Tracy is a system call tracing, modification and injection framework for Linux, written entirely in C and some assembly. Tracy aims to be mostly cross architecture; and the API is platform agnostic with some platform specific extensions, where required.

Tracy makes use of the ptrace system call but attempts to provide a much higher level API to system call tracing than ptrace does. Using the low level ptrace interface in combination with Tracy is also possible, but not recommended.

See Tracy/TODO for the current limitations

Tracy will probably see some more extensions soon, we will shift the focus a bit more on debugging and tracing in general. This means that not all functions will be 100% "safe" (as in: if programmers want to mess with the debugger, they may be able to do so) but such functionality will clearly be labelled as such. Planned:



Past events: (Note: There is still no proper detailed video of tracy available due to recording at several large events failing -- the FOSDEM one is too short and lacks some details, the OHM one had a complete failure wrt recording and the openfest one is decent if you do not care about A/V syncing)

Short term goals


Cross architecture system call tracing is complicated. All the architectures differ on a low level; a level typically not visible to programmers and only touched by compilers.

Every architecture has its own different set (and number) of registers; and Linux (obviously) has an system call ABI for each architecture. In some cases, Linux supports multiple system call ABIs per architecture. (For example on AMD64 and ARM architectures)

Writing a cross-architecture system call tracer is thus not an easy task. A simple look at strace ( shows how terrible the code can become: countless compiler directives and functions that grow to monstrous sizes.

Tracy aims to provide a (mostly) cross platform API to system call tracing; with some additions:


Currently the only supported platform is Linux; and the supported architectures are:

Source code

Currently, the source is hosted on Github


Documentation can be found in the "doc" folder in the source repository. We use the sphinx documentation tool for our documentation; for (possibly outdated) online documentation, see

Contributing / Contact

Projects using Tracy

The following projects are known to use Tracy:

If you are using Tracy, please let us know, see Contact.


A very basic example in C:

   1 #include <stdlib.h>
   2 #include "tracy.h"
   4 int hook_write(struct tracy_event * e) {
   5     if (e->child->pre_syscall) {
   6         if(e->args.a0 == 1) {
   7             return TRACY_HOOK_DENY;
   8         }
   9     }
  11     return TRACY_HOOK_CONTINUE;
  12 }
  14 int main(int argc, char** argv) {
  15     struct tracy * tracy;
  17     tracy = tracy_init(TRACY_TRACE_CHILDREN | TRACY_VERBOSE);
  19     if (tracy_set_hook(tracy, "write", TRACY_ABI_NATIVE, hook_write)) {
  20         fprintf(stderr, "Could not hook write\n");
  21         return EXIT_FAILURE;
  22     }
  24     if (argc < 2) {
  25         printf("Usage: ./example <program-name>\n");
  26         return EXIT_FAILURE;
  27     }
  29     argv++; argc--;
  31     if (!tracy_exec(tracy, argv)) {
  32         perror("tracy_exec");
  33         return EXIT_FAILURE;
  34     }
  36     tracy_main(tracy);
  38     tracy_free(tracy);
  40     return EXIT_SUCCESS;
  41 }

Tracy (last edited 2015-10-04 21:30:02 by MerlijnWajer)