{"id":31667728,"url":"https://github.com/a-mahla/strace-unix","last_synced_at":"2025-10-08T00:16:59.901Z","repository":{"id":209521969,"uuid":"718380257","full_name":"A-Mahla/Strace-Unix","owner":"A-Mahla","description":"My implementation of Strace Unix command. ","archived":false,"fork":false,"pushed_at":"2023-11-27T15:12:14.000Z","size":345,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2023-11-27T21:24:58.221Z","etag":null,"topics":["c","gdb","syscalls","unix"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/A-Mahla.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-11-14T00:34:03.000Z","updated_at":"2023-11-27T21:25:01.715Z","dependencies_parsed_at":"2023-11-27T21:25:00.996Z","dependency_job_id":"23a39eb4-cd88-4d57-9e10-3afa0bcc85d1","html_url":"https://github.com/A-Mahla/Strace-Unix","commit_stats":null,"previous_names":["a-mahla/strace-unix"],"tags_count":0,"template":null,"template_full_name":null,"purl":"pkg:github/A-Mahla/Strace-Unix","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/A-Mahla%2FStrace-Unix","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/A-Mahla%2FStrace-Unix/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/A-Mahla%2FStrace-Unix/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/A-Mahla%2FStrace-Unix/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/A-Mahla","download_url":"https://codeload.github.com/A-Mahla/Strace
-Unix/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/A-Mahla%2FStrace-Unix/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278867690,"owners_count":26059831,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-07T02:00:06.786Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c","gdb","syscalls","unix"],"created_at":"2025-10-08T00:16:58.632Z","updated_at":"2025-10-08T00:16:59.893Z","avatar_url":"https://github.com/A-Mahla.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Strace-Unix - Lightweight Debugger with System Call Tracing\n\n\u003cbr\u003e\n\n![mybadge](https://badgen.net/badge/SKILLS/%20UNIX,%20SYSCALL,%20C%20/red?scale=1.2)\n\n#### This project aims to better understand how GDB handles program tracing.\n\n\n🔧 System Requirements:\n   - Operating System: Linux 64_X86 Distribution\n   - Software: [make](https://www.gnu.org/software/make/), [gcc](https://gcc.gnu.org/), [docker](https://www.docker.com/) (optional)\n\n\u003cbr\u003e\n\n## Usage\n\n\n\nTo use it open your terminal and run these commands:\n\n  - To create custom strace binary ```./ft_strace```:\n\n      ```shell\n      (cd /path/to/project/directory \u0026\u0026 make)\n      ```\n\n   - To use this custom nm:\n\n      ```shell\n      ./ft_strace \u003cprog\u003e 
\u003cargs\u003e ...\n      ```\n\n   - To run it if you don't have all the required libraries installed:\n      ```shell\n      (cd /path/to/project/directory \u0026\u0026 make run)\n      ./ft_strace \u003cprog\u003e \u003cargs\u003e ...\n      ```\n\n\u003e This program is made to be compiled and run on a Linux x86\\_64 system. It\n\u003e has not been tested on any other architecture and is not expected to work\n\u003e under any other one. However, it is still possible to trace 32-bit processes.\n\n\u003cbr\u003e\n\n## About\n\n\u003cbr\u003e\n\nThis program observes a running process and lists each\n[system call](https://en.wikipedia.org/wiki/System_call) with the\n[ptrace()](https://man7.org/linux/man-pages/man2/ptrace.2.html) function (which\nactually is a system call too). After having seized a process it will use the\n[waitpid()](https://man7.org/linux/man-pages/man2/wait4.2.html) system call to\nwait for events.\n\n\u003cbr\u003e\n\n## What is a system call\n\nSystem calls are a userspace-to-kernel interface. They allow regular user\nprocesses to access system functionality. The\n[Kernel](https://en.wikipedia.org/wiki/Linux_kernel) is a program that is always\nrunning. It acts as a bridge between the OS and the hardware. Thus it handles\neverything memory-related, networking, etc. It also spawns and kills\nprocesses or sends signals, for example.\n\nThey include _open()_, _read()_, _write()_, _fork()_ and _execve()_. The\ncomplete [list](https://x64.syscall.sh/) contains more than 300 different system\ncalls. Most of them are accessible through glibc wrapper functions that somewhat\nabstract the interface for compatibility between architectures. 
Some of them do\nnot have corresponding wrappers and have to be called with the\n[syscall()](https://man7.org/linux/man-pages/man2/syscall.2.html) function.\n\nIn its most basic form a Linux system call is an assembly instruction: a\nsoftware interrupt for legacy 32-bit systems and the *syscall* instruction for x86\\_64\nsystems. The particular system call being used is designated by a unique\nsyscall number that is passed in a particular register (*eax* for i386 and *rax*\nfor x86\\_64). It takes at most 6 parameters through six other registers. On\ndifferent processor architectures different syscall numbers and register sets\nwill be used. Some might even have system calls that do not exist on another\none, or they could implement the same system call in different ways. A\nparticularly egregious example of that is the _clone()_ system call. It has\n[four different definitions](https://github.com/torvalds/linux/blob/master/kernel/fork.c#L3022)\nincluding three that have five parameters in varying order and one with six\nparameters.\n\nMost of that is abstracted away for the final user, who should not have to worry\nabout it. However it is important to keep in mind when dealing with different\narchitectures in a low-level setting. This is one of the reasons that ft\\_strace\nonly works on the x86\\_64 architecture.\n\n\u003cbr\u003e\n\n## How to catch a system call?\n\nWith _ptrace()_. But first you have to *seize* the running process you want to\nobserve. For that one simply has to use the *PTRACE_SEIZE* request on the pid of\nthe chosen process:\n\n```C\nptrace(PTRACE_SEIZE, pid, NULL, NULL);\n```\n\nThen if the tracing process has appropriate rights, or if the pid corresponds to a child\nprocess, the target process will be traced. 
If the tracee is not already stopped,\nit first has to be stopped with another *ptrace()* request (*PTRACE_INTERRUPT*).\nThen the process can be restarted using this request:\n\n```C\nptrace(PTRACE_SYSCALL, pid, NULL, NULL);\n```\n\nIt will both restart the process and make it stop on the next syscall entry.\nFrom there ft\\_strace simply waits for events with the _wait4()_ function. Every\nsystem call entry and exit of the tracee will be reported back to ft\\_strace, as\nwell as the signals it receives and eventually its death (be it by _exit()_ or\nby a signal).\n\nTo get the details of a syscall (which one has been called, its parameters and\nfinally its return value), the registers of the tracee must be inspected. This\nis done with yet another _ptrace()_ request:\n\n```C\nptrace(PTRACE_GETREGSET, pid, NT_PRSTATUS, \u0026registers);\n```\n\nThis copies the general-purpose register values (as specified by *NT_PRSTATUS*) of the\nprocess identified by *pid* into the *registers* structure. Then the tracer\nprocess has to interpret the register structure depending on the architecture\nto extract the syscall information.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fa-mahla%2Fstrace-unix","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fa-mahla%2Fstrace-unix","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fa-mahla%2Fstrace-unix/lists"}