Stopping Tracing

Tracing is stopped with the PTRACE_DETACH request. The central ptrace handler delegates this request to the ptrace_detach function in kernel/ptrace.c, which performs the following steps:

1. The architecture-specific hook ptrace_disable performs any low-level operations required to stop tracing on the given processor, such as clearing single-step state that the tracer may have enabled for the child.

2. The flag TIF_SYSCALL_TRACE is cleared in the child's thread flags, so that system call entry and exit no longer stop the child and notify the tracer.

3. The ptrace element of the task_struct instance is reset to 0, and the target process is removed from the ptrace_children list of the tracer process.

4. The parent process is reset to the original task by overwriting task_struct->parent with the value stored in real_parent.

Finally, the traced process is woken up with wake_up_process so that it can resume its work. Note that the request is only accepted while the child is in a ptrace stop (otherwise the caller receives ESRCH), so the process being woken up here is the one that was stopped for the tracer.
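The following tracer program is an added example (it is not code from the page or from the kernel sources it describes) that shows the user-visible effect of these steps: it attaches to a child, reads the TracerPid field of /proc/<pid>/status to see the ptrace link, detaches, and then checks that the link is gone and that the child is running again. It assumes a Linux system on which the caller is allowed to ptrace its own child (for example Yama ptrace_scope 0 or 1); the helper names status_field and proc_status_field and the pipe-based liveness check are choices made here, not kernel interfaces. Because the tracee is the tracer's own child, the PPid field is the tracer's pid both before and after detaching, which is why TracerPid is the field to watch.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return the numeric value of the "<key>:" line in the text of a
 * /proc/<pid>/status file, or -1 if no such line exists. The key must
 * match a whole field name, so "Pid" does not match the "PPid:" line. */
long status_field(const char *text, const char *key)
{
    size_t klen = strlen(key);
    const char *line = text;

    while (line != NULL && *line != '\0') {
        if (strncmp(line, key, klen) == 0 && line[klen] == ':')
            return strtol(line + klen + 1, NULL, 10);
        line = strchr(line, '\n');
        if (line != NULL)
            line++;
    }
    return -1;
}

/* Read /proc/<pid>/status and extract one numeric field (-1 on error). */
long proc_status_field(pid_t pid, const char *key)
{
    char path[64];
    char buf[4096];
    int fd;
    ssize_t n;

    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return status_field(buf, key);
}

int main(void)
{
    int pfd[2], status, flags, resumed;
    char c;
    pid_t child;

    if (pipe(pfd) < 0) {
        perror("pipe");
        return 1;
    }
    child = fork();
    if (child < 0) {
        perror("fork");
        return 1;
    }
    if (child == 0) {
        /* Tracee: report liveness through the pipe, one byte per 20 ms.
         * While it sits in the tracing stop it cannot write anything. */
        close(pfd[0]);
        for (;;) {
            if (write(pfd[1], "x", 1) != 1)
                _exit(0);
            usleep(20000);
        }
    }
    close(pfd[1]);

    /* Attach: the kernel sends SIGSTOP and we wait for the tracing stop. */
    if (ptrace(PTRACE_ATTACH, child, NULL, NULL) < 0) {
        perror("PTRACE_ATTACH (ptrace may be restricted by Yama/seccomp)");
        kill(child, SIGKILL);
        return 1;
    }
    if (waitpid(child, &status, 0) < 0 || !WIFSTOPPED(status)) {
        fprintf(stderr, "tracee did not enter the tracing stop\n");
        kill(child, SIGKILL);
        return 1;
    }
    printf("attached: TracerPid=%ld (tracer pid %d)\n",
           proc_status_field(child, "TracerPid"), (int)getpid());

    /* Discard bytes written before the stop so that the next successful
     * read can only come from a tracee that is running again. */
    flags = fcntl(pfd[0], F_GETFL);
    fcntl(pfd[0], F_SETFL, flags | O_NONBLOCK);
    while (read(pfd[0], &c, 1) == 1)
        ;

    /* Detach. The tracee must still be in its ptrace stop; PTRACE_DETACH
     * on a tracee that is not stopped fails with ESRCH. */
    if (ptrace(PTRACE_DETACH, child, NULL, NULL) < 0) {
        perror("PTRACE_DETACH");
        kill(child, SIGKILL);
        return 1;
    }

    /* After ptrace_detach: the ptrace link is gone (TracerPid back to 0)
     * and the tracee has been woken up, so a blocking read now returns. */
    fcntl(pfd[0], F_SETFL, flags);
    resumed = (read(pfd[0], &c, 1) == 1);
    printf("detached: TracerPid=%ld, tracee resumed=%d\n",
           proc_status_field(child, "TracerPid"), resumed);

    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return 0;
}
```

Build with gcc -Wall -o detach_demo detach_demo.c and run it as an unprivileged user; the first line shows TracerPid equal to the tracer's pid, the second shows it reset to 0 with the child reporting again. If PTRACE_ATTACH fails with EPERM, ptrace is restricted on the host (check /proc/sys/kernel/yama/ptrace_scope or the container's seccomp profile) rather than anything being wrong with the detach logic.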
