Process Tracking

    long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data);

Linux uses ptrace for process tracking. Like the GDB debugging we usually do, it allows one process to track and control another process. When a traced process is signaled, it is paused, its memory space becomes readable, and the process that tracks it can choose whether to ignore the signal and let the program continue. Whether the tracked process is entering a system call or returning from one, the tracer can process the system call, for example by checking or modifying the invocation parameters, modifying registers, inserting new code into the code segment, and so on.

request parameter: represents the type of ptrace operation. There are many kinds:

    PTRACE_TRACEME: this process is to be tracked by its parent process. The parent process should expect to track the child process.
    PTRACE_PEEKTEXT, PTRACE_PEEKDATA: read a byte from a memory address. The memory address is given by addr.
    PTRACE_PEEKUSR: read a byte from the user area at offset addr.
    PTRACE_POKETEXT, PTRACE_POKEDATA: write a byte to a memory address. The memory address is given by addr.
    PTRACE_POKEUSR: write a byte to the user area. The offset is addr.
    PTRACE_SYSCALL, PTRACE_CONT: resume execution.
    PTRACE_KILL: kill the child process and make it exit.
    PTRACE_SINGLESTEP: set the single-step flag.
    PTRACE_ATTACH: trace the process with the specified PID.
    PTRACE_DETACH: end the trace.

Specific to Intel 386:

    PTRACE_GETREGS: read the registers.
    PTRACE_SETREGS: set the registers.
    PTRACE_GETFPREGS: read the floating-point registers.
    PTRACE_SETFPREGS: set the floating-point registers.

pid parameter: the PID of the tracked process.

addr and data parameters: their meaning depends on the request parameter. For example, when request is PTRACE_POKETEXT, which writes a byte of data to memory, addr is the memory address to write to and data is the byte to write.
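The requests above in one round trip, as an added example that is not part of the original article: a parent traces its own child with PTRACE_TRACEME, reads and rewrites one variable with PTRACE_PEEKDATA and PTRACE_POKEDATA, then resumes it with PTRACE_CONT. The names secret and trace_child_and_patch are assumptions made for illustration, and Linux with glibc is assumed.

```c
#include <errno.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample data: a word the tracer reads and rewrites in the tracee. */
static volatile long secret = 41;

/* Returns the tracee's exit status (42 when the patch worked), or -1 on error. */
int trace_child_and_patch(long *seen)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Tracee: ask to be tracked by the parent, then stop on a signal. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(1);
        raise(SIGSTOP);
        _exit((int)secret);          /* reached only after PTRACE_CONT */
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;
    /* Tracee is paused; fork() left `secret` at the same address in it. */
    errno = 0;                       /* a stored -1 is valid data, so errno signals failure */
    long word = ptrace(PTRACE_PEEKDATA, pid, (void *)&secret, NULL);
    if (word == -1 && errno != 0)
        goto fail;
    *seen = word;
    if (ptrace(PTRACE_POKEDATA, pid, (void *)&secret, (void *)(word + 1)) == -1)
        goto fail;
    /* data = 0: suppress the SIGSTOP instead of delivering it on resume. */
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) == -1)
        goto fail;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
fail:
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    return -1;
}

int main(void)
{
    long seen = 0;
    return trace_child_and_patch(&seen) == 42 ? 0 : 1;
}
```

The parent's own copy of secret stays 41; only the tracee's copy is changed, which is why the result is observed through the child's exit status.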
ptrace is a very complex topic. For more, refer to this article: Playing with Ptrace, Part I and Part II.
Linux Process Learning notes-process tracking