Process already attached by a tracer

[allenaigit]

This isn't really a bug, but it's a very confusing situation when encountered and I think it's worth at least being mentioned here.

To reproduce: attach to a process (say process ID 1000) with gdb or strace, then try to attach to the same process with scanmem. scanmem will produce error "failed to attach" as a result.

Suggestion: check the process's status before attempting to attach, and return a clear message to let user know the reason of failed attachment is due to the process already being traced. e.g. check the return of grep TracerPid /proc/$PID/status and if it isn't 0, a process has already attached to it.

Why this was important to me: I was poking around TotalWar Three Kingdoms and noticed that GameConqueror always returns 0 address disregard of value to search for. So I tried again with scanmem directly and got the error "failed to attach". However since both the game process and GC are all launched by me (under my username) and that I have sudo access, it is really weird I'd run into any kind of permission issues. After quite some time digging around google I finally nailed the problem to that game process already has tracer attached. That attached thing is made by game publisher to pass signals between their "launcher" and the game itself, so I killed the attached process and now I have full access to the game's memory again.

When I first launch the game, this is what I get with scanmem:

error: failed to attach to 79436, Operation not permitted
error: failed to search target address space.

This is because:

root:~# grep TracerPid /proc/79436/status
TracerPid:	79435

[12345ieee]

Yes, a program tracing itself is a common defense against memory editors on linux.

I welcome a PR that adds this feature to scanmem, but I can't promise I'll work on it myself.