-
October 20th, 2008, 02:17 PM
#1
question about using ptrace
hello guys,
one of my computer architecture homework tasks is to count the top 20 most executed assembly instructions.
i couldn't find any such tool working under windows xp, but i know a system call under linux which is ptrace() that can step over a program and read back register values and memory data. i know a lot of debuggers are using ptrace.
so i did a simple instruction counter. the code is the same as the one in this article, except that the code in the article takes the linux command /bin/ls as the target program for testing, while i'm testing a very simple program i wrote.
http://linuxgazette.net/issue81/sandeep.html
and this is my target program (the child process):

    int main()
    {
        int a=0;
        a+=4;
    }

surprisingly, the returned counting result was more than 90000, and the counting program ran for quite a while.
i think that is weird, as the target program is so simple.
so i tried to read back the value from the eip register of the child process and found out that, at the beginning, the value inside the eip register is different from the starting address viewed with a disassembler.
in other words, the child process was actually running some other code instead of my target program.
for example, the starting address of the target program viewed in a disassembler is 0x34343434, however the value of the eip register at the first line of the child process is 0x5555555.
i don't know what's wrong?
and if i manually assign the starting address got from the disassembler to the eip register of the child process at the beginning, which means i manually redirect the child process eip to the beginning of the main function of my target program, the counter works pretty well. the resulting count matches the number of instructions viewed with the disassembler.
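
Added example (not code from the original post or from the linked article): a single-step counter in C that reads the tracee's program counter at every stop, so the total can be compared with the number of steps that fall inside a chosen address range such as main. The names count_steps, tracee_pc and struct step_stats are made up for this sketch, and lo/hi are assumed to be runtime addresses (for a position-independent executable they differ from what a disassembler shows). On a dynamically linked target the first stop is in the dynamic loader, which runs before main.

```c
#include <elf.h>          /* NT_PRSTATUS */
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

struct step_stats { unsigned long total, in_range, first_pc; };

/* Program counter of a stopped tracee (0 if it cannot be read). */
static unsigned long tracee_pc(pid_t pid)
{
    struct user_regs_struct regs;
    struct iovec iov = { &regs, sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)NT_PRSTATUS, &iov) == -1)
        return 0;
#if defined(__x86_64__)
    return regs.rip;
#elif defined(__i386__)
    return regs.eip;
#elif defined(__aarch64__)
    return regs.pc;
#else
    return 0;             /* other architectures are not handled here */
#endif
}

/* Single-step `path`; count every stop and those with lo <= pc < hi. */
int count_steps(const char *path, unsigned long lo, unsigned long hi,
                struct step_stats *out)
{
    int status;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {                      /* child: ask to be traced, exec */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == 0)
            execl(path, path, (char *)NULL);
        _exit(127);
    }
    out->total = out->in_range = out->first_pc = 0;
    /* First stop: SIGTRAP after execve, before the new image runs. */
    while (waitpid(pid, &status, 0) == pid && WIFSTOPPED(status)) {
        unsigned long pc = tracee_pc(pid);
        if (out->total == 0) out->first_pc = pc;  /* where execution begins */
        out->total++;
        if (pc >= lo && pc < hi) out->in_range++;
        if (ptrace(PTRACE_SINGLESTEP, pid, NULL, NULL) == -1) {
            kill(pid, SIGKILL); waitpid(pid, &status, 0); break;
        }
    }
    return 0;
}
```

Comparing first_pc with the address of main, and in_range with total, shows how much of the count comes from code that runs before and after main.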
-
October 21st, 2008, 03:42 AM
#2
Re: question about using ptrace
Thanks for your help.