Linux ptrace principles: how ptrace works and a detailed guide to its use (with example code)

This article introduces the Linux ptrace system call and how it can be used to intercept system calls and modify their arguments. It covers the basic mechanism, such as tracing a child process and reading and modifying its registers and data segment, as well as advanced techniques such as setting breakpoints and injecting code. Examples demonstrate how ptrace can be used to explore system calls in depth.


Playing with ptrace, Part I

From Issue #103, November 2002 (Nov 01, 2002). By Pradeep Padala, in SysAdmin.

Using ptrace allows you to set up system call interception and modification at the user level.

Have you ever wondered how system calls can be intercepted? Have you ever tried fooling the kernel by changing system call arguments? Have you ever wondered how debuggers stop a running process and let you take control of the process? If you are thinking of using complex kernel programming to accomplish these tasks, think again. Linux provides an elegant mechanism to achieve all of these things: the ptrace (Process Trace) system call. ptrace provides a mechanism by which a parent process may observe and control the execution of another process. It can examine and change the other process's core image and registers, and it is used primarily to implement breakpoint debugging and system call tracing.

In this article, we learn how to intercept a system call and change its arguments. In Part II of the article we will study advanced techniques: setting breakpoints and injecting code into a running program. We will peek into the child process's registers and data segment and modify their contents. We will also describe a way to inject code so the process can be stopped and made to execute arbitrary instructions.

Basics

Operating systems offer services through a standard mechanism called system calls. They provide a standard API for accessing the underlying hardware and low-level services, such as the filesystems. When a process wants to invoke a system call, it puts the arguments to the system call in registers and raises soft interrupt 0x80. This soft interrupt is like a gate to kernel mode: the kernel examines the arguments and then executes the system call.

On the i386 architecture (all the code in this article is i386-specific), the system call number is put in the register %eax. The arguments to the system call are put into registers %ebx, %ecx, %edx, %esi and %edi, in that order. For example, the call:

write(2, "Hello", 5)

roughly would translate into

    movl $4, %eax
    movl $2, %ebx
    movl $hello, %ecx
    movl $5, %edx
    int  $0x80

where $hello points to the literal string "Hello".

So where does ptrace come into the picture? Before executing the system call, the kernel checks whether the process is being traced. If it is, the kernel stops the process and gives control to the tracing process, so it can examine and modify the traced process's registers.

Let's clarify this explanation with an example of how the process works:

    #include <stdio.h>
    #include <sys/ptrace.h>
    #include <sys/types.h>
    #include <sys/wait.h>
    #include <unistd.h>
    #include <sys/reg.h>   /* For constants ORIG_EAX etc. (i386 only; on
                              x86_64 the equivalent is 8 * ORIG_RAX)     */

    int main()
    {
        pid_t child;
        long orig_eax;

        child = fork();
        if (child == 0) {
            /* Child: ask to be traced, then replace ourselves with ls. */
            ptrace(PTRACE_TRACEME, 0, NULL, NULL);
            execl("/bin/ls", "ls", NULL);
        } else {
            /* Parent: wait until the child stops, then read the saved
               system call number from the child's USER area. */
            wait(NULL);
            orig_eax = ptrace(PTRACE_PEEKUSER,
                              child, 4 * ORIG_EAX,
                              NULL);
            printf("The child made a "
                   "system call %ld\n", orig_eax);
            ptrace(PTRACE_CONT, child, NULL, NULL);
        }
        return 0;
    }

When run, this program prints:

    The child made a system call 11

along with the output of ls. System call number 11 is execve, and it's the first system call executed by the child. For reference, system call numbers can be found in /usr/include/asm/unistd.h.

As you can see in the example, a process forks a child and the child executes the program we want to trace. Before running exec, the child calls ptrace with the first argument equal to PTRACE_TRACEME. This tells the kernel that the process is being traced, and when the child executes the execve system call, control is handed over to its parent. The parent waits for notification from the kernel with a wait() call. Then the parent can check the arguments of the system call or do other things, such as looking into the registers.

When the system call occurs, the kernel saves the original contents of the eax register, which contains the system call number. We can read this value from the child's USER area by calling ptrace with the first argument PTRACE_PEEKUSER, as shown above.

After we are done examining the system call, we let the child continue by calling ptrace with the first argument PTRACE_CONT, which lets the system call proceed.
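The same idea carried one step further, as an added example that is not part of the original article: instead of a single PTRACE_PEEKUSER read at the execve stop, the tracer resumes the child with PTRACE_SYSCALL so it stops at every system call boundary, and reads the syscall number and first argument with PTRACE_GETREGS. It generalizes the article's i386 registers to x86_64 (orig_rax/rdi) and uses PTRACE_O_TRACESYSGOOD, which the article does not cover, to tell syscall stops from ordinary signal stops. The function name trace_syscalls is my own.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
/* Register holding the syscall number and its first argument, per arch. */
#ifdef __x86_64__
#define SYSCALL_NR(r) ((r).orig_rax)
#define ARG0(r)       ((r).rdi)
#else
#define SYSCALL_NR(r) ((r).orig_eax)   /* i386, as in the article */
#define ARG0(r)       ((r).ebx)
#endif
/* Run `path` under ptrace and stop at every system call entry. Returns how
 * many system calls the child entered, or -1 if tracing could not be set up
 * (ptrace denied, exec failed, ...). Added example; not the article's code. */
long trace_syscalls(const char *path)
{
    int status, in_syscall = 0;   /* PTRACE_SYSCALL stops at entry AND exit */
    long entries = 0;
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(127);
        execl(path, path, (char *)NULL);
        _exit(127);               /* exec failed: child simply dies */
    }
    /* First stop is the SIGTRAP delivered after a successful execve. */
    if (waitpid(child, &status, 0) < 0 || !WIFSTOPPED(status))
        return -1;
    /* Flag syscall stops as SIGTRAP|0x80 to tell them from real signals. */
    ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, child, NULL, NULL) < 0) return -1;
        if (waitpid(child, &status, 0) < 0 || !WIFSTOPPED(status))
            break;                /* child exited or was killed */
        if (WSTOPSIG(status) != (SIGTRAP | 0x80))
            continue;             /* signal delivery, not a syscall stop */
        if (!in_syscall) {        /* entry: registers hold the arguments */
            struct user_regs_struct regs;
            if (ptrace(PTRACE_GETREGS, child, NULL, &regs) == 0) {
                entries++;
                printf("syscall %ld(%ld, ...)\n", (long)SYSCALL_NR(regs), (long)ARG0(regs));
            }
        }
        in_syscall = !in_syscall;
    }
    return entries;
}
```

On a successful run the first line printed is the child's first system call after execve; the count it returns is the number of entry stops, not the number of stops, because each call stops twice.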

ptrace Parameters

ptrace is called with four arguments:

    long ptrace(enum __ptrace_request request,
                pid_t pid, void *addr, void *data);

The first argument determines the behaviour of ptrace and how other arguments are used. The value of request should be one of PTRACE_TRACEME, PTRACE_PEEKTEXT, PTRACE_PEEKDATA, PTRACE_PEEKUSER, PTRACE_POKETEXT, PTRACE_POKEDATA, PTRACE_POKEUSER, PTRACE_GETREGS, PTRACE_GETFPREGS, PTRACE_SETREGS, PTRACE_SETFPREGS, PTRACE_CONT, PTRACE_SYSCALL, PTRACE_SINGLESTEP, PTRACE_DETACH. The significance of each o
