From: Nate E. <nel...@hm...> - 2003-03-01 21:11:12
On Sat, 1 Mar 2003, Dmitry Zinoviev wrote:

> Hello,
>
> Is there any way to patch the Linux version of strace to obtain the
> value of the IP just before a system call? It must be saved somewhere,
> no? Any suggestions?

The value of EIP you already have points to the instruction after the system call, right? Except for odd compatibility ABIs, the only instruction that can cause a system call is "int 0x80" (0xcd 0x80 if I remember correctly). So just subtract 2 from the address.

AFAIK, the address of the system call isn't explicitly saved anywhere, since there's no need for it. The kernel just needs to know where to return.

You can probably handle weird ABIs as well if you want, by finding the instructions that generate system calls and looking for them explicitly.

--
Nate Eldredge
nel...@hm...
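
The "subtract 2, then look for the instruction explicitly" idea from the message above, as an added example that is not part of the original post and is not strace code. The function name, the buffer layout and the sample bytes are assumptions made for illustration, and the x86-64 `syscall` opcode (0x0f 0x05) goes beyond the one instruction the message names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Two-byte system-call instructions this example recognises. */
enum sc_kind { SC_NONE = 0, SC_INT80, SC_SYSCALL };

/* Constructed sample: mov eax,20 ; int 0x80 ; ret, loaded at SAMPLE_BASE. */
#define SAMPLE_BASE 0x08048000u
static const uint8_t sample[] = { 0xb8, 0x14, 0x00, 0x00, 0x00,
                                  0xcd, 0x80, 0xc3 };

/*
 * mem/len  : bytes copied out of the traced process (hypothetical buffer,
 *            e.g. filled with PTRACE_PEEKTEXT by the caller)
 * mem_base : address in the tracee that mem[0] corresponds to
 * ret_ip   : saved EIP/RIP, i.e. the address the kernel will return to
 * On a match, stores the address of the system-call instruction in *insn.
 */
enum sc_kind syscall_insn_before(const uint8_t *mem, size_t len,
                                 uint64_t mem_base, uint64_t ret_ip,
                                 uint64_t *insn)
{
    /* The two bytes before ret_ip must lie inside the copied buffer. */
    if (ret_ip < mem_base || ret_ip - mem_base < 2 || ret_ip - mem_base > len)
        return SC_NONE;

    size_t off = (size_t)(ret_ip - mem_base) - 2;
    enum sc_kind kind = SC_NONE;

    if (mem[off] == 0xcd && mem[off + 1] == 0x80)
        kind = SC_INT80;      /* int 0x80 */
    else if (mem[off] == 0x0f && mem[off + 1] == 0x05)
        kind = SC_SYSCALL;    /* x86-64 syscall */

    /* Report an address only when the bytes really are a syscall insn. */
    if (kind != SC_NONE && insn != NULL)
        *insn = ret_ip - 2;
    return kind;
}

int main(void)
{
    uint64_t insn = 0;
    enum sc_kind k = syscall_insn_before(sample, sizeof sample, SAMPLE_BASE,
                                         SAMPLE_BASE + 7, &insn);
    printf("kind=%d insn=0x%llx\n", (int)k, (unsigned long long)insn);
    return 0;
}
```

Checking the opcode bytes instead of subtracting 2 blindly means an unexpected return address yields SC_NONE rather than a wrong instruction pointer.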