Getting the EIP of a process
From: Jon M. Hanson (jon_at_the-hansons-az.net)
Date: Wed, 13 Oct 2004 04:11:25 GMT
I have written a kernel module that is triggered upon an IOCTL from a
user application. Once triggered, the kernel module dumps out the contents
of the system memory and the x86 CPU architecture state to separate files.
I'm writing to the group because my method for getting the registers
from the user process before it entered the kernel is producing incorrect
results. I've looked all through the kernel code and searched all over the
web for an answer to this specific question and have found nothing.
In my research into how to do this I've found that the stack pointer
for the user process before it entered the kernel is stored in
current->thread.esp0. From there the registers for the user process are
stored at offsets from that stack address (for example, eip is supposed to
be 0x28 unsigned char bytes from esp0). I have code to get the eip as follows:

    unsigned char *stack_address, *eip;
    stack_address = (unsigned char *)(current->thread.esp0);
    eip = stack_address + 0x28;
    printk("eip = %08lx\n", *(unsigned long *)eip);

Like I mentioned above, this is producing incorrect results. How do I access
the general purpose x86 register contents at the time the kernel was
entered (or correct my above code if I'm accessing something wrong)?
Thanks in advance for any suggestions offered.
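
Added example, not part of the original post: a user-space model of the offset arithmetic in question. It assumes the i386 2.4/2.6 convention that thread.esp0 is the top of the kernel stack and the saved register frame (struct pt_regs, 15 32-bit slots) ends exactly there; the names pt_regs32, build_stack, eip_as_posted and eip_from_frame are hypothetical, and the stack contents are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the saved frame, in i386 struct pt_regs field order
 * (assumed layout, not taken from the post). */
struct pt_regs32 {
    uint32_t ebx, ecx, edx, esi, edi, ebp, eax, xds, xes, orig_eax;
    uint32_t eip, xcs, eflags, esp, xss;
};

#define KSTACK_SIZE 8192   /* modelled kernel stack */
#define PAST_TOP    64     /* filler standing in for memory beyond the stack */
static unsigned char mem[KSTACK_SIZE + PAST_TOP];

/* Build a constructed kernel stack and return the modelled esp0 (its top). */
unsigned char *build_stack(uint32_t user_eip)
{
    unsigned char *esp0 = mem + KSTACK_SIZE;
    struct pt_regs32 regs = {0};

    memset(mem, 0xAA, sizeof(mem));
    regs.eip = user_eip;
    /* Kernel entry pushes downward, so the frame ends exactly at esp0. */
    memcpy(esp0 - sizeof(regs), &regs, sizeof(regs));
    return esp0;
}

/* The post's arithmetic: 0x28 bytes above esp0, i.e. past the stack top. */
uint32_t eip_as_posted(const unsigned char *esp0)
{
    uint32_t v;
    memcpy(&v, esp0 + 0x28, sizeof(v));
    return v;
}

/* Frame-relative arithmetic: step back one whole frame, then index eip. */
uint32_t eip_from_frame(const unsigned char *esp0)
{
    const unsigned char *frame = esp0 - sizeof(struct pt_regs32);
    uint32_t v;
    memcpy(&v, frame + offsetof(struct pt_regs32, eip), sizeof(v));
    return v;
}

int main(void)
{
    unsigned char *esp0 = build_stack(0x08048123u);
    printf("as posted %08x, from frame %08x\n",
           (unsigned)eip_as_posted(esp0), (unsigned)eip_from_frame(esp0));
    return 0;
}
```

In this model 0x28 is the offset of eip inside the frame, so it only yields the saved eip when measured from the start of the frame, which is sizeof(struct pt_regs) below esp0.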