ptrace

96 阅读 0 评论 64 点赞

我是靠谱客的博主清爽手链，最近开发中收集的这篇文章主要介绍ptrace，觉得挺不错的，现在分享给大家，希望可以做个参考。

概述

1. definition

long ptrace(int request, pid_t pid, void * addr, void * data)

request , trace type;

the request determine the meaning of the other parameters and return value.

possibility of request

#define PTRACE_TRACEME 0
#define PTRACE_PEEKTEXT 1
#define PTRACE_PEEKDATA 2
#define PTRACE_PEEKUSR 3
#define PTRACE_POKETEXT 4
#define PTRACE_POKEDATA 5
#define PTRACE_POKEUSR 6
#define PTRACE_CONT 7
#define PTRACE_KILL 8
#define PTRACE_SINGLESTEP 9
#define PTRACE_ATTACH 0x10
#define PTRACE_DETACH 0x11
#define PTRACE_SYSCALL 24
#define PTRACE_SETOPTIONS 0x4200
#define PTRACE_GETEVENTMSG 0x4201
#define PTRACE_GETSIGINFO 0x4202
#define PTRACE_SETSIGINFO 0x4203
#define PTRACE_O_TRACESYSGOOD 0x00000001
#define PTRACE_O_TRACEFORK 0x00000002
#define PTRACE_O_TRACEVFORK 0x00000004
#define PTRACE_O_TRACECLONE 0x00000008
#define PTRACE_O_TRACEEXEC 0x00000010
#define PTRACE_O_TRACEVFORKDONE 0x00000020
#define PTRACE_O_TRACEEXIT 0x00000040
#define PTRACE_O_MASK 0x0000007f
#define PTRACE_EVENT_FORK 1
#define PTRACE_EVENT_VFORK 2
#define PTRACE_EVENT_CLONE 3
#define PTRACE_EVENT_EXEC 4
#define PTRACE_EVENT_VFORK_DONE 5
#define PTRACE_EVENT_EXIT 6

PTRACE_TRACEME
Indicates that this process is to be traced by its parent. Any signal (except SIGKILL) delivered to this process will cause it to stop and its parent to be notified via wait(2). Also, all subsequent calls to execve(2) by this process will cause a SIGTRAP to be sent to it, giving the parent a chance to gain control before the new program begins execution. A process probably shouldn't make this request if its parent isn't expecting to trace it. (pid, addr, and data are ignored.)

PTRACE_PEEKTEXT, PTRACE_PEEKDATA Reads a word at the location addr in the child's memory, returning the word as the result of the ptrace() call. Linux does not have separate text and data address spaces, so the two requests are currently equivalent. (The argument data is ignored.)
PTRACE_PEEKUSER Reads a word at offset addr in the child's USER area, which holds the registers and other information about the process (see <sys/user.h>). The word is returned as the result of the ptrace() call. Typically the offset must be word-aligned, though this might vary by architecture. See NOTES. ( data is ignored.)
PTRACE_POKETEXT, PTRACE_POKEDATA Copies the word data to location addr in the child's memory. As above, the two requests are currently equivalent.
PTRACE_POKEUSER Copies the word data to offset addr in the child's USER area. As above, the offset must typically be word-aligned. In order to maintain the integrity of the kernel, some modifications to the USER area are disallowed
PTRACE_GETREGS, PTRACE_GETFPREGS Copies the child's general purpose or floating-point registers, respectively, to location data in the parent. See <sys/user.h> for information on the format of this data. ( addris ignored.)

	struct pt_regs r;
	if(ptrace(PTRACE_GETREGS, pid, 0, &r)) return 0;

//different architecture has different structure of "struct pt_regs".
PTRACE_GETSIGINFO (since Linux 2.3.99-pre6) Retrieve information about the signal that caused the stop. Copies a siginfo_t structure (see sigaction(2)) from the child to location data in the parent. ( addr is ignored.)
PTRACE_SETREGS, PTRACE_SETFPREGS Copies the child's general purpose or floating-point registers, respectively, from location data in the parent. As for PTRACE_POKEUSER, some general purpose register modifications may be disallowed. ( addr is ignored.)
PTRACE_SETSIGINFO (since Linux 2.3.99-pre6) Set signal information. Copies a siginfo_t structure from location data in the parent to the child. This will only affect signals that would normally be delivered to the child and were caught by the tracer. It may be difficult to tell these normal signals from synthetic signals generated by ptrace() itself. ( addr is ignore) // don't understand quite well yet.
PTRACE_SETOPTIONS (since Linux 2.4.6; see BUGS for caveats)
Sets ptrace options from data in the parent. (addr is ignored.)
data is interpreted as a bit mask of options, which are speci‐
fied by the following flags:

PTRACE_O_TRACESYSGOOD (since Linux 2.4.6)
When delivering syscall traps, set bit 7 in the signal
number (i.e., deliver (SIGTRAP | 0x80) This makes it easy
for the tracer to tell the difference between normal
traps and those caused by a syscall. (PTRACE_O_TRACESYS‐
GOOD may not work on all architectures.)

PTRACE_O_TRACEFORK (since Linux 2.5.46)
Stop the child at the next fork(2) call with SIGTRAP |
PTRACE_EVENT_FORK << 8 and automatically start tracing
the newly forked process, which will start with a
SIGSTOP. The PID for the new process can be retrieved
with PTRACE_GETEVENTMSG.

PTRACE_O_TRACEVFORK (since Linux 2.5.46)
Stop the child at the next vfork(2) call with SIGTRAP |
PTRACE_EVENT_VFORK << 8 and automatically start tracing
the newly vforked process, which will start with a
SIGSTOP. The PID for the new process can be retrieved
with PTRACE_GETEVENTMSG.

PTRACE_O_TRACECLONE (since Linux 2.5.46)
Stop the child at the next clone(2) call with SIGTRAP |
PTRACE_EVENT_CLONE << 8 and automatically start tracing
the newly cloned process, which will start with a
SIGSTOP. The PID for the new process can be retrieved
with PTRACE_GETEVENTMSG. This option may not catch
clone(2) calls in all cases. If the child calls clone(2)
with the CLONE_VFORK flag, PTRACE_EVENT_VFORK will be
delivered instead if PTRACE_O_TRACEVFORK is set; other‐
wise if the child calls clone(2) with the exit signal set
to SIGCHLD, PTRACE_EVENT_FORK will be delivered if
PTRACE_O_TRACEFORK is set.

PTRACE_O_TRACEEXEC (since Linux 2.5.46)
Stop the child at the next execve(2) call with SIGTRAP |
PTRACE_EVENT_EXEC << 8.

PTRACE_O_TRACEVFORKDONE (since Linux 2.5.60)
Stop the child at the completion of the next vfork(2)
call with SIGTRAP | PTRACE_EVENT_VFORK_DONE << 8.

PTRACE_O_TRACEEXIT (since Linux 2.5.60)
Stop the child at exit with SIGTRAP |
PTRACE_EVENT_EXIT << 8. The child's exit status can be
retrieved with PTRACE_GETEVENTMSG. This stop will be
done early during process exit when registers are still
available, allowing the tracer to see where the exit
occurred, whereas the normal exit notification is done
after the process is finished exiting. Even though con‐
text is available, the tracer cannot prevent the exit
from happening at this point.

PTRACE_GETEVENTMSG (since Linux 2.5.46) Retrieve a message (as an unsigned long) about the ptrace event that just happened, placing it in the location data in the parent. For PTRACE_EVENT_EXIT this is the child's exit status. For PTRACE_EVENT_FORK, PTRACE_EVENT_VFORK and PTRACE_EVENT_CLONE this is the PID of the new process. Since Linux 2.6.18, the PID of the new process is also available for PTRACE_EVENT_VFORK_DONE. ( addr is ignored.)

PTRACE_CONT

Restarts the stopped child process. If data is nonzero and not SIGSTOP, it is interpreted as a signal to be delivered to the child; otherwise, no signal is delivered. Thus, for example, the parent can control whether a signal sent to the child is delivered or not. ( addr is ignored.)

PTRACE_SYSCALL, PTRACE_SINGLESTEP

Restarts the stopped child as for PTRACE_CONT, but arranges for the child to be stopped at the next entry to or exit from a system call, or after execution of a single instruction, respectively. (The child will also, as usual, be stopped upon receipt of a signal.) From the parent's perspective, the child will appear to have been stopped by receipt of a SIGTRAP. So, for PTRACE_SYSCALL, for example, the idea is to inspect the arguments to the system call at the first stop, then do another PTRACE_SYSCALL and inspect the return value of the system call at the second stop. The data argument is treated as for PTRACE_CONT. ( addr is ignored.)

PTRACE_SYSEMU, PTRACE_SYSEMU_SINGLESTEP (since Linux 2.6.14)

For PTRACE_SYSEMU, continue and stop on entry to the next syscall, which will not be executed. For PTRACE_SYSEMU_SINGLESTEP, do the same but also singlestep if not a syscall. This call is used by programs like User Mode Linux that want to emulate all the child's system calls. The data argument is treated as for PTRACE_CONT. ( addr is ignored; not supported on all architectures.)

PTRACE_KILL

Sends the child a SIGKILL to terminate it. ( addr and data are ignored.)

PTRACE_ATTACH

Attaches to the process specified in pid, making it a traced "child" of the calling process; the behavior of the child is as if it had done a PTRACE_TRACEME. The calling process actually becomes the parent of the child process for most purposes (e.g., it will receive notification of child events and appears in ps(1) output as the child's parent), but a getppid(2) by the child will still return the PID of the original parent. The child is sent a SIGSTOP, but will not necessarily have stopped by the completion of this call; use wait(2) to wait for the child to stop. ( addr and data are ignored.

PTRACE_DETACH

Restarts the stopped child as for PTRACE_CONT, but first detaches from the process, undoing the reparenting effect of PTRACE_ATTACH, and the effects of PTRACE_TRACEME. Although perhaps not intended, under Linux a traced child can be detached in this way regardless of which method was used to initiate tracing. ( addr is ignored.)

Return Value

On success, PTRACE_PEEK* requests return the requested data, while other requests return zero. On error, all requests return -1, and errno is set appropriately. Since the value returned by a successful PTRACE_PEEK* request may be -1, the caller must check errno after such requests to determine whether or not an error occur

to be continued with experiments.