System Call
  • /kernel source path/kernel/ptrace.c
    • architecture-independent part
  • /kernel source path/arch/x86/kernel/ptrace.c
    • architecture-dependent part
  • requested operation
    • PTRACE_ATTACH, PTRACE_DETACH
      • PTRACE_ATTACH sends SIGSTOP to the target process; the tracee stops, and this first stop is what the tracer picks up with wait() before it can issue any further request. PTRACE_DETACH ends tracing and lets the tracee run on.
      • Whenever the tracee stops, the tracer is notified: it receives SIGCHLD and, more usefully, its wait()/waitpid() call returns the stop status. It can then resume the tracee with PTRACE_SYSCALL or PTRACE_SINGLESTEP to stop it again at the next system call or the next instruction. When resuming after the attach-time SIGSTOP, pass 0 as the signal argument so that the SIGSTOP is not delivered to the tracee.
    • PTRACE_PEEKTEXT, PTRACE_PEEKDATA
    • PTRACE_PEEKUSR
      • examine one word of the USER area (struct user in <sys/user.h>), where the kernel exposes the tracee's register contents and other per-process information to the tracer; addr is the byte offset into that structure, and it must be word-aligned.
    • PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_POKEUSR
    • PTRACE_SETREGS, PTRACE_GETREGS
    • PTRACE_SETFPREGS, PTRACE_GETFPREGS
    • PTRACE_SYSCALL
      • the kernel lets the tracee run until it enters a system call, then stops it. Once the tracee has stopped, wait informs the tracer, which then inspects the tracee's registers and address space with the requests above (GETREGS, PEEKDATA, ...) to gather information on the system call; on x86-64 the number is in orig_rax and the arguments in rdi, rsi, rdx, r10, r8, r9.
      • "wait informing the tracer" means the status returned by the tracer's wait call has WIFSTOPPED(status) ((status & 0xff) == 0x7f) true and WSTOPSIG(status) equal to SIGTRAP (0x05). Such a stop looks exactly like a genuine SIGTRAP hitting the tracee; setting PTRACE_O_TRACESYSGOOD with PTRACE_SETOPTIONS makes system-call stops report SIGTRAP | 0x80 instead, so the two can be told apart.
      • The tracee is stopped a second time after the system call completes so that the tracer can check whether the call succeeded: the return register (rax on x86-64) then holds the result, or a negative errno value on failure. Nothing in the stop itself says whether it is the entry or the exit stop; the tracer must keep track by alternation, or use PTRACE_GET_SYSCALL_INFO (Linux 5.3 and later).
      • At both stops the tracee is placed in a ptrace stop (process state TASK_TRACED in current kernels; early 2.6 kernels used TASK_STOPPED for this as well), and the tracer is informed by means of a SIGCHLD signal and a returning wait call.
    • PTRACE_SINGLESTEP
      • the tracer resumes the tracee with ptrace(PTRACE_SINGLESTEP, ...)
      • exactly one machine instruction is executed (on x86 the kernel sets the trap flag, TF, so that a debug trap follows it)
      • the tracee is stopped again with SIGTRAP, and the tracer is informed via SIGCHLD/wait just as for a system-call stop
    • PTRACE_KILL (deprecated; kill(pid, SIGKILL) is the reliable way to terminate a tracee)
    • PTRACE_TRACEME
      • Indicates that this process is to be traced by its parent. It is the one request issued by the tracee rather than the tracer; the usual pattern is fork, PTRACE_TRACEME in the child, then exec, after which the kernel stops the child with SIGTRAP before the new program runs its first instruction.
    • PTRACE_CONT
      • resumes execution of a traced process without specifying special conditions for stopping it; the data argument names a signal to deliver on resumption (0 for none), which is how a tracer passes on, or suppresses, a signal it intercepted
  • System Call Tracing using ptrace
  • Playing with ptrace Part I, Part II
  • Process Tracing Using Ptrace
  • Tracing/modifying a process with the ptrace system call (以 ptrace 系統呼叫來追蹤/修改行程)
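The attach sequence from the PTRACE_ATTACH/PTRACE_DETACH and PEEK/POKE bullets above, as an added example that is not code from the original page. It forks a child (no exec, so the child keeps the parent's addresses), attaches with PTRACE_ATTACH, waits for the SIGSTOP-induced stop, reads a word with PTRACE_PEEKDATA, overwrites it with PTRACE_POKEDATA, and detaches without re-delivering the SIGSTOP. The names patch_target, peek_word and attach_and_patch are this example's own; it assumes Linux with a ptrace policy (Yama ptrace_scope, seccomp) that permits attaching to a descendant.

```c
#define _GNU_SOURCE
/* Added example, not from the original page: attach to a running process, read and
 * patch one word of its memory, then detach.  The target is a forked (not exec'd)
 * child, so it has this binary's addresses and &patch_target is valid in both.
 * Assumes Linux with a ptrace policy (Yama, seccomp) that allows attaching. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* The child spins on this until the tracer overwrites it, then exits with it. */
static volatile long patch_target = -1;

/* PTRACE_PEEKDATA returns the word itself, so -1 is ambiguous: clear errno first
 * and treat -1 as an error only when errno was set by the call. */
static int peek_word(pid_t pid, volatile long *addr, long *out)
{
    errno = 0;
    long word = ptrace(PTRACE_PEEKDATA, pid, (void *)addr, NULL);
    if (word == -1 && errno != 0) return -1;
    *out = word;
    return 0;
}

/* Returns the exit status the child reports after being patched to new_value, or
 * -1 if attach/peek/poke failed; the child is killed then so no zombie is left. */
int attach_and_patch(long new_value)
{
    int status;
    long before;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        while (patch_target == -1) { }          /* wait for the tracer's POKEDATA */
        _exit((int)(patch_target & 0xff));
    }
    /* PTRACE_ATTACH sends SIGSTOP; the first waitpid() reports exactly that stop. */
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) goto fail;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status) || WSTOPSIG(status) != SIGSTOP) goto fail;
    if (peek_word(pid, &patch_target, &before) == -1 || before != -1) goto fail;
    if (ptrace(PTRACE_POKEDATA, pid, (void *)&patch_target, (void *)new_value) == -1) goto fail;
    /* Detach with signal 0: the SIGSTOP is not delivered and the tracee runs on. */
    if (ptrace(PTRACE_DETACH, pid, NULL, NULL) == -1) goto fail;
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
fail:
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return -1;
}

int main(void)
{
    int rc = attach_and_patch(42);
    if (rc == -1) { perror("attach_and_patch"); return 1; }
    printf("child exited with %d after PTRACE_POKEDATA\n", rc);
    return 0;
}
```

The sentinel value -1 is chosen on purpose: PTRACE_PEEKDATA hands back the word it read, so a legitimate -1 in the tracee's memory can only be distinguished from a failed request by clearing errno before the call, which is what peek_word does. On a host where ptrace_scope is 3 or seccomp blocks ptrace, PTRACE_ATTACH fails with EPERM and the function kills and reaps the child before returning -1.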
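The PTRACE_TRACEME / PTRACE_SYSCALL loop and the wait-status decoding described above, as one added example that is not code from the original page: it runs a program under tracing, enables PTRACE_O_TRACESYSGOOD so that system-call stops are distinguishable from signal stops, counts entry and exit stops, and prints the number and result of each completed call. The names classify_status, read_syscall_regs, trace_stats and trace_program are this example's own; it assumes Linux on x86-64 or AArch64, the two architectures for which the register layout is written.

```c
#define _GNU_SOURCE
/* Added example, not from the original page: a minimal system-call tracer built
 * from the ptrace requests listed above.  Assumes Linux on x86-64 or AArch64. */
#include <elf.h>          /* NT_PRSTATUS for PTRACE_GETREGSET */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

enum stop_kind { STOP_EXITED, STOP_KILLED, STOP_SYSCALL, STOP_SIGNAL, STOP_OTHER };

/* Classify a waitpid() status.  With PTRACE_O_TRACESYSGOOD a syscall stop reports
 * WSTOPSIG == SIGTRAP|0x80, so it cannot be mistaken for a real SIGTRAP. */
enum stop_kind classify_status(int status)
{
    if (WIFEXITED(status))   return STOP_EXITED;
    if (WIFSIGNALED(status)) return STOP_KILLED;
    if (!WIFSTOPPED(status)) return STOP_OTHER;
    return WSTOPSIG(status) == (SIGTRAP | 0x80) ? STOP_SYSCALL : STOP_SIGNAL;
}

/* Fetch the syscall number and return register of a stopped tracee. */
static int read_syscall_regs(pid_t pid, long *nr, long *ret)
{
    struct user_regs_struct regs;
#if defined(__x86_64__)
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1) return -1;
    *nr = (long)regs.orig_rax;   /* rax itself holds -ENOSYS at the entry stop */
    *ret = (long)regs.rax;
#elif defined(__aarch64__)
    struct iovec iov = { .iov_base = &regs, .iov_len = sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)(long)NT_PRSTATUS, &iov) == -1) return -1;
    *nr = (long)regs.regs[8];    /* x8 = syscall number, x0 = return value */
    *ret = (long)regs.regs[0];
#else
#error "register layout only written for x86-64 and AArch64"
#endif
    return 0;
}

struct trace_stats { unsigned long entries, exits; int exit_code; };

/* Run argv[0] under PTRACE_TRACEME and drive it with PTRACE_SYSCALL until it exits.
 * Every syscall yields two stops, entry (number known, no result yet) and exit
 * (result in the return register).  Returns 0, or -1 with errno set. */
int trace_program(char *const argv[], struct trace_stats *st, int verbose)
{
    int status, sig = 0, in_syscall = 0;
    long nr = -1, ret = 0;
    memset(st, 0, sizeof *st);
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {                                      /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(127);
        execv(argv[0], argv);
        _exit(127);                                      /* exec failed */
    }
    /* First stop: the SIGTRAP the kernel raises after a traced execve. */
    if (waitpid(pid, &status, 0) == -1) return -1;
    if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP) { errno = EPERM; return -1; }
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD) == -1) goto fail;
    for (;;) {
        /* Resume to the next syscall boundary, delivering any pending signal. */
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1) goto fail;
        sig = 0;
        if (waitpid(pid, &status, 0) == -1) goto fail;
        switch (classify_status(status)) {
        case STOP_EXITED: st->exit_code = WEXITSTATUS(status);    return 0;
        case STOP_KILLED: st->exit_code = 128 + WTERMSIG(status); return 0;
        case STOP_SYSCALL:
            if (read_syscall_regs(pid, &nr, &ret) == -1) goto fail;
            if (!in_syscall) {                           /* entry stop */
                st->entries++;
            } else {                                     /* exit stop: -errno on failure */
                st->exits++;
                if (verbose) printf("syscall %ld = %ld%s\n", nr, ret, (ret < 0 && ret > -4096) ? " (-errno)" : "");
            }
            in_syscall = !in_syscall;
            break;
        case STOP_SIGNAL:                                /* real signal: re-inject it */
            sig = WSTOPSIG(status);
            break;
        default: break;
        }
    }
fail:
    kill(pid, SIGKILL);                                  /* never leave a stopped tracee behind */
    waitpid(pid, NULL, 0);
    return -1;
}

int main(int argc, char **argv)
{
    struct trace_stats st;
    if (argc < 2) { fprintf(stderr, "usage: %s prog [args...]\n", argv[0]); return 2; }
    if (trace_program(argv + 1, &st, 1) == -1) { perror("trace_program"); return 1; }
    fprintf(stderr, "%lu entries, %lu exits, exit code %d\n", st.entries, st.exits, st.exit_code);
    return st.exit_code;
}
```

Running it as ./tracer /bin/true prints one line per completed system call; the final counts show one more entry than exit because exit_group never returns to its exit stop. Entry and exit stops are told apart only by alternation, which is sufficient here; a tracer that also handles exec or seccomp events should use PTRACE_GET_SYSCALL_INFO where the kernel offers it.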
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License