Issue
Under linux, can I use GDB to debug a process that is currently running?
Solution
Yes. Use the attach
command. Check out this link for more information. Typing help attach
at a GDB console gives the following:
(gdb) help attach
Attach to a process or file outside of GDB.
This command attaches to another target, of the same type as your last
"target
" command ("info files
" will show your target stack).
The command may take as argument a process id, a process name
(with an optional process-id as a suffix), or a device file.
For a process id, you must have permission to send the process a signal,
and it must have the same effective uid as the debugger.
When using "attach
" to an existing process, the debugger finds the
program running in the process, looking first in the current working
directory, or (if not found there) using the source file search path
(see the "directory
" command). You can also use the "file
" command
to specify the program, and to load its symbol table.
NOTE: You may have difficulty attaching to a process due to improved security in the Linux kernel - for example attaching to the child of one shell from another.
You'll likely need to set /proc/sys/kernel/yama/ptrace_scope
depending on your requirements. Many systems now default to 1
or higher.
The sysctl settings (writable only with CAP_SYS_PTRACE) are:
0 - classic ptrace permissions: a process can PTRACE_ATTACH to any other
process running under the same uid, as long as it is dumpable (i.e.
did not transition uids, start privileged, or have called
prctl(PR_SET_DUMPABLE...) already). Similarly, PTRACE_TRACEME is
unchanged.
1 - restricted ptrace: a process must have a predefined relationship
with the inferior it wants to call PTRACE_ATTACH on. By default,
this relationship is that of only its descendants when the above
classic criteria is also met. To change the relationship, an
inferior can call prctl(PR_SET_PTRACER, debugger, ...) to declare
an allowed debugger PID to call PTRACE_ATTACH on the inferior.
Using PTRACE_TRACEME is unchanged.
2 - admin-only attach: only processes with CAP_SYS_PTRACE may use ptrace
with PTRACE_ATTACH, or through children calling PTRACE_TRACEME.
3 - no attach: no processes may use ptrace with PTRACE_ATTACH nor via
PTRACE_TRACEME. Once set, this sysctl value cannot be changed.
Answered By - Carl Norum Answer Checked By - Senaida (WPSolving Volunteer)