Questions tagged [ptrace]

The ptrace() system call provides a means by which a parent process may observe and control the execution of another process, and examine and change its core image and registers.

Ptrace stands for process trace. It is used extensively by debuggers such as GDB and DBX, and by tracing tools such as strace and ltrace.
By attaching to another process, the tracer gains extensive control over the target, including manipulation of its

  1. File Descriptors
  2. Registers
  3. Memory

The tracer can single-step through the target's code, observe system calls and their results, and manipulate the target's signal handlers, both receiving and sending signals on its behalf.

The ability to write into the target's memory allows not only its data to be changed, but also the application's own code segment, letting the controller install breakpoints and patch the running code of the target.

Basic tutorial on ptrace is available here and here.

465 questions
10 votes, 2 answers

How to change compiler in Xcode C++

I've been searching for quite some time, and I can't seem to find out how to change the compiler on the latest Xcode. I am not sure what it is set at currently, but I'd like to change it to GCC if possible. Right now my homework example will not…
user1765804
10 votes, 2 answers

ptrace on iOS 8

I'm trying to call a function on ptrace like this: ptrace(PT_DENY_ATTACH, 0, 0, 0); But when I try to import it using #include Xcode gives me an error 'sys/ptrace.h' file not found. Am I missing something, do I need to import a library…
imas145
10 votes, 1 answer

Reading /proc/pid/mem from ptraced process returns EOF

Context: I've been working on a program for my final assignment and I've found the following strange behaviour. I've coded a tracer in order to be able to read/write memory from child processes. My intention is to read the currently executed…
user883128
10 votes, 3 answers

Cancel a system call with ptrace()

For some security purpose, I use ptrace to get the syscall number, and if it's a dangerous call (like 10 for unlink), I want to cancel this syscall. Here's the source code for the test program del.c. Compile with gcc -o del del.c. #include…
laifjei
9 votes, 3 answers

Why does this ptrace program say syscall returned -38?

It's the same as this one except that I'm running execl("/bin/ls", "ls", NULL);. The result is obviously wrong as every syscall returns with -38: [user@ test]# ./test_trace syscall 59 called with rdi(0), rsi(0), rdx(0) syscall 12 returned with…
lexer
9 votes, 2 answers

Any good guides on using PTRACE_SYSEMU?

Does anyone have any good explanations, tutorials, books, or guides on the use of PTRACE_SYSEMU?
naasking
9 votes, 3 answers

After attaching to process, how to check whether the tracee is in a syscall?

According to the ptrace manual page: Syscall-enter-stop and syscall-exit-stop are indistinguishable from each other by the tracer. The tracer needs to keep track of the sequence of ptrace-stops in order to not misinterpret syscall-enter- …
secretpow
9 votes, 3 answers

gdb cannot attach to process

Here is the OS I am using: Linux securecluster 4.9.8-moby #1 SMP Wed Feb 8 09:56:43 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux When trying to attach gdb to hanging process as root user, I got the following: Attaching to process 9636 Could not attach…
Ted
9 votes, 1 answer

Tracing syscalls of a process and all forked processes

I'm using ptrace to trace the syscalls of a process. After forking the process, I use PTRACE_TRACEME to start tracing the process. The code looks like this: while (true) { int status; int gotPid; gotPid = waitpid(pid, &status, 0); …
petersohn
8 votes, 6 answers

Low-overhead way to access the memory space of a traced process?

I'm looking for an efficient way to access (for both read and write operations) the memory space of my ptraced child process. The size of blocks being accessed may vary from several bytes up to several megabytes in size, so using the ptrace call with…
vovick
8 votes, 5 answers

Disabling vsyscalls in Linux

I'm working on a piece of software that monitors other processes' system calls using ptrace(2). Unfortunately most modern operating systems implement some kind of fast user-mode syscalls that are called vsyscalls in Linux. Is there any way to disable…
Michael
8 votes, 4 answers

How to ptrace a multi-threaded application?

EDIT (MADE PROGRESS): I am trying to ptrace a vsftpd daemon. I have the following code which is attaching to the daemon. Then it successfully displays the PID of the first spawned process. However, for the children of this spawned process it returns…
ofosho
8 votes, 1 answer

Sandboxing for online judges

I developed a Linux application that runs untrusted code received from users (contestants). More specifically, the application is an online judge, which is something like UVa OJ, SPOJ and Codeforces, but mainly like BOCA Online Contest…
matheuscscp
8 votes, 3 answers

PTRACE_ATTACH not permitted for

For some reason I am not able to attach to my very own processes?! Works fine if I try strace as root. $ ./list8 & [1] 3141 $ child4 starts... $ strace -p 3141 attach: ptrace(PTRACE_ATTACH, ...): Operation not permitted Could not attach to process.…
user2705045
8 votes, 2 answers

Is utrace project dead?

I was trying to use stap to trace a userspace executable, as advised by this answer: https://stackoverflow.com/a/324709/368507 To do this, the kernel must have the utrace patch, but I can't find any utrace patch for recent kernels. The mailing list is…
user368507