上篇講過了導出寄存器的值
但是當函數參數多於4個的話(R0 R1 R2 R3 ),其餘的參數會保存在堆棧中,所以必須導出SP附近的值才能查看其它參數的值
此函數實現如下:
第一個參數爲SP的值,第二個是以SP爲中心要打印的周圍棧數據的範圍
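/*
 * dump_arm_stack - print the stack words around an ARM stack pointer.
 *
 * @_addr:    stack pointer (regs->uregs[13] on ARM) to centre the dump on
 * @addrSize: number of 4-word lines to print on each side of @_addr;
 *            2 * @addrSize lines are printed in total
 *
 * Each line is labelled with its highest address and lists the 32-bit
 * word at that address followed by the three words below it, so the dump
 * walks downwards through memory.  The words read run from
 * @_addr - 4*@addrSize + 1 up to and including @_addr + 4*@addrSize.
 * The line whose label is exactly @_addr is marked "$$$" instead of "---";
 * under AAPCS the fifth and later arguments of the probed function are
 * found starting at that address.
 *
 * The window is read with plain dereferences, so the caller must make sure
 * it lies inside mapped memory (here: the kernel stack the probe fired on);
 * a window that crosses the end of the stack faults instead of printing.
 *
 * Returns 0.
 */
static int dump_arm_stack(unsigned int * _addr , unsigned int addrSize)
{
	const unsigned int word_per_line = 4;
	/* Top of the window; each iteration steps one line towards lower addresses. */
	unsigned int *addr = _addr + word_per_line * addrSize;
	unsigned int i;

	for (i = 0; i < addrSize * 2; i++) {
		unsigned int *line = addr - i * word_per_line;
		/* Mark the line that starts exactly at the stack pointer. */
		const char *marker = (i == addrSize) ? "$$$" : "---";

		/* A pointer must not be passed to %x: cast to unsigned long
		 * (pointer-sized on every Linux target) and print with %lx. */
		printk(" addr:0x%08lx %s 0x%08x 0x%08x 0x%08x 0x%08x \n",
		       (unsigned long)line, marker,
		       *(line - 0), *(line - 1), *(line - 2), *(line - 3));
	}
	return 0;
}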
實際調用(regs->uregs[13] 即爲stack pointer):
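/*
 * handler_pre - kprobe pre-handler that dumps the registers and the stack.
 *
 * @p:    the kprobe that fired (p->symbol_name names the probed symbol)
 * @regs: register file at the probe point; on ARM uregs[13] is the
 *        stack pointer
 *
 * Prints the probed symbol name, dumps the general registers and then five
 * 4-word lines of stack on each side of the stack pointer, so arguments the
 * probed function receives on the stack (the 5th onwards under AAPCS) can
 * be inspected.  kprobes fire in kernel mode, so uregs[13] is expected to be
 * a kernel stack address and the dump window should stay inside that stack.
 *
 * Returns 0, the pre-handler convention for "continue normally".
 */
static int handler_pre(struct kprobe *p, struct pt_regs *regs)
{
	/* sizeof yields size_t, which needs %zu rather than %d. */
	printk(" kprobes name is %s pt_regs size is %zu \n",
	       p->symbol_name, sizeof(regs->uregs));
	dump_arm_regs(regs->uregs);
	/* uregs[13] is SP on ARM; dump 5 lines above and 5 lines below it. */
	dump_arm_stack((unsigned int *)regs->uregs[13], 5);
	return 0;
}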
當探測到實際printk輸出如下:
//導出當時堆棧的值
<4>[ 9749.267927]-(0)[186:adbd] addr:0xdbe8ff80 --- 0xdbe8ffa4 0x00000000 0xdbe8e000 0xc000e0a4
<4>[ 9749.269044]-(0)[186:adbd] addr:0xdbe8ff70 --- 0x00000002 0x00043d34 0x00042ff4 0x00000035
<4>[ 9749.270161]-(0)[186:adbd] addr:0xdbe8ff60 --- 0x00000035 0x80045430 0x00000000 0xc8131300
<4>[ 9749.271278]-(0)[186:adbd] addr:0xdbe8ff50 --- 0xdbe8ff7c 0x00000000 0x00000001 0x00000000
<4>[ 9749.272395]-(0)[186:adbd] addr:0xdbe8ff40 --- 0x00000001 0xc063bd50 0x00000088 0x00000055
<4>[ 9749.273512]-(0)[186:adbd] addr:0xdbe8ff30 $$$ 0x00000044 0xc00872a4 0xc00524fc 0xdbe8ff30 //這裏是當時堆棧的中心
<4>[ 9749.274629]-(0)[186:adbd] addr:0xdbe8ff20 --- 0xdbe8ff8c 0x00000000 0xdbe8e000 0xdc38f000
<4>[ 9749.275746]-(0)[186:adbd] addr:0xdbe8ff10 --- 0x00001482 0x00000000 0xdbe8e000 0xc4b6b000
<4>[ 9749.276864]-(0)[186:adbd] addr:0xdbe8ff00 --- 0xc06309f4 0x60000013 0xdbe8ff1c 0xc063bd98
<4>[ 9749.277981]-(0)[186:adbd] addr:0xdbe8fef0 --- 0xc00873c8 0xffffffff 0x60000013 0xc0052368
/* 0x11, 0x22, 0x33 and mytestbuf travel in R0-R3; 0x44, 0x55 and 0x88 are
 * the 5th-7th arguments and are passed on the stack, which the dump above
 * shows at SP, SP+4 and SP+8. */
testAddadd5(0x11,0x22,0x33,mytestbuf,0x44,0x55,0x88);
可以看出上面printk輸出中（原文以紅色標出的）0x44、0x55、0x88 與第5、6、7個傳入的參數是一致的。
說明導出的stack的值是可信的。