After posting a lot of questions on ptrace (the most recent 5 questions are mine :( ) I finally got the desired output when I replaced
reg_val[1] = ptrace(PTRACE_PEEKDATA, child, 4 * EBX, NULL);
with
reg_val[1] = ptrace(PTRACE_PEEKUSER, child, 4 * EBX, NULL);
The difference mentioned in the man page is like this:
PTRACE_PEEKTEXT
reads a word at the location addr in the child's memory
PTRACE_PEEKUSER
reads a word at offset addr in the child's USER area
I am unable to understand this difference from the man page alone. Can anyone educate me more on this?
PTRACE_PEEKDATA is for reading the data/code section of the child (process in general -- the so-called tracee). As you know, debuggers use ptrace a lot. They can use this call to examine values of variables. For example, in GDB/DBX, if you say
print count
the debuggers will internally invoke ptrace with PTRACE_PEEKDATA and find its value.
PTRACE_PEEKUSER is used to read the contents of the child's USER area, which holds the contents of registers and other info. sys/user.h lists what that other info is.
For example, the USER area contains:
struct user_regs_struct
{
    long int ebx;
    long int ecx;
    long int edx;
    long int esi;
    long int edi;
    long int ebp;
    long int eax;
    long int xds;
    long int xes;
    long int xfs;
    long int xgs;
    long int orig_eax;
    long int eip;
    long int xcs;
    long int eflags;
    long int esp;
    long int xss;
};
In short:
PTRACE_PEEKDATA is for program data (e.g. variables) and code;
PTRACE_PEEKUSER is for things like register values and other debug info.
Notice the equivalence between PTRACE_PEEKDATA and PTRACE_PEEKTEXT. From man ptrace:
Linux does not have separate text and data address spaces, so these two requests are currently equivalent.
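As an added illustration (not part of the question or the answer above), the following C program shows the two requests side by side: it forks a child that asks to be traced and stops itself, then the parent reads a known global from the tracee's memory with PTRACE_PEEKDATA and the stopped tracee's program counter from its USER area with PTRACE_PEEKUSER at offsetof(struct user, regs.rip) (regs.eip on i386), the register-offset counterpart of the question's 4 * EBX. The marker value, the peek_result struct and the function names are constructed for this example; the error path covers the common case where tracing is denied by Yama or seccomp.

```c
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed marker: lives in the tracee's data segment (the forked copy). */
static long marker = 0x11223344L;

struct peek_result { int err; long data_word; unsigned long pc; };

/* Byte offset of the program counter inside the USER area (struct user);
 * this plays the role of "4 * EBX" in the question, but for the PC. */
static long pc_user_offset(void) {
#if defined(__x86_64__)
    return offsetof(struct user, regs.rip);
#elif defined(__i386__)
    return offsetof(struct user, regs.eip);
#else
    return -1;                 /* USER-area layout not handled in this example */
#endif
}

struct peek_result peek_child(void) {
    struct peek_result r = {0, 0, 0};
    long off = pc_user_offset();
    if (off < 0) { r.err = ENOTSUP; return r; }
    pid_t pid = fork();
    if (pid < 0) { r.err = errno; return r; }
    if (pid == 0) {            /* tracee: request tracing, then stop itself */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(1);
        raise(SIGSTOP);
        _exit(0);
    }
    int status = 0;            /* tracer: wait for the SIGSTOP notification */
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) {
        r.err = EPERM;         /* tracing denied (Yama/seccomp) or child died */
        return r;
    }
    errno = 0;                 /* PEEK* return the word itself; errno flags errors */
    r.data_word = ptrace(PTRACE_PEEKDATA, pid, (void *)&marker, NULL);
    if (errno) r.err = errno;
    errno = 0;
    r.pc = (unsigned long)ptrace(PTRACE_PEEKUSER, pid, (void *)off, NULL);
    if (errno && !r.err) r.err = errno;
    kill(pid, SIGKILL); waitpid(pid, NULL, 0);   /* reap the tracee */
    return r;
}
```

Calling peek_child() from a main() and printing the result shows marker's value (0x11223344) arriving via PTRACE_PEEKDATA and a non-zero program counter inside raise() via PTRACE_PEEKUSER; err is non-zero when the kernel refuses the trace.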