How do I know which function has called the kill method via svc?

[w296488320]

I found a function that calls the kill function via svc and I want to know where the kill is called,
I tried to intercept by ptrace and judging by the system call number if it was a kill function I tried to print his FP register but get 0 .

        case SC_kill: {
            word_t LRAddress = peek_reg(tracee, CURRENT, SYSARG_RESULT);
            word_t PCAddress = peek_reg(tracee, CURRENT, INSTR_POINTER);
            word_t SPAddress = peek_reg(tracee, CURRENT, STACK_POINTER);
            word_t FPAddress = peek_reg(tracee, CURRENT, FRAME_POINTER);

            
            LOGE(">>>>>>>>>  ptrace find call kill by svc , sig -> %lu "
                 "LR reg address -> 0x%lX  "
                 "PC reg address -> 0x%lX  "
                 "栈顶 SP reg address -> 0x%lX  "
                 "栈底 FP reg address -> 0x%lX  ",
                 peek_reg(tracee, CURRENT, SYSARG_2),
                 LRAddress,
                 PCAddress,
                 SPAddress,
                 FPAddress
            )
            
             mapItemInfo info = getSymbolforAddress(LRAddress, tracee->pid);
             LOGE(">>>>>>>>>  ptrace call kill LR so name  -> %s ,start addr -> %zu ",
                     info.mapsName,
                     info.start
             )

I add the reg.cpp to the original one
ARCH_ARM64 -> [FRAME_POINTER] = USER_REGS_OFFSET(regs[29]),
ARCH_ARM_EABI -> [FRAME_POINTER] = USER_REGS_OFFSET(uregs[12]),

#elif defined(ARCH_ARM_EABI)
static off_t reg_offset[] = {
        [SYSARG_NUM]    = USER_REGS_OFFSET(uregs[7]),
        [SYSARG_1]      = USER_REGS_OFFSET(uregs[0]),
        [SYSARG_2]      = USER_REGS_OFFSET(uregs[1]),
        [SYSARG_3]      = USER_REGS_OFFSET(uregs[2]),
        [SYSARG_4]      = USER_REGS_OFFSET(uregs[3]),
        [SYSARG_5]      = USER_REGS_OFFSET(uregs[4]),
        [SYSARG_6]      = USER_REGS_OFFSET(uregs[5]),
        [SYSARG_RESULT] = USER_REGS_OFFSET(uregs[0]),
        [STACK_POINTER] = USER_REGS_OFFSET(uregs[13]),
        [INSTR_POINTER] = USER_REGS_OFFSET(uregs[15]),
        [USERARG_1]     = USER_REGS_OFFSET(uregs[0]),
        [FRAME_POINTER]     = USER_REGS_OFFSET(uregs[12]),
};
#elif defined(ARCH_ARM64)
#undef  USER_REGS_OFFSET
#define USER_REGS_OFFSET(reg_name) offsetof(struct user_regs_struct, reg_name)

static off_t reg_offset[] = {
[SYSARG_NUM]    = USER_REGS_OFFSET(regs[8]),
[SYSARG_1]      = USER_REGS_OFFSET(regs[0]),
[SYSARG_2]      = USER_REGS_OFFSET(regs[1]),
[SYSARG_3]      = USER_REGS_OFFSET(regs[2]),
[SYSARG_4]      = USER_REGS_OFFSET(regs[3]),
[SYSARG_5]      = USER_REGS_OFFSET(regs[4]),
[SYSARG_6]      = USER_REGS_OFFSET(regs[5]),
[SYSARG_RESULT] = USER_REGS_OFFSET(regs[0]),
[STACK_POINTER] = USER_REGS_OFFSET(sp),
[INSTR_POINTER] = USER_REGS_OFFSET(pc),
[USERARG_1]     = USER_REGS_OFFSET(regs[0]),
[FRAME_POINTER]     = USER_REGS_OFFSET(regs[29]),
};

I don t know if it s because I write wrong causing the FP register is equal 0 or the original FP register is equal 0。
Do you have any good advice?Great developer

[michalbednarski]

regs[29] appears to be correct place for FRAME_POINTER on AArch64 (when both proot and tracee are 64bit), however depending on programming language and compiler (e.g. when using gcc -fomit-frame-pointer) frame pointer might not be present

I'd recommend attaching debugger to target inside proot (with debugger also running inside proot) and seeing what registers are set to

If you want to stop program at point of particular syscall do kill(tracee->pid, SIGSTOP) (assuming single-threaded program, you'll need to adapt snippet otherwise) at moment of handling particular syscall and then check registers using debugger inside proot