When using ptrace to get the registers of another process, is it possible that the stop point is in kernel space (doing a system call, or something like sleep()), so that RIP is in the kernel code segment and RSP is the kernel stack pointer?
2 Answers
1
is it possible ... that the RIP is in kernel code segment and RSP is the kernel stack pointer?
No, at least not on Linux.

Employed Russian
Could you explain the reason? – WindChaser Jan 14 '15 at 08:18
0
ptrace() itself is a syscall, so when you use it from userspace, the returned values are in userspace. And the values are returned when the debuggee has been stopped in its execution, which must be in userspace.
These are all specified in the syscall API definitions.
http://man7.org/linux/man-pages/man2/syscalls.2.html
But if you want to trace the program's execution inside the kernel, that is possible through hardware features like Intel Processor Tracing:
https://software.intel.com/en-us/blogs/2013/09/18/processor-tracing
and various other options.

Peter Teoh
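As an added example (not code from either answer above), here is a small C program that forks a tracee, lets it block inside nanosleep(), stops it with SIGSTOP while it is parked in the kernel, and reads its registers with PTRACE_GETREGS. The helpers is_user_address() and regs_are_userspace() are my own; they assume x86-64 Linux, where the user half of the address space ends at 0x0000800000000000 (bit 47 set means the kernel half or a non-canonical address). What the run shows is the point both answers make: even though the tracee was blocked in a system call, the reported rip is the user-mode address just past the syscall instruction in libc, rsp is the user stack, and orig_rax carries the number of the interrupted syscall, which is how a tracer can tell that the stop happened inside a system call.

```c
/* Added example, not from the original Q&A: read a tracee's registers while it is
 * blocked in nanosleep() and show the snapshot is user-mode state (x86-64 Linux). */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <time.h>
#include <unistd.h>
#include <sys/wait.h>
#if defined(__linux__) && defined(__x86_64__)
#include <sys/ptrace.h>
#include <sys/user.h>
#endif

/* Assumed: first address above user space on x86-64 with 4-level paging. */
#define USER_ADDR_LIMIT 0x0000800000000000ULL

/* 1 if addr lies in the user half of the address space, else 0. */
int is_user_address(uint64_t addr) {
    return addr < USER_ADDR_LIMIT;
}

/* 1 if both the instruction pointer and the stack pointer are user-space
 * addresses, i.e. the register snapshot is user-mode state. */
int regs_are_userspace(uint64_t rip, uint64_t rsp) {
    return is_user_address(rip) && is_user_address(rsp);
}

int main(void) {
#if defined(__linux__) && defined(__x86_64__)
    pid_t child = fork();
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) {
        /* Tracee: ask to be traced, stop once so the tracer can sync up,
         * then park inside the kernel in nanosleep(). */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) { perror("PTRACE_TRACEME"); _exit(1); }
        raise(SIGSTOP);
        struct timespec ts = { .tv_sec = 5, .tv_nsec = 0 };
        nanosleep(&ts, NULL);
        _exit(0);
    }

    int status;
    if (waitpid(child, &status, 0) == -1 || !WIFSTOPPED(status)) {
        fprintf(stderr, "tracee did not reach its initial stop\n");
        return 1;
    }
    ptrace(PTRACE_CONT, child, NULL, NULL);            /* resume into nanosleep() */
    struct timespec grace = { .tv_sec = 0, .tv_nsec = 100 * 1000 * 1000 };
    nanosleep(&grace, NULL);                            /* let it block in the kernel */
    kill(child, SIGSTOP);                               /* interrupt it mid-syscall */
    if (waitpid(child, &status, 0) == -1 || !WIFSTOPPED(status)) {
        fprintf(stderr, "tracee did not stop on SIGSTOP\n");
        return 1;
    }

    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, child, NULL, &regs) == -1) {
        perror("PTRACE_GETREGS");
        kill(child, SIGKILL);
        return 1;
    }
    /* rip points just past the 'syscall' instruction in libc, rsp is the user
     * stack, orig_rax holds the number of the interrupted system call. */
    printf("rip=0x%llx rsp=0x%llx orig_rax=%lld\n",
           regs.rip, regs.rsp, (long long)regs.orig_rax);
    printf("user-mode snapshot: %s\n",
           regs_are_userspace(regs.rip, regs.rsp) ? "yes" : "no");

    kill(child, SIGKILL);
    waitpid(child, &status, 0);
    return 0;
#else
    puts("ptrace demo requires x86-64 Linux; the address helpers still compile");
    return 0;
#endif
}
```

Compile with `cc -Wall demo.c -o demo` and run it as an ordinary user; on hardened systems where ptrace_scope forbids tracing, the PTRACE_TRACEME/GETREGS calls fail with EPERM rather than returning a kernel-side register state.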