Playing with ptrace

it2022-05-09  28

Playing with ptrace, Part I

Using ptrace allows you to set up system call interception and modification at the user level.

by Pradeep Padala

Have you ever wondered how system calls can be intercepted? Have you ever tried fooling the kernel by changing system call arguments? Have you ever wondered how debuggers stop a running process and let you take control of the process?

If you are thinking of using complex kernel programming to accomplish tasks, think again. Linux provides an elegant mechanism to achieve all of these things: the ptrace (Process Trace) system call. ptrace provides a mechanism by which a parent process may observe and control the execution of another process. It can examine and change its core image and registers and is used primarily to implement breakpoint debugging and system call tracing.

In this article, we learn how to intercept a system call and change its arguments. In Part II of the article we will study advanced techniques: setting breakpoints and injecting code into a running program. We will peek into the child process' registers and data segment and modify the contents. We will also describe a way to inject code so the process can be stopped and execute arbitrary instructions.

Basics

Operating systems offer services through a standard mechanism called system calls. They provide a standard API for accessing the underlying hardware and low-level services, such as the filesystem. When a process wants to invoke a system call, it places the system call arguments in registers and issues soft interrupt 0x80. This soft interrupt acts as a gate into kernel mode, and the kernel executes the system call after examining the arguments.
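As an added example (not from the article or its source listings), here is a minimal tracer built on the mechanism just described: the child volunteers to be traced, the parent resumes it with PTRACE_SYSCALL so that it stops at every system call entry and exit, and the parent reads the call number out of the saved registers (orig_eax on i386, orig_rax on x86_64). The function name count_getppid_entries and the choice of getppid as the traced call are my own assumptions for the demonstration.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* The system call number is saved in orig_eax (i386) or orig_rax (x86_64). */
#ifdef __x86_64__
#define SYSCALL_NR(r) ((r).orig_rax)
#else
#define SYSCALL_NR(r) ((r).orig_eax)   /* i386, as in the article */
#endif
/* Fork a child that issues n getppid() calls and trace it; return how many
 * getppid entries the tracer saw, or -1 if tracing failed. */
long count_getppid_entries(int n)
{
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        /* Child: volunteer to be traced, then stop so the parent can set up. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(127);
        raise(SIGSTOP);
        for (int i = 0; i < n; i++)
            syscall(SYS_getppid);  /* raw syscall, nothing cached by libc */
        _exit(0);
    }
    int status, sig = 0, in_syscall = 0;
    long seen = 0;
    if (waitpid(child, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    /* Flag syscall stops as SIGTRAP|0x80 so they are not mistaken for signals. */
    ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, child, NULL, (void *)(long)sig) < 0) return -1;
        if (waitpid(child, &status, 0) < 0 || !WIFSTOPPED(status))
            break;  /* child exited */
        sig = (WSTOPSIG(status) == (SIGTRAP | 0x80)) ? 0 : WSTOPSIG(status);
        if (sig) continue;  /* genuine signal: deliver it unchanged */
        if (!in_syscall) {  /* entry stop: the arguments are still in the registers */
            struct user_regs_struct regs;
            if (ptrace(PTRACE_GETREGS, child, NULL, &regs) == 0 &&
                SYSCALL_NR(regs) == SYS_getppid)
                seen++;
        }
        in_syscall = !in_syscall;  /* stops alternate: entry, exit, entry, ... */
    }
    return seen;
}
```

The entry stop is the point at which a tracer can inspect or rewrite the arguments before the kernel acts on them; the exit stop is where the return value can be examined.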

On the i386 architecture (all the code in this article is i386-specific), the system call number is put in the register
