stackoom
  简体   繁体   中英

Access ebp when given eip

 原文  2010-11-15 16:40:23       c/ unix

Question

I am trying to develop a runtime stack tracer. I have a function that returns the EIP address whenever the program being traced segfaults. How can I get back to the ebp of the current function (the one during which the program under observation crashed) so that I can start tracing up?

2 answers

solution1
 5  2010-11-15 16:54:29

There is no way to convert an instruction pointer to a stack frame pointer. The same function may be invoked many times (even recursively) with different stack addresses; that's the whole point of having a call stack. If you have a crash dump file (core file, etc.) it should contain a dump of all the registers. If you want the register values you must read them from here.

solution2
 3  2010-11-15 19:09:35

The current ebp and esp (and all other registers) at the time of the segfault is available in the ucontext, which is passed as the third argument to the signal handler. The details of what's where in the ucontext is OS and CPU specific.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Access EIP and EBP via ucontext on OS X Finding %ebp after crash (have %eip) How to disable possible stack smashing protection (EIP is not being overwritten, EBP is) Parsing the Stack and Registers (EBP, EIP, ESP) and figuring out which function is related to each frame Access EBP register from C shellcode gdb Cannot access memory at address of $ebp Cannot access $eip no matter the size of the buffer - gdb How does ESP and EBP registers act when a new program is executed? What is the EBP register pointing to when the main function executes? (Intel x82 architecture) LabVIEW + C-DLL: Access violation (0xC0000005) at EIP = 0x00000000
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM