Cool little Systemtap scriptlet

One of the things I’ve always found hard to do via ptrace is system-wide state: watching all processes across a system for a behaviour “trend”. This is difficult because ptrace is not really designed for that. Frysk tried to address this in a different way, but Systemtap does it in a very scriptable way.

So, lately I’ve been writing a series of articles around Systemtap, and while hacking up a little script I found this tiny scriptlet very useful. It is also very simple, child’s play for the experienced Systemtap hackers out there. It simply watches every process for fork/clone and exec. On a fork or clone it prints the name and pid of the parent and the pid of the new process; on an exec it prints the process name, pid and the executable being exec’d. The actual heavy lifting is done in 6 lines of code, which I find remarkable.

#! /usr/bin/env stap

# Runs once when the script starts.
probe begin {
    print ("Tracking process creations .... \n\n")
}

# Fires on every fork/clone; new_pid is the pid of the new process.
probe process.create {
    printf("%s (%d) created %d\n", execname(), pid(), new_pid)
}

# Fires on every exec attempt; filename is the executable being exec'd.
probe process.exec {
    printf("%s (%d) is exec'ing %s\n", execname(), pid(), filename)
}

# Runs once when the script exits (e.g. on Ctrl-C).
probe end {
    print("All done!\n")
}

Example output. During this run of the script, I launched thunderbird from the gnome panel:

sudo ./stap -v ~/process_creation.stp 

Pass 1: parsed user script and 43 library script(s) in 220usr/10sys/223real ms.
Pass 2: analyzed script: 5 probe(s), 7 function(s), 1 embed(s), 0 global(s) in 220usr/60sys/294real ms.
Pass 3: using cached .systemtap/cache/dd/stap_dd2b93e5305e7a0f5b95894e9f0d798a_2825.c
Pass 4: using cached .systemtap/cache/dd/stap_dd2b93e5305e7a0f5b95894e9f0d798a_2825.ko
Pass 5: starting run.
Tracking process creations .... 

hald-runner (2128) created 21509
hald-runner (21509) is exec'ing /usr/lib64/hal/scripts/hal-system-killswitch-get-power
hal-system-kill (21509) created 21510
hal-system-kill (21510) is exec'ing /usr/bin/hal-is-caller-privileged
hal-system-kill (21509) created 21511
hal-system-kill (21511) is exec'ing /bin/basename
hal-system-kill (21509) is exec'ing /usr/lib64/hal/scripts/linux/hal-system-killswitch-get-power-linux
hal-system-kill (21509) created 21512
hal-system-kill (21512) is exec'ing /usr/libexec/hal-ipw-killswitch-linux
gnome-panel (3031) created 21513
gnome-panel (21513) created 21514
gnome-panel (21514) is exec'ing /usr/lib64/qt-3.3/bin/thunderbird
gnome-panel (21514) is exec'ing /usr/kerberos/bin/thunderbird
gnome-panel (21514) is exec'ing /usr/lib64/ccache/thunderbird
gnome-panel (21514) is exec'ing /usr/local/bin/thunderbird
gnome-panel (21514) is exec'ing /usr/bin/thunderbird
thunderbird (21514) created 21515
thunderbird (21515) is exec'ing /bin/uname
thunderbird (21514) is exec'ing /usr/lib64/thunderbird-2.0.0.14/thunderbird
thunderbird (21514) created 21516
thunderbird (21516) is exec'ing /usr/bin/dirname
thunderbird (21514) created 21517
thunderbird (21517) is exec'ing /bin/basename
thunderbird (21514) created 21518
thunderbird (21518) is exec'ing /usr/lib64/thunderbird-2.0.0.14/run-mozilla.sh
run-mozilla.sh (21518) created 21519
run-mozilla.sh (21519) is exec'ing /bin/basename
run-mozilla.sh (21518) created 21520
run-mozilla.sh (21520) is exec'ing /usr/bin/dirname
run-mozilla.sh (21518) created 21521
run-mozilla.sh (21521) created 21522
run-mozilla.sh (21522) is exec'ing /usr/bin/which
run-mozilla.sh (21518) created 21523
run-mozilla.sh (21523) is exec'ing /usr/lib64/thunderbird-2.0.0.14/thunderbird-bin
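The “trend” the post opens with only becomes visible once the trace lines are stitched back into a process tree. As an added example (not code from the post), here is a small Python parser for the scriptlet’s output that rebuilds parent/child lineage and counts exec attempts per pid. The sample lines are a constructed subset of the run above; the function names are my own.

```python
"""Rebuild the process tree from the scriptlet's output (added example, not part of the post)."""
import re
from collections import defaultdict

# Constructed sample input: lines in the exact format the scriptlet prints,
# copied from the run shown above.
SAMPLE = """\
gnome-panel (3031) created 21513
gnome-panel (21513) created 21514
gnome-panel (21514) is exec'ing /usr/lib64/qt-3.3/bin/thunderbird
gnome-panel (21514) is exec'ing /usr/kerberos/bin/thunderbird
gnome-panel (21514) is exec'ing /usr/bin/thunderbird
thunderbird (21514) created 21515
thunderbird (21515) is exec'ing /bin/uname
thunderbird (21514) is exec'ing /usr/lib64/thunderbird-2.0.0.14/thunderbird
thunderbird (21514) created 21518
thunderbird (21518) is exec'ing /usr/lib64/thunderbird-2.0.0.14/run-mozilla.sh
run-mozilla.sh (21518) created 21523
run-mozilla.sh (21523) is exec'ing /usr/lib64/thunderbird-2.0.0.14/thunderbird-bin
"""

CREATE_RE = re.compile(r"^(?P<comm>\S+) \((?P<pid>\d+)\) created (?P<child>\d+)$")
EXEC_RE = re.compile(r"^(?P<comm>\S+) \((?P<pid>\d+)\) is exec'ing (?P<path>\S+)$")


def parse_trace(text):
    """Parse scriptlet output into (parent_of, execs).

    parent_of: child pid -> parent pid, from the 'created' lines
    execs:     pid -> ordered list of paths that pid attempted to exec
    Lines matching neither pattern (banner, blank lines) are ignored.
    """
    parent_of = {}
    execs = defaultdict(list)
    for line in text.splitlines():
        m = CREATE_RE.match(line)
        if m:
            parent_of[int(m["child"])] = int(m["pid"])
            continue
        m = EXEC_RE.match(line)
        if m:
            execs[int(m["pid"])].append(m["path"])
    return parent_of, dict(execs)


def lineage(parent_of, pid):
    """Walk up from pid to the oldest ancestor present in the trace."""
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain


def descendants(parent_of, root):
    """Every pid that transitively descends from root, breadth-first."""
    children = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    out, queue = [], [root]
    while queue:
        p = queue.pop(0)
        for c in children[p]:
            out.append(c)
            queue.append(c)
    return out


def exec_attempts(execs, pid):
    """Number of exec attempts recorded for pid.

    process.exec fires on each attempt, so a shell walking $PATH for a
    command shows up as several lines for the same pid before the one
    that actually succeeds (pid 21514 above tried five directories)."""
    return len(execs.get(pid, []))


def final_image(execs, pid):
    """The last path pid exec'd, i.e. the program it ended up running."""
    paths = execs.get(pid)
    return paths[-1] if paths else None


if __name__ == "__main__":
    parent_of, execs = parse_trace(SAMPLE)
    for pid in [21513] + descendants(parent_of, 21513):
        print(" -> ".join(str(p) for p in reversed(lineage(parent_of, pid))),
              "attempts:", exec_attempts(execs, pid), "image:", final_image(execs, pid))
```

One caveat for anyone running this over a long capture: the parser keys everything by pid, and the kernel reuses pids, so a trace of more than a few minutes needs the parent link reset whenever a pid reappears as a newly created child.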


Copyright © Phil Muldoon
