
The importance of ptrace

In Linux, the ptrace(2) system call is the userland means of accessing a process address space. This means that someone can attach to a process that they own and modify, analyze, reverse, and debug it. Well-known debugging and analysis applications such as gdb, strace, and ltrace are ptrace-assisted applications. The ptrace system call is very useful for both reverse engineers and malware authors.

It gives a programmer the ability to attach to a process and modify its memory, which can include injecting code and modifying important data structures such as the Global Offset Table (GOT) for shared library redirection. In this section, we will cover the most commonly used features of ptrace, demonstrate memory infection from the attacker's side, and demonstrate process analysis by writing a program that reconstructs a process image back into an executable. If you have never used ptrace, then you will see that you have been missing out on a lot of fun!
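The attach-and-read capability described above, together with the trace it leaves for a defender, is shown in the following added example (not code from the book). The names `marker`, `tracer_pid_of`, and `attach_and_inspect` are hypothetical; the program attaches only to a child it forks itself and assumes `/proc` is mounted.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample value; fork() gives the child a copy at the same address. */
static long marker = 0x5AFEC0DEL;

/* Return the TracerPid field of /proc/<pid>/status (0 = untraced), -1 on error. */
int tracer_pid_of(pid_t pid) {
    char path[64], line[256];
    int tracer = -1;
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "TracerPid: %d", &tracer) == 1) break;
    fclose(f);
    return tracer;
}

/* Fork a child, attach to it, read one word of its memory, record what
 * /proc reports as its tracer, then kill it. Returns 0 on success. */
int attach_and_inspect(long *word, int *tracer) {
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) { for (;;) pause(); }      /* tracee: just wait */
    int status, rc = -1;
    if (ptrace(PTRACE_ATTACH, child, NULL, NULL) == 0 &&
        waitpid(child, &status, 0) == child && WIFSTOPPED(status)) {
        errno = 0;                              /* a peeked word may itself be -1 */
        *word = ptrace(PTRACE_PEEKDATA, child, (void *)&marker, NULL);
        if (errno == 0) { *tracer = tracer_pid_of(child); rc = 0; }
    }
    kill(child, SIGKILL);                       /* tear down the tracee */
    waitpid(child, &status, 0);
    return rc;
}

int main(void) {
    long word = 0; int tracer = 0;
    if (attach_and_inspect(&word, &tracer) != 0) { perror("ptrace"); return 1; }
    printf("peeked 0x%lx, TracerPid=%d, our pid=%d\n", word, tracer, (int)getpid());
    return 0;
}
```

A nonzero `TracerPid` on a process that is not expected to be under a debugger is a simple indicator that something has attached to it. The attach can fail on systems where the Yama `ptrace_scope` setting or a seccomp policy restricts ptrace.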
