Reputation: 119
I'm working on a little debugger under Linux 64 bits and I'm having trouble looking for syscalls' return values.
I'm testing the RIP value, I mean I do a PEEK_USERDATA and ptrace gives me the opcode in return, not the RIP address, directly this way (where 0x050f is the opcode of SYSCALL):
    if ((rip & 0x0000ffff) == 0x050f)   /* == binds tighter than &, so the mask needs parentheses */
        /* then get syscall name, args, etc. */
The problem is how do I get the return value of these syscalls. I know ptrace provides PTRACE_SYSCALL to warn us about entering/leaving kernel mode, but I'd like to check directly the RIP value, so I'm using SINGLESTEP. I checked if my rip matches the SYSLEAVE and SYSEXIT opcodes, but it never does. The only way I can check the return value is actually by checking my orig_rax, but I won't get the exit_group retval this way.
I know that the Linux ABI wants the return value to be stored in RAX, but I don't know how to witness a return to userland.
Thank you.
Upvotes: 4
Views: 1997
Reputation: 126203
You can't ptrace the kernel, so if you do another PTRACE_SINGLESTEP or PTRACE_SYSCALL after stopping at a SYSCALL, it will execute the system call and stop at the next instruction after it returns. At that point, you can check the registers to see what the return value of the system call is.
Upvotes: 3
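Added example (not from the question or the answer above): a minimal x86-64 Linux tracer that does what the answer describes. It forks a child, stops it with PTRACE_SYSCALL at every syscall entry and exit, reads orig_rax at the entry stop and rax at the exit stop, and shows that exit_group never produces an exit stop at all: with PTRACE_O_TRACEEXIT the tracer gets a PTRACE_EVENT_EXIT stop and then a normal WIFEXITED. The helper names (is_syscall_opcode, decode_syscall_retval) and the child's workload (getpid, a write to fd -1 that fails with EBADF, _exit(7)) are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* SYSCALL is encoded as the bytes 0f 05; read out of a PEEKTEXT word on a
   little-endian machine the low 16 bits are 0x050f (same test as the question,
   with the precedence fixed). Example helper, not part of any library. */
int is_syscall_opcode(unsigned long word_at_rip) {
    return (word_at_rip & 0xffff) == 0x050f;
}

/* The kernel returns -errno in rax on failure; glibc treats [-4095, -1] as an
   error and everything else as a genuine result (pointers and large values
   from mmap etc. are legitimately "negative"). Returns 1 on error, 0 on success. */
int decode_syscall_retval(long rax, long *value, int *err) {
    if (rax < 0 && rax >= -4095) { *err = (int)-rax; *value = -1; return 1; }
    *value = rax; *err = 0; return 0;
}

int main(void) {
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 1; }
    if (pid == 0) {                 /* tracee: constructed workload */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);             /* let the tracer set options first */
        getpid();                   /* succeeds, returns our pid */
        write(-1, "x", 1);          /* fails, rax = -EBADF */
        _exit(7);                   /* exit_group: never returns to userland */
    }
    int status;
    waitpid(pid, &status, 0);       /* initial SIGSTOP */
    ptrace(PTRACE_SETOPTIONS, pid, NULL,
           (void *)(PTRACE_O_TRACESYSGOOD | PTRACE_O_TRACEEXIT));
    int in_syscall = 0;
    long nr = -1;
    for (;;) {
        /* PTRACE_SYSCALL runs the tracee until the next syscall entry/exit;
           the kernel side of the syscall is never single-steppable. */
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0) { perror("ptrace"); break; }
        if (waitpid(pid, &status, 0) < 0) break;
        if (WIFEXITED(status)) {
            printf("child exited with status %d\n", WEXITSTATUS(status));
            break;
        }
        if (WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80)) {
            struct user_regs_struct regs;
            ptrace(PTRACE_GETREGS, pid, NULL, &regs);
            if (!in_syscall) {      /* syscall-enter-stop: number is in orig_rax */
                nr = (long)regs.orig_rax;
                in_syscall = 1;
                printf("enter syscall %ld\n", nr);
            } else {                /* syscall-exit-stop: return value is in rax */
                long v; int e;
                in_syscall = 0;
                if (decode_syscall_retval((long)regs.rax, &v, &e))
                    printf("  syscall %ld failed: %s (errno %d)\n", nr, strerror(e), e);
                else
                    printf("  syscall %ld returned %ld\n", nr, v);
            }
        } else if (WIFSTOPPED(status) &&
                   (status >> 8) == (SIGTRAP | (PTRACE_EVENT_EXIT << 8))) {
            /* exit_group entered but will never exit: this is the only stop you get */
            printf("  syscall %ld does not return; child is exiting\n", nr);
        }
    }
    return 0;
}
```

Run as an unprivileged user on a Linux host where ptrace is permitted; the exit stop for write shows the -EBADF encoding, and the last entry stop (exit_group, syscall 231) is followed by the PTRACE_EVENT_EXIT stop rather than an exit stop, which is why orig_rax is the only thing left to read for it.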