Date:      Tue, 4 Apr 2006 12:05:10 +0200
From:      "Nicolas Cormier" <n.cormier@gmail.com>
To:        freebsd-hackers@freebsd.org
Subject:   Function calling
Message-ID:  <c4630b800604040305l4a46f816oa33edd2a09858845@mail.gmail.com>

Hello.

I'm writing a function tracer on FreeBSD to know which functions the
process passes through.

ex:
----

nico > cat toto.c
int foo4()
{
}
int foo3()
{
}
int foo2()
{
  foo3();
}
int foo1()
{
  foo2();
}
int main()
{
  foo1();
  foo4();
}
nico >

will print:

         0x80484a8 (foo1)
                 0x804849c (foo2)
                         0x8048494 (foo3)
                         ret @ 0x8048498
                 ret @ 0x80484a5
         ret @ 0x80484b1
         0x804848c (foo4)
         ret @ 0x8048490
----

I use PTRACE to run the process in single-stepping mode.
For each step I look on the next instruction (read at %eip) and I seek
the following sequence:


call
[backup eip in addr and wait a step]
pushl	%ebp
movl	%esp, %ebp
[print addr and the associated sym]

OR

(plt call)
call
jmp	*
pushl	$
jmp	.
[print eip and the associated sym]

OR

leave
ret
[print ret @ eip]


But when the program uses the libc I have more RETs than calls ...
What's the good way to find function calls and returns?

Thanks in advance for your help and sorry for my poor English.
--
Nico



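As an added illustration (not code from the original message or from the poster's tracer), the following pairs each `ret` with a pending `call` by return address instead of by recognising a `pushl %ebp; movl %esp, %ebp` prologue or a `leave; ret` epilogue. A `call` pushes the address of the next instruction, so the tracer records `eip + len` on a shadow stack when it steps over a `call`; on a `ret` it reads the address on top of the stack and pops the matching entry. Functions without a frame-pointer prologue (common in optimised library code) and calls through PLT stubs are then paired just like the hand-written ones. The instruction records, the symbol table, the addresses of `main` and the frameless library routine `lib_nofp`, and the caller-of-main address are constructed for this example; the `foo1`..`foo4` addresses reproduce the ones in the message. A real tracer would fill the records from PT_GETREGS, PT_READ_I and PT_READ_D instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kind of instruction the single-stepper decoded at %eip. Only call and ret
 * matter for pairing; prologues, leave, jumps and arithmetic are I_OTHER. */
typedef enum { I_OTHER, I_CALL, I_RET } Kind;

/* One single-stepped instruction. A real tracer fills eip from PT_GETREGS,
 * decodes the bytes read with PT_READ_I to get kind/len, and for a ret reads
 * the return address from the top of the stack with PT_READ_D at %esp.
 * Here the records are constructed by hand (see DEMO_TRACE below). */
typedef struct {
    uint32_t eip;    /* address of the instruction about to execute */
    Kind     kind;
    uint32_t len;    /* encoded length: call rel32 is 5 bytes, ret is 1 */
    uint32_t target; /* call: destination; ret: address on top of the stack */
} Insn;

typedef struct { uint32_t addr; const char *name; } Sym;

#define MAXDEPTH 64

typedef struct {
    uint32_t retaddr[MAXDEPTH]; /* shadow stack of pending return addresses */
    int depth;
    int calls, rets, unmatched;
} Tracer;

static const char *symname(const Sym *syms, size_t nsyms, uint32_t addr)
{
    for (size_t i = 0; i < nsyms; i++)
        if (syms[i].addr == addr) return syms[i].name;
    return "?";
}

/* Process one instruction; returns 1 if it was a call or ret, 0 otherwise.
 * Pass out == NULL to pair silently (used by tests). */
int trace_step(Tracer *t, const Insn *in, const Sym *syms, size_t nsyms, FILE *out)
{
    if (in->kind == I_CALL) {
        uint32_t ra = in->eip + in->len;   /* what 'call' pushes: next insn */
        if (out) fprintf(out, "%*s0x%x (%s)\n", 8 * t->depth, "",
                         (unsigned)in->target, symname(syms, nsyms, in->target));
        if (t->depth < MAXDEPTH) t->retaddr[t->depth++] = ra;
        t->calls++;
        return 1;
    }
    if (in->kind == I_RET) {
        /* Search from the top: a longjmp-style unwind may return past several
         * pending frames, which are then popped together. */
        int i;
        for (i = t->depth - 1; i >= 0 && t->retaddr[i] != in->target; i--)
            ;
        if (i >= 0) {
            t->depth = i;   /* print at the same indent as the matching call */
            t->rets++;
            if (out) fprintf(out, "%*sret @ 0x%x\n", 8 * t->depth, "", (unsigned)in->eip);
        } else {
            /* Return address never seen as a call: the frame predates the
             * trace (e.g. main returning to startup code) or was entered by jmp. */
            t->unmatched++;
            if (out) fprintf(out, "%*sret @ 0x%x (no matching call seen)\n",
                             8 * t->depth, "", (unsigned)in->eip);
        }
        return 1;
    }
    return 0;
}

void trace_run(Tracer *t, const Insn *trace, size_t n, const Sym *syms, size_t nsyms, FILE *out)
{
    for (size_t i = 0; i < n; i++) trace_step(t, &trace[i], syms, nsyms, out);
}

/* Constructed symbols: foo1..foo4 as in the message; main and lib_nofp invented. */
static const Sym DEMO_SYMS[] = {
    {0x804848c, "foo4"}, {0x8048494, "foo3"}, {0x804849c, "foo2"},
    {0x80484a8, "foo1"}, {0x80484b2, "main"}, {0x28100000, "lib_nofp"},
};

/* Constructed trace: main -> foo1 -> foo2 -> foo3, then foo4, then a frameless
 * library routine (no push/mov prologue), then main's own ret to untraced code. */
static const Insn DEMO_TRACE[] = {
    {0x80484b2, I_OTHER, 1, 0}, {0x80484b3, I_OTHER, 2, 0}, {0x80484b5, I_CALL, 5, 0x80484a8},
    {0x80484a8, I_OTHER, 1, 0}, {0x80484a9, I_OTHER, 2, 0}, {0x80484ab, I_CALL, 5, 0x804849c},
    {0x804849c, I_OTHER, 1, 0}, {0x804849d, I_OTHER, 2, 0}, {0x804849f, I_CALL, 5, 0x8048494},
    {0x8048494, I_OTHER, 1, 0}, {0x8048495, I_OTHER, 2, 0}, {0x8048497, I_OTHER, 1, 0},
    {0x8048498, I_RET, 1, 0x80484a4}, {0x80484a4, I_OTHER, 1, 0}, {0x80484a5, I_RET, 1, 0x80484b0},
    {0x80484b0, I_OTHER, 1, 0}, {0x80484b1, I_RET, 1, 0x80484ba}, {0x80484ba, I_CALL, 5, 0x804848c},
    {0x804848c, I_OTHER, 1, 0}, {0x804848d, I_OTHER, 2, 0}, {0x804848f, I_OTHER, 1, 0},
    {0x8048490, I_RET, 1, 0x80484bf}, {0x80484bf, I_CALL, 5, 0x28100000},
    {0x28100000, I_OTHER, 4, 0}, {0x28100004, I_OTHER, 2, 0}, {0x28100006, I_RET, 1, 0x80484c4},
    {0x80484c4, I_OTHER, 1, 0}, {0x80484c5, I_RET, 1, 0x28050123},
};

size_t demo_trace(const Insn **out) { *out = DEMO_TRACE; return sizeof DEMO_TRACE / sizeof DEMO_TRACE[0]; }
size_t demo_syms(const Sym **out)   { *out = DEMO_SYMS;  return sizeof DEMO_SYMS  / sizeof DEMO_SYMS[0]; }

int main(void)
{
    Tracer t = {{0}, 0, 0, 0, 0};
    const Insn *tr; const Sym *sy;
    size_t n = demo_trace(&tr), ns = demo_syms(&sy);
    trace_run(&t, tr, n, sy, ns, stdout);
    printf("calls=%d rets=%d unmatched=%d\n", t.calls, t.rets, t.unmatched);
    return 0;
}
```

Running it reproduces the nesting shown in the message for foo1..foo4, pairs the frameless `lib_nofp` call with its `ret` even though no prologue was ever seen, and reports main's final `ret` as unmatched rather than as a spurious return, which is the kind of count mismatch a prologue-based matcher produces when library code omits the frame pointer.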