ptrace - A system call that allows inspection and manipulation of another process.
The ptrace system call allows one process (the tracer) to monitor and control another process (the tracee). A tracer can read and modify the registers and memory of a running process, let it execute a single instruction, or attach to and detach from it. ptrace is used by debuggers, analysis and tracing tools, system call interception and emulation, and binary instrumentation.
By itself ptrace is not a dangerous system call, but its functionality can be misused in certain scenarios, such as manipulating other processes running on the same system.
- `request` (long) - Request type, selecting the operation to perform (attach, read or write memory and registers, single-step, and so on)
- `pid` (pid_t) - PID of the process to operate on
- `addr` (void*) [U] - Address in the user space of the traced process at which the operation begins or ends
- `data` (void*) [U,TOCTOU] - Extra data to be passed with the request, if necessary
- U - Originated from user space (for example, pointer to user space memory)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
System call trampoline
Provides the system call entry point
To provide an entry point for kernel tracing
Example Use Case
A debugging tool that allows the user to monitor and control another running process in the same system.
In certain setups, ptrace can be used to manipulate the running state of another process, which makes it potentially dangerous.
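To make the difference between the debugger use case and the cross-process manipulation risk concrete, here is an added Go example (not Tracee's own code) that classifies ptrace events by request number and by whether the target is a child of the caller. The `Caller` and `TargetParent` fields are assumed to be supplied by the event source; the request numbers are the Linux values from <sys/ptrace.h>.

```go
package main
import "fmt"
// Linux ptrace request numbers from <sys/ptrace.h> (subset used here).
const (
	PtraceTraceme    = 0
	PtracePoketext   = 4
	PtracePokedata   = 5
	PtraceSinglestep = 9
	PtraceSetregs    = 13
	PtraceAttach     = 16
	PtraceDetach     = 17
	PtraceSeize      = 0x4206
)
// Event carries the request and pid arguments listed above, plus the calling
// pid and the target's parent pid (assumed fields, resolved by the event source).
type Event struct {
	Caller, Request, Pid, TargetParent int
}
// Detector remembers each (tracer, target) pair attached outside a parent/child
// relationship, so that later memory or register writes to it are reported.
type Detector map[[2]int]bool
// Observe returns "" for a debugger working on its own child and an alert
// text when a process that is not the caller's child is attached to or modified.
func (d Detector) Observe(ev Event) string {
	key := [2]int{ev.Caller, ev.Pid}
	notChild := ev.TargetParent != ev.Caller
	switch ev.Request {
	case PtraceTraceme: // the process only asks its parent to trace it
		return ""
	case PtraceAttach, PtraceSeize:
		if notChild {
			d[key] = true
			return fmt.Sprintf("pid %d attached to non-child pid %d", ev.Caller, ev.Pid)
		}
	case PtracePoketext, PtracePokedata, PtraceSetregs:
		if notChild || d[key] {
			return fmt.Sprintf("pid %d wrote into non-child pid %d (request %d)", ev.Caller, ev.Pid, ev.Request)
		}
	case PtraceDetach:
		delete(d, key)
	}
	return ""
}
func main() {
	d := Detector{}
	// Constructed samples: a debugger stepping its own child (pid 1001), then an
	// unrelated process attaching to pid 1500 and writing into its memory.
	for _, ev := range []Event{{1000, PtraceSinglestep, 1001, 1000}, {2000, PtraceAttach, 1500, 1}, {2000, PtracePoketext, 1500, 1}} {
		if msg := d.Observe(ev); msg != "" { fmt.Println("ALERT:", msg) }
	}
}
```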
clone, for forking and tracing a child process.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.