Getting the EIP of a process

From: Jon M. Hanson (jon_at_the-hansons-az.net)
Date: 10/13/04


Date: Wed, 13 Oct 2004 04:11:25 GMT


I have written a kernel module that is triggered upon an IOCTL from a
user application. Once triggered the kernel module dumps out the contents
of the system memory and the x86 CPU architecture state to separate files.

I'm writing to the group because my method for getting the registers
from the user process before it entered the kernel is producing incorrect
results. I've looked all through the kernel code and searched all over the
web for an answer to this specific question and have found nothing.

In my research in how to do this I've found that the stack pointer
for the user process before it entered the kernel is stored in
current->thread.esp0. From there the registers for the user process are
stored at offsets from that stack address (for example, eip is supposed to
be 0x28 unsigned char bytes from esp0). I have code to get the eip as
follows:

#include <linux/kernel.h>   /* printk */
#include <linux/sched.h>    /* current, struct thread_struct */

unsigned char *stack_address, *eip;

/* Take thread.esp0 (the kernel stack pointer recorded for this task) as the
 * base and read the word 0x28 bytes above it as the user-mode EIP. */
stack_address = (unsigned char *)(current->thread.esp0);
eip = stack_address + 0x28;
printk("eip = %08lx\n", *(unsigned long *)eip);

Like I mentioned above this is producing incorrect results. How do I access
the general purpose x86 register contents at the time the kernel was
entered (or correct my above code if I'm accessing something wrong)?
Thanks in advance for any suggestions offered.
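As an added illustration (not the poster's code and not kernel source), the following user-space C model of the i386 kernel-entry register frame shows where the saved user EIP actually sits relative to thread.esp0. It assumes the 2.6-era i386 layout: esp0 is the top of the task's kernel stack and the user's saved registers are the struct pt_regs immediately below it; the kernel stack buffer and register values are constructed for the demonstration.

```c
/* Added example: models asm-i386 struct pt_regs (the frame pushed by the
 * entry code on kernel entry) in user space.  Assumption: thread.esp0 is the
 * kernel-stack top and the saved user frame is the pt_regs just below it,
 * i.e. regs = (struct pt_regs *)esp0 - 1, as in 2.6-era i386 kernels. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* uint32_t stands in for the kernel's 32-bit long/int fields. */
struct i386_pt_regs {
    uint32_t ebx, ecx, edx, esi, edi, ebp, eax;   /* pushed by SAVE_ALL */
    uint32_t xds, xes;
    uint32_t orig_eax;
    uint32_t eip, xcs, eflags, esp, xss;          /* pushed by the CPU  */
};

#define KSTACK_SIZE 8192                 /* THREAD_SIZE on i386 */
static uint8_t kstack[KSTACK_SIZE];      /* constructed stand-in kernel stack */

/* Build a fake kernel stack whose top holds a user frame; return esp0. */
uintptr_t make_fake_kernel_stack(uint32_t user_eip, uint32_t user_esp)
{
    uintptr_t esp0 = (uintptr_t)kstack + KSTACK_SIZE;
    struct i386_pt_regs *regs = (struct i386_pt_regs *)esp0 - 1;
    memset(kstack, 0, sizeof kstack);
    regs->eip = user_eip;
    regs->esp = user_esp;
    regs->xcs = 0x73;                    /* ring-3 code segment selector */
    return esp0;
}

/* Correct read: locate the frame below esp0, then take its eip field. */
uint32_t user_eip_from_esp0(uintptr_t esp0)
{
    const struct i386_pt_regs *regs = (const struct i386_pt_regs *)esp0 - 1;
    return regs->eip;
}

/* Signed byte offset of the saved eip from esp0.  eip is 0x28 into the
 * frame, but the frame starts sizeof(frame) below esp0, so the result is
 * negative; esp0 + 0x28 points above the stack top, into unrelated memory. */
long eip_offset_from_esp0(void)
{
    return (long)offsetof(struct i386_pt_regs, eip)
         - (long)sizeof(struct i386_pt_regs);
}

int main(void)
{
    uintptr_t esp0 = make_fake_kernel_stack(0x08048abcu, 0xbffff0f0u);
    printf("eip = %08x (offset from esp0: %ld)\n",
           user_eip_from_esp0(esp0), eip_offset_from_esp0());
    return 0;
}
```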


