How does ptrace work in Linux?
When the attached child process invokes a system call, the ptracing parent process can be notified. But how exactly does that happen? Parent process calls ptrace with PTRACE_ATTACH, and his child calls ptrace with PTRACE_TRACEME option. This pair will connect two processes by filling some fields inside their task_struct (kernel/ptrace.c: sys_ptrace, child will have PT_PTRACED … Read more