Is there any way to patch the Linux version of strace to obtain the
value of the IP just before a system call? It must be saved somewhere,
no? Any suggestions?
Dmitry Zinoviev, Assistant Professor
Mathematics & Computer Science Department, Suffolk University, Boston
This is an object-oriented system. If we change anything, the users object.
On Sat, 1 Mar 2003, Dmitry Zinoviev wrote:
> Is there any way to patch the Linux version of strace to obtain the
> value of the IP just before a system call? It must be saved somewhere,
> no? Any suggestions?
The value of EIP you already have points to the instruction after the
system call, right? Except for odd compatibility abi's, the only
instruction that can cause a system call is "int 0x80" (0xcd 0x80 if I
remember correctly). So just subtract 2 from the address.
AFAIK, the address of the system call isn't explicitly saved anywhere,
since there's no need for it. The kernel just needs to know where to
You can probably handle weird abi's as well if you want, by finding the
instructions that generate system calls and looking for them explicitly.