
ptrace

Ptrace is a system call in Unix-like operating systems that allows one process (the tracer) to observe and control the execution of another process (the traced process). It is most widely used to implement debuggers such as gdb, enabling the tracer to inspect and modify the traced process’s memory and registers, intercept signals, and steer its execution and timing.

Typical operations include attaching to a running process (PTRACE_ATTACH) or initiating tracing at process creation (PTRACE_TRACEME).

The tracer can read and write the traced process’s memory (PTRACE_PEEKDATA, PTRACE_POKEDATA), read and write registers (PTRACE_GETREGS, PTRACE_SETREGS), and control execution (PTRACE_CONT, PTRACE_SINGLESTEP). It can observe or modify signals delivered to the traced process, and it can request tracing of system calls or other events, depending on the OS and version. The interface also provides access to floating-point and vector state and to other architectural state as needed by debuggers.

Limitations and security: Access to ptrace is typically privileged. Systems commonly restrict attaching to processes owned by a different user unless specific capabilities or privileges are granted. Ptrace can disrupt or terminate a process and may be exploited by malware to spy on or alter running programs; as a result, its use is generally restricted and audited.

Portability: The ptrace interface exists on Linux and many other Unix-like systems, but the exact requests and semantics vary by OS. Debuggers often implement OS-specific code paths and use higher-level abstractions to handle these differences.
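The following is an added example, not code from this page or from any particular debugger: a minimal Linux tracer in C that exercises the requests described above end to end. The child opts in with PTRACE_TRACEME and stops itself; the parent reads one word of the child's memory with PTRACE_PEEKDATA, overwrites it with PTRACE_POKEDATA, then resumes the child with PTRACE_SYSCALL and reads the syscall number out of the registers at every syscall entry (PTRACE_GETREGS on x86_64; on aarch64 the equivalent request is PTRACE_GETREGSET, which the page does not list). The names trace_child, trace_result, marker and syscall_number are assumptions made for this example, as is the fixed workload of three getpid calls. PTRACE_SETOPTIONS with PTRACE_O_TRACESYSGOOD and PTRACE_O_EXITKILL are real Linux options, also not mentioned on the page. The exit status of the child ends up being the value the tracer poked, which is the concrete reason the page gives for keeping this interface restricted and audited.

```c
/* Added example: Linux-only minimal tracer. Names are assumptions made
 * for illustration, not a real debugger's API. */
#define _GNU_SOURCE
#include <elf.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

struct trace_result {
    int ok;            /* 1 when the whole session completed cleanly */
    long peeked;       /* word read from the tracee with PTRACE_PEEKDATA */
    int getpid_calls;  /* SYS_getpid entry stops seen via PTRACE_SYSCALL */
    int exit_status;   /* tracee's exit code, which our PTRACE_POKEDATA set */
};

/* After fork() the child holds this at the same virtual address, which is
 * exactly the address PTRACE_PEEKDATA/POKEDATA expect. */
static volatile long marker = 42;

/* Syscall number at a syscall-stop, or -1 on an architecture not handled. */
static long syscall_number(pid_t pid)
{
#if defined(__x86_64__)
    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1)
        return -1;
    return (long)regs.orig_rax;          /* rax is clobbered; orig_rax is not */
#elif defined(__aarch64__)
    struct user_regs_struct regs;
    struct iovec iov = { .iov_base = &regs, .iov_len = sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)NT_PRSTATUS, &iov) == -1)
        return -1;
    return (long)regs.regs[8];           /* x8 carries the syscall number */
#else
    (void)pid;
    return -1;
#endif
}

/* Tracee: opt in, stop so the tracer can act, run a fixed workload. */
static void tracee(void)
{
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        _exit(127);
    raise(SIGSTOP);                      /* signal-delivery-stop for the tracer */
    for (int i = 0; i < 3; i++)
        syscall(SYS_getpid);             /* three entries the tracer should count */
    _exit((int)marker);                  /* reports whatever the tracer wrote */
}

static struct trace_result abort_trace(pid_t pid, struct trace_result r)
{
    kill(pid, SIGKILL);                  /* never leave a stopped tracee behind */
    waitpid(pid, NULL, 0);
    return r;
}

struct trace_result trace_child(void)
{
    struct trace_result r = { 0, 0, 0, -1 };
    int status, in_syscall = 0, sig = 0;
    pid_t pid = fork();
    if (pid < 0)
        return r;
    if (pid == 0)
        tracee();
    if (waitpid(pid, &status, 0) != pid || !WIFSTOPPED(status))
        return abort_trace(pid, r);      /* expected: the self-raised SIGSTOP */
    /* TRACESYSGOOD tags syscall-stops as SIGTRAP|0x80 so they cannot be
     * mistaken for a real SIGTRAP; EXITKILL kills the tracee if we die. */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL,
               (void *)(long)(PTRACE_O_TRACESYSGOOD | PTRACE_O_EXITKILL)) == -1)
        return abort_trace(pid, r);
    errno = 0;                           /* PEEKDATA returns the word itself */
    r.peeked = ptrace(PTRACE_PEEKDATA, pid, (void *)&marker, NULL);
    if (r.peeked == -1 && errno != 0)
        return abort_trace(pid, r);
    if (ptrace(PTRACE_POKEDATA, pid, (void *)&marker, (void *)99L) == -1)
        return abort_trace(pid, r);
    for (;;) {                           /* stops alternate entry/exit */
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1)
            return abort_trace(pid, r);
        sig = 0;
        if (waitpid(pid, &status, 0) != pid)
            return abort_trace(pid, r);
        if (WIFEXITED(status)) {
            r.exit_status = WEXITSTATUS(status);
            r.ok = 1;
            return r;
        }
        if (!WIFSTOPPED(status))
            return abort_trace(pid, r);
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {
            sig = WSTOPSIG(status);      /* a real signal: re-deliver on resume */
            continue;
        }
        in_syscall = !in_syscall;
        if (in_syscall && syscall_number(pid) == SYS_getpid)
            r.getpid_calls++;
    }
}

int main(void)
{
    struct trace_result r = trace_child();
    printf("ok=%d peeked=%ld getpid_calls=%d exit_status=%d\n",
           r.ok, r.peeked, r.getpid_calls, r.exit_status);
    return r.ok ? 0 : 1;
}
```

Run as an unprivileged user on a stock Linux system it prints `ok=1 peeked=42 getpid_calls=3 exit_status=99`: the tracee was forked by the tracer, so the restriction on attaching to other users' processes described above does not apply, and no capability is needed. The entry/exit toggle is the classic way to tell the two syscall-stops apart; the SIGTRAP|0x80 check is what keeps an unrelated SIGTRAP in the tracee from corrupting that toggle.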