After posting a lot of questions on ptrace (the most recent 5 questions are mine :( ) I finally got the desired output when I replaced
reg_val[1] = ptrace(PTRACE_PEEKDATA, child, 4 * EBX, NULL);
with
reg_val[1] = ptrace(PTRACE_PEEKUSER, child, 4 * EBX, NULL);
The difference mentioned in the man page is like this:
PTRACE_PEEKTEXT
reads a word at the location addr in the child's memory
PTRACE_PEEKUSER
reads a word at offset addr in the child's USER area
I am unable to understand this difference alone from the man page. Can anyone educate me more on this?
PTRACE_PEEKDATA is for reading the data/code section of the child (process in general -- the so-called tracee). As you know, debuggers use ptrace a lot. They can use this call to examine values of variables. For example, in GDB/DBX, if you say
print count
the debuggers will internally invoke ptrace with PTRACE_PEEKDATA and find its value.
PTRACE_PEEKUSER is used to read the contents of the child's USER area, which holds the contents of registers and other info. sys/user.h lists what that other info is.
For example, the USER area contains:
struct user_regs_struct
{
long int ebx;
long int ecx;
long int edx;
long int esi;
long int edi;
long int ebp;
long int eax;
long int xds;
long int xes;
long int xfs;
long int xgs;
long int orig_eax;
long int eip;
long int xcs;
long int eflags;
long int esp;
long int xss;
};
In short:
PTRACE_PEEKDATA is for program data (e.g. variables) and code;
PTRACE_PEEKUSER is for things like register values and other debug info.
Notice the equivalence between PTRACE_PEEKDATA and PTRACE_PEEKTEXT. From man ptrace:
Linux does not have separate text and data address spaces, so these two requests are currently equivalent.
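A worked example, added here and not part of the original question or answer: a small tracer that uses both requests on one child. PTRACE_PEEKUSER pulls the syscall number and the write(2) arguments out of the USER area (struct user from sys/user.h, whose regs member is the struct quoted above), and PTRACE_PEEKDATA then pulls the buffer those registers point at out of the child's memory. It is written for Linux x86-64, where the 32-bit `4 * EBX` from the question becomes `8 * RDI`, or more robustly offsetof(struct user, regs.rdi); an i386 branch with the original offsets is included. The function names, the message the child writes and the -EPERM fallback are this example's own assumptions, not anything from the page.

```c
/* Added example (not from the original post): a tracer forks a child that
 * write(2)s a constructed string, stops it at the write syscall entry, reads the
 * registers from the USER area (PEEKUSER) and the buffer from memory (PEEKDATA). */
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/reg.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Offsets into struct user. regs is its first member, so
 * offsetof(struct user, regs.X) == sizeof(long) * X_INDEX from <sys/reg.h>;
 * that is where the "4 * EBX" idiom in the question comes from. Linux x86 only. */
#if defined(__x86_64__)
#define REG_SYSNO offsetof(struct user, regs.orig_rax) /* == 8 * ORIG_RAX */
#define REG_ARG0  offsetof(struct user, regs.rdi)      /* == 8 * RDI */
#define REG_ARG1  offsetof(struct user, regs.rsi)
#define REG_ARG2  offsetof(struct user, regs.rdx)
#define ARG0_INDEX RDI
#elif defined(__i386__)
#define REG_SYSNO offsetof(struct user, regs.orig_eax) /* == 4 * ORIG_EAX */
#define REG_ARG0  offsetof(struct user, regs.ebx)      /* == 4 * EBX */
#define REG_ARG1  offsetof(struct user, regs.ecx)
#define REG_ARG2  offsetof(struct user, regs.edx)
#define ARG0_INDEX EBX
#else
#error "this example covers Linux x86 only"
#endif
static const char MESSAGE[] = "hello from the tracee\n"; /* constructed input */

/* 1 if the offsetof() form and the index * word-size form agree (they must). */
int offset_matches_index_idiom(void) { return REG_ARG0 == sizeof(long) * ARG0_INDEX; }

static long peek_user(pid_t pid, size_t off) { /* one word of the USER area */
    errno = 0;
    return ptrace(PTRACE_PEEKUSER, pid, (void *)off, NULL);
}

/* Copy len bytes of the tracee's memory at addr into out, NUL-terminated. PEEKDATA
 * yields one word per call; a partial last word is re-read from addr+len-sizeof(long)
 * so the read never runs past the buffer (unless len < sizeof(long) altogether). */
static int peek_bytes(pid_t pid, unsigned long addr, size_t len, char *out) {
    for (size_t done = 0; done < len;) {
        size_t chunk = len - done < sizeof(long) ? len - done : sizeof(long);
        size_t skip = (chunk < sizeof(long) && len >= sizeof(long)) ? sizeof(long) - chunk : 0;
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + done - skip), NULL);
        if (word == -1 && errno != 0) return -errno;
        memcpy(out + done, (const char *)&word + skip, chunk);
        done += chunk;
    }
    out[len] = '\0';
    return 0;
}

/* Returns 0 and fills out with the string the child handed to write(2), or
 * -errno (-EPERM when ptrace is not permitted, e.g. inside a sandbox). */
int trace_child_write(char *out, size_t outsz) {
    pid_t pid = fork();
    if (pid < 0) return -errno;
    if (pid == 0) {                                        /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(1);
        raise(SIGSTOP);                         /* hand control to the tracer */
        _exit(write(STDOUT_FILENO, MESSAGE, sizeof MESSAGE - 1) < 0 ? 2 : 0);
    }
    int status, in_syscall = 0, sig = 0, rc = -ECHILD;
    if (waitpid(pid, &status, 0) == -1) return -errno;
    if (!WIFSTOPPED(status)) return -EPERM;                /* TRACEME failed */
    /* Report syscall stops as SIGTRAP|0x80 so they are not mistaken for signals. */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD)) return -errno;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1) return -errno;
        if (waitpid(pid, &status, 0) == -1) return -errno;
        if (!WIFSTOPPED(status)) return rc;      /* child exited without writing */
        sig = 0;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) { sig = WSTOPSIG(status); continue; }
        in_syscall = !in_syscall;                /* stops alternate: entry, exit */
        if (!in_syscall) continue;
        long nr = peek_user(pid, REG_SYSNO);     /* registers: USER area */
        if (nr == -1 && errno != 0) return -errno;
        if (nr != SYS_write || peek_user(pid, REG_ARG0) != STDOUT_FILENO) continue;
        unsigned long buf = (unsigned long)peek_user(pid, REG_ARG1);
        size_t len = (size_t)peek_user(pid, REG_ARG2);
        if (len >= outsz) len = outsz - 1;
        rc = peek_bytes(pid, buf, len, out);     /* buffer: child's memory */
        break;
    }
    ptrace(PTRACE_DETACH, pid, NULL, NULL);      /* let the child finish its write */
    waitpid(pid, &status, 0);
    return rc;
}

int main(void) {                                  /* stand-alone demo */
    char seen[128];
    int rc = trace_child_write(seen, sizeof seen);
    if (rc != 0) { fprintf(stderr, "trace failed: %s\n", strerror(-rc)); return 1; }
    return printf("tracer saw write(1, buf, %zu), buf = \"%s\"\n", strlen(seen), seen) < 0;
}
```

Build with `cc -o peekdemo peekdemo.c` and run it. The child uses PTRACE_TRACEME, so the default Yama setting (kernel.yama.ptrace_scope=1, descendants only) is enough; scope 3 or a seccomp policy that denies ptrace makes trace_child_write return -EPERM rather than crash. Two details matter for correctness: PTRACE_O_TRACESYSGOOD distinguishes syscall stops from ordinary signal stops, and because PTRACE_PEEKDATA can only fetch whole words, peek_bytes re-reads the final partial word from an earlier address instead of reading past the end of the child's buffer.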