Reading target registers

Reading target registers

[Bloch, Jack]

While this is not a direct GDB question, I'm hoping someone can answer me. I
have an application which uses the ptrace interface to attach to a target
process and read the target registers (I'm specifically interested in the
EIP). It will run on a SuSE 2.6 Kernel x86 based machine. My code is below.


#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/reg.h>
#include <sys/user.h>
#include <linux/stddef.h>
#include <linux/version.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>
#include <link.h>
#include <fcntl.h>
#include <limits.h>
#include <dirent.h>
#include <pthread.h>
#ifndef BFD64
   #define BFD64
#endif
#include <bfd.h>
#include <signal.h>
#include "tracer.h"


int main (int     p_argc,
          char    **p_argv)

{

   int             l_ret;
   pid_t           l_pid
   unsigned long   l_regs[17];
   
   /***********************************************************************/
   /* i have ommitted the code which retrieves the command line arguments */
   /***********************************************************************/

   if ((l_ret = ptrace(PTRACE_ATTACH,l_pid,NULL,NULL)) < 0)
   { 
      l_ret = errno; 
      printf("ERROR %s ATTACHING TO TARGET !!!\n",strerror(l_ret);
      return(l_ret);
   }
   if ((l_ret = ptrace(PTRACE_GETREGS,l_pid,NULL,&l_regs)) < 0)
   { 
      l_ret = errno; 
      printf("ERROR %s READING TARGET REGISTERS !!!\n",strerror(l_ret);
      return(l_ret);
   }
   printf("CURRENT EIP 0x%x\n",l_regs[EIP]);
   return(l_ret);
}


The EIP value is always incorrect. Any ideas. Please CC me directly on any
response.


Regards,


Jack

   

Re: Reading target registers

[Daniel Jacobowitz]

On Mon, May 09, 2005 at 12:44:05PM -0700, Bloch, Jack wrote:
> While this is not a direct GDB question, I'm hoping someone can answer me. I
> have an application which uses the ptrace interface to attach to a target
> process and read the target registers (I'm specifically interested in the
> EIP). It will run on a SuSE 2.6 Kernel x86 based machine. My code is below.

You can only use PTRACE_GETREGS when the process is stopped; that may
be the problem.  After attaching be sure to wait().  Otherwise, try
stracing to see what's going on.


-- 
Daniel Jacobowitz
CodeSourcery, LLC

RE: Reading target registers

[Bloch, Jack]

Thanks,  I also waituntil the target is stopped before reading the
registers. I get a value, just not the correct value. I noticed that I get
the same incorrect value as the lsstack application which uses
ptrace(PTRACE_PEEKUSER,l_pid,EIP*4,0)
But GDB gets the correc value. I'm assuming it is something with my linking
or which version of user I'm including. I may be way off here but any help
is appreciated.

-----Original Message-----
From: Daniel Jacobowitz [mailto:drow@false.org]
Sent: Monday, May 09, 2005 3:50 PM
To: Bloch, Jack
Cc: gdb@sources.redhat.com
Subject: Re: Reading target registers


On Mon, May 09, 2005 at 12:44:05PM -0700, Bloch, Jack wrote:
> While this is not a direct GDB question, I'm hoping someone can answer me.
I
> have an application which uses the ptrace interface to attach to a target
> process and read the target registers (I'm specifically interested in the
> EIP). It will run on a SuSE 2.6 Kernel x86 based machine. My code is
below.

You can only use PTRACE_GETREGS when the process is stopped; that may
be the problem.  After attaching be sure to wait().  Otherwise, try
stracing to see what's going on.


-- 
Daniel Jacobowitz
CodeSourcery, LLC

Re: Reading target registers

['Daniel Jacobowitz']

On Mon, May 09, 2005 at 12:53:20PM -0700, Bloch, Jack wrote:
> Thanks,  I also waituntil the target is stopped before reading the
> registers. I get a value, just not the correct value. I noticed that I get
> the same incorrect value as the lsstack application which uses
> ptrace(PTRACE_PEEKUSER,l_pid,EIP*4,0)
> But GDB gets the correc value. I'm assuming it is something with my linking
> or which version of user I'm including. I may be way off here but any help
> is appreciated.

A couple of things:
  - Always cast the arguments to ptrace.  They are generally of type
    "long", which may not be the same as "int".
  - If you are debugging a 64-bit program you need a 64-bit GDB. 
    Sounds like you're on a 32-bit system though.
  - Verify whether your headers are messed up.  I already recommended
    the use of strace for this.  It can decode the arguments.

What is the incorrect value?  What is the correct value?

-- 
Daniel Jacobowitz
CodeSourcery, LLC

Re: Reading target registers

['Daniel Jacobowitz']

On Mon, May 09, 2005 at 02:21:01PM -0700, Bloch, Jack wrote:
> I have attached an strace. The PTRACE_GETREGS returns a 0.
> 
> 
> The wierd value I am seeing is 0xFFFFE410, and it always shows the same
> value. No matter where the actual program is running.
> 
> 
> The good value should be 0x80486AC

That's a correct value.  It's the syscall return address; any time that
you attach to a binary running in the kernel, it will appear to be
there.

(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()				<----
#1  0xb7ed41ae in poll () from /lib/tls/i686/cmov/libc.so.6
#2  0x0810ec8d in delete_file_handler ()
#3  0x0810e6aa in gdb_do_one_event ()
#4  0x0807d9a1 in catch_exceptions_with_msg ()
#5  0x0807d820 in throw_exception ()
#6  0x0807da00 in catch_errors ()
#7  0x080be4e4 in _initialize_tui_hooks ()
#8  0x0810c3c3 in current_interp_command_loop ()
#9  0x080747cb in main ()

-- 
Daniel Jacobowitz
CodeSourcery, LLC