Questions tagged [ptrace]

The ptrace() system call provides a means by which a parent process may observe and control the execution of another process, and examine and change its core image and registers.

ptrace stands for process trace. It is used extensively by debuggers such as GDB and DBX, and by tracing tools such as strace and ltrace.
By attaching to another process, the tracer gains extensive control over the target, including manipulation of its:

  1. File Descriptors
  2. Registers
  3. Memory

The tracer can single-step through the target's code, observe system calls and their results, and manipulate the target's signal handlers, both receiving and sending signals on its behalf.

The ability to write into the target's memory allows not only its data to be changed, but also the application's own code segment, which lets the controller install breakpoints and patch the running code of the target.

A basic tutorial on ptrace is available here and here.

465 questions
39 votes, 1 answer

How does ptrace work in Linux?

The ptrace system call allows the parent process to inspect the attached child. For example, in Linux, strace (which is implemented with the ptrace system call) can inspect the system calls invoked by the child process. When the attached child…
daehee
25 votes, 8 answers

Reading Other Process' Memory in OS X?

I've been trying to understand how to read the memory of other processes on Mac OS X, but I'm not having much luck. I've seen many examples online using ptrace with PEEKDATA and such, however it doesn't have that option on BSD [man ptrace]. int pid…
Jeremy
16 votes, 1 answer

ptrace and threads

I'm working on a Linux application incorporating ptrace to observe the threads of another process. When the application I observe forks a child process this already works quite well. By calling waitpid in my application I can obtain the following…
mupro
16 votes, 1 answer

How do you use ptrace to sandbox untrusted code run in Rails?

Let's suppose I have this awful controller code: class MovesController < ApplicationController def create eval(params[:input]) end end I've been looking for a best way to sandbox the execution of an untrusted code for some time now and…
Nox
15 votes, 4 answers

How to use PTRACE to get a consistent view of multiple threads?

While I was working on this question, I've come across a possible idea that uses ptrace, but I'm unable to get a proper understanding of how ptrace interacts with threads. Suppose I have a given, multithreaded main process, and I want to attach to a…
Kerrek SB
14 votes, 2 answers

PTrace: linux/user.h: No such file or directory

I am using Ubuntu 12.04 with linux-headers-3.2.0-60 on an Intel 32-bit machine. I am trying to build this simple program to understand PTrace, but I am getting an error during compilation. #include #include #include…
Nishant Kumar
13 votes, 0 answers

ptrace returning -1 on Android

I'm trying to detect when gdb is attached to my app and I'm using this in JNI code long x = ptrace(PTRACE_TRACEME, 0, 1, 0); char buffer[24]; sprintf(buffer, "ptrace = %ld", x); return (*env)->NewStringUTF(env, buffer); However, x is always -1…
Mirza Dobric
13 votes, 1 answer

ptrace one thread from another

Experimenting with the ptrace() system call, I am trying to trace another thread of the same process. According to the man page, both the tracer and the tracee are specific threads (not processes), so I don't see a reason why it should not work. So…
Grzegorz Herman
12 votes, 1 answer

Difference between ptrace(PTRACE_PEEKUSER) and ptrace(PTRACE_PEEKDATA)?

After posting a lot of questions on ptrace (the most recent 5 questions are mine :( ) I finally got the desired output when I replaced reg_val[1] = ptrace(PTRACE_PEEKDATA, child, 4 * EBX, NULL); with reg_val[1] = ptrace(PTRACE_PEEKUSER, child, 4 *…
kidd0
12 votes, 3 answers

Using ptrace to track all execve() calls across children

I am trying to write a tool on Linux CentOS to track all spawned processes and what is run. In essence, I'm interested in walking all fork/clones and emitting all the command-lines from execve(). Strace already does (some of) this, but it also…
Clint O
12 votes, 2 answers

occasionally missing PTRACE_EVENT_VFORK when running ptrace

I'm sorry that I can't post code to reproduce this. My problem is precisely that I don't know how to go about debugging this issue. I am using ptrace with PTRACE_O_TRACEFORK | PTRACE_O_TRACEEXEC | PTRACE_O_TRACEVFORK | PTRACE_O_TRACEVFORKDONE |…
David Roundy
11 votes, 2 answers

ptrace'ing of parent process

Can a child process use the ptrace system call to trace its parent? OS is Linux 2.6. Thanks. upd1: I want to trace process1 from "itself". It is impossible, so I do fork and try to do ptrace(process1_pid, PTRACE_ATTACH) from the child process. But I can't,…
osgx
11 votes, 1 answer

(ORIG_EAX*4) in ptrace calls

I was going through an article here and was trying out the code snippet I have copied out below :- #include #include #include #include #include /* For constants …
user277465
11 votes, 2 answers

CreateRemoteThread in Linux

I am using CreateRemoteThread in Windows and would like to know if the same thing is possible in Linux. Is it possible to do this in Linux?
CrazyC
10 votes, 1 answer

Is there something like the Linux ptrace syscall in Windows?

Reading "Monitoring certain system calls done by a process in Windows", I'm wondering about a Windows equivalent to the ptrace system call or a programmatic workaround.
cort