I do know that strace uses ptrace to do the job,
but it needs to run the target process with TRACE_ME on,
which don't apply for the case of an already running process.
how does it work on an already running process?
strace -p <PID> ----> To attach a process to strace. "-p" option is for PID of the process.
strace -e trace=read,write -p <PID> --> By this you can also trace a process/program for an event, like read and write (in this example). So here it will print all such events that include read and write system calls by the process.
Other such examples
-e trace= network (Trace all the network related system calls.)
-e trace=signal (Trace all signal related system calls.)
-e trace=ipc (Trace all IPC related system calls.)
-e trace=desc (Trace all file descriptor related system calls.)
-e trace=memory (Trace all memory mapping related system calls.)
and many more..
trace is one of the many options you can use with -e option.
Press Ctrl-C to abbort the tracing by strace.
Check HELP section for brief summary on strace by typing strace -h
and man page for detailed info.
NOTE: A traced process runs slowly.
The details of ptrace() are OS-specific.
On Linux, a child may request to be traced by its parent with ptrace(PTRACE_TRACEME, ...); but, alternatively, a process may attach itself to another process with ptrace(PTRACE_ATTACH, ...).
See the Linux ptrace(2) man page (and, if you really want the fine details, the strace source, and kernel source starting at kernel/ptrace.c).
来源:https://stackoverflow.com/questions/7482076/how-does-strace-connect-to-an-already-running-process