Function calling
Nicolas Cormier
n.cormier at gmail.com
Tue Apr 4 10:05:13 UTC 2006
Hello.
I'm writing a function tracer on freebsd to know which functions the
process passes through.
ex:
----
nico > cat toto.c
int foo4()
{
}
int foo3()
{
}
int foo2()
{
    foo3();
}
int foo1()
{
    foo2();
}
int main()
{
    foo1();
    foo4();
}
nico >
will print:
0x80484a8 (foo1)
0x804849c (foo2)
0x8048494 (foo3)
ret @ 0x8048498
ret @ 0x80484a5
ret @ 0x80484b1
0x804848c (foo4)
ret @ 0x8048490
----
I use PTRACE to run the process in single-stepping mode.
For each step I look at the next instruction (read at %eip) and I seek
one of the following sequences:
call
[backup eip in addr and wait a step]
pushl %ebp
movl %esp, %ebp
[print addr and the associated sym]
OR
(plt call)
call
jmp *
pushl $
jmp .
[print eip and the associated sym]
OR
leave
ret
[print ret @ eip]
But when the program uses the libc I have more RETs than CALLs ...
What's the right way to find function calls and returns?
Thanks in advance for your help and sorry for my poor English.
--
Nico
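The three-pattern matcher described above, as an added example (not the tracer's own code), run over a constructed single-step trace instead of live PTRACE output; addresses are made up, symbol lookup is omitted, and the rtld code that runs between "jmp ." and the callee on the first PLT call is left out. It shows one way the ret count ends up higher than the call count: the second call to a PLT symbol goes through the already-resolved "jmp *" straight into the callee, so neither the direct-call nor the lazy-binding pattern matches, while the callee's "leave; ret" is still reported.

```c
#include <stdio.h>
#include <string.h>
/* One single-step of the traced process: %eip and the mnemonic found there.
 * Constructed trace entries stand in for live PTRACE output. */
struct step { unsigned eip; const char *insn; };
struct counts { int calls, rets; };
/* Apply the three sequences from the post to a trace of single steps. */
static struct counts scan(const struct step *t, int n)
{
    struct counts c = {0, 0};
    for (int i = 0; i + 1 < n; i++) {
        if (!strcmp(t[i].insn, "call")) {
            /* direct call: the callee begins with the frame-pointer prologue */
            if (i + 2 < n && !strcmp(t[i + 1].insn, "pushl %ebp") &&
                !strcmp(t[i + 2].insn, "movl %esp,%ebp")) {
                printf("0x%x (call)\n", t[i + 1].eip);
                c.calls++;
            /* plt call on first use: lazy-binding stub (jmp *, pushl $, jmp .) */
            } else if (i + 3 < n && !strcmp(t[i + 1].insn, "jmp *") &&
                       !strcmp(t[i + 2].insn, "pushl $") &&
                       !strcmp(t[i + 3].insn, "jmp .")) {
                printf("0x%x (plt call)\n", t[i + 1].eip);
                c.calls++;
            } /* any other call (e.g. an already-resolved PLT jmp) goes unreported */
        } else if (!strcmp(t[i].insn, "leave") && !strcmp(t[i + 1].insn, "ret")) {
            printf("ret @ 0x%x\n", t[i + 1].eip);
            c.rets++;
        }
    }
    return c;
}
/* Constructed trace (addresses made up): main calls foo1, then calls a libc
 * function through the PLT twice. The rtld code executed between "jmp ." and
 * the callee's prologue on the first PLT call is omitted. */
static const struct step sample[] = {
    {0x8048400, "call"}, {0x80484a8, "pushl %ebp"}, {0x80484a9, "movl %esp,%ebp"},
    {0x80484ac, "leave"}, {0x80484ad, "ret"},
    {0x8048405, "call"}, {0x8048300, "jmp *"}, {0x8048306, "pushl $"},
    {0x804830b, "jmp ."}, {0x28100000, "pushl %ebp"}, {0x28100001, "movl %esp,%ebp"},
    {0x28100004, "leave"}, {0x28100005, "ret"},
    {0x804840a, "call"}, {0x8048300, "jmp *"}, {0x28100000, "pushl %ebp"},
    {0x28100001, "movl %esp,%ebp"}, {0x28100004, "leave"}, {0x28100005, "ret"},
};
struct counts count_sample(void) { return scan(sample, (int)(sizeof sample / sizeof sample[0])); }
int main(void)
{
    struct counts c = count_sample();
    printf("reported: %d calls, %d rets\n", c.calls, c.rets); /* 2 calls, 3 rets */
    return 0;
}
```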