On Fri, Dec 02, 2005 at 16:56:11 +0530, Saumender Dash wrote:
> I'm writing a KLM where I want to detect from where a system call is
> invoked and report the program counter (PC). So I want to unwind the user
> stack from the kernel, and go above the libc and find the PC, if it lies
> in a program text.

Well, you can freely access the userland memory (ok, you have to use copy_from_user and such to handle page faults for you) and you have the stack pointer available in the task struct, which you obtain from current. The rest is making sense out of that stack.

That being said, I don't really think you should do this from kernel. For programs that don't use libc (they DON'T have to), you can't really tell which stack frame to report. And for those that do, you can simply preload, via LD_PRELOAD, a library that will wrap the syscalls in some reporting mechanism -- which will have a lot easier work, because it will simply log its return address.

Simply create a library that will provide the syscalls. For the simple syscalls, you will then have to invoke them manually via the __syscallN thing; for the more complex ones, libc does provide them under alternate names to call to.

Or you could use yet another way - inspect the process using ptrace from another process. That will give you the same possibilities that you would have from kernel, but you will have all the good userland stuff available.

--
Jan 'Bulb' Hudec <bulb@xxxxxx>
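The userland approach Jan describes (a preloadable wrapper that logs its own return address and then checks whether that PC lies in program text) as an added example; this is not code from the thread. It uses syscall(2) rather than the old __syscallN macros, resolves the PC through /proc/self/maps, and the names traced_write, last_site and pc_in_text are this example's own. To deploy it as an LD_PRELOAD shim, rename traced_write to write and build it into a shared object.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Ring of recorded call sites (names are this example's own). */
#define MAX_SITES 64
static uintptr_t g_sites[MAX_SITES];
static int g_nsites;

/* Stand-in for a preloaded write(): record the caller's return address,
 * then issue the raw syscall so no libc wrapper sits in between. */
__attribute__((noinline))
ssize_t traced_write(int fd, const void *buf, size_t len)
{
    uintptr_t pc = (uintptr_t)__builtin_return_address(0);
    if (g_nsites < MAX_SITES)
        g_sites[g_nsites++] = pc;
    return syscall(SYS_write, fd, buf, len);
}

uintptr_t last_site(void) { return g_nsites ? g_sites[g_nsites - 1] : 0; }

/* Scan /proc/self/maps for the mapping containing pc. Returns 1 when that
 * mapping is executable (the PC is in some text segment) and copies the
 * backing file's path into path; returns 0 otherwise (Linux-specific). */
int pc_in_text(uintptr_t pc, char *path, size_t pathlen)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int found = 0;
    if (!f) return 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char perms[5], file[256] = "";
        if (sscanf(line, "%lx-%lx %4s %*s %*s %*s %255s", &lo, &hi, perms, file) < 3)
            continue;
        if (pc >= lo && pc < hi) {
            found = (perms[2] == 'x');
            snprintf(path, pathlen, "%s", file);
            break;
        }
    }
    fclose(f);
    return found;
}
```

Run with `LD_PRELOAD=./shim.so` once renamed and built as a shared object; a call site that resolves to the main executable's mapping rather than libc's is exactly the PC the original question wanted.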