sys_ptrace  [kernel/ptrace.c]


Traces process execution flow.

This system call provides a means by which a parent process may observe and control the execution of another process, and examine and change its core image and registers. It is primarily used to implement breakpoint debugging and system call tracing.

The parent can initiate a trace by calling sys_fork and having the resulting child do a PTRACE_TRACEME, followed (typically) by an sys_execve. Alternatively, the parent may commence trace of an existing process using PTRACE_ATTACH.

While being traced, the child will stop each time a signal is delivered, even if the signal is being ignored. (The exception is SIGKILL, which has its usual effect.) The parent will be notified at its next sys_wait* and may inspect and modify the child process while it is stopped. The parent then causes the child to continue, optionally ignoring the delivered signal (or even delivering a different signal instead).

When the parent is finished tracing, it can terminate the child with PTRACE_KILL or cause it to continue executing in a normal, untraced mode via PTRACE_DETACH.

Arguments

eax 26
ebx Operation to be performed. It may be one of the following:
PTRACE_TRACEME Indicates that this process is to be traced by its parent. Any signal (except SIGKILL) delivered to this process will cause it to stop and its parent to be notified via sys_wait*. Also, all subsequent calls to sys_execve by this process will cause a SIGTRAP to be sent to it, giving the parent a chance to gain control before the new program begins execution. A process probably shouldn't make this request if its parent isn't expecting to trace it.

This request is used only by a child process.

ecx, edx, and esi are ignored.
PTRACE_PEEKTEXT,
PTRACE_PEEKDATA
Reads a dword at the location specified by edx in the child's memory, returning the dword as the result of the sys_ptrace call. Linux does not have separate text and data address spaces, so the two requests are currently equivalent.

ecx - PID of the child process to be acted on. The child process must be stopped.
esi
is ignored.
PTRACE_PEEKUSR

Reads a dword at offset specified by edx in the child's USER area which has following form:

struc user
{
.regs        user_regs_struct
.u_fpvalid   rd 1
.i387        user_i387_struct
.u_tsize     rd 1
.u_dsize     rd 1
.u_ssize     rd 1
.start_code  rd 1
.start_stack rd 1
.signal      rd 1
.reserved    rd 1
.u_ar0       rd 1
.u_fpstate   rd 1
.magic       rd 1
.u_comm      rb 32
.u_debugreg  rd 8
}

user members:

regs
See PTRACE_GETREGS for information regarding user_regs_struct structure.
u_fpvalid
Not used.
i387
See PTRACE_GETFPREGS for information regarding user_i387_struct structure.
u_tsize
Text segment size (pages).
u_dsize
Data segment size (pages).
u_ssize
Stack segment size (pages).
start_code
Starting virtual address of text segment.
start_stack
Starting virtual address of stack area (bottom of the stack, top of the stack is always found in the
esp register)
signal
Signal that caused the core dump if any.
reserved
Not used.
u_ar0
Pointer to a user_pt_regs structure. Used by gdb to help find the values for the registers.
u_fpstate
Pointer to a user_i387_struct structure. Used by gdb to help find the values for the registers. *to be verified*
magic
Core file unique identifier.
u_comm
User command that was responsible
u_debugreg
*to be documented*

The dword is returned as the result of the sys_ptrace call. The offset must be word-aligned. *to be verified*

ecx - PID of the child process to be acted on. The child process must be stopped.
esi
is ignored.

PTRACE_POKETEXT,
PTRACE_POKEDATA
Copies the dword specified by esi to location specified by edx in the child's memory.
PTRACE_POKEUSR Copies the dword specified by esi to location specified by edx in the child's USER area. The offset must typically be word-aligned. In order to maintain the integrity of the kernel, some modifications to the USER area are disallowed.
PTRACE_CONT Restarts the stopped child process. If esi is non-zero and not SIGSTOP, it is interpreted as a signal to be delivered to the child; otherwise, no signal is delivered. Thus, for example, the parent can control whether a signal sent to the child is delivered or not.

ecx - PID of the child process to be acted on. The child process must be stopped.
edx
is ignored.
PTRACE_KILL Sends the child a SIGKILL to terminate it.

ecx - PID of the child process to be acted on.
edx
is ignored.
PTRACE_SINGLESTEP *to be documented*
PTRACE_ATTACH Attaches to the process specified in ecx, making it a traced "child" of the current process; the behavior of the child is as if it had done a PTRACE_TRACEME. The current process actually becomes the parent of the child process for most purposes (e.g., it will receive notification of child events and appears in ps (man 1 ps) output as the child's parent), but a sys_getppid by the child will still return the PID of the original parent. The child is sent a SIGSTOP, but will not necessarily have stopped by the completion of this call; use sys_wait* to wait for the child to stop.

ecx - PID of the child process to be acted on. The child process must be stopped.
edx
and esi are ignored.
PTRACE_DETACH Restarts the stopped child as for PTRACE_CONT, but first detaches from the process, undoing the reparenting effect of PTRACE_ATTACH, and the effects of PTRACE_TRACEME. Although perhaps not intended, under Linux a traced child can be detached in this way regardless of which method was used to initiate tracing.

ecx - PID of the child process to be acted on. The child process must be stopped.
edx
is ignored.
PTRACE_SYSCALL Restarts the stopped child as for PTRACE_CONT, but arranges for the child to be stopped at the next entry to or exit from a system call, or after execution of a single instruction, respectively. (The child will also, as usual, be stopped upon receipt of a signal.) From the parent's perspective, the child will appear to have been stopped by receipt of a SIGTRAP. So, for PTRACE_SYSCALL, for example, the idea is to inspect the arguments to the system call at the first stop, then do another PTRACE_SYSCALL and inspect the return value of the system call at the second stop.

ecx - PID of the child process to be acted on. The child process must be stopped.
edx
is ignored.
PTRACE_SYSEMU,
PTRACE_SYSEMU_SINGLESTEP
(since Linux 2.6.14) For PTRACE_SYSEMU, continue and stop on entry to the next syscall, which will not be executed. For PTRACE_SYSEMU_SINGLESTEP, do the same but also singlestep if not a syscall. This call is used by programs like User Mode Linux that want to emulate all the the child's syscalls.

ecx - PID of the child process to be acted on. The child process must be stopped.
edx
and esi are ignored.
PTRACE_SETOPTIONS Set ptrace options. esi is interpreted as a bitmask of options, which are specified by the following flags:
PTRACE_O_TRACESYSGOOD When delivering syscall traps, set bit 7 in the signal number (i.e., deliver 'SIGTRAP or 0x80' This makes it easy for the tracer to tell the difference between normal traps and those caused by a syscall
PTRACE_O_TRACEFORK Stop the child at the next sys_fork call with 'SIGTRAP or PTRACE_EVENT_FORK shl 8' and automatically start tracing the newly forked process, which will start with a SIGSTOP. The PID for the new process can be retrieved with PTRACE_GETEVENTMSG.
PTRACE_O_TRACEVFORK Stop the child at the next sys_vfork call with 'SIGTRAP or PTRACE_EVENT_VFORK shl 8' and automatically start tracing the newly vforked process, which will start with a SIGSTOP. The PID for the new process can be retrieved with PTRACE_GETEVENTMSG.
PTRACE_O_TRACECLONE Stop the child at the next sys_clone call with 'SIGTRAP or PTRACE_EVENT_CLONE shl 8' and automatically start tracing the newly cloned process, which will start with a SIGSTOP. The PID for the new process can be retrieved with PTRACE_GETEVENTMSG. This option may not catch sys_clone calls in all cases. If the child calls sys_clone with the CLONE_VFORK flag, PTRACE_EVENT_VFORK will be delivered instead if PTRACE_O_TRACEVFORK is set; otherwise if the child calls sys_clone with the exit signal set to SIGCHLD, PTRACE_EVENT_FORK will be delivered if PTRACE_O_TRACEFORK is set.
PTRACE_O_TRACEEXEC Stop the child at the next sys_execve call with 'SIGTRAP or PTRACE_EVENT_EXEC shl 8'.
PTRACE_O_TRACEVFORKDONE Stop the child at the completion of the next sys_vfork call with 'SIGTRAP or PTRACE_EVENT_VFORK_DONE shl 8'.
PTRACE_O_TRACEEXIT Stop the child at exit with 'SIGTRAP or PTRACE_EVENT_EXIT shl 8'. The child's exit status can be retrieved with PTRACE_GETEVENTMSG. This stop will be done early during process exit when registers are still available, allowing the tracer to see where the exit occurred, whereas the normal exit notification is done after the process is finished exiting. Even though context is available, the tracer cannot prevent the exit from happening at this point.

ecx -
PID of the child process to be acted on. The child process must be stopped.
edx
is ignored.
PTRACE_GETEVENTMSG Retrieve a message (as an unsigned 32bit value) about the ptrace event that just happened, placing it in the location specified by esi in the parent. For PTRACE_EVENT_EXIT this is the child's exit status. For PTRACE_EVENT_FORK, PTRACE_EVENT_VFORK and PTRACE_EVENT_CLONE this is the PID of the new process.

ecx - PID of the child process to be acted on. The child process must be stopped.
edx
is ignored.
PTRACE_GETSIGINFO Retrieve information about the signal that caused the stop. Copies a siginfo structure (see sys_sigaction) from the child to location specified in esi in the parent.

ecx - PID of the child process to be acted on. The child process must be stopped.
edx
is ignored.
PTRACE_SETSIGINFO Set signal information. Copies a siginfo_t structure from location specified by esi in the parent to the child. This will only affect signals that would normally be delivered to the child and were caught by the tracer. It may be difficult to tell these normal signals from synthetic signals generated by sys_ptrace itself.

ecx - PID of the child process to be acted on. The child process must be stopped.
edx
is ignored
PTRACE_GETREGS,
PTRACE_GETFPREGS

Copies the child's general purpose or floating-point registers, respectively, to location specified by esi in the parent.
General purpose registers are defined in an user_regs_struct structure:

struc user_regs_struct
{
.ebx      rd 1
.ecx      rd 1
.edx      rd 1
.esi      rd 1
.edi      rd 1
.ebp      rd 1
.eax      rd 1
.ds       rw 1
.__ds     rw 1
.es       rw 1
.__es     rw 1
.fs       rw 1
.__fs     rw 1
.gs       rw 1
.__gs     rw 1
.orig_eax rd 1
.eip      rd 1
.cs       rw 1
.__cs     rw 1
.eflags   rd 1
.esp      rd 1
.ss       rw 1
.__ss     rw 1
}

FPU registers are defined in an user_i387_struct structure:


struc user_i387_struct
{
.cwd rd 1
.swd rd 1
.twd rd 1
.fip rd 1
.fcs rd 1
.foo rd 1
.fos rd 1
.st_space rd 20
}

ecx - PID of the child process to be acted on. The child process must be stopped.
edx
is ignored

PTRACE_SETREGS,
PTRACE_SETFPREGS
Copies the child's general purpose or floating-point registers, respectively, from location specified by esi in the parent. As for PTRACE_POKEUSER, some general purpose register modifications may be disallowed.

ecx - PID of the child process to be acted on. The child process must be stopped.
edx
is ignored
ecx This argument depends on the operation used (ebx). See above.
edx This argument depends on the operation used (ebx). See above.
esi This argument depends on the operation used (ebx). See above.

Return values

If the system call succeeds and the operation was PTRACE_PEEK* the return value is the requested data, otherwise return value is 0.
If the system call fails the return value is one of the following errno values:

-EBUSY There was an error with allocating or freeing a debug register.
-EFAULT There was an attempt to read from or write to an invalid area in the parent's or child's memory, probably because the area wasn't mapped or accessible. Unfortunately, under Linux, different variations of this fault will return EIO or EFAULT more or less arbitrarily.
-EINVAL An attempt was made to set an invalid option.
-EIO ebx is invalid, or an attempt was made to read from or write to an invalid area in the parent's or child's memory, or there was a word-alignment violation, or an invalid signal was specified during a restart request.
-EPERM The specified process cannot be traced. This could be because the parent has insufficient privileges (the required capability is CAP_SYS_PTRACE); non-root processes cannot trace processes that they cannot send signals to or those running set-user-ID/set-group-ID programs, for obvious reasons. Alternatively, the process may already be being traced, or be init (PID 1).
-ESRCH The specified process does not exist, or is not currently being traced by the caller, or is not stopped (for requests that require that).

Remarks

Tracing causes a few subtle differences in the semantics of traced processes. For example, if a process is attached to with PTRACE_ATTACH, its original parent can no longer receive notification via sys_wait* when it stops, and there is no way for the new parent to effectively simulate this notification.

See /samples/basic/ptrace.asm for an example.

Compatibility

n/a