Linux Kernel Architecture

Chapter 13: System Calls


#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>

static pid_t pid;              /* PID of the traced process, shared with the handler */
void sigchld_handler(int sig); /* handler for SIGCHLD, discussed below */

int main(int argc, char **argv)
{
    int res;
    struct sigaction sigact = { 0 };   /* zeroed so sa_mask/sa_flags are defined */

    /* Read the PID of the process to be traced from the command line */
    if (argc != 2) {
        fprintf(stderr, "usage: %s <pid>\n", argv[0]);
        exit(-1);
    }
    pid = atoi(argv[1]);

    /* The kernel sends SIGCHLD each time the traced process is stopped */
    sigact.sa_handler = sigchld_handler;
    sigaction(SIGCHLD, &sigact, NULL);

    /* Attach to the desired process */
    res = ptrace(PTRACE_ATTACH, pid, 0, 0);
    if (res < 0) {
        printf("Failed to attach: %d\n", res);
        exit(-1);
    } else {
        printf("Attached to %d\n", (int)pid);
    }

    /* Wait for the traced process; a status of 0 means it exited normally */
    for (;;) {
        wait(&res);
        if (res == 0) {
            exit(1);
        }
    }
}

The program structure is roughly as follows:

❑ The PID of the traced program is read from the command line, and the usual checks are
carried out.
❑ A handler for the CHLD signal is installed because the kernel sends this signal to the tracer process
each time the traced program is interrupted.
❑ The tracer process attaches itself to the target application by means of the ptrace request
PTRACE_ATTACH.
❑ The main part of the tracer program consists of a simple endless loop that repeatedly invokes the
wait command to wait for the arrival of new CHLD signals.

This structure is not dependent on a particular processor type and can be used for all systems supported
by Linux. However, the method by which the number of the system call invoked is determined
is very architecture-specific. The method shown works only on IA-32 systems because they keep the
number at a specific offset in the saved register set. This offset is held in the ORIG_EAX constant defined
in asm/ptrace.h. Its value can be read using PTRACE_PEEKUSER and must be multiplied by the factor of 4
because the registers on this architecture are 4 bytes wide.

Of course, the above would be implemented differently on other architectures. For details, see the system
call-relevant code in the kernel sources and the sources of the standard strace tool.

Our main goal is to illustrate how ptrace calls are used to check monitored processes. Once process
tracing has been started by means of PTRACE_ATTACH, the bulk of the work is delegated to the handler
function of the CHLD signal implemented in sigchld_handler. This function is responsible for performing
the following tasks:

❑ Helping to find the number of the system call invoked using platform-dependent means.
The information found is output if the result is a system call number not equal to 0. Testing for
0 is necessary to ensure that only requests for system calls are logged but not the signals sent to
the traced process.
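The following is an added example, not code from the book, that puts the two points above into a complete, runnable tracer: the architecture-specific offset at which PTRACE_PEEKUSER finds the system call number (ORIG_EAX * 4 on IA-32 as the text describes; the x86-64 branch using ORIG_RAX * 8 from sys/reg.h is an assumption that generalizes the same scheme to 8-byte registers), and the separation of genuine system-call stops from signals delivered to the traced process. It deviates from the book's design in two ways so that it can run unattended: it starts the program itself under PTRACE_TRACEME instead of attaching to an existing PID, and it waits in a waitpid() loop with PTRACE_SYSCALL instead of a SIGCHLD handler. The option PTRACE_O_TRACESYSGOOD makes the kernel mark system-call stops with SIGTRAP|0x80, which is a more robust filter than the book's test for a number not equal to 0. The function and variable names are my own.

```c
/* Added example, not the book's code: minimal system-call tracer. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#if defined(__i386__) || defined(__x86_64__)
#include <sys/reg.h>   /* ORIG_EAX / ORIG_RAX register indices */
#endif

/* Byte offset of the saved system call number inside the USER area.
 * IA-32: ORIG_EAX * 4, registers are 4 bytes wide (as the chapter says).
 * x86-64: ORIG_RAX * 8 (assumption: same layout with 8-byte registers).
 * Other architectures: unknown here, reported as -1. */
static long syscall_number_offset(void)
{
#if defined(__i386__)
    return ORIG_EAX * 4;
#elif defined(__x86_64__)
    return ORIG_RAX * 8;
#else
    return -1;
#endif
}

/* Read the number of the system call the stopped tracee is executing.
 * Returns -1 with errno set if the offset is unknown or ptrace fails. */
static long read_syscall_number(pid_t pid)
{
    long off = syscall_number_offset();
    if (off < 0) { errno = ENOSYS; return -1; }
    errno = 0;
    long nr = ptrace(PTRACE_PEEKUSER, pid, (void *)off, NULL);
    if (nr == -1 && errno != 0) return -1;   /* PEEKUSER may legitimately return -1 */
    return nr;
}

/* True only for genuine system-call stops: with PTRACE_O_TRACESYSGOOD the
 * kernel reports them as SIGTRAP|0x80, so a signal delivered to the tracee
 * (reported with its own signal number) is never mistaken for a system call. */
static int is_syscall_stop(int status)
{
    return WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80);
}

/* Run argv[0] under tracing; return the number of system calls it entered,
 * or -1 if tracing is not possible (e.g. ptrace is forbidden by policy). */
static long trace_syscalls(char *const argv[], int verbose)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(127);
        execv(argv[0], argv);   /* the child stops with SIGTRAP after exec */
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD) < 0) {
        kill(pid, SIGKILL); waitpid(pid, NULL, 0); return -1;
    }

    long count = 0;
    int in_syscall = 0;   /* PTRACE_SYSCALL stops at entry and again at exit */
    int sig = 0;          /* signal to re-inject when restarting after a signal stop */
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) < 0) return -1;
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status)) break;
        if (!is_syscall_stop(status)) {   /* signal stop: pass it on, do not log */
            sig = WSTOPSIG(status);
            continue;
        }
        sig = 0;
        in_syscall = !in_syscall;
        if (!in_syscall) continue;        /* exit stop of the current call */
        long nr = read_syscall_number(pid);
        if (nr >= 0) {
            count++;
            if (verbose) printf("System call %ld\n", nr);
        }
    }
    return count;
}

/* Convenience wrapper: trace /bin/true (constructed test input). */
static long trace_syscalls_of_true(void)
{
    char *argv[] = { "/bin/true", NULL };
    return trace_syscalls(argv, 0);
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 1;
    }
    long n = trace_syscalls(&argv[1], 1);
    if (n < 0) {
        fprintf(stderr, "tracing failed (is ptrace permitted here?)\n");
        return 1;
    }
    printf("%ld system calls\n", n);
    return 0;
}
```

Run it as `./tracer /bin/ls` to see one line per system call entered. The entry/exit toggle is the classic PTRACE_SYSCALL idiom; the signal number captured at a signal stop is re-injected on the next restart so the traced program still receives its signals, which the book's simple loop does not do.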