- Observe system behavior:
strace ./binary
- Understand program logic:
ltrace ./binary
- Debug with control:
gdb ./binary
1. PTRACE
ptrace is the low-level system call that lets one process (the tracer) observe and control another (the tracee). The dynamic analysis tools covered here (gdb, strace, ltrace) are all built on top of ptrace.
Common ptrace capabilities:
- Attach to a process
- Read/write memory
- Read/write registers
- Control execution (step, continue)
- Intercept syscalls
Relevant behaviors:
- Used by debuggers and tracers
- Its use can be detected by the traced program itself, which is how malware anti-debugging checks work
Basic usage via gdb (ptrace under the hood):
gdb ./binary
attach <pid>
Anti-debug example (in code):
ptrace(PTRACE_TRACEME, 0, NULL, NULL);  /* a process can have only one tracer */
If already being traced → the call fails and returns -1 (errno EPERM)
2. STRACE (SYSCALL TRACING)
Purpose:
Trace system calls (interaction with kernel)
What it shows:
- File access
- Process creation
- Network activity
- Memory mapping
- Permission denials (syscalls failing with EACCES/EPERM)
Basic usage:
strace ./binary
Save output:
strace -o output.txt ./binary
Follow child processes:
strace -f ./binary
Filter specific syscall:
strace -e openat ./binary
Summary (statistics):
strace -c ./binary
Common syscalls:
openat()
read()
write()
execve()
mmap()
connect()
getdents64()
Use cases:
- Detect file access
- Detect process spawning
- Identify execution flow
- Observe runtime behavior
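The following is an added example, not part of these notes, tying sections 1 and 2 together: a minimal strace-style tracer in C. The child requests tracing with PTRACE_TRACEME (the same call the anti-debug check uses) and exec's the target; the parent then stops it at every syscall entry and counts them. It assumes Linux, prints the syscall number only on x86_64, expects /bin/true to exist, and the function name count_child_syscalls is my own.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run `path` under ptrace and stop at every syscall entry, the way strace does.
 * Returns how many syscalls the child made, or -1 if it could not be traced
 * (ptrace forbidden by the sandbox, a tracer already attached, exec failed). */
long count_child_syscalls(const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: request tracing by the parent; fails with EPERM if a tracer already exists. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(127);
        execl(path, path, (char *)NULL);
        _exit(127);                        /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) return -1; /* SIGTRAP after execve */
    /* Mark syscall-stops as SIGTRAP|0x80 so they are distinguishable from real SIGTRAPs. */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD) == -1) return -1;
    long count = 0;
    int entering = 1, sig = 0;
    for (;;) {
        /* Resume until the next syscall entry/exit, delivering any pending signal. */
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1) return -1;
        if (waitpid(pid, &status, 0) == -1) return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status)) break;
        sig = 0;
        if (WSTOPSIG(status) == (SIGTRAP | 0x80)) {   /* syscall-stop */
            if (entering) {
                count++;
#ifdef __x86_64__
                struct user_regs_struct regs;      /* orig_rax = syscall number */
                if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == 0)
                    printf("syscall nr=%llu\n", (unsigned long long)regs.orig_rax);
#endif
            }
            entering = !entering;              /* entry and exit stops alternate */
        } else {
            sig = WSTOPSIG(status);            /* a real signal: pass it to the child */
        }
    }
    return count;
}

int main(void) { printf("%ld\n", count_child_syscalls("/bin/true")); return 0; }
```

Compare the printed numbers with `strace -c ./binary`: the count here matches strace's total because both see exactly the same syscall-stops.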
3. LTRACE (LIBRARY CALL TRACING)
Purpose:
Trace library calls (libc and shared libraries)
What it shows:
- Function calls inside userland
- String operations
- Memory allocations
- Environment checks
- Logic decisions
Basic usage:
ltrace ./binary
Save output:
ltrace -o output.txt ./binary
Filter specific function:
ltrace -e malloc ./binary
Common functions:
malloc()
free()
strlen()
strcmp()
getenv()
printf()
Use cases:
- Understand program logic
- Identify comparisons and checks
- Observe string handling
- Detect environment-based behavior