PTRACE_SYSCALL, PTRACE_SINGLESTEP
Restart the stopped tracee as for PTRACE_CONT, but arrange
for the tracee to be stopped at the next entry to or exit
from a system call, or after execution of a single
instruction, respectively. (The tracee will also, as
usual, be stopped upon receipt of a signal.) From the
tracer's perspective, the tracee will appear to have been
stopped by receipt of a SIGTRAP. So, for PTRACE_SYSCALL,
for example, the idea is to inspect the arguments to the
system call at the first stop, then do another
PTRACE_SYSCALL and inspect the return value of the system
call at the second stop. The data argument is treated as
for PTRACE_CONT. (addr is ignored.)
Hook syscalls using:
PTRACE_SYSCALL, PTRACE_SINGLESTEP Restart the stopped tracee as for PTRACE_CONT, but arrange for the tracee to be stopped at the next entry to or exit from a system call, or after execution of a single instruction, respectively. (The tracee will also, as usual, be stopped upon receipt of a signal.) From the tracer's perspective, the tracee will appear to have been stopped by receipt of a SIGTRAP. So, for PTRACE_SYSCALL, for example, the idea is to inspect the arguments to the system call at the first stop, then do another PTRACE_SYSCALL and inspect the return value of the system call at the second stop. The data argument is treated as for PTRACE_CONT. (addr is ignored.)