Why user_regs_struct values for execve syscall are 0 and how to fix this issue?

Asked Mar 06 '18 at 16:34

Active Oct 16 '21 at 06:31

Viewed 236 times

I am trying to catpure name of an executable for execve system call using ptrace as -

long val = ptrace(PTRACE_PEEKUSER, child, sizeof(long) * RDI);

Where RDI is the register which holds first argument to execve

I was hoping to get some arbitrary number in val But, it ended up having 0 all the time.

asked Mar 06 '18 at 16:34

vp8

How are you stopping the program at the `execve` moment? Are you sure that your tracee is caught at the right moment? – Mark Segal Mar 06 '18 at 20:17
@MarkSegal I am checking value of `ptrace(PTRACE_PEEKUSER, child, sizeof(long) * ORIG_RAX);` and making sure it equals to `__NR_EXECVE` this macro is defined in `asm/unistd_64.h`. I am able to print some text when `execve` is trapped. – vp8 Mar 06 '18 at 21:00

0 Answers0