Questions tagged [ptrace]

The ptrace() system call provides a means by which a parent process may observe and control the execution of another process, and examine and change its core image and registers.

Ptrace stands for process trace. It is used extensively by debuggers such as GDB and DBX, and by tracing tools like strace and ltrace.
By attaching to another process, the tracer gains extensive control over the target, including manipulation of

  1. File Descriptors
  2. Registers
  3. Memory

It can single-step through the target's code, can observe system calls and their results, and can manipulate the target's signal handlers and both receive and send signals on its behalf.

The ability to write into the target's memory allows not only its data store to be changed, but also the application's own code segment, allowing the controller to install breakpoints and patch the running code of the target.

A basic tutorial on ptrace is available here and here.

465 questions
1
vote
1 answer

waitpid() in process A can't catch SIGTRAP in thread created by pthread_create() in process B before B coredump

First, start process B (see mt.cpp below); it will create a thread with pthread_create(). The ppid, pid and tid of the main thread and the new thread will be output for process A, then both of them start a for loop and raise SIGTRAP, which should…
ethan.xy
  • 23
  • 6
1
vote
1 answer

What is the range for PTRACE_TRACEME?

If I have code like this: void child() { do_something(); ptrace(PTRACE_TRACEME, 0, 0, 0); do_some_other_things(); } then will do_something() be traced by the parent? I found in the Linux documentation there was no such thing. It…
Yuheng Zou
  • 173
  • 1
  • 9
1
vote
0 answers

How to detect relative call with PTRACE and opcode

I am trying to recode a little ftrace which displays syscalls and relative calls. I can catch syscalls but I am unable to catch relative calls (I read about the PTRACE_PEEKTEXT return value; it works really well with syscalls but not with relative…
void
  • 407
  • 6
  • 18
1
vote
1 answer

How can I stop a child process at the first instruction of newly executed program after exec()?

What I am trying to do is fork a process, exec a new executable in the child process, let the parent terminate and attach to the child process by GDB to debug this child process. The reason I am using an initial parent process to fork a…
Jina Lee
  • 119
  • 2
  • 10
1
vote
2 answers

Save the changes of ptrace() PTRACE_POKEDATA call

I'm using ptrace(PTRACE_POKETEXT, pid, addr, (orig ^ flip_mask)); in order to change a live process's data, but as soon as the call is terminated the changes that have been made disappear. Would it be possible to keep the PTRACE_POKETEXT changes…
1
vote
1 answer

Eclipse neon: generate core dump

I am debugging an application in Eclipse Neon on Ubuntu 16.04. My project requires that I generate a core dump (which includes all memory (heap, stack, code segments, etc) for the process under debug) while simultaneously having a debug session for…
René Heuven
  • 197
  • 16
1
vote
0 answers

ptrace with PTRACE_PEEKDATA in ubuntu

I use Ubuntu 16.04 64-bit to practice ptrace. When I use PTRACE_PEEKDATA, I'm confused. The child process executes "ls"; I want to get the string passed to SYS_write. I get the string address and length in RCX, RDX with PTRACE_PEEKUSER. However when I use…
mmmmar
  • 31
  • 6
1
vote
1 answer

waitpid in infinite wait state after PTRACE_ATTACH

I have integrated Google Breakpad in my C++ application. Now, I am deliberately crashing the application but it hangs up on my Ubuntu i686 system. I have to put printf everywhere in Breakpad to check where exactly it is hanging. So, in Breakpad, a…
Arpit
  • 767
  • 7
  • 20
1
vote
2 answers

PTRACE_SYSEMU, and PTRACE_SYSEMU_SINGLESTEP not defined on x64 or x86?

My code is as follows: #include #include int main() { printf("PTRACE_CONT: %d\n", PTRACE_CONT); printf("PTRACE_SYSCALL: %d\n", PTRACE_SYSCALL); printf("PTRACE_SINGLESTEP: %d\n", PTRACE_SINGLESTEP); …
Valarauca
  • 1,041
  • 3
  • 10
  • 23
1
vote
1 answer

How to retrieve arguments passed to linux system call in C?

I'm tracing the system calls such as read, write, open etc. using ptrace. If there is a system call for open, the arguments passed to this system call can be retrieved from user_regs_struct. First argument is stored in rdi register. Contents of rdi…
Sagar
  • 72
  • 2
  • 11
1
vote
1 answer

How do I get signal details in debugger while ptrace?

I have a debugger that I am porting over to *bsd from linux. Currently, I am working on the OpenBSD version. Under certain conditions I would like to know the details of the signal that was delivered. For example, suppose a SIGSEGV was delivered,…
Evan Teran
  • 87,561
  • 32
  • 179
  • 238
1
vote
0 answers

PTRACE_POKETEXT modifications being overwritten

Using the code below I inject an INT3 at a specific address. unsigned long data = ptrace(PTRACE_PEEKTEXT, child_pid, 0x4173c0, NULL); ptrace(PTRACE_POKETEXT, child_pid, 0x4173c0, (data & 0xFFFFFFFFFFFFFF00) | 0xCC); printf("%lx\n",…
Ava
  • 2,038
  • 3
  • 23
  • 45
1
vote
2 answers

How to modify the EIP of a forked tracee process?

I'm working on a Linux application incorporating ptrace to observe another process which had been created by the fork() system call. Strictly speaking: I want to implement fault injection into the forked process (child process or "tracee"). As you can…
1
vote
1 answer

PTRACE_TRACEME without parent

I'm trying for fun to exploit a code which uses ptrace to prevent debugging. This executable is suid, therefore there's no use in cracking it. It also has the stack segment executable. This executable is made for playing. After I found myself a…
Alessandro
  • 598
  • 1
  • 7
  • 18
1
vote
2 answers

Ptrace - communication with child process

I would like to use ptrace in the following way (pseudocode): child: foo(); now that foo is done parent should use ptrace to change things parent did what he wanted to do bar(); parent: pid = fork(); if (pid == 0) //child …
Josh
  • 121
  • 5