Questions tagged [ptrace]

The ptrace() system call provides a means by which a parent process may observe and control the execution of another process, and examine and change its core image and registers.

ptrace stands for "process trace". It is used extensively by debuggers such as GDB and DBX, and by tracing tools such as strace and ltrace.
By attaching to another process, the tracer gains extensive control over the target, including manipulation of its

  1. File Descriptors
  2. Registers
  3. Memory

It can single-step through the target's code, can observe system calls and their results, and can manipulate the target's signal handlers and both receive and send signals on its behalf.

The ability to write into the target's memory allows not only its data store to be changed, but also the application's own code segment, allowing the controller to install breakpoints and patch the running code of the target.

Basic tutorials on ptrace are available here and here.

465 questions
1 vote · 2 answers

Capture file system system calls on Linux platform

I want to capture all the system calls on a file system in great details. E.g. for write system call, I want to record the target file, number of bytes written and the offset that write occurs. Currently, I want to implement such a logger with…
Summer_More_More_Tea · 12,740 · 12 · 51 · 83
1 vote · 2 answers

Finding start of main function with ptrace

I have a file scope kernel extension that informs a daemon when an application is launched. The daemon is required to pause the launched application at the beginning of its first instruction in main(). When calling ptrace with PT_ATTACH, the daemon…
TheDarkKnight · 27,181 · 6 · 55 · 85
1 vote · 1 answer

ptrace abnormal values returned in the registers

I've got an assignment and I have to use ptrace to trace the system calls of an application. The problem is that when I am running the program it gives me some uncommon values, which I obtain from the registers, as output. Some of those values are…
1 vote · 1 answer

Why is SIGINT sent to a child process and does nothing?

I am building a simple debugger for my university class and I have a problem in handling SIGINT. What I want to do is when the debugger process (from now on PDB) takes a SIGINT signal passes that to the child process (the one that is being actually…
Blenikos · 733 · 10 · 19
1 vote · 0 answers

Decoding ptrace Registers

I'm wondering where in the contents/members of `struct user_regs_struct ur` which is filled in by a call to ptrace(PTRACE_GETREGS, pid, 0, &ur); // get registers I can extract the information about whether a traced child process syscall is…
Nordlöw · 11,838 · 10 · 52 · 99
1 vote · 1 answer

Why does ptrace singlestep return too big an instruction count when statically linking it?

So, I've already read this article, Counting machine instructions of a process using PTRACE_SINGLESTEP, and I understand that dynamically linking a test program to my ptrace program will return an instruction count that also counts the initialization…
Imara · 37 · 3
1 vote · 1 answer

Why this ptrace error?

I'm just testing read and write memory via ptrace() call, but when I run the code shown below, I got an error like this. Processkey() : 0x80481240 readmem pid 3950 Original opcode : 0x4641682b writemem pid 3950 readmem pid 3950 PEEKDATA error: No…
osmund sadler · 1,021 · 2 · 15 · 27
1 vote · 2 answers

Read/Write memory on OS X 10.8.2 with vm_read and vm_write

This is my code that works only on Xcode (version 4.5): #include #include #include #include #include #include #include #include…
genesisxyz · 778 · 3 · 14 · 29
1 vote · 2 answers

C and execve(3) arguments

I'm working on a project that basically does the same thing as strace(1) using ptrace(). Basically we have a controller.c program that takes an executable as an argument and it outputs any system calls made by the executable (for example %…
user1348913 · 189 · 4 · 12
1 vote · 0 answers

Is it possible to use PTRACE_SETREGS to change the execution sequence of a process?

Is it possible to use PTRACE_SETREGS to change the execution sequence of a process? I'm saving the process register file at a point of the process execution and I want to use it later to set the current register file of the process (to repeat the…
user22690 · 21 · 3
1 vote · 1 answer

ptrace with request PTRACE_POKETEXT fails

I'm trying to inject code in a traced process... I'm able to read registers correctly (PTRACE_GETREGS) and PTRACE_PEEKTEXT also works... I've verified with GDB. However, if I call ptrace with the PTRACE_POKETEXT request it returns 0 but reading again at…
MirkoBanchi · 2,173 · 5 · 35 · 52
1 vote · 0 answers

PT_CONTINUE returns 'Operation not supported' on iOS

I want to write a small debugger using ptrace on jailbroken iOS. Now I could attach to the other process successfully, but then 'PTRACE(PT_CONTINUE, m_tid, (caddr_t)1, data)' always returns 'Operation not supported'; the errno number is 45. I just could…
timestee · 1,086 · 12 · 36
1 vote · 1 answer

Accessing a Process's Memory Region

I am trying to learn how to access the memory region of a process in order to print the start and end addresses of the code, its data regions, and the start and end of the heap. I believe that /proc/$pid/maps contains the process's start and end…
0 votes · 2 answers

Ptracing syscalls

I've the following code: void attach_to_pid (int pid, char *username, int pts) { int sys_call_nr = 0; struct user_regs_struct regs; ptrace (PTRACE_ATTACH, pid, 0, 0); waitpid (pid, 0, WCONTINUED); ptrace (PTRACE_SETOPTIONS, pid, 0, …
user1189104 · 79 · 1 · 6
0 votes · 1 answer

Calculate the amount of memory used by a particular process in Linux

I'm writing a program to trace every system call made by a child process and determine its exact memory use (excluding shared memory). Here's my plan: let the child process be ptraced by the father process; if the child process makes system calls, the father…
lx75249 · 35 · 3