I'm working on a Linux application that uses ptrace to observe another process created by the fork() system call.
Strictly speaking: I want to implement
Yes, it is completely platform-specific. I read a lot of material describing the ptrace syscall and how it can be used to capture the EIP of the next instruction that is going to execute after ptrace sends some request (like PTRACE_CONT) to the suspended tracee. I always see that the EIP value is something like this:
80484a6:
80484a7:
80484ac:
80484b2:
80484b4:
80484b6:
80484b8:
I tested a simple piece of code (it just prints the value of EIP and the corresponding executed instruction), but the result was as shown below:
EIP: b773cbe0 Instruction executed: c3595a5d
EIP: b773cbe1 Instruction executed: ccc3595a
EIP: b773cbe0 Instruction executed: c3595a5d
hello world 5
EIP: b773cbe0 Instruction executed: c3595a5d
EIP: b773cbe1 Instruction executed: ccc3595a
EIP: b773cbe0 Instruction executed: c3595a5d
hello world 6
EIP: b773cbe0 Instruction executed: c3595a5d
EIP: b773cbe1 Instruction executed: ccc3595a
EIP: b773cbe0 Instruction executed: c3595a5d
What is this (b773cbe0)??!!! I moved to gdb and viewed the dump file using this command line (objdump -d a.out); the result is something different from the previous results:
8048864: 8b 6c 24 20 mov 0x20(%esp),%ebp
8048868: 8d b3 0c ff ff ff lea -0xf4(%ebx),%esi
804886e: e8 41 fb ff ff call 80483b4 <_init>
8048873: 8d 83 08 ff ff ff lea -0xf8(%ebx),%eax
8048879: 29 c6 sub %eax,%esi
804887b: c1 fe 02 sar $0x2,%esi
804887e: 85 f6 test %esi,%esi
8048880: 74 23 je 80488a5 <__libc_csu_init+0x55>
8048882: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
8048888: 83 ec 04 sub $0x4,%esp
804888b: ff 74 24 2c pushl 0x2c(%esp)
804888f: ff 74 24 2c pushl 0x2c(%esp)
8048893: 55 push %ebp
8048894: ff 94 bb 08 ff ff ff call *-0xf8(%ebx,%edi,4)
804889b: 83 c7 01 add $0x1,%edi
804889e: 83 c4 10 add $0x10,%esp
80488a1: 39 f7 cmp %esi,%edi
80488a3: 75 e3 jne 8048888 <__libc_csu_init+0x38>
80488a5: 83 c4 0c add $0xc,%esp
80488a8: 5b pop %ebx
80488a9: 5e pop %esi
80488aa: 5f pop %edi
80488ab: 5d pop %ebp
80488ac: c3 ret
80488ad: 8d 76 00 lea 0x0(%esi),%esi
I'm really confused about this.
You're not modifying the EIP; you're adding something to the value of the instruction at EIP, probably resulting in a bad address reference. To change EIP, use PTRACE_SETREGS:
wait(NULL);                                   /* wait for the tracee to stop */
ptrace(PTRACE_GETREGS, child, NULL, &regs);   /* regs is a struct user_regs_struct from <sys/user.h> */
printf("\n EIP @ %#lx\n", regs.eip);          /* %#lx already prints the 0x prefix */
regs.eip += ???;                              /* amount left unspecified in the answer */
ptrace(PTRACE_SETREGS, child, NULL, &regs);   /* write the modified registers back */
ptrace(PTRACE_CONT, child, NULL, NULL);       /* resume the tracee at the new EIP */
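As an added example (not code from the question or the answer above), here is a small tracer that single-steps a child, reads the real EIP with PTRACE_GETREGS, and prints the PTRACE_PEEKTEXT word byte by byte in memory order, which is why a printed word of c3595a5d means the byte at EIP is 5d and the ret (c3) sits at EIP+3; it also has a helper for checking which /proc/<pid>/maps entry an address such as b773cbe0 falls in, since that address lies outside the 0x0804xxxx text of a.out shown by objdump. It assumes Linux on x86; the names byte_at, line_covers_addr and PC are mine, and the maps lines used for testing are constructed.

```c
#include <stdio.h>
#include <unistd.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>

/* PTRACE_PEEKTEXT returns a native word. x86 is little-endian, so the byte
 * physically at EIP is the LOW byte of the printed value: 0xc3595a5d is the
 * byte sequence 5d 5a 59 c3 (pop %ebp, pop %edx, pop %ecx, ret). */
unsigned char byte_at(unsigned long word, int i) { return (unsigned char)(word >> (8 * i)); }

/* Parse one /proc/<pid>/maps line. Returns 1 if addr falls inside that
 * mapping (copying its path into `path` when given), else 0. */
int line_covers_addr(const char *line, unsigned long addr, char *path, size_t n) {
    unsigned long lo, hi; char p[256] = "";
    if (sscanf(line, "%lx-%lx %*s %*s %*s %*s %255s", &lo, &hi, p) < 2) return 0;
    if (addr < lo || addr >= hi) return 0;
    if (path) snprintf(path, n, "%s", p[0] ? p : "[anonymous]");
    return 1;
}

/* The program-counter field is named eip on i386 and rip on x86-64. */
#if defined(__x86_64__)
#define PC(r) ((r).rip)
#else
#define PC(r) ((r).eip)
#endif

int main(void) {
    int status;
    pid_t child = fork();
    if (child == 0) {                       /* tracee: request tracing, stop */
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);
        _exit(0);
    }
    waitpid(child, &status, 0);
    for (int step = 0; step < 5 && WIFSTOPPED(status); step++) {
        struct user_regs_struct regs;
        ptrace(PTRACE_GETREGS, child, NULL, &regs);      /* read the real EIP */
        unsigned long pc = PC(regs);
        unsigned long w = (unsigned long)ptrace(PTRACE_PEEKTEXT, child, (void *)pc, NULL);
        printf("PC=%#lx bytes at PC: %02x %02x %02x %02x\n", pc,
               byte_at(w, 0), byte_at(w, 1), byte_at(w, 2), byte_at(w, 3));
        ptrace(PTRACE_SINGLESTEP, child, NULL, NULL);     /* one instruction */
        waitpid(child, &status, 0);
    }
    ptrace(PTRACE_CONT, child, NULL, NULL); waitpid(child, &status, 0);
    return 0;
}
```

To see which object the reported PC belongs to, feed each line of /proc/<pid>/maps of the stopped child to line_covers_addr; an address that matches no a.out mapping is in a shared library or the vDSO, not in the code objdump showed you.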