Call the ptrace function in Linux
Note: collected and reposted; original source address below.
Address: http://hi.baidu.com/lisuo/blog/item/05b70a248be7662fd50742c1.html
[Ptrace system call]
1. Function Description:
It provides a means by which a parent process may observe and control the execution of another process, and examine and change its memory image and registers. It is primarily used to implement breakpoint debugging and system call tracing. A trace is set up in one of two ways: the parent calls fork(), the resulting child issues the PTRACE_TRACEME request and then (typically) calls exec() to run the program to be traced; or the parent attaches to an already running process with the PTRACE_ATTACH request.
While being traced, the child stops each time a signal is delivered to it, even if that signal is being ignored (the exception is SIGKILL, which has its usual effect). The parent is notified at its next wait() call and may then examine and modify the stopped child. The parent then causes the child to continue, and may suppress the signal or deliver a different one.
2. Usage:
#include <sys/ptrace.h>
long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data);
Parameters:
Request: the action of the request, which may be:
PTRACE_TRACEME // Indicates that this process is to be traced by its parent. Any signal (except SIGKILL) delivered to this process will cause it to stop and its parent to be notified via wait(). Also, all subsequent calls to exec() by this process will cause the kernel to send it a SIGTRAP, giving the parent a chance to gain control before the new program begins execution. The pid, addr and data arguments are ignored.
This is the only request used by the tracee (the child); all of the remaining requests are used by the tracer (the parent).
PTRACE_PEEKTEXT, PTRACE_PEEKDATA // Read one word at address addr in the tracee's memory and return it as the result of the call. Linux does not have separate text and data address spaces, so the two requests are currently equivalent. The data argument is ignored.
PTRACE_PEEKUSER (spelled PTRACE_PEEKUSR in the kernel headers) // Read one word at offset addr in the tracee's USER area (struct user in <sys/user.h>), which holds the registers and other information about the process; return it as the result of the call. The offset is usually required to be word-aligned. The data argument is ignored.
PTRACE_POKETEXT, PTRACE_POKEDATA // Copy the word data to address addr in the tracee's memory. Note that data is the word itself, passed by value, not a pointer to it. As for the PEEK requests, the two are currently equivalent.
PTRACE_POKEUSER // Copy the word data to offset addr in the tracee's USER area. Some modifications to the USER area are disallowed, to maintain the integrity of the kernel.
PTRACE_GETREGS, PTRACE_GETFPREGS // Copy the tracee's general-purpose or floating-point registers, respectively, to the address data in the tracer. See <sys/user.h> for the format of this data. The addr argument is ignored. These two requests are not available on every architecture (arm64, for example, offers only the newer PTRACE_GETREGSET request).
PTRACE_GETSIGINFO // Retrieve information about the signal that caused the tracee to stop: copy a siginfo_t structure from the tracee to the address data in the tracer. The addr argument is ignored.
PTRACE_SETREGS, PTRACE_SETFPREGS // Copy the tracee's general-purpose or floating-point registers, respectively, from the address data in the tracer. As for PTRACE_POKEUSER, some register modifications may be disallowed. The addr argument is ignored.
PTRACE_SETSIGINFO // Set signal information: copy a siginfo_t structure from the address data in the tracer to the tracee. This affects only signals that would normally be delivered to the tracee and were caught by the tracer. The addr argument is ignored.
PTRACE_SETOPTIONS // Set ptrace options from data in the tracer. data is interpreted as a bit mask of the following flags:
PTRACE_O_TRACESYSGOOD // When delivering syscall traps, set bit 7 in the signal number, i.e. deliver SIGTRAP | 0x80. This lets the tracer easily distinguish normal traps from those caused by a system call.
PTRACE_O_TRACEFORK // Stop the tracee at the next fork() and automatically start tracing the newly forked process, which will start with a SIGSTOP. The waitpid status for the tracee will have status>>8 == (SIGTRAP | PTRACE_EVENT_FORK<<8). The PID of the new process can be retrieved with PTRACE_GETEVENTMSG.
PTRACE_O_TRACEVFORK // Stop the tracee at the next vfork() and automatically start tracing the newly vforked process, which will start with a SIGSTOP. The waitpid status for the tracee will have status>>8 == (SIGTRAP | PTRACE_EVENT_VFORK<<8). The PID of the new process can be retrieved with PTRACE_GETEVENTMSG.
PTRACE_O_TRACECLONE // Stop the tracee at the next clone() and automatically start tracing the newly cloned process, which will start with a SIGSTOP. The waitpid status for the tracee will have status>>8 == (SIGTRAP | PTRACE_EVENT_CLONE<<8). The PID of the new process can be retrieved with PTRACE_GETEVENTMSG.
PTRACE_O_TRACEEXEC // Stop the tracee at the next exec() with status>>8 == (SIGTRAP | PTRACE_EVENT_EXEC<<8).
PTRACE_O_TRACEVFORKDONE // Stop the tracee at the completion of the next vfork() with status>>8 == (SIGTRAP | PTRACE_EVENT_VFORK_DONE<<8).
PTRACE_O_TRACEEXIT // Stop the tracee at exit with status>>8 == (SIGTRAP | PTRACE_EVENT_EXIT<<8). The tracee's exit status can be retrieved with PTRACE_GETEVENTMSG. This stop happens early in process exit, while the registers are still available, so the tracer can see where the exit occurred; the normal exit notification follows once the tracee has finished exiting.
PTRACE_GETEVENTMSG // Retrieve a message (as an unsigned long) about the ptrace event that just happened, placing it at the address data in the tracer. For PTRACE_EVENT_EXIT this is the tracee's exit status; for the fork, vfork and clone events it is the PID of the new process. The addr argument is ignored.
PTRACE_CONT // Restart the stopped tracee. If data is nonzero, it is interpreted as the number of a signal to be delivered to the tracee; otherwise, no signal is delivered. This lets the tracer decide whether a signal it intercepted actually reaches the tracee. The addr argument is ignored.
PTRACE_SYSCALL, PTRACE_SINGLESTEP // Restart the stopped tracee as for PTRACE_CONT, but arrange for it to stop at the next entry to or exit from a system call, or after execution of a single instruction, respectively. (The stop is reported as SIGTRAP, or as SIGTRAP | 0x80 for syscall stops when PTRACE_O_TRACESYSGOOD is set.) As usual, the tracee may also stop because of a signal. This is the basis of system call tracing and single-step debugging. The addr argument is ignored.
PTRACE_SYSEMU, PTRACE_SYSEMU_SINGLESTEP // For PTRACE_SYSEMU, continue and stop on entry to the next system call, which will not be executed; for PTRACE_SYSEMU_SINGLESTEP, do the same but also single-step if the instruction is not a system call. These are used by programs such as User Mode Linux that want to emulate all of the tracee's system calls in user space.
PTRACE_KILL // Send SIGKILL to the tracee to terminate it. The addr and data arguments are ignored.
PTRACE_ATTACH // Attach to the process specified in pid, making it a tracee of the calling process. The tracee is sent a SIGSTOP, and the tracer should use wait() to wait for it to stop before doing anything else. Whether the attach is permitted depends on the caller's privileges and, on kernels with the Yama LSM, on the ptrace_scope setting; a refused attach fails with EPERM.
PTRACE_DETACH // Restart the stopped tracee as for PTRACE_CONT, but first detach from it. Under Linux a tracee can be detached this way regardless of whether it was attached with PTRACE_ATTACH or started with PTRACE_TRACEME.
pid: The process ID of the target (tracee).
addr: For the PEEK and POKE requests, the address in the tracee (or offset in its USER area) to read or write; ignored by most other requests.
data: For the POKE requests, the word to write, passed by value; for PTRACE_CONT and the other restart requests, the number of a signal to deliver; for the GET*/SET* requests, the address in the tracer where the data is stored or read from. Ignored by the PEEK requests, which return the word read as the result of the call.
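As an added example (this is not code from the original blog post), the following small syscall tracer ties the requests above together: it forks, issues PTRACE_TRACEME in the child, execs the target, enables PTRACE_O_TRACESYSGOOD, and then walks the tracee from system call to system call with PTRACE_SYSCALL, reading registers with PTRACE_GETREGS and pulling a string argument out of the tracee's memory with PTRACE_PEEKDATA. It assumes Linux on x86_64 or arm64 (on arm64 it uses PTRACE_GETREGSET, because that architecture has no PTRACE_GETREGS); the names trace_program, trace_result, syscall_nr_and_path and read_tracee_string, and the choice of watching for open/openat of a given path, are this example's own, not the page's.

```c
#include <elf.h>          /* NT_PRSTATUS, for PTRACE_GETREGSET on arm64 */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>  /* SYS_open / SYS_openat numbers for this architecture */
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

struct trace_result {
    long syscalls, opens;       /* syscall-entry stops seen; how many were open/openat */
    int saw_watch, exit_status; /* was watch_path opened?; exit code, or -1 if signalled */
};
/* Syscall number plus the pathname argument of open/openat, read from the tracee's
 * registers (PTRACE_GETREGS on x86_64; arm64 has only PTRACE_GETREGSET). -1 on error. */
static long syscall_nr_and_path(pid_t pid, unsigned long *path_arg)
{
    struct user_regs_struct r;
#if defined(__x86_64__)
    if (ptrace(PTRACE_GETREGS, pid, NULL, &r) == -1) return -1;
    long nr = (long)r.orig_rax;
    *path_arg = (nr == SYS_open) ? r.rdi : r.rsi;     /* open(path,..) vs openat(dirfd,path,..) */
    return (nr == SYS_open) ? SYS_openat : nr;        /* report legacy open(2) as openat */
#elif defined(__aarch64__)
    struct iovec iov = { &r, sizeof r };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)(long)NT_PRSTATUS, &iov) == -1) return -1;
    *path_arg = r.regs[1];                            /* arm64 has no open(2), only openat */
    return (long)r.regs[8];
#else
#error "register layout not handled for this architecture"
#endif
}

/* Copy a NUL-terminated string out of the tracee one word at a time. PEEKDATA returns
 * the word itself, so -1 is a legal value: clear errno first and test it afterwards. */
static int read_tracee_string(pid_t pid, unsigned long addr, char *buf, size_t len)
{
    for (size_t off = 0; off < len; ) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + off), NULL);
        if (word == -1 && errno != 0) return -1;
        size_t n = len - off < sizeof word ? len - off : sizeof word;
        memcpy(buf + off, &word, n);
        if (memchr(&word, 0, n)) return 0;   /* terminator copied */
        off += n;
    }
    buf[len - 1] = '\0';                     /* overlong: truncate */
    return 0;
}

/* fork, PTRACE_TRACEME in the child, exec the target, then drive the tracee from
 * syscall to syscall. Returns 0 once the tracee has terminated, -1 if tracing failed. */
int trace_program(char *const argv[], const char *watch_path, struct trace_result *out)
{
    *out = (struct trace_result){ .exit_status = -1 };
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(126);
        execvp(argv[0], argv);   /* the kernel stops us with SIGTRAP after a successful exec */
        _exit(127);
    }
    int status, in_syscall = 0, sig = 0;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) return -1;
    /* TRACESYSGOOD tags syscall stops as SIGTRAP|0x80 so a genuine SIGTRAP in the tracee is
     * not mistaken for one; EXITKILL (Linux 3.8+) stops a dying tracer leaving it stopped. */
    long opts = PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL;
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)opts) == -1) return -1;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1) return -1;
        if (waitpid(pid, &status, 0) == -1) return -1;
        sig = 0;
        if (!WIFSTOPPED(status)) { out->exit_status = WIFEXITED(status) ? WEXITSTATUS(status) : -1; return 0; }
        /* Anything but a syscall stop is an ordinary signal: re-deliver it when resuming. */
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) { sig = WSTOPSIG(status); continue; }
        if ((in_syscall = !in_syscall) == 0) continue;   /* syscall-exit stop */
        out->syscalls++;
        unsigned long path_arg;
        if (syscall_nr_and_path(pid, &path_arg) != SYS_openat) continue;
        char path[256];
        out->opens++;
        if (read_tracee_string(pid, path_arg, path, sizeof path) == 0 &&
            strcmp(path, watch_path) == 0)
            out->saw_watch = 1;
    }
}

int main(int argc, char *argv[])
{
    struct trace_result r;
    if (argc < 2) { fprintf(stderr, "usage: %s prog [args...]\n", argv[0]); return 2; }
    if (trace_program(argv + 1, "/dev/null", &r) == -1) { perror("trace_program"); return 1; }
    printf("%ld syscalls, %ld open/openat, /dev/null opened: %s, exit status %d\n",
           r.syscalls, r.opens, r.saw_watch ? "yes" : "no", r.exit_status);
    return 0;
}
```

Build with cc -o tracer tracer.c and run ./tracer cat /dev/null. Because PTRACE_O_TRACEEXEC is not set, a tracee that calls exec() a second time would get the legacy post-exec SIGTRAP, which this loop would re-deliver as an ordinary signal and so kill it; set that option and handle the PTRACE_EVENT_EXEC stop before tracing programs that exec.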
Return value:
On success, the PTRACE_PEEK* requests return the requested data, and the other requests return zero. On error, all requests return -1 and errno is set to one of the values below. Since the value returned by a successful PTRACE_PEEK* request may itself be -1, the caller must clear errno before such a call and check it afterwards to determine whether an error occurred.
EBUSY: (i386 only) There was an error with allocating or freeing a debug register.
EFAULT: There was an attempt to read from or write to an invalid area in the tracer's or the tracee's memory, probably because the area was not mapped or not accessible. Under Linux, different variations of this fault will return EIO or EFAULT more or less arbitrarily.
EINVAL: An attempt was made to set an invalid option.
EIO: request is invalid, or an attempt was made to read from or write to an invalid area in the tracer's or the tracee's memory, or there was a word-alignment violation, or an invalid signal was specified during a restart request.
EPERM: The specified process cannot be traced. This could be because the tracer has insufficient privileges; unprivileged processes cannot trace processes that they cannot send signals to, or those running set-user-ID/set-group-ID programs. Alternatively, the process may already be being traced, or be init (PID 1).
ESRCH: The specified process does not exist, or is not currently being traced by the caller, or is not stopped (for requests that require a stopped tracee).
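A second added example (again not code from the original post) shows the other way of starting a trace, PTRACE_ATTACH on an already running process, together with PTRACE_PEEKDATA, PTRACE_POKEDATA and PTRACE_DETACH, and the errno handling the return notes above call for. The target is a forked copy of the tracer itself, so the address of the global flag is identical in both processes and no symbol lookup is needed; the function name attach_and_patch and the convention that the child exits with the patched value are this example's assumptions. On kernels with the Yama LSM, ptrace_scope=1 permits attaching only to descendants (or to processes that opted in with PR_SET_PTRACER) unless the caller has CAP_SYS_PTRACE; a refused attach shows up as EPERM, exactly as listed above.

```c
#define _GNU_SOURCE   /* for usleep() */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile long flag;   /* the child spins on this until the tracer patches it */

/* Returns the child's exit code (1 means the tracer's write was seen) or -1 with errno
 * set if a ptrace request failed. *old_value gets the word read before it was changed. */
int attach_and_patch(long *old_value)
{
    int status;
    long word;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        /* Target: an ordinary, untraced process. Give the tracer up to about 5 s. */
        for (int i = 0; i < 5000 && !flag; i++) usleep(1000);
        _exit((int)flag);
    }
    /* Attach. The tracee is sent SIGSTOP; wait for that stop before touching it.
     * A refused attach (Yama ptrace_scope, missing CAP_SYS_PTRACE) fails with EPERM. */
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) goto fail;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) goto fail;
    /* PEEKDATA returns the word itself, so -1 is ambiguous: clear and then test errno. */
    errno = 0;
    word = ptrace(PTRACE_PEEKDATA, pid, (void *)&flag, NULL);
    if (word == -1 && errno != 0) goto fail;
    *old_value = word;
    /* POKEDATA takes the new word in `data` by value, not through a pointer. */
    if (ptrace(PTRACE_POKEDATA, pid, (void *)&flag, (void *)1L) == -1) goto fail;
    /* Detach with data == 0 so the SIGSTOP from attaching is not delivered on resume. */
    if (ptrace(PTRACE_DETACH, pid, NULL, NULL) == -1) goto fail;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
fail: {
        int saved = errno;           /* kill() and waitpid() must not clobber the cause */
        kill(pid, SIGKILL);
        waitpid(pid, &status, 0);
        errno = saved;
        return -1;
    }
}

int main(void)
{
    long old = -1;
    int rc = attach_and_patch(&old);
    if (rc == -1) { perror("attach_and_patch"); return 1; }
    printf("flag before patch: %ld, child exit code: %d\n", old, rc);
    return 0;
}
```

Run it as ./attach; a successful run reports a flag word of 0 and a child exit code of 1, showing that the POKEDATA write landed. If it prints "Operation not permitted", check /proc/sys/kernel/yama/ptrace_scope.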