Questions tagged [ptrace]

Ptrace stands for process trace. It is used extensively by debuggers such as GDB and DBX, and by tracing tools such as strace and ltrace.
By attaching to another process, the tracer gains extensive control over the target, including manipulation of its:

  1. File Descriptors
  2. Registers
  3. Memory

It can single-step through the target's code, observe system calls and their results, and manipulate the target's signal handlers, both receiving and sending signals on its behalf.

The ability to write into the target's memory allows not only its data to be changed but also the application's own code segment, letting the controller install breakpoints and patch the running code of the target.

Basic tutorials on ptrace are available here and here.

16 questions
5 votes, 0 answers

Change ptrace_scope temporarily for a specific user

ptrace_scope is a sysctl value (/proc/sys/kernel/yama/ptrace_scope) that prevents the use of ptrace on non-child processes when set to 1. This is generally considered good security practice. Unfortunately, being able to ptrace a process as a…
Andrew Spott
3 votes, 1 answer

Why do strace and ltrace cause EINTR to happen?

Consider this program: #include #include int main(void) { int epfd = epoll_create1(0); struct epoll_event event; event.events = EPOLLIN; event.data.fd = 0; epoll_ctl(epfd, EPOLL_CTL_ADD, 0,…
3 votes, 1 answer

Compile ptrace() program on OSX

I have this simple C program on MacOS: #include #include #include #include int main(int argc, char *argv[]) { pid_t pid = atoi(argv[1]); printf("pid = %jd\n", (intmax_t) pid); return…
Alexander Mills
2 votes, 1 answer

How can I make a specific process exec a given executable with ptrace()?

I am trying to force the init process of an embedded Linux system to exec() my own init program (systemd) so that I can test an external filesystem before writing it to the system's flash (and risk bricking the device). With GDB, I can run the…
Billy
1 vote, 0 answers

Strace displaying results in ASCII only at process ending and not runtime

I'm searching for a way for strace to print the content of the write(...) syscall as ASCII and not useless bytes! The strace command I use: sudo strace -e write=1 -e trace=write -s9999 -p 551 2>&1 The output is made of 3 different sections: 1) The…
Doctor
1 vote, 1 answer

Is there a better method than ptrace for intercepting ("catching") Linux syscalls coming from a forked process?

I would like to catch all syscalls coming from a forked process, modify them, send them to the kernel, and then pass them back to the forked process. Is this possible, and if so, how might I go about this? I've done some research, and found ptrace,…
1 vote, 0 answers

Ptrace: Function Not Implemented in GDB Installed on Multiarch/Qemu-User-Static Arm64v8/Alpine Docker Container

I want to debug an aarch64 ELF using GDB installed on an arm64v8/alpine docker on my x86_64 16.04 Ubuntu VirtualBox, which itself is installed on my Mac. In particular, to set up the docker I use the instructions here. That is: sudo docker run --rm…
Newbie
1 vote, 1 answer

Do file writes as in-memory fake on Linux

I'd like to run a Linux process in a fake-write environment where all file writes (with the write(2) system call) are redirected to an in-memory cache, and subsequent reads (of the same region only) will be served from the cache. The cache can be…
pts
1 vote, 0 answers

Is there a way in which we can notify the tracer (parent process) when the tracee (child process) executes a branch instruction?

As we know, the ptrace system call is one of the most powerful system calls in Unix-like systems. All debugging software uses ptrace for monitoring and manipulating another process, i.e. the tracee. Using ptrace, we can track read/write system calls in…
0 votes, 1 answer

Why does PTRACE_PEEKUSER not allow reading of FPU registers on x86_64?

PTRACE_PEEKUSER is documented to read a word from the user area, whose partial layout on x86_64 is: struct user { struct user_regs_struct regs; int u_fpvalid; struct user_fpregs_struct i387; //... int …
TartanLlama
0 votes, 0 answers

Run GDB on background

I'm working on a program where I have 2 ncurses windows, one displaying my custom shell implemented with fork+exec, and in the other I want to show some info about commands run on my shell. For that, I'm trying to use GDB. My idea is to run GDB on…
brunos098
0 votes, 1 answer

syscall accept4() returns an invalid value

I created a program similar to "strace" which is able to log syscalls. I also installed a webserver, watched the syscalls from 'strace' and from my program, and compared them. For each program, I initiated a simple HTTP GET to the webserver…
0 votes, 2 answers

Permission error when attaching GDB to PID of running process

I have this toy C++ program: #include int main() { int n{}; std::cin >> n; // waits for input std::cout << n << std::endl; } which pauses upon executing the commented line, waiting for user input and giving me all the…
Enlico
0 votes, 1 answer

What can a debugger do with /proc that cannot be done with ptrace?

The Wikipedia article on ptrace says: Communications between the controller and target take place using repeated calls of ptrace, passing a small fixed-size block of memory between the two (necessitating two context switches per call); this is…
Ryan1729
0 votes, 0 answers

Which one to use: Cross Memory Attach or ptrace?

I'm trying out ptrace system calls, and I just discovered Cross Memory Attach from Christopher Yeoh. I wonder which one is better in terms of performance, Cross Memory Attach or ptrace. Thanks in advance.