Questions tagged [ptrace]

The ptrace() system call provides a means by which a parent process may observe and control the execution of another process, and examine and change its core image and registers.

Ptrace stands for process trace. It is used extensively by debuggers such as GDB and DBX, and by tracing tools like strace and ltrace.
By attaching to another process, the tracer gains extensive control over the target, including manipulation of its

  1. File Descriptors
  2. Registers
  3. Memory

It can single-step through the target's code, can observe system calls and their results, and can manipulate the target's signal handlers and both receive and send signals on its behalf.

The ability to write into the target's memory allows not only its data store to be changed, but also the application's own code segment, allowing the controller to install breakpoints and patch the running code of the target.

Basic tutorial on ptrace is available here and here.

465 questions
0 votes, 1 answer

Block signal from propagating to the inferior when using ptrace

I had put a simple trap instruction to simulate a breakpoint on the inferior, but when this instruction is reached I got a CLD_KILLED instead of CLD_SIGTRAP, like the one below. --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=12668,…
0 votes, 1 answer

How to use ptrace() to observe process until it exits?

I am looking for a ptrace() call to observe a process until the process exits. I have this which compiles with gcc / cc on OSX: #include #include #include #include #include int…
Alexander Mills
0 votes, 1 answer

How to cancel a process waiting to return with ptrace()

I am trying to cancel when a process calls wait(), read(), recvfrom() or similar, because if I use ptrace on it, after the PTRACE_ATTACH and later PTRACE_CONT, my tracer becomes blocked until the function in the tracee returns. Also I think it…
Puffy
0 votes, 2 answers

Detect whether tracee is in a signal handler when using ptrace

I tested that on Linux and it seems that when the tracee is in a signal handler, the tracer can use ptrace() to attach to it, as usual. But since the tracee is in a signal handler, some functions might not be OK to invoke because of the async-signal-safe…
walkerlala
0 votes, 1 answer

Get permission to do PTRACE_ATTACH

I'm trying to write a program to do ptrace(PTRACE_ATTACH, pid, nullptr, nullptr) but it returns -1 and errno is 3 (No such process). The tracee is running and was kicked off by me, so I guess the tracer should have permission. What should I do…
Xiao Wu
0 votes, 1 answer

Is GDB caching debuggee's signal by SIGCHLD?

Came across this doc: https://idea.popcount.org/2012-12-11-linux-process-states/ (a bit old). It says ptrace is handling the debuggee's signals by receiving SIGCHLD. Is GDB relying on this? Related, does GDB get a notification when a signal handler is set…
Xiao Wu
0 votes, 0 answers

GDB breakpoint does not stop at specified address

I have set a breakpoint at a specific address with this command: break *0x080488CA but it is not stopping. I have a breakpoint set previously to this one and it works fine, but when running in gdb with run group3, and continuing after the 1st…
Tom
0 votes, 1 answer

What happens when ptrace(PTRACE_DETACH,pid,NULL,NULL) is called on a dead pid?

I am trying to capture the command line arguments of all running processes. Some of these processes have command lines that exceed the 4096 character limit of /proc/${pid}/cmdline, so reading that procfs file does not meet my requirement. The…
0 votes, 0 answers

ptrace(PTRACE_TRACEME) breaks parent child sync

pid_t pid = fork(); if (pid == -1){ abort(); } else if (pid == 0){ printf("this is child before\n"); ptrace(PTRACE_TRACEME); raise(SIGSTOP); printf("this is child after\n"); } else { //waitpid(pid, NULL, WUNTRACED) for without ptrace …
Rui Hu
0 votes, 0 answers

ptrace fails with illegal instruction

I'm trying to compile this simple application for powerpc-apple-darwin on Snow Leopard. I've installed Xcode 3.2.6. prog.c: #include "sys/proc.h" main() { ptrace (0xE, 1, 0, 0); } I'm compiling from the command line like…
AnArrayOfFunctions
0 votes, 1 answer

Disable SIGSTOP stop on forked processes when tracing with `PTRACE_TRACEME`

According to the ptrace documentation: "Stop the tracee at the next clone(2) and automatically start tracing the newly cloned process, which will start with a SIGSTOP, or PTRACE_EVENT_STOP if PTRACE_SEIZE was used." The problem is that SIGSTOP may…
marmistrz
0 votes, 1 answer

ptrace get changed memory by syscall

ptrace can get the registers and memory data on syscall entry/exit. But if the Linux syscall handler changes some memory, including some place in the stack, how can I find out which memory has been changed?
K.Z
0 votes, 1 answer

How to properly revert PTRACE_TRACEME

It is common to use ptrace(PTRACE_TRACEME, 0, 0, 0) to prevent a program from being debugged. But once PTRACE_TRACEME is applied, the program will not exit properly, but rather receives a SIGSTOP signal. So how should one make the program exit…
daisy
0 votes, 1 answer

ptrace SIGTRAP not handled

For test1.c, I get: 5 133 1 0 It means that the child process first gets SIGTRAP (5), caused by execl. The last three lines indicate that the child process dies due to the SIGTRAP signal from the parent. // test1.c #include #include…
Albert Netymk
0 votes, 1 answer

Stopped Process but heap is still changing

I have stopped a process by tracing it with the ptrace() syscall, which in effect sends a kill -SIGSTOP to the process. Now I inspect the [heap] region, which I got from /proc//maps. But reading out certain addresses in the heap memory…
k-stz