C - How To Check If Traced Process Is 32 bits?

Question

When using ptrace_attach.How can you know if the process you're attaching is running in 32 or 64 bits ?

I'm coding a little strace-like and I need to know if it's 32 or 64 bits because the number of the syscalls in RAX(EAX) will not have the same meaning.

When you're tracing a cmd (strace ls) it's quiet simple, you mmap the binary and you perform some checking with Elf.

But I cannot find anything regarding an already existing process ?

Thank you !

Answer 1

This is quite an interesting question.

Using /proc/<PID>/exe is easy, but is not very reliable: /proc filesystem may not be mounted, or the process could be executing in a chroot.

I took a look at what strace does. It executes the following:

union {
  struct user_regs_struct x86_64_r;
  struct i386_user_regs_struct i386_r;
} regs;

struct iovec {
  .iov_base = &regs,
  .iov_len = sizeof(regs)
} x86_io;

ptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, &x86_io);
if (regs.iov_len == sizeof(i386_user_regs_struct) {
  // this is a 32-bit process
} else {
  // this is either x86_64, or x32 process
}

But is this fully portable

Nothing about ptrace is fully-portable. Just about every UNIX variant will require custom handling here.