PTrace Not Recognizing Child Process
I'm writing a program that monitors system calls (among other things). But I'm having some trouble getting ptrace to recognize the process ID that I'm passing to it. Upon executing the program, I get this error message:
:No such process
However, I have verified the process ID right before the call by printing it to the console and verifying it with ps -all.
Here's some of the code that may be relevant (I can post more if necessary):
Heading the child process:
    /* Call to be traced */
    if (ptrace (PTRACE_TRACEME, 0, 0, 0) < 0){
        perror ("Process couldn't be traced");
        exit (-1);
    }
    /* Execute process image */
    if (execv (ProcessArgs[0], &ProcessArgs[1]) < 0){
        perror ("Couldn't execute process");
        exit (-1);
    }
In a thread of the parent process:
    DbgdProcess * _Process = ( DbgdProcess * ) _ProcessPass;
    int SystemCall = 0,
        Status = 0;
    /* I have tried sleep(1) here to wait for PTRACE_ME to no avail */
    while (!_Process->CloseSignal){
        if ( wait (&Status) < 0) { /* error handler */ }
        if ( WIFEXITED (Status)) { /* error handler */ }
        if (!WIFSTOPPED (Status)) continue;
        /* x86-64 user-area slots are 8 bytes wide */
        SystemCall = ptrace (PTRACE_PEEKUSER, _Process->ID, 8 * ORIG_RAX, 0);
        if (SystemCall < 0) { /* error handler */ }
        printf ("Process made system call %d\n", SystemCall);
        if (ptrace (PTRACE_CONT, _Process->ID, 0, 0) < 0) { /* error handler */ }
    }
Can anyone explain this behavior to me?
Some extra notes:
Update:
I've read this from the man page:
Most ptrace commands (all except PTRACE_ATTACH, PTRACE_SEIZE, PTRACE_TRACEME, PTRACE_INTERRUPT, and PTRACE_KILL) require the tracee to be in a ptrace-stop, otherwise they fail with ESRCH.
ESRCH, I believe, gives the message 'No such process'. So maybe the process is not ptrace-stopped when I make the ptrace call?
Update:
I was testing the code in this example. I did get it to work after doing the following:
- updating the header from to a
- changing (eax_orig * 4) to (rax_orig * 8)
But those changes are, as well, in my program and it's still not working.
Update:
I've got my code working. I'm not entirely sure why but it started working after I called PTRACE_ATTACH within the same thread that makes the polling calls with ptrace(2). I guess that would mean that ptrace must be used within the same thread of the parent process but I'm not entirely sure. My question now is, does anyone know if that's true? Or, if not, why ptrace behaves this way?
Update:
I found this link, which seems to suggest my problem is not unheard of.
sleep(1) is sometimes not enough; try sleep(5).
Why are you doing a PTRACE_SYSCALL, prior to checking if process has stopped or not?
Ideally, in the parent thread, you should wait for child to stop by using wait.
Once the child stops with WIFSTOPPED, then only use any other ptrace calls.
It appears that ESRCH is being returned by PTRACE_SYSCALL. Can you please confirm it?