IP _before_ a system call
Nate Eldredge
neldredge at hmc.edu
Sat Mar 1 13:17:00 UTC 2003
On Sat, 1 Mar 2003, Dmitry Zinoviev wrote:
> Hello,
>
> Is there any way to patch the Linux version of strace to obtain the
> value of the IP just before a system call? It must be saved somewhere,
> no? Any suggestions?
The value of EIP you already have points to the instruction after the
system call, right? Except for odd compatibility abi's, the only
instruction that can cause a system call is "int 0x80" (0xcd 0x80 if I
remember correctly). So just subtract 2 from the address.
AFAIK, the address of the system call isn't explicitly saved anywhere,
since there's no need for it. The kernel just needs to know where to
return.
You can probably handle weird abi's as well if you want, by finding the
instructions that generate system calls and looking for them explicitly.
--
Nate Eldredge
neldredge at hmc.edu
More information about the Strace-devel
mailing list