brk(0x0) = 0x555555559000
[102962] arch_prctl(12289, 0x7FFFFFFFE450) = -22
[102962] access("/etc/ld.so.preload", 4) = -2
[102962] openat(4294967196, "/etc/ld.so.cache", 524288) = 3
[102962] newfstatat(3, "", 0x7FFFFFFFD680, 4096) = 0
[102962] mmap(0x0, 79203, 1, 2, 3, 0) = 0x7FFFF7FB0000
[102962] close(3) = 0
[102962] openat(4294967196, "/usr/lib/libc.so.6", 524288) = 3
[102962] read(3, "ELF\u0002\u0001\u0001\u0003", 832) = 832
[102962] pread64(3, "\u0006", 784, 64) = 784
[102962] newfstatat(3, "", 0x7FFFFFFFD680, 4096) = 0
[102962] mmap(0x0, 8192, 3, 34, 4294967295, 0) = 0x7FFFF7FAE000
[102962] pread64(3, "\u0006", 784, 64) = 784
[102962] mmap(0x0, 1973104, 1, 2050, 3, 0) = 0x7FFFF7DCC000
[102962] mmap(0x7FFFF7DF2000, 1417216, 5, 2066, 3, 155648) = 0x7FFFF7DF2000
[102962] mmap(0x7FFFF7F4C000, 344064, 1, 2066, 3, 1572864) = 0x7FFFF7F4C000
[102962] mmap(0x7FFFF7FA0000, 24576, 3, 2066, 3, 1912832) = 0x7FFFF7FA0000
[102962] mmap(0x7FFFF7FA6000, 31600, 3, 50, 4294967295, 0) = 0x7FFFF7FA6000
[102962] close(3) = 0
[102962] mmap(0x0, 8192, 3, 34, 4294967295, 0) = 0x7FFFF7DCA000
[102962] arch_prctl(4098, 0x7FFFF7FAF640) = 0
[102962] set_tid_address(0x7FFFF7FAF910) = 0x19232
[102962] set_robust_list(0x7FFFF7FAF920, 24) = 0
[102962] rseq() = 0
[102962] mprotect(0x7FFFF7FA0000, 16384, 1) = 0
[102962] mprotect(0x555555557000, 4096, 1) = 0
[102962] mprotect(0x7FFFF7FFB000, 8192, 1) = 0
[102962] prlimit64(0, 3, 0x0, 0x7FFFFFFFE1C0) = 0
[102962] munmap(0x7FFFF7FB0000, 79203) = 0
[102962] getpid(0x1) = 0x19232
[102962] exit(0) = ?

strace

❯ strace ./asm
execve("./asm", ["./asm"], 0x7ffeb0a6bff0 /* 56 vars */) = 0
brk(NULL)                               = 0x55dfb9d12000
arch_prctl(0x3001 /* ARCH_??? */, 0x7fff320ab190) = -1 EINVAL (Invalid argument)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=79203, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 79203, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f8a08e2e000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220~\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1948832, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8a08e2c000
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 1973104, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f8a08c4a000
mmap(0x7f8a08c70000, 1417216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7f8a08c70000
mmap(0x7f8a08dca000, 344064, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x180000) = 0x7f8a08dca000
mmap(0x7f8a08e1e000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1d3000) = 0x7f8a08e1e000
mmap(0x7f8a08e24000, 31600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f8a08e24000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f8a08c48000
arch_prctl(ARCH_SET_FS, 0x7f8a08e2d640) = 0
set_tid_address(0x7f8a08e2d910)         = 105284
set_robust_list(0x7f8a08e2d920, 24)     = 0
rseq(0x7f8a08e2df60, 0x20, 0, 0x53053053) = 0
mprotect(0x7f8a08e1e000, 16384, PROT_READ) = 0
mprotect(0x55dfb7d1c000, 4096, PROT_READ) = 0
mprotect(0x7f8a08e73000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7f8a08e2e000, 79203)           = 0
getpid()                                = 105284
exit(0)                                 = ?
+++ exited with 0 +++