| PTRACE(2) | System Calls Manual | PTRACE(2) | 
ptrace —
#include <sys/types.h>
#include <sys/ptrace.h>
int
  
  ptrace(int
    request, pid_t pid,
    void *addr,
    int data);
ptrace() provides tracing and debugging facilities. It
  allows one process (the tracing process) to control another
  (the traced process). Most of the time, the traced process
  runs normally, but when it receives a signal (see
  sigaction(2)), it stops. The
  tracing process is expected to notice this via
  wait(2) or the delivery of a
  SIGCHLD signal (see
  siginfo(2)), examine the state
  of the stopped process, and cause it to terminate or continue as appropriate.
  ptrace() is the mechanism by which all this happens.
When a process that is traced by a debugger requests and calls
    execve(2) or any of the
    routines built on it (such as
    execv(3)), it will stop before
    executing the first instruction of the new image and emit
    SIGTRAP with si_code set to
    TRAP_EXEC. If a traced program calls
    execve(2) any setuid or setgid
    bits on the executable being executed will be ignored.
Program (software) breakpoints are reported with
    SIGTRAP and the si_code
    value set to TRAP_BKPT. These breakpoints are
    machine specific instructions that interrupt the process. In order to put a
    trap by a tracer into the tracee's program, debugger must violate the
    PaX MPROTECT restrictions. For details check the
    security.pax.mprotect.ptrace option described in
    sysctl(7). When a tracee is
    interrupted by a trap, the trap is not removed by the kernel and it must be
    handled by a debugger.
If a program is traced with single steps
    (PT_STEP) it reports each step with
    SIGTRAP with si_code set to
    TRAP_TRACE. This event is not maskable
    PT_SET_EVENT_MASK.
Child program traps are reported with
    SIGTRAP and the si_code
    value set to TRAP_CHLD. These events are by default
    disabled and can be configured with
    PT_SET_EVENT_MASK. If this event occurs, check with
    PT_GET_PROCESS_STATE the details of the process
    state associated with this event.
Design choices for Debug Register accessors
exec() (TRAP_EXEC event)
      must remove debug registers from LWPPTRACE_LWP_CREATE
      / PTRACE_LWP_EXIT event monitoring function is
      designed to be usedSIGTRAP with
      si_code TRAP_DBREGPT_SETDBREGS callA debugger might reuse port specific symbols, to help writing
    portable code as described in the port specific part of the
    <sys/ptrace.h> header. Among
    these symbols, there are:
PTRACE_REG_PCPTRACE_REG_SET_PCPTRACE_REG_SPPTRACE_REG_INTRVPTRACE_BREAKPOINTPTRACE_BREAKPOINT_SIZEPTRACE_BREAKPOINT_ADJThe request argument of
    ptrace specifies what operation is being performed;
    the meaning of the rest of the arguments depends on the operation, but
    except for one special case noted below, all ptrace
    calls are made by the tracing process, and the pid
    argument specifies the process ID of the traced process.
    request can be:
PT_TRACE_MEptrace().
    This call does not stop the process neither emit
        SIGSTOP to parent.
PT_READ_I,
    PT_READ_Dptrace() has allowed for machines with distinct
      address spaces for instruction and data, which is why there are two
      requests: conceptually, PT_READ_I reads from the
      instruction space and PT_READ_D reads from the
      data space. In the current NetBSD implementation,
      these two requests are completely identical. The
      addr argument specifies the address (in the traced
      process' virtual address space) at which the read is to be done. This
      address does not have to meet any alignment constraints. The value read is
      returned as the return value from ptrace().
    These operations return success on incomplete and cancelled
        byte transfers. New software shall use PT_IO as
        it allows to check whether a byte transfer was completed.
PT_WRITE_I,
    PT_WRITE_DPT_READ_I and
      PT_READ_D, except that they write rather than
      read. The data argument supplies the value to be
      written.
    New software shall use PT_IO as it
        allows to check whether an operation was completed.
PT_CONTINUE(void *)1 to indicate
      that execution is to pick up where it left off. data
      provides a signal number to be delivered to the traced process as it
      resumes execution, or 0 if no signal is to be sent. If a negative value is
      supplied, that is the negative of the LWP ID of the thread to be resumed,
      and only that thread executes.PT_KILLPT_CONTINUE
      has been used with SIGKILL given as the signal to
      be delivered. However, unlike PT_CONTINUE,
      PT_KILL can be used on a non-stopped tracee. The
      addr and data arguments are
      ignored.PT_STOPSIGSTOP given as the signal to be delivered.
      wait(2) will report the child
      (again) as stopped even if it was stopped before. The
      addr and data arguments are
      ignored. Unlike PT_CONTINUE call with
      SIGSTOP, PT_STOP works
      both on running and stopped processes.PT_ATTACHThe tracing process will see the newly-traced process stop and
        may then control it as if it had been traced all along. It means that
        the SIGSTOP signal is emitted to tracer. It is
        different behavior to the one from
      PT_TRACE_ME.
Three other restrictions apply to all tracing processes, even those running as root. First, no process may trace a system process. Second, no process may trace the process running init(8). Third, if a process has its root directory set with chroot(2), it may not trace another process unless that process' root directory is at or below the tracing process' root.
PT_DETACHPT_IOPT_READ_D, PT_WRITE_D,
      PT_READ_I, and PT_WRITE_I.
      The I/O request is encoded in a struct
      ptrace_io_desc defined as:
    
struct ptrace_io_desc {
	int	piod_op;
	void	*piod_offs;
	void	*piod_addr;
	size_t	piod_len;
};
    
    where piod_offs is the offset within the traced process where the I/O operation should take place, piod_addr is the buffer in the tracing process, and piod_len is the length of the I/O request. The piod_op field specifies which type of I/O operation to perform. Possible values are:
See the description of PT_READ_I for
        the difference between I and D spaces.
The PIOD_READ_AUXV operation can be
        used to read from the ELF auxiliary vector. The
        piod_offs argument sets the offset within the
        tracee's vector. To read from the beginning of it, this value must be
        set to 0 and cast to (void *).
A pointer to the I/O descriptor is passed in the
        addr argument to ptrace().
        On return, the piod_len field in the I/O
        descriptor will be updated with the actual number of bytes transferred.
        If the requested I/O could not be successfully performed,
        ptrace() will return -1 and set
        errno.
This interface returns success for partial and cancelled byte
        transfers. For an interrupted transfer, a user shall check whether
        occurred at least a single of the following two conditions:
        piod_len == 0 and set
        errno. Successful but incomplete byte transfers
        shall be restarted in the place where they were stopped.
PT_DUMPCOREPT_LWPINFO
struct ptrace_lwpinfo {
	lwpid_t pl_lwpid;
	int pl_event;
};
    
    where pl_lwpid contains a thread LWP ID. Information is returned for the thread following the one with the specified ID in the process thread list, or for the first thread if pl_lwpid is 0. Upon return pl_lwpid contains the LWP ID of the thread that was found, or 0 if there is no thread after the one whose LWP ID was supplied in the call. pl_event contains the event that stopped the thread. Possible values are:
The data argument should contain
        “sizeof(struct
      ptrace_lwpinfo)”.
PT_SYSCALLPT_CONTINUE.PT_SYSCALLEMUPT_SYSCALL. This operation shall be called
      for syscall entry trap from PT_SYSCALL. To resume
      execution after intercepting the system call, another
      PT_SYSCALL shall be used.PT_SET_EVENT_MASK
typedef struct ptrace_event {
	int	pe_set_event;
} ptrace_event_t;
    
    pe_set_event is the set of events to be reported. This set is formed by OR'ing together the following values:
The fork(2) and
        vfork(2) events can occur
        with clone(2). The
        PTRACE_FORK value means that process gives birth
        to its child without pending on its termination or
        execve(2) operation. If
        enabled, the child is also traced by the debugger and
        SIGTRAP is generated twice, first for the parent
        and second for the child. The PTRACE_VFORK event
        is the same as PTRACE_FORK, but the parent
        blocks after giving birth to the child. The
        PTRACE_VFORK_DONE event can be used to report
        unblocking of the parent.
posix_spawn() on
        NetBSD directly creates the child process
        without intermediate fork. The
        PTRACE_POSIX_SPAWN event semantics are the same
        as PTRACE_FORK, but the child is reported with
        implied execution of a file.
A pointer to this structure is passed in
        addr. The data argument
        should be set to sizeof(struct
      ptrace_event).
PT_GET_EVENT_MASKsizeof(struct ptrace_event).PT_GET_PROCESS_STATE
typedef struct ptrace_state {
	int	pe_report_event;
	pid_t	pe_other_pid;
} ptrace_state_t;
    
    A pointer to this structure is passed in
        addr. The data argument
        should be set to sizeof(struct
      ptrace_state).
PT_SET_SIGINFO
typedef struct ptrace_siginfo {
	siginfo_t	psi_siginfo;
	lwpid_t		psi_lwpid;
} ptrace_siginfo_t;
    
    Where psi_siginfo is the set to signal
        information structure. The psi_lwpid field
        describes LWP address of the signal. Value 0
        means the whole process (route signal to all LWPs).
A pointer to this structure is passed in
        addr. The data argument
        should be set to sizeof(struct
      ptrace_siginfo).
In order to pass faked signal to the tracee, the signal type
        must match the signal passed to the process with
        PT_CONTINUE or
        PT_SYSCALL.
PT_GET_SIGINFOsizeof(struct
      ptrace_siginfo).PT_RESUMEThis call is equivalent to _lwp_continue(2) called by a traced process. This call does not change the general process state from stopped to continued.
PT_SUSPENDThis call is equivalent to _lwp_suspend(2) called by a traced process. This call does not change the general process state from continued to stopped.
Additionally, the following requests exist but are not available
    on all machine architectures. The file
    <machine/ptrace.h> lists
    which requests exist on a given machine.
PT_STEPPT_SETSTEPPT_CONTINUE is issued. This request permits
      combining single-stepping with sending signals and
      PT_SYSCALL.PT_CLEARSTEPPT_GETREGS<machine/reg.h>) pointed
      to by addr. The data argument
      contains the LWP ID of the thread whose registers are to be read. If zero
      is supplied, the first thread of the process is read.PT_SETREGSPT_GETREGS; it
      loads the traced process' machine registers from the
      struct reg (defined in
      <machine/reg.h>) pointed
      to by addr. The data argument
      contains the LWP ID of the thread whose registers are to be written. If
      zero is supplied, the first thread of the process is written.PT_GETFPREGS<machine/reg.h>) pointed
      to by addr. The data argument
      contains the LWP ID of the thread whose registers are to be read. If zero
      is supplied, the first thread of the process is read.PT_SETFPREGSPT_GETFPREGS; it
      loads the traced process' floating-point registers from the
      struct fpreg (defined in
      <machine/reg.h>) pointed
      to by addr. The data argument
      contains the LWP ID of the thread whose registers are to be written. If
      zero is supplied, the first thread of the process is written.PT_GETDBREGS<machine/reg.h>) pointed
      to by addr. The data argument
      contains the LWP ID of the thread whose registers are to be read. If zero
      is supplied, the first thread of the process is read.PT_SETDBREGSPT_GETDBREGS; it
      loads the traced process' debug registers from the struct
      dbreg (defined in
      <machine/reg.h>) pointed
      to by addr. The data argument
      contains the LWP ID of the thread whose registers are to be written. If
      zero is supplied, the first thread of the process is written.PT_GETXMMREGS<machine/reg.h>) pointed
      to by addr. The data argument
      contains the LWP ID of the thread whose registers are to be read. If zero
      is supplied, the first thread of the process is read.PT_SETXMMREGSPT_GETXMMREGS; it
      loads the traced process' XMM registers from the struct
      xmmregs (defined in
      <machine/reg.h>) pointed
      to by addr. The data argument
      contains the LWP ID of the thread whose registers are to be written. If
      zero is supplied, the first thread of the process is written.PT_GETVECREGS<machine/reg.h>) pointed
      to by addr. The data argument
      contains the LWP ID of the thread whose registers are to be read. If zero
      is supplied, the first thread of the process is read.PT_SETVECREGSPT_GETVECREGS; it
      loads the traced process' vector registers from the struct
      vreg (defined in
      <machine/reg.h>) pointed
      to by addr. The data argument
      contains the LWP ID of the thread whose registers are to be written. If
      zero is supplied, the first thread of the process is written.PT_GETXSTATE<machine/cpu_extended_state.h>).
      addr should be a pointer to struct
      iovec (defined in
      <sys/uio.h>) specifying
      the pointer to the aforementioned struct as iov_base
      and its size as iov_len. The
      data argument contains the LWP ID of the thread
      whose registers are to be read. If zero is supplied, the first thread of
      the process is read. The struct will be filled up to the specified
      iov_len. The caller needs to check the
      xs_rfbm bitmap in order to determine which fields
      were provided by the CPU, and may check xs_xstate_bv
      to determine which component states were changed from the initial
    state.PT_SETXSTATEPT_GETXSTATE; it
      loads the traced process' extended FPU state from the
      struct xstate (defined in
      <machine/cpu_extended_state.h>).
      addr should be a pointer to struct
      iovec (defined in
      <sys/uio.h>) specifying
      the pointer to the aforementioned struct as iov_base
      and its size as iov_len. The
      data argument contains the LWP ID of the thread
      whose registers are to be written. If zero is supplied, the first thread
      of the process is written. The xs_rfbm field of the
      supplied xstate specifies which state components are to be updated. Other
      components (fields) will be ignored. The
      xs_xstate_bv field specifies whether component state
      should be set to provided values (when 1) or reset to unitialized (when
      0). The request will fail if xs_xstate_bv is not a
      subset of xs_rfbm, or any of the specified
      components is not supported by the CPU or kernel (i.e., not returned by
      PT_GETXSTATE).ptrace() to return -1 as a
  non-error value; to disambiguate, errno can be set to 0
  before the call and checked afterwards. The possible errors are:
EAGAIN]EBUSY]PT_ATTACH
          was attempted on a process that was already being traced.PT_ATTACH) specified a
          process that wasn't stopped.EDEADLK]EINVAL]PT_ATTACH on
          itself.PT_CONTINUE was neither 0 nor a legal signal
          number.PT_GETREGS,
          PT_SETREGS,
          PT_GETFPREGS,
          PT_SETFPREGS,
          PT_GETXSTATE, or
          PT_SETXSTATE was attempted on a process with
          no valid register set. (This is normally true only of system
          processes.)PT_CONTINUE,
          PT_SYSCALL or
          PT_DETACH with
          vm.user_va0_disable set to 1.PT_SETXSTATE
          attempted to set state components not supported by the kernel, or
          xs_xstate_bv was not a subset of
          xs_rfbm.EPERM]PT_ATTACH) attempted to
          manipulate a process that wasn't being traced at all.PT_ATTACH on a
          process in violation of the requirements listed under
          PT_ATTACH above.ESRCH]ptrace() function appeared in
  Version 7 AT&T UNIX.
PT_CONTINUE and similar calls, but the NPC is set
  willy-nilly to 4 greater than the PC value. Using
  PT_GETREGS and PT_SETREGS to
  modify the PC, passing (void *)1 to
  ptrace(), should be able to sidestep this.
PT_SET_SIGINFO,
    PT_RESUME and PT_SUSPEND can
    change the image of process returned by
  PT_LWPINFO.
| October 9, 2019 | NetBSD 9.4 |