Questions tagged [ptrace]

The ptrace() system call provides a means by which a parent process may observe and control the execution of another process, and examine and change its core image and registers.

ptrace stands for process trace. It is used extensively by debuggers such as GDB and DBX, and by tracing tools like strace and ltrace.
By attaching to another process, the tracer gains extensive control over the target, including manipulation of its:

  1. File Descriptors
  2. Registers
  3. Memory

It can single-step through the target's code, can observe system calls and their results, and can manipulate the target's signal handlers and both receive and send signals on its behalf.

The ability to write into the target's memory allows not only its data store to be changed, but also the application's own code segment, allowing the controller to install breakpoints and patch the running code of the target.

Basic tutorial on ptrace is available here and here.

465 questions
0
votes
1 answer

Ptracing Process Trees

I'm looking for code examples on how to use the Linux system call ptrace() to trace system calls of a process and all its child, grandchild, etc. processes. Similar to the behaviour of strace when it is fed the fork flag -f. I'm aware of the…
Nordlöw
  • 11,838
  • 10
  • 52
  • 99
0
votes
1 answer

How can I debug a ptrace tracee?

I'm writing a program that involves controlling a tracee process with ptrace. Of course, there are bugs :) To fix my bugs, I'd like to be able to inspect the tracee's state with gdb. However, gdb -p says: warning: process X is already traced by…
DepressedDaniel
  • 266
  • 1
  • 11
0
votes
2 answers

Inject code into process in ubuntu 64bit

I'm learning ptrace by the article "playing with ptrace". Now I can set a breakpoint by replacing the tracee's instruction with "syscall" but can't inject code successfully. In X86, the print can use "int 80" then pause the process by "int3". How can I…
mmmmar
  • 31
  • 6
0
votes
1 answer

Using ptrace to reverse ls readout doesn't seem to work

I've been following some instructions on how to use ptrace that are found here. I am on ubuntu 14.04, x64, and I have been altering bits of the example code to work with my x64 machine, such as eax to rax, and changing 4s to 8s where appropriate.…
Iron Attorney
  • 1,003
  • 1
  • 9
  • 22
0
votes
2 answers

ptrace can't work well in kernel 2.6 for mips in qemu?

I want to use ptrace in qemu mips, but I can't wake up the child process when using fork and attach, however, I got success in kernel 3.2. I hope to know why got this ques in kernel 2.6? I got the kernel…
jack link
  • 23
  • 4
0
votes
0 answers

fetching file name using ptrace

I'm trying to fetch the filename which gets opened when the sys_open system call is invoked, but I am hitting a Segmentation Fault. The system call sys_open opens only the first file used and then hits the segmentation fault. How do I resolve…
0
votes
1 answer

GCC assembly code shows 32bit registers on 64bit machine

I am trying to learn how to use ptrace library for tracing all system calls and their arguments. I am stuck in getting the arguments passed to system call. I went through many online resources and SO questions and figured out that on 64 bit machine…
harrythomas
  • 1,407
  • 1
  • 13
  • 17
0
votes
1 answer

Android debug confusion

As far as I know, debuggers work based on system calls like ptrace in Linux, which will block the tracee and then the tracer gets information from the tracee's memory. It means, if I want to use a debugger to debug the main thread in an Android app…
xjtulk
  • 1
  • 1
0
votes
1 answer

Ptrace parent process

I'm trying to monitor/redirect syscalls in my own process. LD_PRELOAD doesn't work when fwrite calls write inside libc, and got/plt hooks seem to have the same problem. I'm looking for a solution based on ptrace, but I can't fork() and run the main…
patraulea
  • 652
  • 2
  • 5
  • 26
0
votes
1 answer

Stopping an attached thread asynchronously using ptrace - Linux

After attaching a pthread using its pid and manipulating the content of its debug registers, while waiting using waitpid(-1, &status, __WALL); I would like to be able to stop that thread and make additional manipulations (defining another…
Krcn U
  • 411
  • 1
  • 9
  • 16
0
votes
1 answer

How to know the origin of a ret opcode while tracing a program

I am making a little program that works a bit like strace except that I am making it catch all the calls and also the rets. As I can't find a way to get all the calls and rets because of indirect calls, I would like to find a way to get the function…
0
votes
2 answers

Profiling anti-debugging checks in linux

My main requirement is to profile the mentioned anti-debugging check program twice ( Once in the presence of a debugger and the other without it ) to collect some information for analysis during run-time (Assuming only the binary is…
G Ashwin
  • 23
  • 1
  • 6
0
votes
0 answers

Playing with ptrace example freespaceinject.c doesn't work

Operating System is Ubuntu 12.04. I am reading "Playing with ptrace". All examples in that article succeed except the last example freespaceinject.c. The process of freespaceinject.c as…
MillionSky
  • 25
  • 7
0
votes
2 answers

Read strings with ptrace (linux)

I'm new to stack and relatively new to C. I try to read a process memory from another process with the use of ptrace. So far I managed to read and alter numbers from another process. But with strings I could not find a way. Here is my code: int…
0
votes
1 answer

Which methods/calls perform the disk I/O operations and how to find them?

Which methods and system calls should I hook into, so I can replace 'how' an OS X app (the target) reads and writes to/from the HD? How may I determine that list of functions or system calls? Adding more context: This is a final project and…