ptrace requests

The ptrace system call has a libc wrapper like any other system call, so you may include <sys/ptrace.h> and simply call ptrace, passing it a request and a process ID. The following details are not a replacement for the man pages of ptrace(2), although some descriptions were borrowed from them.

Here's the synopsis:

#include <sys/ptrace.h>

long ptrace(enum __ptrace_request request, pid_t pid,
            void *addr, void *data);

ptrace request types

Here is a list of requests that are most commonly used when using ptrace to interact with a process image:

The term tracer refers to the process that is doing the tracing (the one that is invoking ptrace), and the term tracee or the traced means the program that is being traced by the tracer (with ptrace).

Note

The default behavior of ptrace overrides any mmap or mprotect permissions. This means that a user can write to the text segment with ptrace even though it is read-only. This does not hold when the kernel is patched with PaX or grsecurity mprotect restrictions, which enforce segment permissions so that they apply to ptrace as well; this is a security feature.

My paper on ELF runtime infection at http://vxheavens.com/lib/vrn00.html discusses some methods to bypass these restrictions for code injection.
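The permission override described in the note above can be checked on a given kernel with a tracer that pokes a page its own forked child holds read-only. This is an added example, not code from the book; `poke_readonly_page`, `struct poke_result` and the two sample words are names and values assumed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

#define ORIG_WORD 0x11111111L   /* constructed sample values */
#define NEW_WORD  0x22222222L

/* status: 1 = poke changed the read-only page, 0 = kernel refused, -1 = could not trace */
struct poke_result { int status; long before, after, parent_copy; };

struct poke_result poke_readonly_page(void)
{
    struct poke_result r = { -1, 0, 0, 0 };
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    long *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return r;
    *page = ORIG_WORD;
    mprotect(page, len, PROT_READ);      /* the child inherits it read-only */
    int ws;
    pid_t pid = fork();
    if (pid == 0) {                      /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(1);
        raise(SIGSTOP);                  /* stop so the tracer can inspect us */
        _exit(0);
    }
    if (pid > 0 && waitpid(pid, &ws, 0) == pid && WIFSTOPPED(ws)) {  /* tracer */
        errno = 0;                       /* PEEK returns data, so errors show in errno */
        r.before = ptrace(PTRACE_PEEKDATA, pid, page, NULL);
        if (errno == 0) {
            long rc = ptrace(PTRACE_POKEDATA, pid, page, (void *)NEW_WORD);
            errno = 0;
            r.after = ptrace(PTRACE_PEEKDATA, pid, page, NULL);
            if (errno == 0) r.status = (rc == 0 && r.after == NEW_WORD);
        }
        kill(pid, SIGKILL);              /* discard the tracee and reap it */
        waitpid(pid, &ws, 0);
    }
    r.parent_copy = *page;               /* tracer's private copy is untouched */
    munmap(page, len);
    return r;
}

int main(void)
{
    struct poke_result r = poke_readonly_page();
    printf("status=%d before=%#lx after=%#lx\n", r.status, r.before, r.after);
    return r.status < 0;
}
```

A status of 1 is the default behavior the note describes; a status of 0 means the kernel applied the page permissions to ptrace as well.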
