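Edit (making progress):
I am trying to ptrace a vsftpd daemon. I have the following code that attaches to the daemon. It then successfully displays the PID of the first spawned process. However, for the children of this spawned process, it returns PIDs of 2, 3, ... The program does catch the exit of the spawned processes, which makes me think I'm close.
Any ideas?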
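    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/ptrace.h>
    #include <sys/types.h>
    #include <sys/wait.h>

    /* TRUE and FALSE are not defined in the posted fragment; assumed values. */
    #define FALSE 0
    #define TRUE  1

    void * trace_process(void * pid){
        pid_t child = atoi((char *) pid);   /* PID of the daemon, passed in as a string */
        long orig_eax, eax;
        int status;
        int callmade = FALSE;
        long opt = PTRACE_O_TRACEFORK;      /* request a stop when the tracee calls fork() */
        long newpid;
        long trace = ptrace(PTRACE_ATTACH,child,NULL,NULL);
        ptrace(PTRACE_SETOPTIONS,child,NULL,opt);
        if(trace == FALSE)                  /* ptrace() returned 0 for PTRACE_ATTACH */
            printf("Attached to %d\n",child);
        while(TRUE) {
            /* Wait for any traced process to change state. */
            child = waitpid(-1, &status, __WALL);
            if (status >> 16 == PTRACE_EVENT_FORK) {
                /* Fork event: fetch the new process's PID and resume it. */
                ptrace(PTRACE_GETEVENTMSG, child, NULL, (long) &newpid);
                ptrace(PTRACE_SYSCALL, newpid, NULL, NULL);
                printf("Attached to offspring %ld\n", newpid);
            }
            else{
                if(WIFEXITED(status))
                    printf("Child %d exited\n", child);
            }
            /* Resume the process that reported, until its next syscall stop. */
            ptrace(PTRACE_SYSCALL,child, NULL, NULL);
        } …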
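A fork-following attach loop for the situation in the question, given as an added example that is not part of the original post and not the asker's code. It waits for the attach stop before setting options, also traces vfork and clone, and resumes every stopped tracee; `ptrace_event_of` and `follow_forks` are hypothetical names, and Linux with glibc headers is assumed.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>

/* PTRACE_EVENT_* code carried by a waitpid() status, or 0 if the status is
 * not an event stop. Event stops are SIGTRAP stops with the event in bits 16+. */
int ptrace_event_of(int status)
{
    if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP)
        return 0;
    return (int)((unsigned)status >> 16);
}

/* Attach to pid and report every process it creates. Returns -1 on error,
 * 0 once no tracee is left. */
int follow_forks(pid_t pid)
{
    int status;
    long opts = PTRACE_O_TRACEFORK | PTRACE_O_TRACEVFORK | PTRACE_O_TRACECLONE;

    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1)
        return -1;
    /* The tracee must be in a ptrace stop before options can be set. */
    if (waitpid(pid, &status, __WALL) == -1 ||
        ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)opts) == -1)
        return -1;
    ptrace(PTRACE_CONT, pid, NULL, NULL);

    for (;;) {
        pid_t who = waitpid(-1, &status, __WALL);
        if (who == -1) return 0;            /* ECHILD: nothing left to trace */
        if (!WIFSTOPPED(status)) {          /* exited or killed by a signal */
            printf("%d gone\n", (int)who);
            continue;
        }
        int ev = ptrace_event_of(status), sig = WSTOPSIG(status);
        if (ev == PTRACE_EVENT_FORK || ev == PTRACE_EVENT_VFORK ||
            ev == PTRACE_EVENT_CLONE) {
            unsigned long newpid = 0;       /* PID of the new process */
            ptrace(PTRACE_GETEVENTMSG, who, NULL, &newpid);
            printf("%d created %lu\n", (int)who, newpid);
        }
        /* Swallow ptrace's own SIGTRAP/SIGSTOP stops (this also drops a
         * genuine SIGSTOP); pass every other signal on to the tracee. */
        if (sig == SIGTRAP || sig == SIGSTOP) sig = 0;
        ptrace(PTRACE_CONT, who, NULL, (void *)(long)sig);
    }
}
```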