Traces process execution flow.
This system call
provides a means by which a parent process may observe and control the execution of another process, and examine and change its core image and registers. It is primarily used to implement breakpoint debugging and system call tracing.
The parent can initiate a trace by calling sys_fork and having the resulting child do a PTRACE_TRACEME, followed (typically) by an sys_execve. Alternatively, the parent may commence trace of an existing process using PTRACE_ATTACH.
While being traced, the child will stop each time a signal is delivered, even if the signal is being ignored. (The exception is SIGKILL, which has its usual effect.) The parent will be notified at its next sys_wait* and may inspect and modify the child process while it is stopped. The parent then causes the child to continue, optionally ignoring the delivered signal (or even delivering a different signal instead).
When the parent is finished tracing, it can terminate the child with PTRACE_KILL or cause it to continue executing in a normal, untraced mode via PTRACE_DETACH.
Arguments
eax |
26 |
ebx |
Operation to be performed. It may be one of the following:
PTRACE_TRACEME |
Indicates that this process is to be traced by its parent. Any signal (except SIGKILL) delivered to this process will cause it to stop and its parent to be notified via sys_wait*. Also, all subsequent calls to sys_execve by this process will cause a SIGTRAP to be sent to it, giving the parent a chance to gain control before the new program begins execution. A process probably shouldn't make this request if its parent isn't expecting to trace it.
This request is used only by a child process.
ecx, edx, and esi are ignored. |
PTRACE_PEEKTEXT,
PTRACE_PEEKDATA |
Reads a dword at the location specified by edx in the child's memory, returning the dword as the result of the sys_ptrace call. Linux does not have separate text and data address spaces, so the two requests are currently equivalent.
ecx - PID of the child process to be acted on. The child process must be stopped.
esi is ignored. |
PTRACE_PEEKUSR |
Reads a dword at offset specified by edx in the child's USER area which has following form:
struc user
{
.regs user_regs_struct
.u_fpvalid rd 1
.i387 user_i387_struct
.u_tsize rd 1
.u_dsize rd 1
.u_ssize rd 1
.start_code rd 1
.start_stack rd 1
.signal rd 1
.reserved rd 1
.u_ar0 rd 1
.u_fpstate rd 1
.magic rd 1
.u_comm rb 32
.u_debugreg rd 8
} |
user members:
regs
See PTRACE_GETREGS for information regarding user_regs_struct structure.
u_fpvalid
Not used.
i387
See PTRACE_GETFPREGS for information regarding user_i387_struct structure.
u_tsize
Text segment size (pages).
u_dsize
Data segment size (pages).
u_ssize
Stack segment size (pages).
start_code
Starting virtual address of text segment.
start_stack
Starting virtual address of stack area (bottom of the stack, top of the stack is always found in the
esp register)
signal
Signal that caused the core dump if any.
reserved
Not used.
u_ar0
Pointer to a user_pt_regs structure. Used by gdb to help find the values for the registers.
u_fpstate
Pointer to a user_i387_struct structure. Used by gdb to help find the values for the registers. *to be verified*
magic
Core file unique identifier.
u_comm
User command that was responsible
u_debugreg
*to be documented*
The dword is returned as the result of the sys_ptrace call. The offset must be word-aligned. *to be verified*
ecx - PID of the child process to be acted on. The child process must be stopped.
esi is ignored.
|
PTRACE_POKETEXT,
PTRACE_POKEDATA |
Copies the dword specified by esi to location specified by edx in the child's memory. |
PTRACE_POKEUSR |
Copies the dword specified by esi to location specified by edx in the child's USER area. The offset must typically be word-aligned. In order to maintain the integrity of the kernel, some modifications to the USER area are disallowed. |
PTRACE_CONT |
Restarts the stopped child process. If esi is non-zero and not SIGSTOP, it is interpreted as a signal to be delivered to the child; otherwise, no signal is delivered. Thus, for example, the parent can control whether a signal sent to the child is delivered or not.
ecx - PID of the child process to be acted on. The child process must be stopped.
edx is ignored. |
PTRACE_KILL |
Sends the child a SIGKILL to terminate it.
ecx - PID of the child process to be acted on.
edx is ignored. |
PTRACE_SINGLESTEP |
*to be documented* |
PTRACE_ATTACH |
Attaches to the process specified in ecx, making it a traced "child" of the current process; the behavior of the child is as if it had done a PTRACE_TRACEME. The current process actually becomes the parent of the child process for most purposes (e.g., it will receive notification of child events and appears in ps (man 1 ps) output as the child's parent), but a sys_getppid by the child will still return the PID of the original parent. The child is sent a SIGSTOP, but will not necessarily have stopped by the completion of this call; use sys_wait* to wait for the child to stop.
ecx - PID of the child process to be acted on. The child process must be stopped.
edx and esi are ignored. |
PTRACE_DETACH |
Restarts the stopped child as for PTRACE_CONT, but first detaches from the process, undoing the reparenting effect of PTRACE_ATTACH, and the effects of PTRACE_TRACEME. Although perhaps not intended, under Linux a traced child can be detached in this way regardless of which method was used to initiate tracing.
ecx - PID of the child process to be acted on. The child process must be stopped.
edx is ignored. |
PTRACE_SYSCALL |
Restarts the stopped child as for PTRACE_CONT, but arranges for the child to be stopped at the next entry to or exit from a system call, or after execution of a single instruction, respectively. (The child will also, as usual, be stopped upon receipt of a signal.) From the parent's perspective, the child will appear to have been stopped by receipt of a SIGTRAP. So, for PTRACE_SYSCALL, for example, the idea is to inspect the arguments to the system call at the first stop, then do another PTRACE_SYSCALL and inspect the return value of the system call at the second stop.
ecx - PID of the child process to be acted on. The child process must be stopped.
edx is ignored. |
PTRACE_SYSEMU,
PTRACE_SYSEMU_SINGLESTEP |
(since Linux 2.6.14) For PTRACE_SYSEMU, continue and stop on entry to the next syscall, which will not be executed. For PTRACE_SYSEMU_SINGLESTEP, do the same but also singlestep if not a syscall. This call is used by programs like User Mode Linux that want to emulate all the the child's syscalls.
ecx - PID of the child process to be acted on. The child process must be stopped.
edx and esi are ignored. |
PTRACE_SETOPTIONS |
Set ptrace options. esi is interpreted as a bitmask of options, which are specified by the following flags:
PTRACE_O_TRACESYSGOOD |
When delivering syscall traps, set bit 7 in the signal number (i.e., deliver 'SIGTRAP or 0x80' This makes it easy for the tracer to tell the difference between normal traps and those caused by a syscall |
PTRACE_O_TRACEFORK |
Stop the child at the next sys_fork call with 'SIGTRAP or PTRACE_EVENT_FORK shl 8' and automatically start tracing the newly forked process, which will start with a SIGSTOP. The PID for the new process can be retrieved with PTRACE_GETEVENTMSG. |
PTRACE_O_TRACEVFORK |
Stop the child at the next sys_vfork call with 'SIGTRAP or PTRACE_EVENT_VFORK shl 8' and automatically start tracing the newly vforked process, which will start with a SIGSTOP. The PID for the new process can be retrieved with PTRACE_GETEVENTMSG. |
PTRACE_O_TRACECLONE |
Stop the child at the next sys_clone call with 'SIGTRAP or PTRACE_EVENT_CLONE shl 8' and automatically start tracing the newly cloned process, which will start with a SIGSTOP. The PID for the new process can be retrieved with PTRACE_GETEVENTMSG. This option may not catch sys_clone calls in all cases. If the child calls sys_clone with the CLONE_VFORK flag, PTRACE_EVENT_VFORK will be delivered instead if PTRACE_O_TRACEVFORK is set; otherwise if the child calls sys_clone with the exit signal set to SIGCHLD, PTRACE_EVENT_FORK will be delivered if PTRACE_O_TRACEFORK is set. |
PTRACE_O_TRACEEXEC |
Stop the child at the next sys_execve call with 'SIGTRAP or PTRACE_EVENT_EXEC shl 8'. |
PTRACE_O_TRACEVFORKDONE |
Stop the child at the completion of the next sys_vfork call with 'SIGTRAP or PTRACE_EVENT_VFORK_DONE shl 8'. |
PTRACE_O_TRACEEXIT |
Stop the child at exit with 'SIGTRAP or PTRACE_EVENT_EXIT shl 8'. The child's exit status can be retrieved with PTRACE_GETEVENTMSG. This stop will be done early during process exit when registers are still available, allowing the tracer to see where the exit occurred, whereas the normal exit notification is done after the process is finished exiting. Even though context is available, the tracer cannot prevent the exit from happening at this point. |
|
ecx - PID of the child process to be acted on. The child process must be stopped.
edx is ignored. |
PTRACE_GETEVENTMSG |
Retrieve a message (as an unsigned 32bit value) about the ptrace event that just happened, placing it in the location specified by esi in the parent. For PTRACE_EVENT_EXIT this is the child's exit status. For PTRACE_EVENT_FORK, PTRACE_EVENT_VFORK and PTRACE_EVENT_CLONE this is the PID of the new process.
ecx - PID of the child process to be acted on. The child process must be stopped.
edx is ignored. |
PTRACE_GETSIGINFO |
Retrieve information about the signal that caused the stop. Copies a siginfo structure (see sys_sigaction) from the child to location specified in esi in the parent.
ecx - PID of the child process to be acted on. The child process must be stopped.
edx is ignored. |
PTRACE_SETSIGINFO |
Set signal information. Copies a siginfo_t structure from location specified by esi in the parent to the child. This will only affect signals that would normally be delivered to the child and were caught by the tracer. It may be difficult to tell these normal signals from synthetic signals generated by sys_ptrace itself.
ecx - PID of the child process to be acted on. The child process must be stopped.
edx is ignored |
PTRACE_GETREGS,
PTRACE_GETFPREGS |
Copies the child's general purpose or floating-point registers, respectively, to location specified by esi in the parent.
General purpose registers are defined in an user_regs_struct structure:
struc user_regs_struct
{
.ebx rd 1
.ecx rd 1
.edx rd 1
.esi rd 1
.edi rd 1
.ebp rd 1
.eax rd 1
.ds rw 1
.__ds rw 1
.es rw 1
.__es rw 1
.fs rw 1
.__fs rw 1
.gs rw 1
.__gs rw 1
.orig_eax rd 1
.eip rd 1
.cs rw 1
.__cs rw 1
.eflags rd 1
.esp rd 1
.ss rw 1
.__ss rw 1
} |
FPU registers are defined in an user_i387_struct structure:
struc user_i387_struct
{
.cwd rd 1
.swd rd 1
.twd rd 1
.fip rd 1
.fcs rd 1
.foo rd 1
.fos rd 1
.st_space rd 20
}
|
ecx - PID of the child process to be acted on. The child process must be stopped.
edx is ignored
|
PTRACE_SETREGS,
PTRACE_SETFPREGS |
Copies the child's general purpose or floating-point registers, respectively, from location specified by esi in the parent. As for PTRACE_POKEUSER, some general purpose register modifications may be disallowed.
ecx - PID of the child process to be acted on. The child process must be stopped.
edx is ignored |
|
|
ecx |
This argument depends on the operation used (ebx). See above. |
edx |
This argument depends on the operation used (ebx). See above. |
esi |
This argument depends on the operation used (ebx). See above. |
Return values
If the system call succeeds and the operation was PTRACE_PEEK* the return value is the requested data, otherwise return value is 0.
If the system call fails the return value is one of the following errno values:
-EBUSY |
There was an error with allocating or freeing a debug register. |
-EFAULT |
There was an attempt to read from or write to an invalid area in the parent's or child's memory, probably because the area wasn't mapped or accessible. Unfortunately, under Linux, different variations of this fault will return EIO or EFAULT more or less arbitrarily. |
-EINVAL |
An attempt was made to set an invalid option. |
-EIO |
ebx is invalid, or an attempt was made to read from or write to an invalid area in the parent's or child's memory, or there was a word-alignment violation, or an invalid signal was specified during a restart request. |
-EPERM |
The specified process cannot be traced. This could be because the parent has insufficient privileges (the required capability is CAP_SYS_PTRACE); non-root processes cannot trace processes that they cannot send signals to or those running set-user-ID/set-group-ID programs, for obvious reasons. Alternatively, the process may already be being traced, or be init (PID 1). |
-ESRCH |
The specified process does not exist, or is not currently being traced by the caller, or is not stopped (for requests that require that). |
|
Remarks
Tracing causes a few subtle differences in the semantics of traced processes. For example, if a process is attached to with PTRACE_ATTACH, its original parent can no longer receive notification via sys_wait* when it stops, and there is no way for the new parent to effectively simulate this notification.
See /samples/basic/ptrace.asm for an example.
Compatibility
n/a |