I am working on a small debugger under Linux 64-bit, and I'm having trouble finding the syscall return value.
I am testing the RIP value, I mean that I am doing PEEK_USERDATA, and ptrace gives me the operation code in the opposite direction without the RIP address, in this way (where 0x050f is the SYSCALL operation code):
if ((rip & 0x0000ffff) == 0x050f)  /* parentheses needed: == binds tighter than & in C */
then get the name syscall args etc.
The problem is how to get the return value of these system calls. I know that ptrace provides PTRACE_SYSCALL to warn us about entering / exiting kernel mode, but I would like to check the RIP value directly, so I use SINGLESTEP. I checked whether my RIP operation code matches SYSLEAVE and SYSEXIT, but it never does. The only way to check the return value is to check my orig_rax, but I will not get the retval of exit_group this way.
I know that the Linux ABI wants the return value to be stored in RAX, but I don't know how to witness a return to the user area.
Thanks.
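As an added example (not code from the question or from any answer), the following x86-64 Linux tracer shows the two things the question is after: a correct check for the SYSCALL opcode word read at RIP, and reading the return value in RAX at the syscall-exit stop that PTRACE_SYSCALL delivers. It assumes a glibc x86-64 Linux system; the child it traces, the helper names `is_syscall_insn`, `syscall_result_errno` and `trace_child`, and the constructed child workload (a `write`, a failing `close`, then `_exit`) are all this example's own choices.

```c
/* Added example: observe syscall return values with PTRACE_SYSCALL on x86-64 Linux.
 * Assumes glibc's struct user_regs_struct (orig_rax / rax fields). */
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#ifdef __linux__
#include <sys/ptrace.h>
#include <sys/user.h>
#endif

/* The SYSCALL instruction is the byte pair 0F 05. Read little-endian as a word
 * from the text at RIP it appears as 0x050f in the low 16 bits. The parentheses
 * matter: in C, == binds tighter than &, so `w & 0xffff == 0x050f` tests `w & 1`. */
int is_syscall_insn(uint64_t word_at_rip) {
    return (word_at_rip & 0xffff) == 0x050f;
}

/* Decode the raw RAX value seen at syscall exit: the kernel returns -errno
 * (errno in 1..4095) on failure, anything else is a success value. */
int syscall_result_errno(long rax) {
    if (rax < 0 && rax >= -4095) return (int)-rax;
    return 0;
}

#ifdef __linux__
/* Run a traced child under PTRACE_SYSCALL. Each syscall produces two stops:
 * entry (orig_rax holds the number) and exit (rax holds the result). Like
 * strace, we toggle in_syscall to tell them apart; exit_group has no exit stop,
 * the process simply terminates, so that case is reported via WIFEXITED. */
static void trace_child(pid_t child) {
    int status, in_syscall = 0;
    struct user_regs_struct regs;
    waitpid(child, &status, 0);            /* child stopped itself with SIGSTOP */
    /* TRACESYSGOOD marks syscall stops as SIGTRAP|0x80 so they are unambiguous */
    ptrace(PTRACE_SETOPTIONS, child, 0, PTRACE_O_TRACESYSGOOD);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, child, 0, 0) == -1) break;
        if (waitpid(child, &status, 0) == -1) break;
        if (WIFEXITED(status)) {
            printf("child exited with status %d (exit_group never returns)\n",
                   WEXITSTATUS(status));
            break;
        }
        if (!(WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80)))
            continue;                      /* some other stop, e.g. a signal */
        ptrace(PTRACE_GETREGS, child, 0, &regs);
        if (!in_syscall) {
            printf("enter syscall %llu\n", regs.orig_rax);
        } else {
            long rax = (long)regs.rax;     /* the return value, now back in RAX */
            int err = syscall_result_errno(rax);
            if (err) printf("  -> -%d (%s)\n", err, strerror(err));
            else     printf("  -> %ld\n", rax);
        }
        in_syscall = !in_syscall;
    }
}
#endif

int main(void) {
#ifdef __linux__
    pid_t child = fork();
    if (child == 0) {
        /* constructed workload: one succeeding and one failing syscall */
        ptrace(PTRACE_TRACEME, 0, 0, 0);
        raise(SIGSTOP);                    /* let the parent attach options first */
        write(1, "hi\n", 3);
        close(999);                        /* fails with -EBADF in RAX */
        _exit(0);
    }
    trace_child(child);
#endif
    return 0;
}
```

Compile with `cc -o tracer tracer.c` and run it; the `close(999)` line should print as `-9 (Bad file descriptor)`, which is the -errno convention the question's orig_rax check cannot show. Single-stepping never lands on a SYSRET/SYSEXIT because those execute in kernel mode, which is why the exit stop, not RIP inspection, is the place to read RAX; if the exit status of exit_group itself is needed, PTRACE_O_TRACEEXIT provides a stop just before the process disappears.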