bi0s.kidd0 - 27 days ago
C Question

Difference between ptrace(PTRACE_PEEKUSER) and ptrace(PTRACE_PEEKDATA)?

After posting a lot of questions on ptrace (the most recent 5 questions are mine :( ) I finally got the desired output when I replaced

reg_val[1] = ptrace (PTRACE_PEEKDATA, child, 4 * EBX, NULL);

with

reg_val[1] = ptrace (PTRACE_PEEKUSER, child, 4 * EBX, NULL);

The difference mentioned in the man page is this:

  • PTRACE_PEEKTEXT, PTRACE_PEEKDATA: reads a word at the location addr in the child's memory.

  • PTRACE_PEEKUSER: reads a word at offset addr in the child's USER area.

I am unable to understand this difference from the man page alone. Can anyone educate me more on this?


PTRACE_PEEKDATA is for reading the data/code sections of the child (a process in general). As you know, debuggers are the ones who use ptrace a lot; they can use this call to examine the values of variables. For example, in GDB/DBX, if you say

print count

the debugger will internally invoke ptrace with PTRACE_PEEKDATA and find its value.

PTRACE_PEEKUSER is to read the contents of the child's USER area, which holds the contents of the registers and other info. sys/user.h lists what that other info is.

For example, the USER area contains (i386 layout from sys/user.h):

struct user_regs_struct
{
  long int ebx;
  long int ecx;
  long int edx;
  long int esi;
  long int edi;
  long int ebp;
  long int eax;
  long int xds;
  long int xes;
  long int xfs;
  long int xgs;
  long int orig_eax;
  long int eip;
  long int xcs;
  long int eflags;
  long int esp;
  long int xss;
};

In short, PTRACE_PEEKDATA is for program data (variables etc.) and code, and PTRACE_PEEKUSER is for things like register values and other debug info.
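To make the distinction concrete, here is a small tracer that issues both requests against the same stopped child. This is an added example, not code from the question or the answer above. It assumes Linux on i386 or x86-64 (the `struct user` layout from sys/user.h, so the "addr" for PTRACE_PEEKUSER is `offsetof(struct user, regs.eip)` or `regs.rip`, the same idea as the question's `4 * EBX`); the names `child_counter`, `pc_offset_in_user_area` and `peek_both` are this example's own. Because fork() duplicates the address space, `&child_counter` is the same address in tracer and tracee, and PTRACE_PEEKDATA at that address returns the child's copy, not the tracer's.

```c
/* Added example (not from the original post): PTRACE_PEEKDATA reads a
 * word of the tracee's memory, PTRACE_PEEKUSER reads a word of its
 * USER area (registers etc.). Linux, i386 or x86-64 only. */
#include <errno.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Lives in the data segment; fork() gives the child its own copy at the
 * same virtual address, which is what PTRACE_PEEKDATA will read. */
static volatile long child_counter = 0x1234;

/* The "addr" argument for PTRACE_PEEKUSER: byte offset of the program
 * counter inside struct user (register index times word size). */
size_t pc_offset_in_user_area(void)
{
#if defined(__x86_64__)
    return offsetof(struct user, regs.rip);
#elif defined(__i386__)
    return offsetof(struct user, regs.eip);
#else
#error "this example targets Linux on i386 or x86-64"
#endif
}

struct peek_result {
    long data_word;   /* PTRACE_PEEKDATA: word at &child_counter in the child */
    long pc;          /* PTRACE_PEEKUSER: child's program counter */
};

static void kill_and_reap(pid_t pid)
{
    int status;
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
}

/* Returns 0 on success, -1 if the child could not enable tracing
 * (ptrace blocked by a sandbox or seccomp policy), -2 on other failure. */
int peek_both(struct peek_result *out)
{
    pid_t pid = fork();
    if (pid < 0)
        return -2;

    if (pid == 0) {
        /* Tracee: request tracing, modify the variable, then stop. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(3);
        child_counter = 0x4242;
        raise(SIGSTOP);
        _exit(0);
    }

    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -2;
    if (WIFEXITED(status))            /* PTRACE_TRACEME failed in the child */
        return WEXITSTATUS(status) == 3 ? -1 : -2;
    if (!WIFSTOPPED(status))
        return -2;

    /* A legitimate word can be -1, so errno distinguishes error from data. */
    errno = 0;
    long data = ptrace(PTRACE_PEEKDATA, pid, (void *)&child_counter, NULL);
    if (data == -1 && errno != 0) { kill_and_reap(pid); return -2; }

    errno = 0;
    long pc = ptrace(PTRACE_PEEKUSER, pid, (void *)pc_offset_in_user_area(), NULL);
    if (pc == -1 && errno != 0) { kill_and_reap(pid); return -2; }

    out->data_word = data;
    out->pc = pc;

    /* Resume the child without delivering the SIGSTOP, then reap it. */
    ptrace(PTRACE_CONT, pid, NULL, NULL);
    waitpid(pid, &status, 0);
    return 0;
}

int main(void)
{
    struct peek_result r;
    int rc = peek_both(&r);
    if (rc != 0) {
        fprintf(stderr, "ptrace demo failed (rc=%d)\n", rc);
        return 1;
    }
    printf("PEEKDATA at %p: 0x%lx (tracer's own copy still holds 0x%lx)\n",
           (void *)&child_counter, r.data_word, child_counter);
    printf("PEEKUSER at USER-area offset %zu: pc = 0x%lx\n",
           pc_offset_in_user_area(), r.pc);
    return 0;
}
```

Note the errno check after each PEEK request: both calls return the word itself, so a read that really is -1 is only distinguishable from a failure by clearing errno first, which the one-liner in the question does not do.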