PTRACE(2) | System Calls Manual | PTRACE(2) |
ptrace
—
#include <sys/types.h>
#include <sys/ptrace.h>
int
ptrace
(int
request, pid_t pid,
void *addr,
int data);
ptrace
() provides tracing and debugging facilities. It
allows one process (the tracing process) to control another
(the traced process). Most of the time, the traced process
runs normally, but when it receives a signal (see
sigaction(2)), it stops. The
tracing process is expected to notice this via
wait(2) or the delivery of a
SIGCHLD
signal (see
siginfo(2)), examine the state
of the stopped process, and cause it to terminate or continue as appropriate.
ptrace
() is the mechanism by which all this happens.
When a process that is traced by a debugger requests and calls
execve(2) or any of the
routines built on it (such as
execv(3)), it will stop before
executing the first instruction of the new image and emit
SIGTRAP
with si_code
set to
TRAP_EXEC
. If a program is traced with the
PT_SYSCALL
option enabled, this event notifier is
disabled. If a traced program calls
execve(2) any setuid or setgid
bits on the executable being executed will be ignored.
Program (software) breakpoints are reported with
SIGTRAP
and the si_code
value set to TRAP_BKPT
. These breakpoints are
machine specific instructions that interrupt the process. In order to put a
trap by a tracer into the tracee's program, debugger must violate the
PaX MPROTECT
restrictions. For details check the
security.pax.mprotect.ptrace
option described in
sysctl(7). When a tracee is
interrupted by a trap, the trap is not removed by the kernel and it must be
handled by a debugger.
If a program is traced with single steps
(PT_STEP
) it reports each step with
SIGTRAP
with si_code
set to
TRAP_TRACE
. This event is not maskable
PT_SET_EVENT_MASK
.
Child program traps are reported with
SIGTRAP
and the si_code
value set to TRAP_CHLD
. These events are by default
disabled and can be configured with
PT_SET_EVENT_MASK
. If this event occurs, check with
PT_GET_PROCESS_STATE
the details of the process
state associated with this event.
Design choices for Debug Register accessors
exec
() (TRAP_EXEC
event)
must remove debug registers from LWPPTRACE_LWP_CREATE
/ PTRACE_LWP_EXIT
event monitoring function is
designed to be usedSIGTRAP with
si_code
TRAP_DBREG
PT_SETDBREGS
callA debugger might reuse port specific symbols, to help writing
portable code as described in the port specific part of the
<sys/ptrace.h>
header. Among
these symbols, there are:
PTRACE_REG_PC
PTRACE_REG_SET_PC
PTRACE_REG_SP
PTRACE_REG_INTRV
PTRACE_BREAKPOINT
PTRACE_BREAKPOINT_SIZE
PTRACE_BREAKPOINT_ADJ
The request argument of
ptrace
specifies what operation is being performed;
the meaning of the rest of the arguments depends on the operation, but
except for one special case noted below, all ptrace
calls are made by the tracing process, and the pid
argument specifies the process ID of the traced process.
request can be:
PT_TRACE_ME
ptrace
().
This call does not stop the process neither emit
SIGSTOP
to parent.
PT_READ_I
,
PT_READ_D
int
of data from the
traced process' address space. Traditionally,
ptrace
() has allowed for machines with distinct
address spaces for instruction and data, which is why there are two
requests: conceptually, PT_READ_I
reads from the
instruction space and PT_READ_D
reads from the
data space. In the current NetBSD implementation,
these two requests are completely identical. The
addr argument specifies the address (in the traced
process' virtual address space) at which the read is to be done. This
address does not have to meet any alignment constraints. The value read is
returned as the return value from ptrace
().PT_WRITE_I
,
PT_WRITE_D
PT_READ_I
and
PT_READ_D
, except that they write rather than
read. The data argument supplies the value to be
written.PT_CONTINUE
(void *)1
to indicate
that execution is to pick up where it left off. data
provides a signal number to be delivered to the traced process as it
resumes execution, or 0 if no signal is to be sent. If a negative value is
supplied, that is the negative of the LWP ID of the thread to be resumed,
and only that thread executes.PT_KILL
PT_CONTINUE
had been used with SIGKILL
given as the signal to
be delivered.PT_ATTACH
The tracing process will see the newly-traced process stop and
may then control it as if it had been traced all along. It means that
the SIGSTOP
signal is emitted to tracer. It is
different behavior to the one from
PT_TRACE_ME
.
Three other restrictions apply to all tracing processes, even those running as root. First, no process may trace a system process. Second, no process may trace the process running init(8). Third, if a process has its root directory set with chroot(2), it may not trace another process unless that process' root directory is at or below the tracing process' root.
PT_DETACH
PT_IO
PT_READ_D
, PT_WRITE_D
,
PT_READ_I
, and PT_WRITE_I
.
The I/O request is encoded in a “struct
ptrace_io_desc
” defined as:
struct ptrace_io_desc { int piod_op; void *piod_offs; void *piod_addr; size_t piod_len; };
where piod_offs is the offset within the traced process where the I/O operation should take place, piod_addr is the buffer in the tracing process, and piod_len is the length of the I/O request. The piod_op field specifies which type of I/O operation to perform. Possible values are:
See the description of PT_READ_I
for
the difference between I and D spaces.
The PIOD_READ_AUXV
operation can be
used to read from the ELF auxiliary vector. The
piod_offs argument sets the offset within the
tracee's vector. To read from the beginning of it, this value must be
set to 0 and cast to (void *)
.
A pointer to the I/O descriptor is passed in the
addr argument to ptrace
().
On return, the piod_len field in the I/O
descriptor will be updated with the actual number of bytes transferred.
If the requested I/O could not be successfully performed,
ptrace
() will return -1
and set errno.
PT_DUMPCORE
PT_LWPINFO
struct ptrace_lwpinfo
” defined as:
struct ptrace_lwpinfo { lwpid_t pl_lwpid; int pl_event; };
where pl_lwpid contains a thread LWP ID. Information is returned for the thread following the one with the specified ID in the process thread list, or for the first thread if pl_lwpid is 0. Upon return pl_lwpid contains the LWP ID of the thread that was found, or 0 if there is no thread after the one whose LWP ID was supplied in the call. pl_event contains the event that stopped the thread. Possible values are:
The data argument should contain
“sizeof(struct
ptrace_lwpinfo)
”.
PT_SYSCALL
PT_CONTINUE
.PT_SYSCALLEMU
PT_SYSCALL
. This operation shall be called
for syscall entry trap from PT_SYSCALL
. To resume
execution after intercepting the system call, another
PT_SYSCALL
shall be used.PT_SET_EVENT_MASK
struct ptrace_event
” defined as:
typedef struct ptrace_event { int pe_set_event; } ptrace_event_t;
pe_set_event is the set of events to be reported. This set is formed by OR'ing together the following values:
The fork(2) and
vfork(2) events can occur
with similar operations, like
clone(2) or
posix_spawn(3). The
PTRACE_FORK
value means that process gives birth
to its child without pending on its termination or
execve(2) operation. If
enabled, the child is also traced by the debugger and
SIGRAP
is generated twice, first for the parent
and second for the child. The PTRACE_VFORK
event
is the same as PTRACE_FORK
, but the parent
blocks after giving birth to the child. The
PTRACE_VFORK_DONE
event can be used to report
unblocking of the parent.
A pointer to this structure is passed in
addr. The data argument
should be set to sizeof(struct
ptrace_event)
.
PT_GET_EVENT_MASK
struct ptrace_event
” pointed to by
addr. The data argument should
be set to sizeof(struct ptrace_event)
.PT_GET_PROCESS_STATE
struct ptrace_state
” defined as:
typedef struct ptrace_state { int pe_report_event; pid_t pe_other_pid; } ptrace_state_t;
A pointer to this structure is passed in
addr. The data argument
should be set to sizeof(struct
ptrace_state)
.
PT_SET_SIGINFO
struct
ptrace_siginfo
” defined as:
typedef struct ptrace_siginfo { siginfo_t psi_siginfo; lwpid_t psi_lwpid; } ptrace_siginfo_t;
Where psi_siginfo is the set to signal
information structure. The psi_lwpid field
describes LWP address of the signal. Value 0
means the whole process (route signal to all LWPs).
A pointer to this structure is passed in
addr. The data argument
should be set to sizeof(struct
ptrace_siginfo)
.
In order to pass faked signal to the tracee, the signal type
must match the signal passed to the process with
PT_CONTINUE
or
PT_SYSCALL
.
PT_GET_SIGINFO
struct
ptrace_siginfo
” pointed to by addr.
The data argument should be set to
sizeof(struct ptrace_siginfo)
.PT_RESUME
This call is equivalent to _lwp_continue(2) called by a traced process. This call does not change the general process state from stopped to continued.
PT_SUSPEND
This call is equivalent to _lwp_suspend(2) called by a traced process. This call does not change the general process state from continued to stopped.
Additionally, the following requests exist but are not available
on all machine architectures. The file
<machine/ptrace.h>
lists
which requests exist on a given machine.
PT_STEP
PT_SETSTEP
PT_CLEARSTEP
PT_GETREGS
struct reg
” (defined in
<machine/reg.h>
) pointed
to by addr. The data argument
contains the LWP ID of the thread whose registers are to be read. If zero
is supplied, the first thread of the process is read.PT_SETREGS
PT_GETREGS
; it
loads the traced process' machine registers from the
“struct reg
” (defined in
<machine/reg.h>
) pointed
to by addr. The data argument
contains the LWP ID of the thread whose registers are to be written. If
zero is supplied, the first thread of the process is written.PT_GETFPREGS
struct fpreg
” (defined in
<machine/reg.h>
) pointed
to by addr. The data argument
contains the LWP ID of the thread whose registers are to be read. If zero
is supplied, the first thread of the process is read.PT_SETFPREGS
PT_GETFPREGS
; it
loads the traced process' floating-point registers from the
“struct fpreg
” (defined in
<machine/reg.h>
) pointed
to by addr. The data argument
contains the LWP ID of the thread whose registers are to be written. If
zero is supplied, the first thread of the process is written.PT_GETDBREGS
struct dbreg
” (defined in
<machine/reg.h>
) pointed
to by addr. The data argument
contains the LWP ID of the thread whose registers are to be read. If zero
is supplied, the first thread of the process is read.PT_SETDBREGS
PT_GETDBREGS
; it
loads the traced process' debug registers from the
“struct dbreg
” (defined in
<machine/reg.h>
) pointed
to by addr. The data argument
contains the LWP ID of the thread whose registers are to be written. If
zero is supplied, the first thread of the process is written.PT_GETXMMREGS
struct xmmregs
” (defined in
<machine/reg.h>
) pointed
to by addr. The data argument
contains the LWP ID of the thread whose registers are to be read. If zero
is supplied, the first thread of the process is read.PT_SETXMMREGS
PT_GETXMMREGS
; it
loads the traced process' XMM registers from the
“struct xmmregs
” (defined in
<machine/reg.h>
) pointed
to by addr. The data argument
contains the LWP ID of the thread whose registers are to be written. If
zero is supplied, the first thread of the process is written.PT_GETVECREGS
struct vreg
” (defined in
<machine/reg.h>
) pointed
to by addr. The data argument
contains the LWP ID of the thread whose registers are to be read. If zero
is supplied, the first thread of the process is read.PT_SETVECREGS
PT_GETVECREGS
; it
loads the traced process' vector registers from the
“struct vreg
” (defined in
<machine/reg.h>
) pointed
to by addr. The data argument
contains the LWP ID of the thread whose registers are to be written. If
zero is supplied, the first thread of the process is written.ptrace
() to return
-1
as a non-error value; to disambiguate,
errno can be set to 0 before the call and checked
afterwards. The possible errors are:
EAGAIN
]EBUSY
]PT_ATTACH
was attempted on a process that was already being traced.PT_ATTACH
) specified a
process that wasn't stopped.EDEADLK
]EINVAL
]PT_ATTACH
on
itself.PT_CONTINUE
was neither 0 nor a legal signal
number.PT_GETREGS
,
PT_SETREGS
,
PT_GETFPREGS
, or
PT_SETFPREGS
was attempted on a process with
no valid register set. (This is normally true only of system
processes.)EPERM
]PT_ATTACH
) attempted to
manipulate a process that wasn't being traced at all.PT_ATTACH
on a
process in violation of the requirements listed under
PT_ATTACH
above.ESRCH
]ptrace
() function appeared in
Version 7 AT&T UNIX.
PT_CONTINUE
and similar calls, but the NPC is set
willy-nilly to 4 greater than the PC value. Using
PT_GETREGS
and PT_SETREGS
to
modify the PC, passing (void *)1
to
ptrace
(), should be able to sidestep this.
PT_SET_SIGINFO
,
PT_RESUME
and PT_SUSPEND
can
change the image of process returned by
PT_LWPINFO
.
May 1, 2018 | NetBSD 8.99 |