Ever had to strace a process, got all this information, and honestly did not need half of it?
What if you want to see which files the process opens?
How about what the script executes? And what the environment is, like cwd (current working directory) and other variables that may change the results of the output?
Or did you want to see how your memory is mapped and used during that process?
I've written a script that does all of the above. I've tried not to miss anything, but I may have, and if I have, please let me know.
Here is the script:
Code:
[root@hsvz41.dal.tektonic.net ~]# cat stracereader
#!/bin/bash
#strace decoder/reader. Written by: Greg Borbonus
echo -e "\t\t\tStrace Processor"
echo -e "\t This utility will help you to see exactly what a process is doing"
echo -e ""
echo -e ""
echo -e "File processed by this reader should have been run with the following format:"
echo -e "strace -Ffvs 4096 -o /path/to/output/file COMMAND"
echo -e ""
echo -e ""

# Trace file from the command line, or ask for it; stop if it cannot be read.
if [ -z "$1" ]; then
    echo -n "Which strace file would you like to view? "
    read file
else
    file=$1
fi
if [ ! -r "$file" ]; then
    echo "Cannot read $file"
    exit 1
fi

# Print every execve line on stdin as a Command: block followed by its
# ENVIRONMENT: block (the environment is only in the trace with strace -v).
# Spaces become ':::' so the for loop splits only on the newline that replaces
# the "]," between argv and the environment; the environment half is the one
# that carries HOSTNAME=.
show_execs() {
    for i in $(cut -d'(' -f2 \
               |sed -e s/'\],'/"\n"/g \
               |sed -e s/' '/':::'/g); do
        chk=$(echo "$i" | grep 'HOSTNAME')
        if [ -z "$chk" ]; then
            echo Command:
            echo -e "$i" \
            |sed -e s/':::'//g \
            |sed -e s/',\['/"\n\t"/g \
            |sed -e s/'"'//g \
            |sed -e s/','/' '/g
        else
            echo ENVIRONMENT:
            echo "$i" \
            |cut -d'[' -f2 \
            |cut -d']' -f1 \
            |sed -e s/':::'//g \
            |sed -e s/','/"\n\t"/g \
            |sed -e s/'"'//g
        fi
    done
}

echo -e "OPTIONS:"
echo -e "\t1\tShow which files were Opened"
echo -e "\t2\tShow what was executed with environment"
echo -e "\t3\tShow Memory Mapping and protection"
echo -e "\t4\tSHOW Environment at time of execution"
echo -ne "\nPlease select your option: "
read option

case $option in
1)
    # open("path", flags[, mode]) = fd  ->  path, flags, fd
    # Once the quotes and ')' are stripped and '=' becomes ',', the fields are
    # comma separated and the return value (fd, or -1 ERRNO) is always the last one.
    echo -e "File\t\t\t\t\t\t\tSTATUS\t\t\t\t\tHANDLE\n\n"
    grep 'open(' "$file" \
    |cut -d'(' -f2 \
    |sed -e s/'"'//g \
    |sed -e s/')'//g \
    |sed -e s/'='/','/g \
    |awk -F',' '{
        # pad each column out to a fixed number of tab stops
        length1=7-(int(length($1)/8)); for (i=0;i<length1;i++){ tab=tab"\t" }
        length2=5-(int(length($2)/8)); for (t=0;t<length2;t++){ tab2=tab2"\t" }
        print $1 tab $2 tab2 $NF; tab=""; tab2=""; }'
    ;;
2)
    #execs
    #Grab all execve, and Environments (the "resumed" half of a call that
    #strace split over two lines carries no arguments, so it is dropped)
    grep 'execve' "$file" | grep -v 'resumed' | show_execs
    ;;
3)
    echo -e "Memory Process \t Bytes\t\t\tWR Protocol\t\t\tMap Protocol\t\t\tMem Sector"
    # page length for pr: one page holds every entry, with some slack
    lngth=$(grep -c 'mmap(\|mprotect' "$file" | awk '{print $1+10}')
    # '(', ')', '=' and ',' all become spaces, so with the pid from strace -f
    # in field 1 awk sees:
    #   mmap     ADDR SIZE PROT FLAGS FD OFFSET RESULT   (fields 2..9)
    #   mprotect ADDR SIZE PROT 0                        (fields 2..6)
    grep 'mmap(\|mprotect' "$file" \
    |sed -e s/'=\|)\|('/','/g \
    |sed -e s/' '/','/g \
    |sed -e s/','/' '/g \
    |sed -e s/'mprotect'/'mpro...'/g \
    |awk '{
        # mprotect has no flags/result fields: move its address into the result slot
        if ($6 == "0"){ $9=$3; $6="" }
        # the first argument (an address, or NULL) is not shown; the size takes its place
        $3=$4
        print $2"\t "$3"\n"$5"\n"$6"\n"$9 }' \
    |pr --columns=4 -a -W 140 -l $lngth -t
    ;;
4)
    #Env of the traced command itself: its execve is the first line of the trace
    head -n 1 "$file" | show_execs
    ;;
*)
    echo "You picked an invalid option. Please try again"
    exit
    ;;
esac
Please feel free to edit it, but please leave the credits in place.
Here's a small sample of the open files output:
Code:
File                                                    STATUS                                  HANDLE


/lib64/libtermcap.so.2                                  O_RDONLY                                3
/lib64/libdl.so.2                                       O_RDONLY                                3
/lib64/libc.so.6                                        O_RDONLY                                3
/dev/tty                                                O_RDWR|O_NONBLOCK                       3
/usr/lib/locale/locale-archive                          O_RDONLY                                3
/proc/meminfo                                           O_RDONLY                                3
/usr/lib64/gconv/gconv-modules.cache                    O_RDONLY                                3
/dev/null                                               O_WRONLY|O_CREAT|O_TRUNC                0666
Here is a small sample of memory mapping:
Code:
mmap     8192    PROT_READ|PROT_WRITE    MAP_PRIVATE|MAP_FIXED|MAP_DENYWRIT    0x389b481000
mmap     4096    PROT_READ|PROT_WRITE    MAP_PRIVATE|MAP_ANONYMOUS             0x2b42850a4000
mmap     4096    PROT_READ|PROT_WRITE    MAP_PRIVATE|MAP_ANONYMOUS             0x2b42850a5000
mpro...  4096    PROT_READ                                                     0x389a402000
mpro...  4096    PROT_READ                                                     0x389b801000
mpro...  16384   PROT_READ                                                     0x389a149000
mpro...  4096    PROT_READ                                                     0x3899c1a000
mpro...  4096    PROT_READ                                                     0x389b481000
mmap     4096    PROT_READ|PROT_WRITE    MAP_PRIVATE|MAP_ANONYMOUS             0x2b4285099000
mmap     4096    PROT_READ|PROT_WRITE    MAP_PRIVATE|MAP_ANONYMOUS             0x2b428509c000
Here is a sample output of executed commands and environment (certain information has been removed for security purposes):
Code:
Command:
/usr/sbin/vzlicview
    vzlicview --check-status
ENVIRONMENT:
    HOSTNAME=hostname
    SHELL=/bin/bash
    TERM=vt100
    HISTSIZE=1000
    SSH_CLIENT=***********
    SSH_TTY=/dev/pts/0
    USER=root
    LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
    PATH=/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
    MAIL=/var/spool/mail/root
    _=/usr/sbin/vzlicview
    PWD=/root
    INPUTRC=/etc/inputrc
    LANG=en_US.UTF-8
    HOME=/root
    SHLVL=2
    LOGNAME=root
    SSH_CONNECTION=**********
    LESSOPEN=|/usr/bin/lesspipe.sh%s
    G_BROKEN_FILENAMES=1
Save the script under any filename you like, put it in /bin, and change its permissions to 0700 (don't let users other than root run it); otherwise, save it in a directory and run it with the path.
I hope this helps you guys. I know I'm glad I did this; it has saved me tons of time already.
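As an added example (not the script from the post, and not anything its author wrote), here is a Python reader that pulls the same four reports out of a `strace -f -v -s 4096` log by parsing each call's argument list instead of cutting on commas and parentheses. It goes a little beyond the script: a three-argument open() reports the descriptor rather than the mode, a failed open() reports its errno, a call that strace -f split across `<unfinished ...>` and `<... resumed>` lines is stitched back together, and mappings that are writable and executable at once are listed separately, since those are the first rows to look at when reviewing a trace. The trace in SAMPLE_TRACE is constructed for the example, and the openat() handling is an assumption about newer strace output rather than anything on the page.

```python
"""Structured reader for `strace -f -v -s 4096` output (an added example, not the
stracereader script from the post).  It extracts what the script's four options show
but parses the arguments, so a three-argument open(), a failed call and a call that
strace -f split over '<unfinished ...>' / '<... resumed>' lines all come out right.
SAMPLE_TRACE is constructed for this example."""
import re

# A complete syscall line: optional pid prefix (strace -f), name, arguments, "= result".
LINE_RE = re.compile(r'^(?:(?P<pid>\d+)\s+)?(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>.*)$')
RESUMED_RE = re.compile(r'^(?:(?P<pid>\d+)\s+)?<\.\.\. \w+ resumed>(?P<rest>.*)$')
UNFINISHED = '<unfinished ...>'
TOKEN_RE = re.compile(r'"(?:\\.|[^"\\])*"|[^",]+|,')  # quoted string (escapes kept), other text, comma

def join_split_calls(lines):
    """Reassemble calls strace -f printed in two halves (one pending call per pid)."""
    pending = {}
    for line in lines:
        line, m = line.rstrip('\n'), RESUMED_RE.match(line)
        if line.endswith(UNFINISHED):
            head = line[:-len(UNFINISHED)].rstrip()
            pending[head.split(' ', 1)[0] if head[:1].isdigit() else None] = head
        elif m and m.group('pid') in pending:
            yield pending.pop(m.group('pid')) + m.group('rest')
        elif not m:
            yield line

def split_args(text):
    """Split at top-level commas only, honouring "..." strings and [...] / {...} nesting."""
    args, buf, depth = [], '', 0
    for tok in TOKEN_RE.findall(text):
        if tok == ',' and depth == 0:
            args.append(buf.strip())
            buf = ''
        else:
            buf += tok
            if not tok.startswith('"'):
                depth += tok.count('[') + tok.count('{') - tok.count(']') - tok.count('}')
    return args + [buf.strip()] if buf.strip() else args

def unquote(token):
    """Strip the double quotes strace puts around string arguments."""
    return token[1:-1] if len(token) >= 2 and token[0] == token[-1] == '"' else token

def parse_list(token):
    """["a", "b"] -> ['a', 'b']  (without -v strace prints [/* N vars */], kept as-is)."""
    return [unquote(t) for t in split_args(token[1:-1] if token[:1] == '[' else token)]

def parse_trace(lines):
    """One dict per open/openat/execve/mmap/mprotect call; other lines are skipped."""
    records = []
    for line in join_split_calls(lines):
        m = LINE_RE.match(line)
        if not m:
            continue  # signals, '+++ exited with N +++' and the like
        name, ret, args = m.group('name'), m.group('ret').strip(), split_args(m.group('args'))
        failed = ret.startswith('-1')
        rec = {'pid': int(m.group('pid')) if m.group('pid') else None, 'call': name, 'ok': not failed,
               'error': ret.split()[1] if failed and ' ' in ret else None}
        if name in ('open', 'openat'):
            p = 1 if name == 'openat' else 0  # openat(dirfd, path, flags[, mode]); assumed layout
            rec.update(path=unquote(args[p]), flags=args[p + 1], fd=None if failed else int(ret))
        elif name == 'execve':
            env = (e.partition('=') for e in parse_list(args[2]))
            rec.update(path=unquote(args[0]), argv=parse_list(args[1]), env={k: v for k, _, v in env})
        elif name == 'mmap':
            rec.update(addr=args[0], length=int(args[1]), prot=args[2], flags=args[3],
                       mapped_at=None if failed else ret)
        elif name == 'mprotect':
            rec.update(addr=args[0], length=int(args[1]), prot=args[2], flags='', mapped_at=args[0])
        else:
            continue
        records.append(rec)
    return records

def opened_files(records):
    """Option 1: (path, flags, fd or errno); the handle is the return value, not the mode."""
    return [(r['path'], r['flags'], r['fd'] if r['ok'] else r['error'])
            for r in records if r['call'] in ('open', 'openat')]

def executed(records):
    """Options 2 and 4: (pid, path, argv, env dict) for each successful execve."""
    return [(r['pid'], r['path'], r['argv'], r['env']) for r in records if r['call'] == 'execve' and r['ok']]

def memory_maps(records):
    """Option 3: (call, bytes, prot, flags, address); a failed mmap has address None."""
    return [(r['call'], r['length'], r['prot'], r['flags'], r['mapped_at'])
            for r in records if r['call'] in ('mmap', 'mprotect')]

def writable_executable(records):
    """Mappings that are writable and executable at once: the rows to look at first."""
    return [row for row in memory_maps(records) if 'PROT_WRITE' in row[2] and 'PROT_EXEC' in row[2]]

# Constructed sample in the layout `strace -f -v -s 4096 -o file` writes (pid on every line).
SAMPLE_TRACE = """\
12345 execve("/usr/sbin/vzlicview", ["vzlicview", "--check-status"], ["HOSTNAME=hostname", "PATH=/usr/sbin:/usr/bin:/bin", "PWD=/root"]) = 0
12345 open("/etc/ld.so.nohwcap", O_RDONLY) = -1 ENOENT (No such file or directory)
12345 open("/dev/null", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
12345 mmap(0x389b481000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x389b481000
12345 mprotect(0x389a402000, 4096, PROT_READ) = 0
12345 mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2b4285099000
12346 execve("/bin/sh", ["sh", "-c", "hostname"], ["PATH=/bin"]) = 0
12346 open("/etc/passwd", O_RDONLY <unfinished ...>
12346 <... open resumed> ) = 3
"""
```

To use it on a real log, pass the open file to `parse_trace` (for example `records = parse_trace(open('/path/to/output/file'))`) and print whichever of `opened_files`, `executed`, `memory_maps` or `writable_executable` you need. The argument splitter is the piece that matters: once each call is a list of arguments, the return value is always the thing after `=`, so the handle column cannot be confused with a mode, and the environment list can be turned into a dict even when values contain commas or `=`.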


