Strace Reader

Discussion in 'General Discussion' started by darklord1, Aug 9, 2009.

    darklord1, Well-Known Member
    Ever had to strace a process, got all this information, and honestly did not need half of it?

    What if you want to see which files the process opens?

    How about what the script executes? And what's the environment, like the cwd (current working directory) and other variables which may change the results of the output?

    Or, did you want to see how your memory is mapped and utilized during that process?

    I've written a script that does all of the above. I've tried not to miss anything, but I may have; if I have, please let me know.

    Here is the script:

    Code:
    [root@hsvz41.dal.tektonic.net ~]# cat stracereader 
    #!/bin/bash
    #strace decoder/reader. Written by: Greg Borbonus
    
    echo -e "\t\t\tStrace Processor"
    echo -e "\t This utility will help you to see exactly what a process is doing"
    echo -e ""
    echo -e ""
    echo -e "File processed by this reader should have been run with the following format:"
    echo -e "strace -Ffvs 4096 -o /path/to/output/file COMMAND"
    echo -e ""
    echo -e ""
    
    # Take the strace output file from the command line, or ask for it.
    if [ -z "$1" ];then
    
     echo -n "Which strace file would you like to view? "
     read -r file;
    
    else
    echo 
     file=$1
    
    fi
    
    # Stop here instead of feeding grep a file we cannot read.
    if [ ! -r "$file" ]; then
        echo "Cannot read strace file: $file"
        exit 1
    fi
    
    echo -e "OPTIONS:"
    echo -e "\t1\tShow which files were Opened"
    echo -e "\t2\tShow what was executed with environment"
    echo -e "\t3\tShow Memory Mapping and protection"
    echo -e "\t4\tSHOW Environment at time of execution"
    echo -ne "\nPlease select your option: "
    read -r option
    
    case $option in 
    
            1) #opens
            # Turn every  open("path", FLAGS) = fd  line into three comma-separated
            # fields: path, flags, fd. When open() was given a mode (O_CREAT), the
            # third field is the mode rather than the descriptor. Only open() is
            # matched; a libc that calls openat() instead will not show up here.
            echo -e "File\t\t\t\t\t\t\tSTATUS\t\t\t\t\tHANDLE\n\n"
            grep 'open(' "$file" \
            |cut -d'(' -f2\
            |sed -e s/'"'//g\
            |sed -e s/')'//g\
            |sed -e s/'='/'\,'/g\
            |awk -F',' '{
                # pad the first two columns with tabs so the fields line up
                length1=7-(int(length($1)/8)) ;
                     for (i=0;i<length1;i++){
                            tab=tab"\t"
                     } 
                length2=5-(int(length($2)/8));
                     for (t=0;t<length2;t++){
                            tab2=tab2"\t"
                     }
            print  $1 tab $2 tab2 $3; 
            tab="";
            tab2="";
             }'
    
            ;;
            2) #execs
    
            #Grab all execve, and Environments.
            #Spaces become ':::' so the for loop sees one item per argument array;
            #the environment array is recognised by its HOSTNAME variable.
    
             for i in `grep  'execve' "$file" \
                    |grep -v 'resumed'\
                    |cut -d'(' -f2\
                    |sed -e s/'\],'/"\n"/g\
                    |sed -e s/' '/':::'/g`; do 
    
                chk=`echo "$i"|grep 'HOSTNAME'`; 
                    if [ -z "$chk" ]; then 
                       echo Command:;
                       echo -e "$i"\
                       |sed -e s/':::'//g\
                       |sed -e s/',\['/"\n\t"/g\
                       |sed -e s/'"'//g\
                       |sed -e s/','/' '/g;
                    else 
                       echo ENVIRONMENT:
                       echo "$i"\
                       |cut -d[ -f2\
                       |cut -d] -f1\
                       |sed -e s/':::'//g\
                       |sed -e s/','/"\n\t"/g\
                       |sed -e s/'"'//g;
                    fi;
            done
            ;;
            3) #mmap and mprotect
              echo -e "Memory Process \t Bytes\t\t\tWR Protocol\t\t\tMap Protocol\t\t\tMem Sector"
    
              # page length for pr: number of matching lines plus some slack
              lngth=`grep -c 'mmap(\|mprotect' "$file"|awk '{print $1+10}'`;
    
              # Fields after the sed passes (PID prefix from -F/-f is $1):
              # $2 syscall, $3 address or NULL, $4 length, $5 prot, $6 flags
              # (or the result "0" for mprotect), $9 the returned mapping address.
              grep 'mmap(\|mprotect' "$file" \
              |sed -e s/'=\|)\|('/','/g\
              |sed -e s/' '/','/g\
              |sed -e s/','/' '/g\
              |sed -e s/'mprotect'/'mpro...'/g\
              |awk '{
    
                 if ($6 == "0"){
                    $9=$3;
                    $6=""
                 }
                 # the length is always the second argument, whether the first
                 # was NULL or an address, so move it into the Bytes column
                 $3=$4
                print $2"\t "$3"\n"$5"\n"$6"\n"$9
            }'\
            |pr --columns=4 -a -W 140 -l "$lngth" -t
            ;;
            4) #Env
            # The first line of the trace is the execve of the traced command itself.
    
            for i in `head -1 "$file"\
                            |cut -d'(' -f2\
                            |sed -e s/'\],'/"\n"/g\
                            |sed -e s/' '/':::'/g`
             do 
                chk=`echo "$i"|grep 'HOSTNAME'`; 
                    if [ -z "$chk" ]; then 
                            echo Command:
                              echo -e "$i"\
                              |sed -e s/':::'//g\
                              |sed -e s/',\['/"\n\t"/g\
                              |sed -e s/'"'//g\
                              |sed -e s/','/' '/g;
                    else 
                            echo ENVIRONMENT:;
                              echo "$i"\
                              |cut -d[ -f2\
                              |cut -d] -f1\
                              |sed -e s/':::'//g\
                              |sed -e s/','/"\n\t"/g\
                              |sed -e s/'"'//g;
                    fi;
            done
    
            ;;
            *)
            echo "You picked an invalid option. Please try again"
            exit 1
            ;;
    esac
    

    Please feel free to edit it, but please leave the credits in place.

    Here's a small sample of the open files output:

    Code:
    File                                                    STATUS                                  HANDLE
    /lib64/libtermcap.so.2                                   O_RDONLY                                3
    /lib64/libdl.so.2                                        O_RDONLY                                3
    /lib64/libc.so.6                                         O_RDONLY                                3
    /dev/tty                                                 O_RDWR|O_NONBLOCK                       3
    /usr/lib/locale/locale-archive                           O_RDONLY                                3
    /proc/meminfo                                            O_RDONLY                                3
    /usr/lib64/gconv/gconv-modules.cache                     O_RDONLY                                3
    /dev/null                                                O_WRONLY|O_CREAT|O_TRUNC                0666

    Here is a small sample of memory mapping:

    Code:
    mmap     8192                      PROT_READ|PROT_WRITE               MAP_PRIVATE|MAP_FIXED|MAP_DENYWRIT 0x389b481000
    mmap     4096                      PROT_READ|PROT_WRITE               MAP_PRIVATE|MAP_ANONYMOUS          0x2b42850a4000
    mmap     4096                      PROT_READ|PROT_WRITE               MAP_PRIVATE|MAP_ANONYMOUS          0x2b42850a5000
    mpro...  4096                      PROT_READ                                                             0x389a402000
    mpro...  4096                      PROT_READ                                                             0x389b801000
    mpro...  16384                     PROT_READ                                                             0x389a149000
    mpro...  4096                      PROT_READ                                                             0x3899c1a000
    mpro...  4096                      PROT_READ                                                             0x389b481000
    mmap     4096                      PROT_READ|PROT_WRITE               MAP_PRIVATE|MAP_ANONYMOUS          0x2b4285099000
    mmap     4096                      PROT_READ|PROT_WRITE               MAP_PRIVATE|MAP_ANONYMOUS          0x2b428509c000

    Here is a sample output of executed commands and environment (certain information has been removed for security purposes):

    Code:
    Command:
    /usr/sbin/vzlicview
            vzlicview --check-status
    ENVIRONMENT:
    HOSTNAME=hostname
            SHELL=/bin/bash
            TERM=vt100
            HISTSIZE=1000
            SSH_CLIENT=***********
            SSH_TTY=/dev/pts/0
            USER=root
            LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=01;32:*.cmd=01;32:*.exe=01;32:*.com=01;32:*.btm=01;32:*.bat=01;32:*.sh=01;32:*.csh=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.bz=01;31:*.tz=01;31:*.rpm=01;31:*.cpio=01;31:*.jpg=01;35:*.gif=01;35:*.bmp=01;35:*.xbm=01;35:*.xpm=01;35:*.png=01;35:*.tif=01;35:
            PATH=/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
            MAIL=/var/spool/mail/root
            _=/usr/sbin/vzlicview
            PWD=/root
            INPUTRC=/etc/inputrc
            LANG=en_US.UTF-8
            HOME=/root
            SHLVL=2
            LOGNAME=root
            SSH_CONNECTION=**********
            LESSOPEN=|/usr/bin/lesspipe.sh%s
            G_BROKEN_FILENAMES=1
    
    

    Save the script under any filename you'd like, put it in /bin, and change its permissions to 0700 (don't let users other than root run it); otherwise, save it in a directory and run it with the path.

    I hope this helps you guys. I know I'm glad I did this; it has saved me tons of time already.
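As an added example (not part of darklord1's post or script), here is a small Python reader for the same `strace -Ffvs 4096 -o FILE` output that recovers the opened files and the `execve()` calls with their environment without the cut/sed splitting: a path containing a comma, space or quote stays intact, `openat()` calls (which newer libc uses for `open()`) are picked up, and failed opens keep their errno name. The sample lines and the function names are my own; the `<unfinished ...>`/`resumed>` halves that `-f` emits when processes interleave are skipped here, as the script's `grep -v resumed` does.

```python
import re

# One strace line: optional PID prefix (from -f), syscall name, raw argument text, return value.
LINE_RE = re.compile(r"^(?:(\d+)\s+)?(\w+)\((.*)\)\s*=\s*(.*)$")
# Argument tokens: a C-style quoted string (escapes allowed), an array bracket, or a bare word.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\[|\]|[^\s,"\[\]]+')

def parse_args(text):
    # Unescape quoted strings (\" \\ \101 ...) and nest [...] arrays as lists, so a comma, space
    # or quote inside a path never splits it the way the post's cut/sed pipeline would.
    vals, stack = [], []
    for tok in TOKEN_RE.findall(text):
        if tok == "[":
            stack.append(vals)
            vals = []
        elif tok == "]":
            inner, vals = vals, stack.pop()
            vals.append(inner)
        elif tok[0] == '"':
            vals.append(tok[1:-1].encode("latin-1").decode("unicode_escape"))
        else:
            vals.append(tok)
    return vals

def records(lines):
    # (pid, syscall, parsed args, return text) for every complete syscall line; the
    # "<unfinished ...>" / "resumed>" halves strace -f emits do not match and are skipped.
    ms = (LINE_RE.match(line.rstrip("\n")) for line in lines)
    return [(m[1], m[2], parse_args(m[3]), m[4].strip()) for m in ms if m]

def opened_files(lines):
    # (path, flags, fd or errno name) per open()/openat(); modern glibc routes open() via openat()
    rows = []
    for _pid, call, args, ret in records(lines):
        if call in ("open", "openat"):
            path, flags = args[1:3] if call == "openat" else args[:2]
            rows.append((path, flags, ret.split()[1] if ret.startswith("-1") else ret.split()[0]))
    return rows

def execs(lines):
    # (program, argv, environment dict) per successful execve(); strace -v prints the whole environment
    return [(a[0], list(a[1]), dict(kv.split("=", 1) for kv in a[2] if "=" in kv))
            for _pid, call, a, ret in records(lines) if call == "execve" and ret == "0"]

# Constructed sample (not a real capture) in the "strace -Ffvs 4096 -o FILE" form the post asks for;
# the /tmp path holds a comma and embedded quotes on purpose.
SAMPLE = [
    '1234  execve("/usr/bin/id", ["id", "-u"], ["HOME=/root", "PATH=/usr/bin:/bin"]) = 0',
    '1234  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3',
    '1234  open("/tmp/a,b \\"c\\".log", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4',
    '1235  openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)',
]
```

To run it on a real trace, pass `open("/path/to/output/file")` (an iterable of lines) to `opened_files` or `execs` instead of `SAMPLE`.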