A Chinese translation of the ptrace manpage

Writing a monitoring tool means taking a careful look at ptrace, so here is a translation.

ptrace

Name

ptrace - process trace

Synopsis

#include <sys/ptrace.h>

long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data);

Description

The ptrace system call provides a way for a parent process to observe and control the execution of another process, and at the same time to examine and even modify its core image and register values. It is mainly used to implement breakpoint debugging and system call tracing.

The ptrace() system call provides a means by which a parent process may observe and control the execution of another process, and examine and change its core image and registers. It is primarily used to implement breakpoint debugging and system call tracing.

The parent can set up a trace of a child by calling fork to create the child, having the child request PTRACE_TRACEME, and then following up with exec. ptrace can also trace a process that is already running, using PTRACE_ATTACH.

The parent can initiate a trace by calling fork(2) and having the resulting child do a PTRACE_TRACEME, followed (typically) by an exec(3). Alternatively, the parent may commence trace of an existing process using PTRACE_ATTACH.

While being traced, the child stops each time a signal is delivered, even when that signal is being ignored (SIGKILL is the exception). The parent is notified at its next wait, and can then examine and modify the stopped child. The parent makes the child continue, and may choose to ignore the received signal (or even replace it with a different one).

While being traced, the child will stop each time a signal is delivered, even if the signal is being ignored. (The exception is SIGKILL, which has its usual effect.) The parent will be notified at its next wait(2) and may inspect and modify the child process while it is stopped. The parent then causes the child to continue, optionally ignoring the delivered signal (or even delivering a different signal instead).

When the parent has finished tracing, it can either terminate the child with PTRACE_KILL or let the child keep running on its own, ending the traced state with PTRACE_DETACH.

When the parent is finished tracing, it can terminate the child with PTRACE_KILL or cause it to continue executing in a normal, untraced mode via PTRACE_DETACH.

The value of the request argument determines what action ptrace takes.

The value of request determines the action to be performed:

PTRACE_TRACEME

Indicates that this process is to be traced by its parent. Any signal sent to this process (except SIGKILL) causes it to stop, and its parent (the process tracing it) learns of this through wait. Any exec call made by this process also causes the kernel to send it a SIGTRAP, giving the parent a chance to take control. pid, addr and data are all ignored with this request.

Indicates that this process is to be traced by its parent. Any signal (except SIGKILL) delivered to this process will cause it to stop and its parent to be notified via wait(). Also, all subsequent calls to exec() by this process will cause a SIGTRAP to be sent to it, giving the parent a chance to gain control before the new program begins execution. A process probably shouldn't make this request if its parent isn't expecting to trace it. (pid, addr, and data are ignored.)

This request is used only by the child; all the others are used only by the parent. In all of the following requests, pid specifies the child to be acted on. Apart from PTRACE_KILL, every other request requires the child to be stopped.

The above request is used only by the child process; the rest are used only by the parent. In the following requests, pid specifies the child process to be acted on. For requests other than PTRACE_KILL, the child process must be stopped.

PTRACE_PEEKTEXT, PTRACE_PEEKDATA

Reads a word from the child's memory at the location given by addr, returning that word as the result of the ptrace call. Linux does not distinguish text and data address spaces, so these two requests have the same effect. The data argument is ignored.

Reads a word at the location addr in the child's memory, returning the word as the result of the ptrace() call. Linux does not have separate text and data address spaces, so the two requests are currently equivalent. (The argument data is ignored.)

PTRACE_PEEKUSR

Reads a word at offset addr in the child's USER area (which mainly holds the registers and other information), returning it as the result of ptrace. Normally the offset must be word-aligned, though this depends on the machine architecture. data is ignored.

Reads a word at offset addr in the child's USER area, which holds the registers and other information about the process (see <linux/user.h> and <sys/user.h>). The word is returned as the result of the ptrace() call. Typically the offset must be word-aligned, though this might vary by architecture. (data is ignored.)

PTRACE_POKETEXT, PTRACE_POKEDATA

Copies the word data to location addr in the child's memory. Text and data are not distinguished, so the two requests have the same effect.

Copies the word data to location addr in the child's memory. As above, the two requests are currently equivalent.

PTRACE_POKEUSR

Copies the word data to offset addr in the child's USER area; word alignment must be respected. Some modifications are not allowed, though exactly which ones is unclear.

Copies the word data to offset addr in the child's USER area. As above, the offset must typically be word-aligned. In order to maintain the integrity of the kernel, some modifications to the USER area are disallowed.

PTRACE_GETREGS, PTRACE_GETFPREGS

Copies the child's general-purpose or floating-point registers, respectively, to the location given by data in the parent. The format of this information is described in <linux/user.h>, <sys/user.h> and <sys/reg.h>. (addr is ignored.)

Copies the child's general purpose or floating-point registers, respectively, to location data in the parent. See <linux/user.h> for information on the format of this data. (addr is ignored.)

PTRACE_GETSIGINFO (since Linux 2.3.99-pre6)

Retrieve information about the signal that caused the stop. Copies a siginfo_t structure (see sigaction(2)) from the child to location data in the parent. (addr is ignored.)

PTRACE_SETREGS, PTRACE_SETFPREGS

Copies the child's general purpose or floating-point registers, respectively, from location data in the parent. As for PTRACE_POKEUSER, some general purpose register modifications may be disallowed. (addr is ignored.)

PTRACE_SETSIGINFO (since Linux 2.3.99-pre6)

Set signal information. Copies a siginfo_t structure from location data in the parent to the child. This will only affect signals that would normally be delivered to the child and were caught by the tracer. It may be difficult to tell these normal signals from synthetic signals generated by ptrace() itself. (addr is ignored.)

PTRACE_SETOPTIONS (since Linux 2.4.6; see BUGS for caveats)

Sets ptrace options from data in the parent. (addr is ignored.) data is interpreted as a bitmask of options, which are specified by the following flags:

PTRACE_O_TRACESYSGOOD (since Linux 2.4.6)

When delivering syscall traps, set bit 7 in the signal number (i.e., deliver (SIGTRAP | 0x80)). This makes it easy for the tracer to tell the difference between normal traps and those caused by a syscall. (PTRACE_O_TRACESYSGOOD may not work on all architectures.)

PTRACE_O_TRACEFORK (since Linux 2.5.46)

Stop the child at the next fork() call with SIGTRAP | PTRACE_EVENT_FORK << 8 and automatically start tracing the newly forked process, which will start with a SIGSTOP. The PID for the new process can be retrieved with PTRACE_GETEVENTMSG.

PTRACE_O_TRACEVFORK (since Linux 2.5.46)

Stop the child at the next vfork() call with SIGTRAP | PTRACE_EVENT_VFORK << 8 and automatically start tracing the newly vforked process, which will start with a SIGSTOP. The PID for the new process can be retrieved with PTRACE_GETEVENTMSG.

PTRACE_O_TRACECLONE (since Linux 2.5.46)

Stop the child at the next clone() call with SIGTRAP | PTRACE_EVENT_CLONE << 8 and automatically start tracing the newly cloned process, which will start with a SIGSTOP. The PID for the new process can be retrieved with PTRACE_GETEVENTMSG. This option may not catch clone() calls in all cases. If the child calls clone() with the CLONE_VFORK flag, PTRACE_EVENT_VFORK will be delivered instead if PTRACE_O_TRACEVFORK is set; otherwise if the child calls clone() with the exit signal set to SIGCHLD, PTRACE_EVENT_FORK will be delivered if PTRACE_O_TRACEFORK is set.

PTRACE_O_TRACEEXEC (since Linux 2.5.46)

Stop the child at the next exec() call with SIGTRAP | PTRACE_EVENT_EXEC << 8.

PTRACE_O_TRACEVFORKDONE (since Linux 2.5.60)

Stop the child at the completion of the next vfork() call with SIGTRAP | PTRACE_EVENT_VFORK_DONE << 8.

PTRACE_O_TRACEEXIT (since Linux 2.5.60)

Stop the child at exit with SIGTRAP | PTRACE_EVENT_EXIT << 8. The child's exit status can be retrieved with PTRACE_GETEVENTMSG. This stop will be done early during process exit when registers are still available, allowing the tracer to see where the exit occurred, whereas the normal exit notification is done after the process is finished exiting. Even though context is available, the tracer cannot prevent the exit from happening at this point.

PTRACE_GETEVENTMSG (since Linux 2.5.46)

Retrieve a message (as an unsigned long) about the ptrace event that just happened, placing it in the location data in the parent. For PTRACE_EVENT_EXIT this is the child's exit status. For PTRACE_EVENT_FORK, PTRACE_EVENT_VFORK and PTRACE_EVENT_CLONE this is the PID of the new process. (addr is ignored.)

PTRACE_CONT

Restarts the stopped child. If data is non-zero and not SIGSTOP, it is interpreted as a signal to deliver to the child; otherwise no signal is delivered.

Restarts the stopped child process. If data is non-zero and not SIGSTOP, it is interpreted as a signal to be delivered to the child; otherwise, no signal is delivered. Thus, for example, the parent can control whether a signal sent to the child is delivered or not. (addr is ignored.)

PTRACE_SYSCALL, PTRACE_SINGLESTEP

Restarts the stopped child as with PTRACE_CONT, but stops the child the next time it enters or exits a system call, or after it has executed a single instruction, respectively. (As usual, the child will also stop on receipt of a signal.) From the parent's point of view, the child appears to have been stopped by a SIGTRAP; this can be used for single-step debugging. So, for PTRACE_SYSCALL, the idea is to inspect the system call's arguments at the first stop, then do another PTRACE_SYSCALL and inspect the system call's return value at the second stop. (addr is ignored.)

Restarts the stopped child as for PTRACE_CONT, but arranges for the child to be stopped at the next entry to or exit from a system call, or after execution of a single instruction, respectively. (The child will also, as usual, be stopped upon receipt of a signal.) From the parent's perspective, the child will appear to have been stopped by receipt of a SIGTRAP. So, for PTRACE_SYSCALL, for example, the idea is to inspect the arguments to the system call at the first stop, then do another PTRACE_SYSCALL and inspect the return value of the system call at the second stop. (addr is ignored.)

PTRACE_SYSEMU, PTRACE_SYSEMU_SINGLESTEP (since Linux 2.6.14)

For PTRACE_SYSEMU, continue and stop on entry to the next syscall, which will not be executed. For PTRACE_SYSEMU_SINGLESTEP, do the same but also singlestep if not a syscall. This call is used by programs like User Mode Linux that want to emulate all the child's syscalls. (addr and data are ignored; not supported on all architectures.)

 

PTRACE_KILL

Sends the child a SIGKILL to terminate it. addr and data are ignored.

Sends the child a SIGKILL to terminate it. (addr and data are ignored.)

PTRACE_ATTACH

Attaches to the process specified in pid, making it a traced "child" of the current process; the behavior of the child is as if it had done a PTRACE_TRACEME. The current process actually becomes the parent of the child process for most purposes (e.g., it will receive notification of child events and appears in ps(1) output as the child's parent), but a getppid(2) by the child will still return the PID of the original parent. The child is sent a SIGSTOP, but will not necessarily have stopped by the completion of this call; use wait() to wait for the child to stop. (addr and data are ignored.)

PTRACE_DETACH

Restarts the stopped child as for PTRACE_CONT, but first detaches from the process, undoing the reparenting effect of PTRACE_ATTACH, and the effects of PTRACE_TRACEME. Although perhaps not intended, under Linux a traced child can be detached in this way regardless of which method was used to initiate tracing. (addr is ignored.)
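As an added example (not part of the manpage or this post), the requests above assembled into a small Linux tracer: the child does PTRACE_TRACEME and execs, the parent sets PTRACE_O_TRACESYSGOOD and PTRACE_O_TRACEEXIT, drives the child with PTRACE_SYSCALL, counts the syscall stops and reads the exit status with PTRACE_GETEVENTMSG. The function names are chosen here; it assumes a kernel that supports those options and returns -1 where ptrace is not permitted (as in many sandboxes).

```c
/* Added example (not from the manpage): minimal Linux tracer built from
 * PTRACE_TRACEME + exec, PTRACE_SETOPTIONS (TRACESYSGOOD marks syscall stops
 * with SIGTRAP|0x80; TRACEEXIT lets us read the exit status via
 * PTRACE_GETEVENTMSG before the child is gone) and a PTRACE_SYSCALL loop. */
#define _GNU_SOURCE
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* With PTRACE_O_TRACESYSGOOD a syscall stop reports SIGTRAP with bit 7 set. */
int is_syscall_stop(int status) {
    return WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80);
}

/* PTRACE_EVENT_* code carried in bits 16..23 of a SIGTRAP stop, else 0. */
int ptrace_event_of(int status) {
    if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP) return 0;
    return (status >> 16) & 0xff;
}

/* Runs argv traced; returns the number of syscall stops (entry + exit) seen and
 * stores the wait-style exit status from PTRACE_GETEVENTMSG in *exit_status.
 * Returns -1 if tracing is not permitted (common inside sandboxes). */
long count_syscall_stops(char *const argv[], unsigned long *exit_status) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                /* child: becomes the tracee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(127);
        raise(SIGSTOP);             /* stop so the parent can set options first */
        execvp(argv[0], argv);
        _exit(127);
    }
    int status = 0, sig = 0;
    long stops = 0;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) return -1;
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL,
               (void *)(long)(PTRACE_O_TRACESYSGOOD | PTRACE_O_TRACEEXIT)) == -1) {
        kill(pid, SIGKILL); return -1;
    }
    for (;;) {   /* data is the signal to deliver on restart; 0 suppresses the stop signal */
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1) return -1;
        if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) break; /* gone */
        sig = 0;
        if (is_syscall_stop(status)) stops++;
        else if (ptrace_event_of(status) == PTRACE_EVENT_EXIT)
            ptrace(PTRACE_GETEVENTMSG, pid, NULL, exit_status);
        else if (WSTOPSIG(status) != SIGTRAP) sig = WSTOPSIG(status); /* forward it */
    }
    return stops;
}
```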

Notes

Although arguments to ptrace() are interpreted according to the prototype given, GNU libc currently declares ptrace() as a variadic function with only the request argument fixed. This means that unneeded trailing arguments may be omitted, though doing so makes use of undocumented gcc(1) behavior.

init(8), the process with PID 1, may not be traced.

The layout of the contents of memory and the USER area are quite OS- and architecture-specific.

The size of a "word" is determined by the OS variant (e.g., for 32-bit Linux it's 32 bits, etc.).

Tracing causes a few subtle differences in the semantics of traced processes. For example, if a process is attached to with PTRACE_ATTACH, its original parent can no longer receive notification via wait() when it stops, and there is no way for the new parent to effectively simulate this notification.

This page documents the way the ptrace() call works currently in Linux. Its behavior differs noticeably on other flavors of Unix. In any case, use of ptrace() is highly OS- and architecture-specific.

The SunOS man page describes ptrace() as "unique and arcane", which it is. The proc-based debugging interface present in Solaris 2 implements a superset of ptrace() functionality in a more powerful and uniform way.

Return Value

On success, PTRACE_PEEK* requests return the requested data, while other requests return zero. On error, all requests return -1, and errno is set appropriately. Since the value returned by a successful PTRACE_PEEK* request may be -1, the caller must check errno after such requests to determine whether or not an error occurred.
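As an added example (not from the manpage), a wrapper that applies this errno check to PTRACE_PEEKDATA; peek_word is a name chosen here, not a libc function:

```c
/* Added example (not from the manpage): PTRACE_PEEK* returns the word itself,
 * so a result of -1 may be data rather than an error. Clear errno before the
 * call and test it afterwards; that is the only reliable error check here. */
#include <errno.h>
#include <stddef.h>
#include <sys/ptrace.h>
#include <sys/types.h>

/* Reads the word at addr in the stopped tracee pid into *word.
 * Returns 0 on success, -1 on error with errno left as set by ptrace();
 * *word is untouched on failure. */
int peek_word(pid_t pid, void *addr, long *word) {
    errno = 0;
    long v = ptrace(PTRACE_PEEKDATA, pid, addr, NULL);
    if (v == -1 && errno != 0) return -1;   /* real error, not a word equal to -1 */
    *word = v;
    return 0;
}
```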

Bugs

On hosts with 2.6 kernel headers, PTRACE_SETOPTIONS is declared with a different value than the one for 2.4. This leads to applications compiled with such headers failing when run on 2.4 kernels. This can be worked around by redefining PTRACE_SETOPTIONS to PTRACE_OLDSETOPTIONS, if that is defined.

Errors

EBUSY

(i386 only) There was an error with allocating or freeing a debug register.

EFAULT

There was an attempt to read from or write to an invalid area in the parent's or child's memory, probably because the area wasn't mapped or accessible. Unfortunately, under Linux, different variations of this fault will return EIO or EFAULT more or less arbitrarily.

EINVAL

An attempt was made to set an invalid option.

EIO

request is invalid, or an attempt was made to read from or write to an invalid area in the parent's or child's memory, or there was a word-alignment violation, or an invalid signal was specified during a restart request.

EPERM

The specified process cannot be traced. This could be because the parent has insufficient privileges (the required capability is CAP_SYS_PTRACE); non-root processes cannot trace processes that they cannot send signals to or those running set-user-ID/set-group-ID programs, for obvious reasons. Alternatively, the process may already be being traced, or be init (PID 1).

ESRCH

The specified process does not exist, or is not currently being traced by the caller, or is not stopped (for requests that require that).

Conforming to

SVr4, 4.3BSD

See Also

gdb(1), strace(1), execve(2), fork(2), signal(2), wait(2), exec(3), capabilities(7)

Referenced By

clone(2), credentials(7), gstack(1), libunwind-ptrace(3), ltrace(1), polkit-auth(1), pstack(1), scanmem(1), syscalls(2)