下个linux kernel,通常在arch/xxx/include下有ptrace.h(通常是,但不总是,找不到时不妨grep下),里面有相应结构的定义
举个例子,有伪代码夹杂:
/*
 * General-purpose register block of a 32-bit x86 tracee, used as the
 * destination buffer for PTRACE_GETREGSET with NT_PRSTATUS.
 *
 * ptrace fills this buffer as raw bytes, so the order and width of the
 * fields must match the kernel's layout exactly (see ptrace.h under the
 * kernel's arch include directory). Do not reorder, resize or pad fields.
 */
struct x86_regs {
    uint32_t ebx;
    uint32_t ecx;
    uint32_t edx;
    uint32_t esi;
    uint32_t edi;
    uint32_t ebp;
    uint32_t eax;
    uint32_t xds;      /* segment selectors occupy a full 32-bit slot */
    uint32_t xes;
    uint32_t xfs;
    uint32_t xgs;
    uint32_t orig_eax; /* eax as it was at syscall entry */
    uint32_t eip;      /* instruction pointer */
    uint32_t xcs;
    uint32_t eflags;
    uint32_t esp;      /* stack pointer */
    uint32_t xss;
};
/*
 * General-purpose register block of a 64-bit x86 (amd64) tracee, used as
 * the destination buffer for PTRACE_GETREGSET with NT_PRSTATUS.
 *
 * ptrace fills this buffer as raw bytes, so the order and width of the
 * fields must match the kernel's layout exactly (see ptrace.h under the
 * kernel's arch include directory). Do not reorder, resize or pad fields.
 */
struct amd64_regs {
    uint64_t r15;
    uint64_t r14;
    uint64_t r13;
    uint64_t r12;
    uint64_t rbp;
    uint64_t rbx;
    uint64_t r11;
    uint64_t r10;
    uint64_t r9;
    uint64_t r8;
    uint64_t rax;
    uint64_t rcx;
    uint64_t rdx;
    uint64_t rsi;
    uint64_t rdi;
    uint64_t orig_rax; /* rax as it was at syscall entry */
    uint64_t rip;      /* instruction pointer */
    uint64_t cs;
    uint64_t eflags;
    uint64_t rsp;      /* stack pointer */
    uint64_t ss;
    uint64_t fs_base;
    uint64_t gs_base;
    uint64_t ds;
    uint64_t es;
    uint64_t fs;
    uint64_t gs;
};
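/*
 * Pseudo-code (the two conditions are placeholders, not real C): fetch the
 * tracee's general-purpose registers with PTRACE_GETREGSET / NT_PRSTATUS
 * into the struct that matches the tracee's bitness. iov (struct iovec) and
 * pid are assumed to be declared by the surrounding code.
 *
 * The kernel fills iov_base as raw bytes and writes the number of bytes it
 * actually stored back into iov.iov_len. Check both the return value and
 * that length before reading any field: after a failed call, or when the
 * tracee's bitness is not the one assumed, regs is uninitialized or only
 * partly filled.
 */
if (x86平台) {                /* pseudo-condition: running on an x86 platform */
    if (进程是64位) {         /* pseudo-condition: the tracee is a 64-bit process */
        struct amd64_regs regs;
        iov.iov_base = &regs;
        iov.iov_len = sizeof(regs);
        if (ptrace(PTRACE_GETREGSET, pid, (void*)NT_PRSTATUS, &iov) == -1 ||
            iov.iov_len != sizeof(regs)) {
            /* call failed or layout mismatch: do not read regs */
        } else {
            /* use regs.rip and the other 64-bit registers */
        }
    } else {
        struct x86_regs regs;
        iov.iov_base = &regs;
        iov.iov_len = sizeof(regs);
        if (ptrace(PTRACE_GETREGSET, pid, (void*)NT_PRSTATUS, &iov) == -1 ||
            iov.iov_len != sizeof(regs)) {
            /* call failed or layout mismatch: do not read regs */
        } else {
            /* use regs.eip and the other 32-bit registers */
        }
    }
}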
/*
 * General-purpose register block of a 32-bit x86 tracee, used as the
 * destination buffer for PTRACE_GETREGSET with NT_PRSTATUS.
 *
 * ptrace fills this buffer as raw bytes, so the order and width of the
 * fields must match the kernel's layout exactly (see ptrace.h under the
 * kernel's arch include directory). Do not reorder, resize or pad fields.
 */
struct x86_regs {
    uint32_t ebx;
    uint32_t ecx;
    uint32_t edx;
    uint32_t esi;
    uint32_t edi;
    uint32_t ebp;
    uint32_t eax;
    uint32_t xds;      /* segment selectors occupy a full 32-bit slot */
    uint32_t xes;
    uint32_t xfs;
    uint32_t xgs;
    uint32_t orig_eax; /* eax as it was at syscall entry */
    uint32_t eip;      /* instruction pointer */
    uint32_t xcs;
    uint32_t eflags;
    uint32_t esp;      /* stack pointer */
    uint32_t xss;
};
/*
 * General-purpose register block of a 64-bit x86 (amd64) tracee, used as
 * the destination buffer for PTRACE_GETREGSET with NT_PRSTATUS.
 *
 * ptrace fills this buffer as raw bytes, so the order and width of the
 * fields must match the kernel's layout exactly (see ptrace.h under the
 * kernel's arch include directory). Do not reorder, resize or pad fields.
 */
struct amd64_regs {
    uint64_t r15;
    uint64_t r14;
    uint64_t r13;
    uint64_t r12;
    uint64_t rbp;
    uint64_t rbx;
    uint64_t r11;
    uint64_t r10;
    uint64_t r9;
    uint64_t r8;
    uint64_t rax;
    uint64_t rcx;
    uint64_t rdx;
    uint64_t rsi;
    uint64_t rdi;
    uint64_t orig_rax; /* rax as it was at syscall entry */
    uint64_t rip;      /* instruction pointer */
    uint64_t cs;
    uint64_t eflags;
    uint64_t rsp;      /* stack pointer */
    uint64_t ss;
    uint64_t fs_base;
    uint64_t gs_base;
    uint64_t ds;
    uint64_t es;
    uint64_t fs;
    uint64_t gs;
};
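/*
 * Pseudo-code (the two conditions are placeholders, not real C): fetch the
 * tracee's general-purpose registers with PTRACE_GETREGSET / NT_PRSTATUS
 * into the struct that matches the tracee's bitness. iov (struct iovec) and
 * pid are assumed to be declared by the surrounding code.
 *
 * The kernel fills iov_base as raw bytes and writes the number of bytes it
 * actually stored back into iov.iov_len. Check both the return value and
 * that length before reading any field: after a failed call, or when the
 * tracee's bitness is not the one assumed, regs is uninitialized or only
 * partly filled.
 */
if (x86平台) {                /* pseudo-condition: running on an x86 platform */
    if (进程是64位) {         /* pseudo-condition: the tracee is a 64-bit process */
        struct amd64_regs regs;
        iov.iov_base = &regs;
        iov.iov_len = sizeof(regs);
        if (ptrace(PTRACE_GETREGSET, pid, (void*)NT_PRSTATUS, &iov) == -1 ||
            iov.iov_len != sizeof(regs)) {
            /* call failed or layout mismatch: do not read regs */
        } else {
            /* use regs.rip and the other 64-bit registers */
        }
    } else {
        struct x86_regs regs;
        iov.iov_base = &regs;
        iov.iov_len = sizeof(regs);
        if (ptrace(PTRACE_GETREGSET, pid, (void*)NT_PRSTATUS, &iov) == -1 ||
            iov.iov_len != sizeof(regs)) {
            /* call failed or layout mismatch: do not read regs */
        } else {
            /* use regs.eip and the other 32-bit registers */
        }
    }
}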