ptrace | A Go library for the Linux ptrace system call

If you cannot use PTRACE_SYSCALL to stop the child right before/after a syscall, then you will have to manually detect when one is about to happen. I doubt that checking the source code of strace would help, since strace is most likely using PTRACE_SYSCALL, no reason to manually decode instructions.

Assuming you are working on x86-64, here's how you can do it:

1. Using PTRACE_SINGLESTEP, keep stepping one instruction at a time.
2. Each instruction, use PTRACE_PEEKTEXT to fetch the next instruction pointed by the instruction pointer.
3. Check if the instruction is a syscall instruction by comparing the bytes with the opcode of syscall, which is two bytes: 0x0f 0x05. Since x86 is little endian, this means checking whether the return value of ptrace(PTRACE_PEEKDATA, ...) has the two least significant bytes set to 0x050f.

NOTE: If you are on another architecture, or if you also want to detect 32-bit syscalls, you can simply check for different/more values on step 3. On Linux x86-64, there are multiple ways to issue a syscall, with different opcodes. For example, 32-bit syscalls on Linux are done through int 0x80 (opcode 0xcd 0x80). Check this other answer of mine for a list.

Here's an example:

ptrace doesn't have a disassembler in the kernel¹, and the hardware itself won't tell you this until after the call instruction has executed.

If you can wait until after the instruction executes, probably your best bet is to PTRACE_SINGLESTEP then read the return address call pushed onto the stack. (ESP/RSP will point at it²).

The other option is of course to decode it yourself (including any prefixes which might get used for padding, like when ld relaxes 6-byte call [got_entry] to 1+5 byte addr32 call rel32). Either with a disassembler library, or by scanning through prefixes until you get to one of the call opcodes, then you have the length either from it (E8 call rel32) or from decoding the ModRM byte for an indirect FF /2 call [r/m32]. (https://www.felixcloutier.com/x86/call).

If you wanted portability to non-x86 ISAs, many use a link register instead of pushing a return address so it's not identical; you can't just generically deref the stack pointer with uintptr_t width.

And many of those ISAs have fixed instruction widths so you could just go one instruction forward instead of single-stepping and reading a register. (Although many support a compact encoding with 2 or 4-byte instructions, like ARM Thumb, MIPS, and RISC-V).

There are other wrinkles on some ISAs, for example MIPS has a branch delay slot so the return address is actually after the next instruction after a jal.

Footnote 1: (fun fact: ARM Linux kernels used to have a disassembler with support for some instructions, so it could emulate single-step for you, but that hack was removed).

Footnote 2: Even for hand-written asm with a far call, the CS:[ER]IP return address will have the offset part at the lowest address, i.e. pointed to by ESP/RSP. Of course, far calls use different opcodes, so you could treat them separately or ignore them.

I'm not sure if it's possible for prefixes to override a size in a way that will get call to push a different-sized return address. (e.g. 16-bit in 32-bit mode). Probably not, and even if so it would only be a concern for malicious binaries trying to fool your tracer on purpose. Even hand-written asm for GNU/Linux is vanishingly unlikely to do this for any normal reason.

Here is what I got:

The issue here is that the likelihood of coming from each model involves probability density for the Gaussian and mass for the discrete, which are not commensurate. Specifically, the computation for comparing where a zero observation came from, will involve likelihoods

gdb generates assembly code that corresponds directly to your source code "optimized code" i can suggest to try "hex editor" and edit your binary code file it's available on windows and linux. hope that could help you

While read(2) can't return -21, the read system call can. In other words, you are overlooking a layer between the kernel and your program; libc. Have a look at these snippets from musl libc:

I solved this by taking the program's base address by reading the first line of /proc/pid/maps and adding it to DW_AT_low_pc. DW_AT_high_pc is an offset from DW_AT_low_pc.

Then in my debugger loop I ran it single-stepped with

The header files you pull in come from /usr/include/linux (which gets installed from include/uapi in the kernel repo), when you compile a userspace program with #include .

he kernel space headers are deliberately different, to keep you from trying to access things which are not accessible from outside the kernel.

UPDATE: I'm not an expert on bpf programs, but a quick reading indicates bpf samples are (or were at some point) compiled using the Linux Kernel's KConfig Makefile system. If you use the samples/bpf/Makefile as a template, you may be able to compile against more in-kernel headers. I'm not sure if that is intended.

With a "does nothing" program like the one you're testing, most of the execution run will be in the guest dynamic linker and libc. Those do a lot of work behind the scenes before your program gets control, and some of that work varies between a "native" run and a "QEMU" run. There are two main sources of divergence, judging by some of the extra detail you give in the comments:

1. The environment QEMU provides to the guest binary is not 100% identical to that which a real host kernel provides; it's only intended to be "close enough that correct guest binaries behave in a reasonable way". For instance, there is a data structure passed to the guest called the "ELF auxiliary vector"; this contains information including "what CPU features are supported", "what user ID are you executing as", and so on. The dynamic linker iterates through this data structure at startup, so minor harmless differences in what entries are in the vector in what order will cause slightly different execution paths in the guest code.

2. The CPU QEMU emulates does not provide exactly the same features that your host CPU does. There's no support for emulation of AVX or SSE2, for instance. The guest libc will adjust its behaviour so that it takes advantage of CPU features when they're available, so it picks different optimised versions of functions like memcpy() or strlen() under the hood. Since the dynamic linker will end up calling these functions, this also results in divergences of execution.

You may be able to work around some of this by restricting the area of instruction tracing you look at to just starting from the beginning of the 'main' function to avoid tracing all of the dynamic linker startup. I can't think of a way to work around the differences in what CPU features are available on the host vs QEMU, though.