Introduction to Android ptrace

Source: Internet
Author: User
1. The implementation of ptrace itself ptrace provides a parent process that can control sub-processes and check and change its core image. It is mainly used for breakpoint debugging. A tracked process is running until a signal occurs. The process is aborted and its parent process is notified. When a process is aborted, the memory space of the process can be read and written. The parent process also allows the child process to continue execution and determines whether to ignore the signal that caused the suspension. 1.1 user State implementation

See bionic/libc/bionic/ptrace. c

extern long __ptrace(int request, pid_t pid, void *addr, void *data);long ptrace(int request, pid_t pid, void * addr, void * data){    switch (request) {        case PTRACE_PEEKUSR:        case PTRACE_PEEKTEXT:        case PTRACE_PEEKDATA:        {            long word;            long ret;            ret = __ptrace(request, pid, addr, &word);            if (ret == 0) {                return word;            } else {                // __ptrace will set errno for us                return -1;            }        }        default:             return __ptrace(request, pid, addr, data);    }}

0 is returned. -1 is returned. Errno is set.

1.2 kernel State implementation

For implementation code, see kernel/ptrace. C.

SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,unsigned long, data){struct task_struct *child;long ret;if (request == PTRACE_TRACEME) {ret = ptrace_traceme();if (!ret)arch_ptrace_attach(current);goto out;}child = ptrace_get_task_struct(pid);if (IS_ERR(child)) {ret = PTR_ERR(child);goto out;}if (request == PTRACE_ATTACH) {ret = ptrace_attach(child);/* * Some architectures need to do book-keeping after * a ptrace attach. */if (!ret)arch_ptrace_attach(child);goto out_put_task_struct;}ret = ptrace_check_attach(child, request == PTRACE_KILL);if (ret < 0)goto out_put_task_struct;ret = arch_ptrace(child, request, addr, data); out_put_task_struct:put_task_struct(child); out:return ret;}

2. Methods for establishing a debugging relationship

You can use GDB to debug the program, either GDB./mytest or GDB <pid> (mytest process number ). This corresponds to two ways to establish a trace relationship using ptrace:
1) fork: the fork + execve is used to execute the program to be tested. The child process calls ptrace (ptrace_traceme) before execve, and establishes a trace relationship with the parent process (debugger.

2) attach: the debugger can call ptrace (ptrace_attach, PID,...) to establish a tracking relationship between itself and the process whose process number is PID. That is, use ptrace_attach to change itself to the parent process of the program to be debugged (you can see it in PS ). You can call ptrace (ptrace_detach, PID,...) to remove the trace relationship established by attach. Pay attention to the permissions of attach processes. For example, a process with non-root permissions cannot attach to a root process.

3. ptrace request type

• Ptrace_traceme:

Switches the current process to the stopped status. It is usually used with fork/exec, although it can also encounter self-tracking applications. For each process, ptrace_traceme can be called only once. Tracing a process that is being tracked will fail (another less important result is that the process cannot track itself. To do this, you should first derive a process from itself ). A large number of anti-debugging technologies are based on this situation. To overcome this type of technology, you must use a debugger that bypasses ptrace. A signal is sent to the process being debugged and switched to the stopped state. This process can be called from the context of the parent process
The pt_continue and pt_step commands exit from the stop status. The wait function will delay the execution of the parent process until the debugged process is switched to the stopped state or terminated (the return value is 1407 upon termination ). All other parameters are ignored.
• Ptrace_attach:

Switch the running process marked as PID to the stopped State. In this case, the debugger process becomes the "parent process ". All other parameters are ignored. The process must have the same user ID (UID) as the debugging process, and cannot be a Setuid/setduid process (otherwise, you must use root for debugging ). It sends a sigstop signal to the sub-process, so we can view and modify the sub-process, and then use ptrace (ptrace_detach ,...) To run the sub-process.
• Ptrace_detach:

Stop the process as a PID process (
Ptrace_attach and ptrace_traceme), and continue normal operation. All other parameters are ignored.
• Ptrace_cont and ptrace_syscall:

Continue the execution of the debug process marked as PID without interrupting the communication with the debugger process. If ADDR = 0, the execution continues from the last stopped address; otherwise, the execution continues from the specified address. Parameter Data specifies the number of signals sent to the debugged process (zero indicates no signal ).
• Ptrace_singlestep:

Perform one-step execution of processes marked as PID, that is, execute the next machine command and switch to the stopped state. In Linux, the ADDR parameter must be set to 0, and all other parameters are ignored.
• Ptrace_peektext and ptrace_peekdata (read ):

Read machine words from the address space of the Code zone and the debugging process. In many contemporary platforms, these two commands are equivalent. The ptrace function receives the target address ADDR and returns the read result.

• Ptrace_poketext and ptrace_pokedata (write ):

Write the machine word passed in by data to the address specified by ADDR.

• Ptrace_getregs and ptrace_getfpregs:

Read the values of general purpose registers, segment registers, and debugging registers into the memory zone of the debugger process specified by the ADDR pointer. The register structure is described in the header file kernel/ARCH/ARM/include/ASM/ptrace. h or bionic/libc/kernel/arch-arm/ASM/ptrace. h.
• Ptrace_setregs and ptrace _ setfpregs:

You can copy the content of the memory area specified by the ADDR pointer to set the value of the Register of the debugged process.

#define ARM_cpsr uregs[16]#define ARM_pc uregs[15]#define ARM_lr uregs[14]#define ARM_sp uregs[13]#define ARM_ip uregs[12]#define ARM_fp uregs[11]#define ARM_r10 uregs[10]#define ARM_r9 uregs[9]#define ARM_r8 uregs[8]#define ARM_r7 uregs[7]#define ARM_r6 uregs[6]#define ARM_r5 uregs[5]#define ARM_r4 uregs[4]#define ARM_r3 uregs[3]#define ARM_r2 uregs[2]#define ARM_r1 uregs[1]#define ARM_r0 uregs[0]#define ARM_ORIG_r0 uregs[17]

• Ptrace_kill:

Send sigkill to the debugged process to terminate its execution.

• Ptrace_peekusr
Read a byte from the user area. The PID indicates the sub-process to be tracked. The user region address is provided by ADDR. Data is the user variable address used to return the read data. The user structure is the first part of the core file. It describes the status of the process when the process is terminated, such as the register value, code, data segment size, code, and data segment start address. In Linux (i386), data in the user structure can be accessed through ptrace_peekuser and ptrace_pokeusr through registers and debugging registers.
 
• Ptrace_pokeusr
Write a byte to the user area. The PID indicates the child process to be tracked. The address of the user area is provided by ADDR, and the data is the data to be written.

4. Detailed Function Description

1) ptrace_traceme
Format: ptrace (ptrace_traceme, 0, 0, 0)
Description: This process is tracked by its parent process. The parent process should want to track the child process.
 
2) ptrace_peektext, ptrace_peekdata
Format: ptrace (ptrace_peektext, PID, ADDR, data)
Ptrace (ptrace_peekdata, PID, ADDR, data)
Description: reads a byte from the memory address. The PID indicates the sub-process to be tracked. The memory address is provided by ADDR. Data is the user variable address used to return the read data. In Linux (i386), user code segments overlap with user data segments, so reading code segments and data segment data processing are the same.
 
3) ptrace_poketext, ptrace_pokedata
Format: ptrace (ptrace_poketext, PID, ADDR, data)
Ptrace (ptrace_pokedata, PID, ADDR, data)
Description: Write a byte to the memory address. PID indicates the sub-process to be tracked. The memory address is provided by ADDR, and data is the data to be written.
 
4) trace_peekusr
Format: ptrace (ptrace_peekusr, PID, ADDR, data)
Description: reads a byte from the user area. The PID indicates the sub-process to be tracked. The user region address is provided by ADDR. Data is the user variable address used to return the read data. The user structure is the first part of the core file. It describes the status of the process when the process is terminated, such as the register value, code, data segment size, code, and data segment start address. In Linux (i386), data in the user structure can be accessed through ptrace_peekuser and ptrace_pokeusr through registers and debugging registers.
 
5) ptrace_pokeusr
Format: ptrace (ptrace_pokeusr, PID, ADDR, data)
Description: writes a byte to the user area. The PID indicates the sub-process to be tracked. The address of the user area is provided by ADDR. Data is the data to be written.
 
6) ptrace_cont
Format: ptrace (ptrace_cont, PID, 0, signal)
Description: continue execution. PID indicates the sub-process to be tracked. IF signal is 0, the signal that causes the debugging process to stop is ignored. If it is not 0, the signal is processed again.
 
7) ptrace_syscall
Format: ptrace (ptrace_sys, PID, 0, signal)
Description: continue execution. PID indicates the sub-process to be tracked. IF signal is 0, the signal that causes the debugging process to stop is ignored. If it is not 0, the signal is processed again. Unlike ptrace_cont. When the tracked process continues to run until the system call starts or ends, the tracked process is aborted and the parent process is notified.
 
8) ptrace_kill
Format: ptrace (ptrace_kill, pid)
Description: kills a sub-process and causes it to exit. PID indicates the sub-process to be tracked.
 
9) ptrace_singlestep
Format: ptrace (ptrace_kill, PID, 0, signle)
Description: sets the single-step execution flag to execute one command in one step. PID indicates the sub-process to be tracked. If the value of signal is 0, the signal that causes the debugging process to stop is ignored. If the value is not 0, the signal is processed. After a single command is executed by the tracked process, the tracked process is aborted and the parent process is notified.
 
10) ptrace_attach
Format: ptrace (ptrace_attach, pid)
Description: tracks the specified PID process. PID indicates the tracked process. The tracked process becomes the child process of the current process and enters the abort state.
 
11) ptrace_detach
Format: ptrace (ptrace_detach, pid)
Description: end tracking. PID indicates the sub-process to be tracked. After the trail ends, the tracked process continues.
 
12) ptrace_getregs
Format: ptrace (ptrace_getregs, PID, 0, data)
Description: Read register value. PID indicates the sub-process to be tracked. Data is the user variable address used to return the read data. This function reads the values of all 17 basic registers.
 
13) ptrace_setregs
Format: ptrace (ptrace_setregs, PID, 0, data)
Description: registers. The PID indicates the sub-process to be tracked. Data is the user data address. This function sets the values of all 17 basic registers.
 
14) ptrace_getfpregs
Format: ptrace (ptrace_getfpregs, PID, 0, data)
Description: reads the floating-point register value. PID indicates the sub-process to be tracked. Data is the user variable address used to return the read data. This function reads the values of all registers of all floating point coprocessor 387.
 
15) ptrace_setfpregs
Format: ptrace (ptrace_setregs, PID, 0, data)
Description: sets the floating-point register value. PID indicates the sub-process to be tracked. Data is the user data address. This function sets the value of all registers of all floating point coprocessor 387.
 

Refer:

Http://hi.baidu.com/ligh0721/item/ade7ad297a4060d70f37f9f7

Http://blog.sina.com.cn/s/blog_4ac74e9a0100n7w1.html

Http://www.cnblogs.com/wangkangluo1/archive/2012/06/05/2535484.html

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.