Accessing Stack to get Function Arguments

Posted on 2004-10-28
Last Modified: 2012-08-13

[Working on LINUX]

I have an a.out file (compiled without debugging info, i.e. gcc <filename>). Source is not available.
I want to find out the details of the user-defined function parameters (not system call parameters or library call parameters).
I know that with the help of EBP + offset, I can get the function parameters.
Right now I am using ptrace to trace my a.out object file, but I am not able to get the values properly. Can anyone direct me to a source of information on this aspect or suggest a tool? I have tried fenris, which gives only the first function parameter but not all. Even if the tool is a binary instrumentation tool, I don't mind using it.

Question by: uday_bayan

    Expert Comment

    Hi Sreeram,

    check these


    There was one particular book I used some time ago... can't find it now... It had several references to some good tools (yes, I used them too)... will try to look for it in the meanwhile...

    For your purpose, REC should be of some good help.


    Author Comment

    Hi Sunny,

    Can I get the values of the function arguments using the above? What I need is the run time values of the user-defined function arguments.

    int main()
    {
        int i = 100, j;
        scanf("%d", &j);
    }

    What I need is something like this:

    suppose i = 20

    if i is not equal to 20,
    foobar(30) {some arbitrary value other than 20}

    The main thing is the value of the function parameters. I was able to get the trace of the user-defined functions using fenris, but not the values of the parameters.



    Accepted Solution

    hi Sreeram,

    >what i need is the run time values of the user defined function arguments.
    No... this will not work to get you run time values... For these values you have to turn to a good debugger like gdb...

    Set a breakpoint at the specific function and you can examine the values at that point in time... however, if the executable is not a debug build and has symbol information stripped, then the task becomes a lot more difficult.

    Assisted Solution

    hmm.. reminds me of a small trick I used in my college days to debug binaries

    if you know the function address probably you can put a breakpoint there and examine the stack once the breakpoint is hit.

    another cool method is to patch the function call with your own function call (in assembly, of course) and examine the stack programmatically.. haven't come across any tools for this though..


    Expert Comment

    if you know the function signature, then it's easy.
    use the debugger, set breakpoint on the function.
    on hit, read params from the stack.

    if the function signature is not known, or the function accepts variable parameters
    (like printf), then you have to analyse the way parameters are put on the stack
    before the function is called.

    once you do that and make your assumptions about the signature, you can
    let the debugger write the actual arguments into a log file when the breakpoint is hit.
    then let the program run and you will get a log file almost the way you want it,
    something like:
    b_foobar 30
    b_foobar 45
    b_foo 100, 20
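    The "read params from the stack" step above, as an added example in C that is not from this thread or from any tool it names. It models the 32-bit x86 cdecl frame that the EBP+8 rule assumes: after `push ebp; mov ebp, esp`, the saved caller EBP is at [ebp], the return address at [ebp+4], and the n-th argument at [ebp+8+4n]. The stack snapshot, its base address and the argument values are constructed for the example; in a real tracer `read_word` would be a `PTRACE_PEEKDATA` on the stopped child. The point it makes explicit is that EBP+8 is an address, and the argument is the word stored at that address.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/*
 * Constructed snapshot of a 32-bit x86 stack (assumption: addresses and
 * contents were chosen for this example). It models the frame of a cdecl
 * function foo(int, int, const char *) right after its prologue has run.
 */
#define STACK_BASE 0xbffff000u
#define FRAME_EBP  (STACK_BASE + 4u)   /* EBP points at the saved caller EBP */

static const uint32_t stack_words[] = {
    0x0000000a, /* [ebp-4]  a local variable of foo            */
    0xbffff028, /* [ebp+0]  saved EBP of the caller            */
    0x08048456, /* [ebp+4]  return address into the caller     */
    30,         /* [ebp+8]  first argument                     */
    45,         /* [ebp+12] second argument                    */
    0x0804b000, /* [ebp+16] third argument (a pointer)         */
    0x00000000, /* [ebp+20] start of the caller's own frame    */
};
#define STACK_WORDS (sizeof stack_words / sizeof stack_words[0])

/* Address of the n-th (0-based) argument in a cdecl frame: EBP + 8 + 4n. */
uint32_t arg_address(uint32_t ebp, unsigned n)
{
    return ebp + 8u + 4u * n;
}

/* Read one 32-bit word from the snapshot. Returns 0 on success, -1 if the
 * address is misaligned or outside the snapshot (the analogue of
 * PTRACE_PEEKDATA failing with EIO on an unmapped page). */
int read_word(uint32_t addr, uint32_t *out)
{
    if (addr % 4u != 0 || addr < STACK_BASE)
        return -1;
    uint32_t idx = (addr - STACK_BASE) / 4u;
    if (idx >= STACK_WORDS)
        return -1;
    *out = stack_words[idx];
    return 0;
}

/* Value of the n-th argument: the word stored at EBP+8+4n, not the address. */
int read_arg(uint32_t ebp, unsigned n, uint32_t *out)
{
    return read_word(arg_address(ebp, n), out);
}

/* Return address sits just above the saved EBP. */
int return_address(uint32_t ebp, uint32_t *out)
{
    return read_word(ebp + 4u, out);
}

/* Saved EBP of the caller, i.e. the next frame up the chain. */
int caller_ebp(uint32_t ebp, uint32_t *out)
{
    return read_word(ebp, out);
}

int main(void)
{
    uint32_t v, ret, up;
    printf("EBP          = 0x%08" PRIx32 "\n", FRAME_EBP);
    printf("EBP+8 (addr) = 0x%08" PRIx32 "   <- the address, not the argument\n",
           arg_address(FRAME_EBP, 0));
    for (unsigned n = 0; n < 3; n++) {
        if (read_arg(FRAME_EBP, n, &v) == 0)
            printf("arg%u @0x%08" PRIx32 " = %" PRIu32 " (0x%08" PRIx32 ")\n",
                   n, arg_address(FRAME_EBP, n), v, v);
    }
    if (return_address(FRAME_EBP, &ret) == 0)
        printf("return address = 0x%08" PRIx32 "\n", ret);
    if (caller_ebp(FRAME_EBP, &up) == 0)
        printf("caller EBP     = 0x%08" PRIx32 "\n", up);
    return 0;
}
```

    In gdb the equivalent of `read_arg(ebp, 0)` is examining the word at the address (for example `x/wd $ebp+8`), whereas `print $ebp+8` only evaluates the address expression. Walking `caller_ebp` repeatedly gives the frame chain, which only works while the binary keeps the EBP frame pointer (no `-fomit-frame-pointer`).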


    Author Comment

    Hi Pratap & Georg

    I have put a breakpoint at the function name. The format of the stack is also known. The first parameter of the function is located at EBP+8.
    I used the following to print the parameters:
    print $EBP
    The value of EBP is printed (some value in hexadecimal).
    I added 8 to that value and printed again:
    print $(added value)

    But I was not able to see the value of the parameter; instead I saw the assembly code of a mov instruction.

    Any suggestions how to print it.


    Expert Comment

    oh, that could be a memory address; try dumping the memory at the address specified in EBP+8 and see if that's what you are expecting


    Expert Comment

    >The first parameter of the function is located at EBP+8.
    Are you sure that your stack is growing down and not up? Check EBP-8. Also, could it be that the hex value at that address just happens to correspond to mov?

    Expert Comment

    you mean the opcodes for mov?? hopefully sreeram is looking at the disassembly rather than a hex dump!!!!!

    Author Comment

    Hi SunnyCoder,

    I tried using the REC tool, but it doesn't seem to give me the function signature. Are you aware of any decompilation tools that give the function definition? I need to know
    something like this:

    foo(int,float, char *, double)

    what type of parameters does a function have ?


    Assisted Solution

    hi Sreeram,

    theoretically speaking, it is not possible to make a tool that could
    decompile a binary and give you 100% correct function declarations.

    you have to investigate a bit. make a disassembly of the code and
    find your function(s). find all places where this function is called from
    (a good disassembler will give you this information). analyse how
    the parameters are put onto the stack.

    analyse the target function and find out how the parameters are used.
    pointers will be loaded into a register, eventually an offset is added
    and they will be dereferenced. often there is a test for 0.
    doubles and floats get loaded into FPU registers.

    then return to debugging and inspect the actual parameters.
    for a char pointer, you'll find the string at the address.
    usually, pointers don't contain small numbers, as ints do.

    code a few sample functions in C, compile them and
    analyse the produced assembly.

    after some practice in reading assembly code, you
    will be able to translate it simultaneously into C :-)
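    The value-based heuristics from the answer above ("pointers don't contain small numbers, as ints do"; "for a char pointer, you'll find the string at the address") turned into code, as an added example that is not from this thread. It classifies raw 32-bit argument words read off the stack against a constructed memory image that stands in for the readable data of the traced a.out; the image, its base address and the `SMALL_INT_LIMIT` threshold are assumptions for the example. In a real session the byte reads would come from `PTRACE_PEEKDATA` and the mapped ranges from `/proc/<pid>/maps`.

```c
#include <stdint.h>
#include <stdio.h>
#include <ctype.h>

/*
 * Constructed memory image (assumption): one readable region such as the
 * a.out's .rodata, holding a C string followed by some binary data.
 */
#define DATA_BASE 0x08049000u
static const uint8_t data_bytes[] = {
    'h','e','l','l','o',' ','w','o','r','l','d', 0,   /* C string at DATA_BASE       */
    0x10, 0x27, 0x00, 0x00, 0xff, 0xfe, 0x03, 0x00,   /* binary data at DATA_BASE+12 */
};
#define DATA_SIZE (sizeof data_bytes)

/* Magnitude below which a word is taken to be an int, not an address (assumption). */
#define SMALL_INT_LIMIT 0x10000u
/* Longest run scanned when testing for a NUL-terminated string. */
#define MAX_STRING_SCAN 64u

typedef enum {
    ARG_SMALL_INT,   /* small magnitude (positive or negative): almost certainly an integer */
    ARG_CHAR_PTR,    /* points at printable, NUL-terminated bytes */
    ARG_POINTER,     /* points into mapped memory, but not at a string */
    ARG_UNKNOWN      /* large value outside any mapped region */
} arg_kind;

/* Read one byte of the image; -1 if the address is not mapped. */
static int read_byte(uint32_t addr, uint8_t *out)
{
    if (addr < DATA_BASE || addr - DATA_BASE >= DATA_SIZE)
        return -1;
    *out = data_bytes[addr - DATA_BASE];
    return 0;
}

/* Does addr start a non-empty, NUL-terminated run of printable characters? */
static int looks_like_c_string(uint32_t addr)
{
    uint8_t b;
    for (unsigned i = 0; i < MAX_STRING_SCAN; i++) {
        if (read_byte(addr + i, &b) != 0)
            return 0;            /* ran off mapped memory before a NUL */
        if (b == 0)
            return i > 0;        /* an empty string is not convincing evidence */
        if (!isprint(b))
            return 0;
    }
    return 0;                    /* no terminator within the scan window */
}

/* Classify one argument word using the thread's heuristics. */
arg_kind classify_arg(uint32_t word)
{
    /* Small positive values and small negative values (two's complement) are ints. */
    if (word < SMALL_INT_LIMIT || word > UINT32_MAX - SMALL_INT_LIMIT)
        return ARG_SMALL_INT;
    uint8_t b;
    if (read_byte(word, &b) != 0)
        return ARG_UNKNOWN;      /* not in any region we can read */
    return looks_like_c_string(word) ? ARG_CHAR_PTR : ARG_POINTER;
}

const char *arg_kind_name(arg_kind k)
{
    switch (k) {
    case ARG_SMALL_INT: return "int";
    case ARG_CHAR_PTR:  return "char *";
    case ARG_POINTER:   return "pointer";
    default:            return "unknown";
    }
}

int main(void)
{
    /* Constructed words as they might be read from [ebp+8], [ebp+12], ... */
    const uint32_t args[] = { 30u, 0xffffffffu, DATA_BASE, DATA_BASE + 12u, 0xdeadbeefu };
    for (unsigned n = 0; n < sizeof args / sizeof args[0]; n++)
        printf("arg%u = 0x%08x -> %s\n", n, (unsigned)args[n],
               arg_kind_name(classify_arg(args[n])));
    return 0;
}
```

    The classification is a starting point for the manual analysis the answer describes, not a replacement for it: the callee's use of the value (dereference, FPU load, test for 0) still decides the type, and floats or doubles passed on the stack are not distinguished here.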

