StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PODetect call's offset with ptrace
primarykey
Id
17154486
data
AcceptedAnswerId
0
AnswerCount
1
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2013-06-17T18:40:42.990
FavoriteCount
0
LastActivityDate
2013-06-18T15:50:07.233
LastEditDate
LastEditorUserId
0
OwnerUserId
1901403
ParentId
0
PostTypeId
1
Score
0
ViewCount
471
LastEditorDisplayName
text
Body
I'm trying to do a program that can detect calls with the function ptrace. Using PTRACE_SINGLESTEP I can run a program instructions by instructions, then, when I get the OP_CODE 0xe8 pointed by the register RIP, I use PTRACE_PEEKTEXT to get the 4 next bytes after the adress pointed by RIP. Then, according to the documentation that I found on internet, the 4 bytes coutains an offset referring to the location to jump. It seems like PTRACE_PEEKTEXT is returning some weird values, and I get offsets too big. Here my code below: <pre><code> instr_num = ptrace(PTRACE_PEEKTEXT, this->pid, regs.rip, 0); dest = ptrace(PTRACE_PEEKTEXT, this->pid, regs.rip + 1, 0); if (instr_num == 0xe8) { printf("call : %ld\n", regs.rip + dest); } </code></pre> And here's the output: <pre><code>call : -2853719444197214464 call : -2853719444197214464 call : -2853719444197214464 </code></pre> And this is the objdump -D output, and as you can see there is 15 bytes of offset between the call from the main and the beginning of the function func: <pre><code>00000000004004c4 <func>: 4004c4: 55 push %rbp 4004c5: 48 89 e5 mov %rsp,%rbp 4004c8: 5d pop %rbp 4004c9: c3 retq 00000000004004ca <main>: 4004ca: 55 push %rbp 4004cb: 48 89 e5 mov %rsp,%rbp 4004ce: b8 00 00 00 00 mov $0x0,%eax 4004d3: e8 ec ff ff ff callq 4004c4 <func> 4004d8: 5d pop %rbp 4004d9: c3 retq </code></pre> If just after I detected a call, I do a ptrace(PTRACE_SINGLESTEP) once, will my RIP contain the adress of the function I just jumped to ? According to my tests it seems not to, but I think it should.
Tags
<c><assembly><function-calls><ptrace>
Title
Detect call's offset with ptrace
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. This table or related slice is empty.
UserOwnerUserId
1. USJérémie Charrier
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. This table or related slice is empty.
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.