IP _before_ a system call

Nate Eldredge neldredge at hmc.edu
Sat Mar 1 13:17:00 UTC 2003

On Sat, 1 Mar 2003, Dmitry Zinoviev wrote:

> Hello,
> Is there any way to patch the Linux version of strace to obtain the
> value of the IP just before a system call? It must be saved somewhere,
> no? Any suggestions?

The value of EIP you already have points to the instruction after the
system call, right?  Except for odd compatibility abi's, the only
instruction that can cause a system call is "int 0x80" (0xcd 0x80 if I
remember correctly).  So just subtract 2 from the address.

AFAIK, the address of the system call isn't explicitly saved anywhere,
since there's no need for it.  The kernel just needs to know where to

You can probably handle weird abi's as well if you want, by finding the
instructions that generate system calls and looking for them explicitly.


Nate Eldredge
neldredge at hmc.edu

More information about the Strace-devel mailing list