Questions tagged [ptrace]

The ptrace() system call provides a means by which a parent process may observe and control the execution of another process, and examine and change its core image and registers.

ptrace stands for process trace. It is used extensively by debuggers such as GDB and DBX and by tracing tools such as strace and ltrace.
By attaching to another process, the tracer gains extensive control over the target, including manipulation of its

  1. File Descriptors
  2. Registers
  3. Memory

It can single-step through the target's code, can observe system calls and their results, and can manipulate the target's signal handlers and both receive and send signals on its behalf.

The ability to write into the target's memory allows not only its data to be changed, but also the application's own code segment, allowing the controller to install breakpoints and patch the running code of the target.

Basic tutorials on ptrace are available here and here.

465 questions
0 votes, 0 answers

PTRACE_GETREGS (seems) to return junk values

I'm trying to use ptrace to access the registers of a particular thread in a child process. The values I'm getting seem to be junk, however; they seem to be way out in the weeds. Here's what I mean: RAX: fffffffffffffdfc RBX: 7f0533fe7700 RCX:…
tonysdg
0 votes, 0 answers

How to control the thread of child process

I'm trying to implement the following function in a debugger: I want to use the debugger to control a thread in the process which is being debugged. The debugger is the parent process and uses the ptrace() function to debug the child process, but I…
wangxf
0 votes, 1 answer

Record memory accesses during execution

Is there a tool that can trace/record a process's memory accesses throughout the execution? I found vmtrace suitable, but it seems to be dead (at least the download link is not accessible). Other information about memory access is also useful, such…
qweruiop
0 votes, 1 answer

Why does ptrace produce a zombie process when I want to trace a daemon SSHD

I am trying to ptrace an sshd daemon. The following simple program is attached to the daemon. Whenever an ssh client connection is closed, the newly generated sshd process turns into a zombie process. Could you give me any comments? Thanks in advance. int…
0 votes, 2 answers

When using GETREGS, does ptrace get only userspace stack RSP, or both kernel and userspace RSP can be possible?

When using ptrace to get the registers of another process, is it possible that the stop point is in kernel space (doing system call or something like in sleep()), that the RIP is in kernel code segment and RSP is the kernel stack pointer?
WindChaser
0 votes, 1 answer

Qt Creator cannot run gdb on Ubuntu 10.04

My setup: Ubuntu 10.04 LTS 32-bit Kernel 2.6.32 Qt Creator 2.6.2 gcc 4.4.3 gdb 7.1 When I debug a simple "Hello world" console application, Qt Creator complains saying Couldn't get registers: No such process All solutions found on Internet…
Claudio
0 votes, 0 answers

How does GDB/ptrace trap signals like SIGINT?

When I was googling my gdb and sigwait issue, I found this kernel bug thread GDB is not trapping SIGINT. Ctrl+C terminates program when should break gdb. Quote: gdb puts the debugged process in its own pgrp and sets the terminal to that pgrp.…
wei
0 votes, 1 answer

Cannot attach some processes by ptrace?

OS: Android 4.3 & 4.4 (root) Hi all, I try to attach to all the processes by calling ptrace(); my tested app can be attached, but some processes can't be, which I list below: I guess the reason may be their special properties, but what's the…
0 votes, 0 answers

PTRACE_POKEUSER failed with error code 3

static inline int set_hw_br(pid_t tracee, dr7_t *pdr7, void *addr, int dr_index) { errno = 0; printf("LINE = %d %d, dr_index= %d\n",__LINE__, tracee, dr_index); if (ptrace(PTRACE_POKEUSER, tracee, offsetof(struct user,…
iDebD_gh
0 votes, 1 answer

How to get a process' memory and time usage?

I'm trying to get a process's memory and time usage, and here is [my code], but the memory reported is so much for such a simple app, consuming almost 8500Kb. Has something I've done reported the wrong memory usage, or are there other reasons? #include…
Jialin
0 votes, 1 answer

Finding the syscalls associated with a number

I am tracing a program using ptrace. After stopping on a syscall, I use PTRACE_PEEKUSER to look at the value of (ORIG_)EAX. Actually RAX since I'm 64 bit. What is a good way of translating this into the appropriate value? For example 2-> "open" (…
0 votes, 1 answer

non-root ptrace/waitpid on a non-child

This is a follow-up/modification of my question: Ptrace/wait on a non child. How do I ptrace or wait on a process that is not a child AND the process that waits is not a root user? I tried to be in the same group; it still doesn't work [ operation not…
resultsway
0 votes, 2 answers

How does ptrace catch fork's system call?

I try to use ptrace to catch a child process's system call id, such as execve(11) or fork(2). My code is here. #include #include #include #include #include #include int…
mengpq
0 votes, 2 answers

Ptrace/wait on a non child

int Enable ( int pid) { int status; #if 1 { printf ( "child pid = %d \n", pid ); long ret = ptrace (PTRACE_ATTACH, pid, NULL, NULL); do { int w = waitpid(-1, &status, 0); if (w == -1) { …
resultsway
0 votes, 1 answer

Pre-ptrace, how did Linux gdb breakpoints work?

If I understand correctly, Linux gdb breakpoints now work by overwriting opcodes with 'int 3' and ptracing when those are hit. ptrace hasn't been around forever. How did breakpoints work before ptrace was introduced into the kernel?
user2856949