Difference between ptrace(PTRACE_PEEKUSER) and ptrace(PTRACE_PEEKDATA)?
After posting a lot of questions on ptrace (the most recent 5 questions are mine :( ) I finally got the desired output when I replaced
reg_val[1] = ptrace(PTRACE_PEEKDATA, child, 4 * EBX, NULL);
with
reg_val[1] = ptrace(PTRACE_PEEKUSER, child, 4 * EBX, NULL);
The difference mentioned in man page is like this
PTRACE_PEEKTEXTreads a word at the location addr in the child's memoryPTRACE_PEEKUSERreads a word at offset addr in the child's USER area
I am unable to understand this difference alone from the man page. Can any one educate me more on this??
Answer
PTRACE_PEEKDATA is for reading the data/code section of the child (process in general -- the so called tracee). As you know, debuggers use ptrace a lot. They can use this call to examine values of variables. For example, in GDB/DBX, if you say
print count
the debuggers will internally invoke ptrace with PTRACE_PEEKDATA and find its value.
PTRACE_PEEKUSER is used to read the contents of the child's USER area which holds contents of registers and other info. sys/user.h lists what is that other info.
For example USER area contains,
struct user_regs_struct
{
long int ebx;
long int ecx;
long int edx;
long int esi;
long int edi;
long int ebp;
long int eax;
long int xds;
long int xes;
long int xfs;
long int xgs;
long int orig_eax;
long int eip;
long int xcs;
long int eflags;
long int esp;
long int xss;
};
In short:
PTRACE_PEEKDATAis for program data (e.g. variables) and code;PTRACE_PEEKUSERis for things like register values and other debug info;
Notice the equivalence between PTRACE_PEEKDATA and PTRACE_PEEKTEXT. From man ptrace:
Linux does not have separate text and data address spaces, so these two requests are currently equivalent.