Android ptrace detailed analysis

1. Detailed explanation of the ptrace function

1.1 Header file and function declaration

#include <sys/ptrace.h>
long ptrace(enum __ptrace_request request, pid_t pid, void *addr, void *data);

1.2 Function description

ptrace lets a parent process control the execution of a child process and inspect and change its core image (registers and memory). It is mainly used to implement breakpoint debugging. A traced process runs until a signal arrives; it is then stopped and its parent is notified. While the process is stopped, its memory can be read and written. The parent can then let the child continue and choose whether to ignore the signal that caused the stop.

Meaning of the request parameter:
PTRACE_TRACEME: the calling process asks to be traced by its parent; the parent must intend to trace the child.
PTRACE_PEEKTEXT, PTRACE_PEEKDATA: read a byte from the memory address given by addr.
PTRACE_PEEKUSR: read a byte from the USER area at offset addr.
PTRACE_POKETEXT, PTRACE_POKEDATA: write a byte to the memory address given by addr.
PTRACE_POKEUSR: write a byte to the USER area at offset addr.
PTRACE_SYSCALL, PTRACE_CONT: resume execution.
PTRACE_KILL: kill the child process and make it exit.
PTRACE_SINGLESTEP: set the single-step execution flag.
PTRACE_ATTACH: trace the process with the specified pid.
PTRACE_DETACH: end tracing.

i386-specific:
PTRACE_GETREGS: read the registers
PTRACE_SETREGS: set the registers
PTRACE_GETFPREGS: read the floating-point registers
PTRACE_SETFPREGS: set the floating-point registers

1.3 Function return value

Returns 0 on success. On error it returns -1 and sets errno.

Errors:
EPERM: the specified process cannot be traced (it is a special process) or is already being traced.
ESRCH: the process specified by pid does not exist.
EIO: illegal request.

2. Detailed description of each request

2.1 PTRACE_TRACEME

Format: ptrace(PTRACE_TRACEME, 0, 0, 0)
Explanation: The calling process asks to be traced by its parent process; the parent must intend to trace the child.

2.2 PTRACE_PEEKTEXT, PTRACE_PEEKDATA

Format: ptrace(PTRACE_PEEKTEXT, pid, addr, data)
ptrace(PTRACE_PEEKDATA, pid, addr, data)
Explanation: Read a byte from the memory address. pid is the traced child process, the memory address is given by addr, and data is the address of a user variable that receives the data read. On Linux (i386) the user code segment and user data segment coincide, so reading the code segment and reading the data segment are handled identically.

2.3 PTRACE_POKETEXT, PTRACE_POKEDATA

Format: ptrace(PTRACE_POKETEXT, pid, addr, data)
ptrace(PTRACE_POKEDATA, pid, addr, data)
Explanation: Write a byte to the memory address. pid is the traced child process, the memory address is given by addr, and data is the value to be written.

2.4 PTRACE_PEEKUSR

Format: ptrace(PTRACE_PEEKUSR, pid, addr, data)
Explanation: Read a byte from the USER area. pid is the traced child process, the offset into the USER area is given by addr, and data is the address of a user variable that receives the data read. The USER structure is the first part of a core file; it describes the state of the process when it was terminated, such as register values, the sizes of the code and data segments, and their start addresses. On Linux (i386), PTRACE_PEEKUSER and PTRACE_POKEUSR give access to the contents of the USER structure, including the general registers and the debug registers.

2.5 PTRACE_POKEUSR

Format: ptrace(PTRACE_POKEUSR, pid, addr, data)
Explanation: Write a byte to the USER area. pid is the traced child process, the offset into the USER area is given by addr, and data is the value to be written.

2.6 PTRACE_CONT

Format: ptrace(PTRACE_CONT, pid, 0, signal)
Explanation: Continue execution. pid is the traced child process. If signal is 0, the signal that caused the traced process to stop is ignored; otherwise the signal given by signal is delivered to the child when it resumes.

2.7 PTRACE_SYSCALL

Format: ptrace(PTRACE_SYSCALL, pid, 0, signal)
Explanation: Continue execution. pid is the traced child process. If signal is 0, the signal that caused the traced process to stop is ignored; otherwise the signal given by signal is delivered to the child when it resumes. The difference from PTRACE_CONT is system-call tracing: the traced process runs until it enters or leaves a system call, at which point it is stopped and the parent is notified.

2.8 PTRACE_KILL

Format: ptrace(PTRACE_KILL, pid)
Explanation: Kill the child process and make it exit. pid is the traced child process.

2.9 PTRACE_SINGLESTEP

Format: ptrace(PTRACE_SINGLESTEP, pid, 0, signal)
Explanation: Set the single-step flag and execute one instruction. pid is the traced child process. If signal is 0, the signal that caused the traced process to stop is ignored; otherwise the signal given by signal is delivered to the child when it resumes. After the traced process has executed one instruction, it is stopped and the parent is notified.

2.10 PTRACE_ATTACH

Format: ptrace(PTRACE_ATTACH, pid)
Explanation: Trace the process with the specified pid. The traced process becomes a child of the current process for tracing purposes and enters the stopped state.

2.11 PTRACE_DETACH

Format: ptrace(PTRACE_DETACH, pid)
Explanation: End tracing. pid is the traced child process. Once tracing has ended, the traced process continues to execute.

2.12 PTRACE_GETREGS

Format: ptrace(PTRACE_GETREGS, pid, 0, data)
Explanation: Read the register values. pid is the traced child process, and data is the address of a user variable that receives the data read. This request reads the values of all 17 basic registers.

2.13 PTRACE_SETREGS

Format: ptrace(PTRACE_SETREGS, pid, 0, data)
Explanation: Set the register values. pid is the traced child process, and data is the address of the user data to write. This request sets the values of all 17 basic registers.

2.14 PTRACE_GETFPREGS

Format: ptrace(PTRACE_GETFPREGS, pid, 0, data)
Explanation: Read the floating-point register values. pid is the traced child process, and data is the address of a user variable that receives the data read.

2.15 PTRACE_SETFPREGS

Format: ptrace(PTRACE_SETFPREGS, pid, 0, data)
Explanation: Set the floating-point register values. pid is the traced child process, and data is the address of the user data to write.

Much of the process injection used in Android reverse engineering is also carried out through ptrace, so this function matters a great deal in both security and reverse-engineering work.
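The tracer/tracee pair that sections 1.2 and 2 describe, as an added example that is not part of the original post: the child requests PTRACE_TRACEME and stops itself, the parent reads and rewrites one word of the child's memory with PTRACE_PEEKDATA/PTRACE_POKEDATA, then resumes it with PTRACE_SYSCALL and counts syscall stops until it exits. Linux only; the names run_trace_demo and tracee_body, the constructed values ORIGINAL/PATCHED, and the exit status 99 (used when tracing is denied with EPERM, as in section 1.3) are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed value held by the tracee; the tracer peeks it and pokes a new one. */
#define ORIGINAL 0x11223344L
#define PATCHED  0x5a5a5a5aL
static volatile long secret = ORIGINAL;   /* same address in parent and forked child */

/* Tracee (section 2.1): ask to be traced, stop, then report whether the poke was seen. */
static int tracee_body(void) {
    if (ptrace(PTRACE_TRACEME, 0, 0, 0) == -1) return 99;   /* EPERM, section 1.3 */
    raise(SIGSTOP);                       /* hand control to the tracer */
    return secret == PATCHED ? 42 : 1;    /* 42: PTRACE_POKEDATA took effect */
}

/* Tracer: returns the tracee's exit status (42 on success) or -errno on failure;
   stores the word read from the tracee and the number of PTRACE_SYSCALL stops. */
int run_trace_demo(long *peeked_out, int *syscall_stops_out) {
    pid_t pid = fork();
    if (pid == -1) return -errno;
    if (pid == 0) _exit(tracee_body());
    int status;
    if (waitpid(pid, &status, 0) == -1) return -errno;
    if (!WIFSTOPPED(status))              /* never stopped: PTRACE_TRACEME failed */
        return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    /* PTRACE_PEEKDATA returns a whole word (not one byte); clear errno first
       because a word equal to -1 is a legitimate value. */
    errno = 0;
    long word = ptrace(PTRACE_PEEKDATA, pid, (void *)&secret, 0);
    if (word == -1 && errno != 0) return -errno;
    *peeked_out = word;
    if (ptrace(PTRACE_POKEDATA, pid, (void *)&secret, (void *)PATCHED) == -1)
        return -errno;
    /* Resume with PTRACE_SYSCALL (section 2.7): the tracee stops at each syscall
       entry and exit until it exits; data = 0 discards the pending SIGSTOP. */
    int stops = 0;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, 0, 0) == -1) return -errno;
        if (waitpid(pid, &status, 0) == -1) return -errno;
        if (WIFEXITED(status)) break;
        if (WIFSTOPPED(status)) stops++;
    }
    *syscall_stops_out = stops;
    return WEXITSTATUS(status);
}
```

A hardened build or a container seccomp profile that denies ptrace makes the child return 99 rather than 42, which is the EPERM case from section 1.3 showing up in practice.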

Source: blog.csdn.net/c_kongfei/article/details/113242082