Questions tagged [ptrace]

The ptrace() system call provides a means by which one process (the "tracer") may observe and control the execution of another process (the "tracee"), and examine and change the tracee's memory and registers.

Ptrace stands for "process trace". It is used extensively by debuggers such as GDB and DBX, and by tracing tools such as strace and ltrace.
By attaching to another process, a tracer gains extensive control over the target, including manipulation of:

  1. File descriptors (indirectly: the tracer can make the tracee execute system calls such as dup2() on its behalf)
  2. Registers
  3. Memory

A tracer can single-step through the target's code, observe system calls at entry and at exit together with their results, and intercept the signals delivered to the target, suppressing them or injecting others on its behalf.

The ability to write into the target's memory allows not only its data to be changed, but also the application's own code segment, so the controller can install breakpoints (by overwriting an instruction with the architecture's trap instruction) and patch the running code of the target. On Linux, attaching to an unrelated process is subject to the kernel's ptrace access checks (matching uid and dumpability, CAP_SYS_PTRACE, and the Yama `kernel.yama.ptrace_scope` setting where that LSM is enabled), and a process can have only one tracer at a time; the latter is why a failing ptrace(PTRACE_TRACEME) call is a common anti-debugging check.
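As an added example (not part of the tag wiki or of any of the listed questions), here is a minimal Linux tracer in C that puts the points above together: it forks a tracee, follows it with PTRACE_SYSCALL, reads the syscall number and arguments from the registers at a syscall-entry stop (x86_64 via PTRACE_GETREGS, aarch64 via PTRACE_GETREGSET, where x0 still holds the first argument at entry), reads the tracee's write(2) buffer with PTRACE_PEEKDATA, and patches it with PTRACE_POKEDATA before the kernel copies it. The function names, the "hello" payload and the pipe-based check are this example's own constructions.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <elf.h>        /* NT_PRSTATUS */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/uio.h>    /* struct iovec for PTRACE_GETREGSET */
#include <sys/user.h>   /* struct user_regs_struct */
#include <sys/wait.h>
#include <unistd.h>

/* Syscall number and first three arguments of a tracee at a syscall-entry stop.
 * x86_64 keeps the number in orig_rax (rax already holds -ENOSYS at entry);
 * aarch64 has no PTRACE_GETREGS, so use GETREGSET (x8 = number, x0..x2 = args). */
static int read_syscall(pid_t pid, long *nr, unsigned long args[3])
{
#if defined(__x86_64__)
    struct user_regs_struct r;
    if (ptrace(PTRACE_GETREGS, pid, 0, &r) == -1) return -1;
    *nr = (long)r.orig_rax; args[0] = r.rdi; args[1] = r.rsi; args[2] = r.rdx;
    return 0;
#elif defined(__aarch64__)
    struct user_regs_struct r;
    struct iovec iov = { .iov_base = &r, .iov_len = sizeof r };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)(long)NT_PRSTATUS, &iov) == -1) return -1;
    *nr = (long)r.regs[8]; args[0] = r.regs[0]; args[1] = r.regs[1]; args[2] = r.regs[2];
    return 0;
#else
    (void)pid; (void)nr; (void)args; errno = ENOTSUP; return -1;
#endif
}

/* Tracee memory is moved one word at a time. PEEKDATA returns the word itself,
 * so -1 is only an error when errno is set. */
static int peek_bytes(pid_t pid, unsigned long addr, char *buf, size_t len)
{
    for (size_t off = 0; off < len; off += sizeof(long)) {
        errno = 0;
        long w = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + off), 0);
        if (w == -1 && errno) return -1;
        size_t n = len - off < sizeof(long) ? len - off : sizeof(long);
        memcpy(buf + off, &w, n);
    }
    return 0;
}

/* A partial trailing word is read first so bytes beyond `len` survive the write. */
static int poke_bytes(pid_t pid, unsigned long addr, const char *buf, size_t len)
{
    for (size_t off = 0; off < len; off += sizeof(long)) {
        size_t n = len - off < sizeof(long) ? len - off : sizeof(long);
        long w = 0;
        if (n < sizeof(long)) {
            errno = 0;
            w = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + off), 0);
            if (w == -1 && errno) return -1;
        }
        memcpy(&w, buf + off, n);
        if (ptrace(PTRACE_POKEDATA, pid, (void *)(addr + off), (void *)w) == -1) return -1;
    }
    return 0;
}

static char g_msg[16] = "hello";   /* constructed payload the tracee writes */

/* Fork a tracee that write(2)s g_msg to a pipe; at the entry of that write the
 * tracer upper-cases the buffer inside the tracee, so the kernel copies the
 * patched bytes. Returns the number of patched writes (1 expected), -1 on
 * error, -2 if ptrace is not permitted here; `got` receives the pipe contents. */
static int trace_uppercase_write(char *got, size_t gotlen)
{
    int pfd[2];
    if (pipe(pfd) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {                                   /* tracee */
        close(pfd[0]);
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) == -1) _exit(2);
        raise(SIGSTOP);                               /* hand control to the tracer */
        write(pfd[1], g_msg, strlen(g_msg));
        _exit(0);
    }
    close(pfd[1]);
    int status, patched = 0, in_syscall = 0, sig = 0;
    if (waitpid(pid, &status, 0) == -1) return -1;
    if (WIFEXITED(status)) return WEXITSTATUS(status) == 2 ? -2 : -1;
    /* TRACESYSGOOD marks syscall stops as SIGTRAP|0x80, distinct from a real SIGTRAP. */
    if (ptrace(PTRACE_SETOPTIONS, pid, 0, (void *)(long)PTRACE_O_TRACESYSGOOD) == -1) return -1;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, 0, (void *)(long)sig) == -1) return -1;
        sig = 0;
        if (waitpid(pid, &status, 0) == -1) return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status)) break;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) { sig = WSTOPSIG(status); continue; } /* re-inject real signals */
        in_syscall = !in_syscall;                     /* stops alternate entry, exit, entry, ... */
        if (!in_syscall) continue;
        long nr; unsigned long a[3];
        if (read_syscall(pid, &nr, a) == -1) return -1;
        if (nr == SYS_write && (int)a[0] == pfd[1]) { /* fd numbers are identical across fork */
            char buf[sizeof g_msg];
            size_t len = a[2] < sizeof buf ? a[2] : sizeof buf;
            if (peek_bytes(pid, a[1], buf, len) == -1) return -1;
            for (size_t i = 0; i < len; i++) buf[i] = (char)toupper((unsigned char)buf[i]);
            if (poke_bytes(pid, a[1], buf, len) == -1) return -1;
            patched++;
        }
    }
    ssize_t n = read(pfd[0], got, gotlen - 1);
    close(pfd[0]);
    if (n < 0) return -1;
    got[n] = '\0';
    return patched;
}

/* 1 = the patched bytes arrived, 2 = ptrace not permitted in this environment, 0 = failure. */
int check_uppercase_patch(void)
{
    char got[16];
    int r = trace_uppercase_write(got, sizeof got);
    if (r == -2) return 2;
    return (r == 1 && strcmp(got, "HELLO") == 0) ? 1 : 0;
}

int main(void)
{
    char got[16];
    int r = trace_uppercase_write(got, sizeof got);
    printf("patched writes: %d, pipe received: \"%s\"\n", r, r >= 0 ? got : "");
    return r == 1 ? 0 : 1;
}
```

The entry/exit toggle is only sound because the tracer starts following a tracee that is not inside a syscall; a tracer that attaches to a running process with PTRACE_ATTACH has to establish where it is first (on x86_64, rax == -ENOSYS at a syscall-entry stop is the usual hint). Patching the buffer at entry works because the kernel has not yet copied it; the same PEEK/POKE helpers serve for writing a trap instruction into the code segment to set a breakpoint.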


465 questions
0 votes, 1 answer

How is `gdb` attaching to running processes?

I want to create a simple tool (in C) which can do this tiny subset of gdb's features: Attach to an already running program (with PID) Inject instructions into it like this: dup2(open("/tmp/my_stdout", 1089, 0777), 1) GDB can do this without…
Daniel
0 votes, 0 answers

Attaching to a process and calling `dup2` on aarch64?

I tried attaching to a running process with gdb to redirect its stdout to an external file with these commands: #Attaching gdb -p 123456 #Redirecting (within GDB) (gdb) p dup2(open("/tmp/my_stdout", 1089, 0777), 1) I used the number 1089 because…
Daniel
0 votes, 0 answers

Adding breakpoints manually to assembly code

if I have the following assembly code: foo: mov $0x1,%rax callq bar retq bar: dec %r8 cmp $0x0,%r8 je end callq foo mov $0x5,%rax mov $0x1,%rdi end: retq _start: mov $0x3,%r8 callq 4000d4
CS2000
0 votes, 0 answers

Reading the first argument of a syscall when ptrace(PTRACE_SYSCALL)ing a process on an arm64 CPU

I was trying to read the first syscall argument (stored in x0 register) while ptracing a process on an arm64 CPU, but it's overwritten by the result, and struct user_regs_struct does not contain it. I saw there is an orig_x0 variable in the kernel…
SBell6hf
0 votes, 1 answer

Conditions that make a tracee stop, even though its parent didn't require it

I am trying to learn to use ptrace. I wrote a simple assembly stub that 1/ calls ptrace(0,0,0,0) (the syscall, not the libc function), then displays hello world, then spawns a shell. I run my code from a bash shell. Hello world is displayed, however…
Aaa Bbb
0 votes, 0 answers

arm64 ptrace SINGLESTEP: are the steps described in this paper correct?

I was reading the paper Hiding in the Shadows: Empowering ARM for Stealthy Virtual Machine Introspection and I was wondering whether the steps described in paragraph "2.3 Debug Exceptions" are correct or not: AArch64 allows to generate…
0 votes, 1 answer

Rust: error ENOMEM in call of posix_memalign into attached program

I'll try to summarize, but it's going to be complicated. I'm taking an operating systems course at my university, and I have lab work to do. I'm working in Rust (the lab work is said to be doable in any compiled language but was principally designed…
Carryboo
0 votes, 1 answer

What does the tracee do when it gets SIGSTOP while gdb attaches to it?

I know the behavior when the tracee calls ptrace(TRACEME), but what about the TRACE_ATTACH behavior? Here is my guess: the tracer sends SIGSTOP to the tracee, the tracee's SIGSTOP handler function marks itself as TRACED (but how? how does it know it is being traced?), then sends…
Ryan Gao
0 votes, 0 answers

How to detect if the current process is running under Valgrind with vgdb / gdbserver

I have some error handling code that uses ptrace detection like How to detect if the current process is being run by GDB? Valgrind does not use ptrace, so debuggerIsAttached() returns false even if Valgrind is running with --vgdb=full. valgrind.h…
gibbss
0 votes, 0 answers

Not able to receive 'Continued' status from waitpid using the nix crate

I'm experimenting with the nix crate in order to debug child processes. I would like to receive events when the child process stops, continues and exits. Stoppages and exits are reported using the waitpid function. I'm having trouble receiving the…
rempas
0 votes, 1 answer

Bypass ptrace anti-debugging trick

I'm having some trouble bypassing calls to ptrace when debugging a 32-bit Linux executable. I have this binary: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.26,…
Sp00nc3
0 votes, 0 answers

ptrace - Retrieve the (symbol) name of the function called with the 'call' instruction

I am trying, as an exercise, to make some sort of custom profiler for binaries in C, using the ptrace api. I assume all binaries to be traced have been statically linked, I have access to tools such as nm(1), objdump and readelf and use a Linux,…
Desperados
0 votes, 0 answers

strace implementation in C

I'm trying to implement strace in C. I was able to print all the syscalls with their arguments, but it doesn't look like the real strace, e.g.: my strace mmap(0x7f4a8f56a000,8192,3,2066,3,0x1c000) strace: mmap(0x7fc66739a000, 8192,…
haxor12
0 votes, 1 answer

How to set the LD_PRELOAD environment variable for a ptrace child

I'm trying to load a pre-load library to the ptrace child process using environment variables. But somehow I got an error when creating the child process: int main(int argc, char **argv) { char *env[] =…
xiaogw
0 votes, 1 answer

PTRACE_PEEKTEXT return value and non-printable characters

I'm trying to implement strace without options, but I'm having a problem with syscall arguments, e.g. syscall 0 (read) in strace -> read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360q\2\0\0\0\0\0"..., 832) = 832 1 - I don't know exactly…
haxor12