12

After posting a lot of questions on ptrace (the most recent 5 questions are mine :( ) I finally got the desired output when I replaced

reg_val[1] = ptrace(PTRACE_PEEKDATA, child, 4 * EBX, NULL);

with

reg_val[1] = ptrace(PTRACE_PEEKUSER, child, 4 * EBX, NULL);

The difference mentioned in man page is like this

  • PTRACE_PEEKTEXT reads a word at the location addr in the child's memory
  • PTRACE_PEEKUSER reads a word at offset addr in the child's USER area

I am unable to understand this difference alone from the man page. Can any one educate me more on this??

Matheus Santana
  • 581
  • 1
  • 6
  • 22
kidd0
  • 731
  • 2
  • 8
  • 25

1 Answers1

24

PTRACE_PEEKDATA is for reading the data/code section of the child (process in general -- the so called tracee). As you know, debuggers use ptrace a lot. They can use this call to examine values of variables. For example, in GDB/DBX, if you say 

print count

the debuggers will internally invoke ptrace with PTRACE_PEEKDATA and find its value.

PTRACE_PEEKUSER is used to read the contents of the child's USER area which holds contents of registers and other info. sys/user.h lists what is that other info.

For example USER area contains,

struct user_regs_struct
{
  long int ebx;
  long int ecx;
  long int edx;
  long int esi;
  long int edi;
  long int ebp;
  long int eax;
  long int xds;
  long int xes;
  long int xfs;
  long int xgs;
  long int orig_eax;
  long int eip;
  long int xcs;
  long int eflags;
  long int esp;
  long int xss;
};

In short:

  • PTRACE_PEEKDATA is for program data (e.g. variables) and code;
  • PTRACE_PEEKUSER is for things like register values and other debug info;

Notice the equivalence between PTRACE_PEEKDATA and PTRACE_PEEKTEXT. From man ptrace:

Linux does not have separate text and data address spaces, so these two requests are currently equivalent.

Matheus Santana
  • 581
  • 1
  • 6
  • 22
Pavan Manjunath
  • 27,404
  • 12
  • 99
  • 125
  • `PTRACE_PEEKDATA is for things like register values and other debug info.` Aren't ebx, ecx register values?? :O I thought so. By registers what all did you mean? `EIP` (instruction pointer)?? – kidd0 Mar 21 '12 at 12:04
  • sorry for the typo. I corrected it. **PTRACE_PEEKUSER** is for registers and **NOT** **PTRACE_PEEKDATA** – Pavan Manjunath Mar 21 '12 at 12:08
  • Your last sentence is confusing me (is it a typo??). You said peekdata is for program data. fine with tat. Now again you say peekdata is for registers !! Did you mean peekuser?? – kidd0 Mar 21 '12 at 12:10
  • Hi there; so sorry to resurrect an ancient post, but was wondering: where is the child's USER area actually stored in virtual memory? I know that this will likely be implementation specific, but – say – on Ubuntu 64 bit, where in virtual memory is PTRACE_PEEKUSER actually looking? Thanks so much in advance – Atticus Stonestrom Jun 10 '20 at 19:27