
ptrace

Intro

ptrace - A system call that allows inspection and manipulation of another process.

Description

The ptrace system call allows monitoring and control of other processes. It is possible to read and modify the registers and memory of another running process, let the process execute a single instruction, or attach a tracer to and detach it from another process. Its use is found in debuggers, analytics and tracing tools, system call interception and emulation, and binary instrumentation.

On its own this is not a dangerous system call, but its functionality can be misused in certain scenarios, such as manipulating other processes running on the same system.
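As an added example (not part of this Tracee page or of the Tracee project), the following Linux C program shows the inspect-and-manipulate behaviour described above from the tracer's side: it forks a child that opts into tracing with PTRACE_TRACEME, waits for it to stop, reads one word of the child's memory with PTRACE_PEEKDATA, overwrites it with PTRACE_POKEDATA and resumes the child with PTRACE_CONT. The variable name, the two constants and the return codes are constructed for the example. Every one of these calls is a ptrace system call carrying the request, pid, addr and data arguments listed below, so a kernel tracer sees each of them as a ptrace event. Because hardened hosts (seccomp, Yama ptrace_scope, no CAP_SYS_PTRACE) are expected to refuse the request, the program reports a policy refusal separately from a logic failure.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed values for this example: what the child starts with and
   what the tracer writes into the child's memory. */
#define ORIGINAL_VALUE  0x1111L
#define PATCHED_VALUE   0x2222L
/* Exit code the child uses when the kernel refuses PTRACE_TRACEME. */
#define TRACEME_REFUSED 100

/* After fork() the child owns a private copy of this variable, so the only
   way the parent can change the child's copy is through ptrace. */
static volatile long target = ORIGINAL_VALUE;

/* Traced side: opt in to being traced by the parent, stop so the parent
   can inspect us, then report through the exit status whether the
   parent's write to our memory was visible once we were resumed. */
static void run_traced_child(void)
{
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        _exit(TRACEME_REFUSED);   /* seccomp / Yama / capability policy */
    raise(SIGSTOP);               /* signal-delivery-stop; parent takes over */
    _exit(target == PATCHED_VALUE ? 0 : 1);
}

/* Kill and reap the child so a failure never leaves a stopped process. */
static int abandon_child(pid_t pid, int err)
{
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return err;
}

/* Tracer side. Returns 0 when the read and the write both took effect,
   TRACEME_REFUSED or -errno when the kernel refused a ptrace request, and
   another positive code when observed behaviour did not match expectations. */
int ptrace_peek_poke_demo(void)
{
    int status;
    pid_t pid = fork();
    if (pid == -1)
        return -errno;
    if (pid == 0)
        run_traced_child();       /* never returns */

    /* Wait for the child's SIGSTOP; it now sits in a ptrace stop. */
    if (waitpid(pid, &status, 0) == -1)
        return -errno;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);   /* TRACEME_REFUSED: tracing denied */
    if (!WIFSTOPPED(status))
        return abandon_child(pid, 10);

    /* Read one word of the child's memory at the address of `target`.
       PEEKDATA returns the word itself, so errno is the only error signal. */
    errno = 0;
    long seen = ptrace(PTRACE_PEEKDATA, pid, (void *)&target, NULL);
    if (seen == -1 && errno != 0)
        return abandon_child(pid, -errno);
    if (seen != ORIGINAL_VALUE)
        return abandon_child(pid, 11);

    /* Overwrite that word in the child; the parent's own copy is untouched. */
    if (ptrace(PTRACE_POKEDATA, pid, (void *)&target, (void *)PATCHED_VALUE) == -1)
        return abandon_child(pid, -errno);

    /* Resume the child without delivering the pending SIGSTOP (data = 0). */
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) == -1)
        return abandon_child(pid, -errno);
    if (waitpid(pid, &status, 0) == -1)
        return -errno;
    if (!WIFEXITED(status))
        return 12;
    return WEXITSTATUS(status);       /* 0: child observed the patched value */
}

/* The parent's copy must still hold the original value: the write went to
   the child's address space only. */
int parent_copy_untouched(void)
{
    return target == ORIGINAL_VALUE;
}

int main(void)
{
    int rc = ptrace_peek_poke_demo();
    if (rc == 0)
        printf("child saw the patched value; parent copy untouched: %s\n",
               parent_copy_untouched() ? "yes" : "no");
    else
        printf("demo did not complete: rc=%d (%s)\n", rc,
               rc < 0 ? strerror(-rc) : "policy refusal or logic mismatch");
    return rc == 0 ? 0 : 1;
}
```

Build with `cc demo.c -o demo && ./demo`. The child here volunteers to be traced, which is the debugger pattern from the Example Use Case below; doing the same to a process the caller did not fork requires PTRACE_ATTACH first, and that cross-process attach is the case the Issues section warns about and the one a ptrace event feed is most useful for flagging.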

Arguments

  • request:long - Request type, see below for options
  • pid:pid_t - PID of the process to operate on
  • addr:void*[U] - Address in the user space of the process to begin or end operations
  • data:void*[U,TOCTOU] - Extra data to be passed to the request, if necessary.

Available Tags

  • U - Originated from user space (for example, pointer to user space memory)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)

Hooks

do_syscall_64

Type

System call trampoline

Purpose

Provides the system call entry point

sys_ptrace

Type

Kprobe

Purpose

To provide an entry point for kernel tracing

Example Use Case

A debugging tool that allows the user to monitor and control another running process in the same system.

Issues

In certain setups, ptrace can be used to manipulate another process's running state, making it potentially dangerous.

See also the clone syscall, used for forking and tracing a child process.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.