Questions tagged [ptrace]

The ptrace() system call provides a means by which a parent process may observe and control the execution of another process, and examine and change its core image and registers.

ptrace stands for "process trace". It is used extensively by debuggers such as GDB and DBX, and by tracing tools like strace and ltrace.
By attaching to another process, the tracer gains extensive control over the target, including manipulation of its:

  1. File Descriptors
  2. Registers
  3. Memory

The tracer can single-step through the target's code, observe system calls and their results, and manipulate the target's signal handlers, both receiving and sending signals on its behalf.

The ability to write into the target's memory allows not only its data to be changed, but also the application's own code segment, which lets the controller install breakpoints and patch the running code of the target.

Basic tutorials on ptrace are available here and here.

465 questions
0 votes, 0 answers

Troubles at singlestepping on ARM machine

I was just running my own debugger on an ARM 32-bit Raspberry Pi system. Here, I tried to single-step through a simple test program, but for some reason this doesn't work. I'm using the ptrace syscall with PTRACE_SINGLESTEP, but it always returns…
guest
0 votes, 1 answer

Why does the Qemu run differ from the native run?

What did I do? I ran qemu-x86_64 -singlestep -d nochain,cpu ./dummy to dump all the registers of a dummy program after each instruction and used grep to save all the RIP values into a text file (qemu_rip_dump.txt). I then single-stepped the dummy…
Sbardila
0 votes, 0 answers

Why does ptrace write 0xFFFFFFFFFFFFFFFF instead of the real data?

I can't figure out why this happens. My code is this and it's from this question; I only changed the type of addr and data to unsigned long long int (the computer is x64 and the program runs in the WLS). The minimum reproducible example is the one…
colo
0 votes, 0 answers

How do I read the CPU register state of another thread? (Windows)

Under Linux there is the ptrace syscall for that; is there any alternative for Windows to read the CPU register values of another running thread? I have found this thread, but this user wants to monitor syscalls in general and searched for a ptrace…
0 votes, 0 answers

ptrace failing when process is in select syscall

I have a library that I inject into running processes using ptrace. I have used this library many times in different processes without problems. Now I want to inject into a running process that is executing a select syscall (waiting for a set of fds).…
0 votes, 1 answer

Problems with ptrace(PTRACE_ME,...) and subsequent wait

I am porting a debugger, 'pi' ('process inspector') to Linux and am working on the code for fork/exec of a child to inspect it. I am following standard procedure (I believe) but the wait is hanging. 'hang' is the procedure which does the work, the…
N. Hunt
0 votes, 1 answer

ptracing long-running process hangs

I'm using Go's syscall package Ptrace interface to trace a process. The problem is, if the tracee is long-running, the tracing seems to hang. I tried replicating the issue with C implementation, but there everything seems to work fine. Here's a Go…
0 votes, 1 answer

Why does strace work in Docker by default?

As far as I know, the ptrace system call is disabled by default in Docker containers, and strace uses ptrace. Example: docker run -it ubuntu:latest bash root@f592f4019a65:/# strace sleep execve("/usr/bin/sleep", ["sleep"], 0x7ffc66c181f0 /* 8 vars */)…
Farseer
0 votes, 1 answer

How to intercept memory accesses/changes in the Hotspot JVM?

I'd like to develop some kind of reverse debugger for Java (where you can step back during execution). To do this, I have to know the initial state of the JVM (which can easily be got from a core dump). Then I have to intercept every memory access the…
Nfff3
0 votes, 0 answers

waitpid does not continue after the tracee has stopped

I am using ptrace to attach to a process and then continue the process until the tracee has been stopped (got SIGSTOP/SIGTRAP); I wait for that with waitpid. Usually that works fine, but sometimes I see that even though the tracee has been stopped, waitpid (the second…
yfr24493AzzrggAcom
0 votes, 0 answers

How to prevent another process from debugging syscalls with ptrace

In ptrace I can debug another process to print all the syscall numbers that the remote process calls, with these steps. Attach to the process with PTRACE_ATTACH. waitpid (with the __WALL flag) to be sure the remote process has been stopped. In a while…
yfr24493AzzrggAcom
0 votes, 1 answer

How to use LD_PRELOAD without killing the process

I have a running process that I want to hook on a specific function. The main idea was killing the process and running it again with LD_PRELOAD, and that works. The problem is that I don't want to kill the process, or use ptrace (because I don't want to set…
yfr24493AzzrggAcom
0 votes, 1 answer

How to trace a program execution with ptrace?

I've been trying to use the system call "ptrace" (using the PTRACE_SINGLESTEP macro) to trace the execution of a simple application. While recording the execution of the program I would like to skip the useless part of the reading to only follow…
Anhuin
0 votes, 0 answers

I can't dump a stacktrace when I use Linux trace event triggers

The kernel document 'tracing: trace event triggers' says I can use the stacktrace cmd to dump a stacktrace to the trace buffer whenever the trigger event is hit. But all I got is a simple string "stacktrace". Here is my configuration: cd…
jasonbone
0 votes, 1 answer

Reading and modifying data of syscall with ptrace

I am trying to do a simple thing (just for learning): I wish to intercept clock_gettime on 64-bit Linux, read the output and modify it so as to return a false date/time to the tracee (/bin/date). What I do is: ptrace(PTRACE_GETREGS, pid, NULL,…
Zibri