
I'm trying to read the instruction pointer / pc register of a process/thread on ARM AArch64 Linux which is stuck within a system call (= kernel land) via this C++ code:

struct user_regs_struct regs;                    /* from <sys/user.h>; pc is unsigned long long on AArch64 */
struct iovec iov = { &regs, sizeof regs };       /* PTRACE_GETREGSET takes an iovec (<sys/uio.h>), not the struct itself */
ptrace( PTRACE_GETREGSET, threadProcessId, (void *)(uintptr_t)NT_PRSTATUS, &iov );  /* NT_PRSTATUS from <elf.h> selects the GPR set */
printf( "Register dump: %llx\n", regs.pc );

However, the address printed out is not the same as the function address from the top of the stack returned by /proc/threadProcessId/stack. It doesn't even seem to be in kernel space.

Am I doing something wrong? Can I access the kernel part pcs at all this way?

red0ct
Desperado17
  • Maybe you see the state of registers as set by the kernel at system call entry. If that is the case, maybe it is possible to interrupt the system call by sending a signal, so that the kernel restores the state of the registers. – Oliv Jan 16 '19 at 16:17
  • Look at PTRACE_INTERRUPT and PTRACE_SYSCALL. And in man ptrace/Stopped state you will find the answer! – Oliv Jan 16 '19 at 16:22
  • They are two different concepts: `PTRACE_GETREGSET` and `/proc/pid/stack`. One is the process and the other is kernel space. The kernel and process have separate `SP` values as determined by the mode. The GETREGSET should be where user space called into the kernel and the `proc/pid/stack` is where the kernel is processing the user request. – artless noise Jan 16 '19 at 17:22
  • Is there any other interface to process kernel information besides /proc? – Desperado17 Jan 16 '19 at 18:59

1 Answer

Ptrace is launched from user space, so it can access only user space memory [of user processes]. Kernel space is accessed by kernel modules, which can be inserted by insmod. The kernel space analogue of Ptrace is Ftrace.

Vlad Havriuk
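The following program is an added example, not code from the question or the answer. It puts the two views side by side: it parks a child in a system call, stops it with PTRACE_SEIZE/PTRACE_INTERRUPT (as suggested in the comments), reads the user-mode pc with a correctly formed PTRACE_GETREGSET call (NT_PRSTATUS plus an iovec), classifies that address as user or kernel using the AArch64 translation-table selector bit, and then reads the first frame of /proc/<tid>/stack, which is the kernel-side position and is only readable with root. The helper names (is_kernel_va_aarch64, read_user_pc, read_kernel_stack_top) are my own; the program compiles on AArch64 and, reading rip instead of pc, on x86-64.

```c
/* Added example: user-space pc via PTRACE_GETREGSET versus the kernel
 * frame in /proc/<tid>/stack for a thread blocked in a system call.
 * Build: cc -o pcdemo pcdemo.c ; run ./pcdemo (as root to see the kernel stack). */
#include <elf.h>        /* NT_PRSTATUS */
#include <errno.h>
#include <inttypes.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/uio.h>    /* struct iovec */
#include <sys/user.h>   /* struct user_regs_struct */
#include <sys/wait.h>
#include <unistd.h>

/* AArch64 virtual addresses: bit 55 selects the translation table. Linux maps
 * user space through TTBR0 (bit 55 clear) and the kernel through TTBR1
 * (bit 55 set), so this separates user from kernel addresses independent of
 * the configured VA size or top-byte-ignore tags in bits 63:56. */
int is_kernel_va_aarch64(uint64_t va)
{
    return (int)((va >> 55) & 1);
}

/* Read the user-mode register set of a stopped tracee. PTRACE_GETREGSET wants
 * the register-set id (NT_PRSTATUS) as addr and an iovec as data; passing the
 * struct directly fails with EINVAL and leaves regs uninitialised. Returns 0
 * and stores the program counter (pc on AArch64, rip on x86-64) in *pc. */
int read_user_pc(pid_t tid, uint64_t *pc)
{
    struct user_regs_struct regs;
    struct iovec iov = { .iov_base = &regs, .iov_len = sizeof regs };
    if (ptrace(PTRACE_GETREGSET, tid, (void *)(uintptr_t)NT_PRSTATUS, &iov) == -1)
        return -1;
#if defined(__aarch64__)
    *pc = regs.pc;
#elif defined(__x86_64__)
    *pc = regs.rip;
#else
    errno = ENOTSUP;
    return -1;
#endif
    return 0;
}

/* Copy the first line of /proc/<tid>/stack (the kernel function the thread is
 * sleeping in) into buf. Returns 0 on success; the file is root-only. */
int read_kernel_stack_top(pid_t tid, char *buf, size_t len)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/stack", (int)tid);
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    if (!fgets(buf, (int)len, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

int main(void)
{
    pid_t child = fork();
    if (child == 0) {
        pause();            /* park the child inside a system call */
        _exit(0);
    }
    usleep(100000);         /* give the child time to enter pause() */

    /* PTRACE_SEIZE + PTRACE_INTERRUPT stop the tracee without a signal; the
     * kernel leaves the syscall and the saved user-mode registers become
     * readable. The pc reported is the user instruction after the svc. */
    if (ptrace(PTRACE_SEIZE, child, NULL, NULL) == -1 ||
        ptrace(PTRACE_INTERRUPT, child, NULL, NULL) == -1) {
        perror("ptrace");
        kill(child, SIGKILL);
        return 1;
    }
    waitpid(child, NULL, 0);

    uint64_t pc;
    if (read_user_pc(child, &pc) == 0)
        printf("user-space pc: 0x%" PRIx64 " (%s address)\n", pc,
               is_kernel_va_aarch64(pc) ? "kernel" : "user");
    else
        perror("PTRACE_GETREGSET");

    char top[256];
    if (read_kernel_stack_top(child, top, sizeof top) == 0)
        printf("kernel stack top: %s\n", top);
    else
        perror("/proc/<tid>/stack (needs root)");

    ptrace(PTRACE_DETACH, child, NULL, NULL);
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return 0;
}
```

Run as root on an AArch64 box and the two lines differ as the comments describe: the pc is a low TTBR0 address in the tracee's own text, while /proc/<tid>/stack names the kernel function the task is sleeping in. The classification helper is also a quick sanity check for the original symptom: a value that is neither a plausible user address nor has bit 55 set usually means the GETREGSET call failed and the struct was never filled.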