One of the things I’ve always found hard to do via ptrace is system-wide state: watching every process on a system for a behaviour “trend”. ptrace is simply not designed for that. Frysk tried to address it in a different way, but Systemtap does it in a very scriptable way.
So, lately I’ve been writing a series of articles around Systemtap, and while hacking up a script I found this tiny scriptlet very useful. It is simple as well, child’s play for the experienced Systemtap hackers out there. It watches every process on the system for fork/clone and prints the parent’s name and pid together with the new pid; it also watches for exec and prints the process name, pid and the executable being exec’d. The actual heavy lifting is done in 6 lines of code, which I find remarkable.
#! /usr/bin/env stap
probe begin {
    print("Tracking process creations .... \n\n")
}
# process.create (from the process tapset) fires in the parent once a
# fork/clone has produced a child; new_pid is the child's pid, while
# execname() and pid() describe the parent.
probe process.create {
    printf("%s (%d) created %d\n", execname(), pid(), new_pid)
}
# process.exec fires when a process calls exec; filename is the path handed
# to exec. It fires on the attempt, before the new image replaces the old
# one, so execname() still reports the caller's old name and a failed exec
# (e.g. a shell walking $PATH) shows up just like a successful one.
probe process.exec {
    printf("%s (%d) is exec'ing %s\n", execname(), pid(), filename)
}
probe end {
    print("All done!\n")
}
Example output. During this script run, I launched thunderbird from the gnome panel:
sudo ./stap -v ~/process_creation.stp
Pass 1: parsed user script and 43 library script(s) in 220usr/10sys/223real ms.
Pass 2: analyzed script: 5 probe(s), 7 function(s), 1 embed(s), 0 global(s) in 220usr/60sys/294real ms.
Pass 3: using cached .systemtap/cache/dd/stap_dd2b93e5305e7a0f5b95894e9f0d798a_2825.c
Pass 4: using cached .systemtap/cache/dd/stap_dd2b93e5305e7a0f5b95894e9f0d798a_2825.ko
Pass 5: starting run.
Tracking process creations ....

hald-runner (2128) created 21509
hald-runner (21509) is exec'ing /usr/lib64/hal/scripts/hal-system-killswitch-get-power
hal-system-kill (21509) created 21510
hal-system-kill (21510) is exec'ing /usr/bin/hal-is-caller-privileged
hal-system-kill (21509) created 21511
hal-system-kill (21511) is exec'ing /bin/basename
hal-system-kill (21509) is exec'ing /usr/lib64/hal/scripts/linux/hal-system-killswitch-get-power-linux
hal-system-kill (21509) created 21512
hal-system-kill (21512) is exec'ing /usr/libexec/hal-ipw-killswitch-linux
gnome-panel (3031) created 21513
gnome-panel (21513) created 21514
gnome-panel (21514) is exec'ing /usr/lib64/qt-3.3/bin/thunderbird
gnome-panel (21514) is exec'ing /usr/kerberos/bin/thunderbird
gnome-panel (21514) is exec'ing /usr/lib64/ccache/thunderbird
gnome-panel (21514) is exec'ing /usr/local/bin/thunderbird
gnome-panel (21514) is exec'ing /usr/bin/thunderbird
thunderbird (21514) created 21515
thunderbird (21515) is exec'ing /bin/uname
thunderbird (21514) is exec'ing /usr/lib64/thunderbird-2.0.0.14/thunderbird
thunderbird (21514) created 21516
thunderbird (21516) is exec'ing /usr/bin/dirname
thunderbird (21514) created 21517
thunderbird (21517) is exec'ing /bin/basename
thunderbird (21514) created 21518
thunderbird (21518) is exec'ing /usr/lib64/thunderbird-2.0.0.14/run-mozilla.sh
run-mozilla.sh (21518) created 21519
run-mozilla.sh (21519) is exec'ing /bin/basename
run-mozilla.sh (21518) created 21520
run-mozilla.sh (21520) is exec'ing /usr/bin/dirname
run-mozilla.sh (21518) created 21521
run-mozilla.sh (21521) created 21522
run-mozilla.sh (21522) is exec'ing /usr/bin/which
run-mozilla.sh (21518) created 21523
run-mozilla.sh (21523) is exec'ing /usr/lib64/thunderbird-2.0.0.14/thunderbird-bin