Read the stderr of a process using ptrace(2)

Hi dear Stackoverflowers :),

In recent weeks I've been diving into the obscure (at least to me) world of the ptrace system call. My goal is to read stderr of another process. For debugging purposes, it might be a child process, but in production I would like to read everything (requires root privileges, which I assume).

My understanding is that I should follow this flow:

  • PTRACE_ATTACH
  • PTRACE_SYSCALL to be notified the next time the tracee makes a syscall,
  • waitpid to be able to access data.
  • PTRACE_GETREGS to see if it is a write syscall and if it writes to fd number 2.
  • PTRACE_PEEKDATA to read what was written to fd number 2.

Can anyone help me check whether I am right or wrong, and then understand how to implement the correct steps?

This would be very helpful.

My sources so far have been:

http://man7.org/linux/man-pages/man2/ptrace.2.html
https://groogroot.eu/the-ptrace-system-call/ (really good tutorial)
https://keithtech.wordpress.com/2013/10/21/how-to-use-ptrace_getregs/
https://webdocs.cs.ualberta.ca/~paullu/C498/meng.ptrace.slides.pdf
https://github.com/eklitzke/ptrace-call-userspace
https://eklitzke.org/ptrace


Update:

I was able to read the data that the process was dumping into stderr. My goal now is to fully understand how this works. Once it's ready, my own answer will follow.

A working example can be seen in: Mittcher Glove Github repo

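The flow listed in the question, worked through end to end as an added example (this is editor-written code, not from the poster or from the linked GitHub repository): a tracer that stops the tracee at every syscall with PTRACE_SYSCALL, reads the registers at the syscall-entry stop to check for write(2, buf, len), and copies buf out of the tracee with PTRACE_PEEKDATA. The function names (`trace_stderr_until_exit`, `capture_child_stderr`, `peek_bytes`, `syscall_args`) and the child's demo strings are assumptions made for the example. The demo path forks a child that traces itself with PTRACE_TRACEME, which needs no special privileges; for a running process the same loop is entered after PTRACE_ATTACH plus waitpid, which needs CAP_SYS_PTRACE or a Yama ptrace_scope that allows it.

```c
/* Capture what another process writes to fd 2: attach (or TRACEME) -> PTRACE_SYSCALL
 * -> waitpid -> GETREGS -> PEEKDATA. Linux only. Build: gcc -Wall -o stderr_trace stderr_trace.c */
#define _GNU_SOURCE
#include <elf.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>

#define STDERR_MSG "hello stderr\n"   /* constructed demo input written by the child */

/* Syscall number and first three arguments at a syscall-entry stop. */
static int syscall_args(pid_t pid, unsigned long *nr, unsigned long a[3])
{
#if defined(__x86_64__)
    struct user_regs_struct r;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &r) == -1) return -1;
    *nr = r.orig_rax; a[0] = r.rdi; a[1] = r.rsi; a[2] = r.rdx;
#elif defined(__aarch64__)
    struct user_regs_struct r;          /* arm64 has no PTRACE_GETREGS: use GETREGSET */
    struct iovec iov = { &r, sizeof r };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)NT_PRSTATUS, &iov) == -1) return -1;
    *nr = r.regs[8]; a[0] = r.regs[0]; a[1] = r.regs[1]; a[2] = r.regs[2];
#else
#error "add the register mapping for this architecture"
#endif
    return 0;
}

/* Copy len bytes of tracee memory at addr into out, one word per PEEKDATA. Reads are
 * word-aligned so a buffer ending on a page boundary never touches the next page. */
static int peek_bytes(pid_t pid, unsigned long addr, char *out, size_t len)
{
    for (size_t done = 0; done < len; ) {
        unsigned long base = (addr + done) & ~(sizeof(long) - 1);
        size_t skip = (addr + done) - base;
        errno = 0;                      /* -1 may be data; only errno means failure */
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)base, NULL);
        if (word == -1 && errno) return -1;
        size_t n = sizeof(long) - skip;
        if (n > len - done) n = len - done;
        memcpy(out + done, (char *)&word + skip, n);  /* little-endian assumed */
        done += n;
    }
    return 0;
}

/* Drive a tracee that is already in a ptrace stop until it exits, collecting every
 * write(2, buf, len) into out. Returns bytes captured, or -1 on a tracer error. */
int trace_stderr_until_exit(pid_t pid, char *out, size_t outlen)
{
    /* TRACESYSGOOD tags syscall-stops as SIGTRAP|0x80, unlike a real SIGTRAP. */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD) == -1)
        return -1;
    size_t got = 0;
    int status, sig = 0, in_syscall = 0;
    for (;;) {
        /* Restart, re-injecting real signals; sig 0 on the first pass swallows the
         * SIGSTOP left pending by PTRACE_ATTACH or raise(SIGSTOP). */
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1) return -1;
        if (waitpid(pid, &status, 0) == -1) return -1;
        if (!WIFSTOPPED(status)) break;                   /* tracee exited or was killed */
        sig = 0;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) { sig = WSTOPSIG(status); continue; }
        in_syscall = !in_syscall;                         /* stops alternate entry, exit */
        if (!in_syscall) continue;
        unsigned long nr, a[3];
        if (syscall_args(pid, &nr, a) == -1) return -1;
        if (nr != SYS_write || a[0] != 2) continue;       /* not write(2, ...) */
        size_t n = a[2] < outlen - got ? a[2] : outlen - got;
        if (peek_bytes(pid, a[1], out + got, n) == -1) return -1;
        got += n;
    }
    return (int)got;
}

/* Fork a demo child traced from birth via PTRACE_TRACEME and return what it wrote to
 * stderr; -2 means the kernel refused tracing (seccomp, Yama ptrace_scope 3). */
int capture_child_stderr(char *out, size_t outlen)
{
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(99);
        raise(SIGSTOP);                                   /* let the tracer set options */
        (void)!write(1, "stdout is not captured\n", 23);
        (void)!write(2, STDERR_MSG, sizeof STDERR_MSG - 1);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    if (!WIFSTOPPED(status)) return WIFEXITED(status) && WEXITSTATUS(status) == 99 ? -2 : -1;
    return trace_stderr_until_exit(pid, out, outlen);
}

int main(void)
{
    char buf[4096];
    int n = capture_child_stderr(buf, sizeof buf);
    if (n < 0) return fprintf(stderr, "tracing failed (%d)\n", n), 1;
    printf("captured %d bytes from fd 2: %.*s", n, n, buf);
    return 0;
}
```

To use this against a running process instead of a child, replace the fork with `ptrace(PTRACE_ATTACH, pid, NULL, NULL)` followed by `waitpid(pid, &status, 0)` (the attach leaves the tracee in a SIGSTOP stop, which the loop's first restart swallows), then call `trace_stderr_until_exit`. Things to keep in mind when turning this into a production tracer: filtering on SYS_write alone misses writev, pwrite and anything sent to a descriptor that was dup'd from fd 2; the entry/exit toggle is a simplification, and on Linux 5.3+ PTRACE_GET_SYSCALL_INFO reports entry versus exit and the arguments in an architecture-independent way; the buffer is read at syscall entry, so you see what the program asked to write, not the count the kernel actually accepted; and a multi-threaded tracee needs every thread traced (PTRACE_O_TRACECLONE or attaching to each TID), since only the traced thread stops.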