PTRACE(2) System Calls Manual PTRACE(2)

ptraceprocess tracing and debugging

#include <sys/types.h>
#include <sys/ptrace.h>

int
ptrace(int request, pid_t pid, caddr_t addr, int data);

() provides tracing and debugging facilities. It allows one process (the process) to control another (the process). Most of the time, the traced process runs normally, but when it receives a signal (see sigaction(2)), it stops. The tracing process is expected to notice this via wait(2) or the delivery of a SIGCHLD signal, examine the state of the stopped process, and cause it to terminate or continue as appropriate. ptrace() is the mechanism by which all this happens.

The request argument specifies what operation is being performed; the meaning of the rest of the arguments depends on the operation, but except for one special case noted below, all () calls are made by the tracing process, and the pid argument specifies the process ID of the traced process. request can be:

This request is one of two used by the traced process; it declares that the process expects to be traced by its parent. All the other arguments are ignored. (If the parent process does not expect to trace the child, it will probably be rather confused by the results; once the traced process stops, it cannot be made to continue except via ptrace().) When a process has used this request and calls execve(2) or any of the routines built on it (such as execv(3)), it will stop before executing the first instruction of the new image. Also, any setuid or setgid bits on the executable being executed will be ignored.
This request is the other operation used by the traced process; it allows a process that is not currently being traced to deny future traces by its parent. All other arguments are ignored. If the process is currently being traced, it will exit with the exit status of ENOTSUP; otherwise, it sets a flag that denies future traces. An attempt by the parent to trace a process which has set this flag will result in a segmentation violation in the parent.
The traced process continues execution. addr is an address specifying the place where execution is to be resumed (a new value for the program counter), or (caddr_t)1 to indicate that execution is to pick up where it left off. data provides a signal number to be delivered to the traced process as it resumes execution, or 0 if no signal is to be sent.
The traced process continues execution for a single step. The parameters are identical to those passed to PT_CONTINUE.
The traced process terminates, as if PT_CONTINUE had been used with SIGKILL given as the signal to be delivered.
This call has been replaced with PT_ATTACHEXC.
This request allows a process to gain control of an otherwise unrelated process and begin tracing it. It does not need any cooperation from the to-be-traced process. In this case, pid specifies the process ID of the to-be-traced process, and the other two arguments are ignored. This request requires that the target process must have the same real UID as the tracing process, and that it must not be executing a setuid or setgid executable. (If the tracing process is running as root, these restrictions do not apply.) The tracing process will see the newly-traced process stop and may then control it as if it had been traced all along. Note that this call differs from the prior call ( PT_ATTACH) in that signals from the child are delivered to the parent as Mach exceptions (see EXC_SOFT_SIGNAL).
This request is like PT_CONTINUE, except that it does not allow specifying an alternate place to continue execution, and after it succeeds, the traced process is no longer traced and continues execution normally.

Some requests can cause ptrace() to return -1 as a non-error value; to disambiguate, errno can be set to 0 before the call and checked afterwards. The possible errors are:

[]
No process having the specified process ID exists.
[]
  • A process attempted to use PT_ATTACHEXC on itself.
  • The request was not one of the legal requests.
  • The signal number (in data) to PT_CONTINUE was neither 0 nor a legal signal number.
  • , PT_SETREGS, PT_GETFPREGS, or PT_SETFPREGS was attempted on a process with no valid register set. (This is normally true only of system processes.)
[]
  • was attempted on a process that was already being traced.
  • A request attempted to manipulate a process that was being traced by some process other than the one making the request.
  • A request (other than PT_ATTACHEXC) specified a process that wasn't stopped.
[]
  • A request (other than PT_ATTACHEXC) attempted to manipulate a process that wasn't being traced at all.
  • An attempt was made to use PT_ATTACHEXC on a process in violation of the requirements listed under PT_ATTACHEXC above.
March 25, 2015 macOS 15.0