Menu
According to the ptrace manual page:
Syscall-enter-stop and syscall-exit-stop are indistinguishable from each other by the tracer. The tracer needs to keep track of the sequence of ptrace-stops in order to not misinterpret syscall-enter- stop as syscall-exit-stop or vice versa.
When I attach to a process using PTRACE_ATTACH, how do I know whether the tracee is currently in a syscall or not? Put differently, if I restart the tracee using PTRACE_SYSCALL, how do I know whether the next syscall-stop is a syscall-enter-stop or a syscall-exit-stop?
748
When the traced process stops on a system call ENTRY, the EAX register will contain -ENOSYS and orig_rax has the number of that system call.
Following code sample demonstrate an example.
if (registers.rax == -ENOSYS)
{ switch (registers.orig_rax)
{
case _NR_open: //Example
break;
default:
// to get the arguments
fprintf(stderr, "%#08x, %#08x, %#08x",
registers.rbx, registers.rcx,
registers.rdx);
break;
}
}
else
{
if (registers.rax < 0)
{
// error condition
fprintf(stderr, "#Err: %s\n",
errors[abs(registers.rax)]);
}
else
{
// return code
fprintf(stderr, "%#08x\n", registers.rax);
}
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With