TL;DR

1. summary
   • ptrace make tracee stop on ptrace hook and notify tracer [1][2]
   • tracer use ptrace syscall to get tracee registers and memory [3][4]
   • strace pretty output syscall name and argument according to tracee registers and memory
     • strace get tracee registers and memory at tracee enter and exit syscall
2. ptrace
   • tracee call ptrace(PTRACE_TRACEME) to set process status to PT_PTRACED
   • tracee enter syscall execute ptrace hook tracehook_report_syscall_entry notify tracer
   • tracee exit syscall execute ptrace hook tracehook_report_syscall_exit notify tracer
3. strace
   • tracee call ptrace set process status to PT_PTRACED [5]
   • strace call wait tracee resume
   • strace call ptrace to get tracee registers and memory [6][7]
   • strace parse syscall name according to register value
   • strace print syscall argument, such as: open

links:

• [1] ptrace syscall enter hook
• [2] ptrace syscall exit hook
• [3] ptrace get tracee registers
• [4] ptrace get tracee memory
• [5] ptrace PTRACE_TRACEME option
• [6] strace get tracee registers
• [7] strace get tracee memory