strace 是通过 ptrace 实现的,与调试器(gdb、lldb)的实现原理相同。下面是 ptrace 的介绍:
The ptrace() system call provides a means by which one process (the "tracer") may observe and control the execution of another process (the "tracee"), and examine and change the tracee's memory and registers. It is primarily used to implement breakpoint debugging and system call tracing.
#include <sys/ptrace.h>
/* ptrace(2) prototype: the call a tracer makes to act on a tracee.
 *   request    - selects which ptrace operation to perform
 *   pid        - identifies the tracee the request applies to
 *   addr, data - their meaning depends on the request
 */
long ptrace(enum __ptrace_request request, pid_t pid,
void *addr, void *data);
root@ubuntu-jammy:~/project/snippet# strace -e write,read -r ls
0.000000 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832
0.000741 read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\237\2\0\0\0\0\0"..., 832) = 832
0.000858 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\0\0\0\0\0\0\0"..., 832) = 832
0.002011 read(3, "nodev\tsysfs\nnodev\ttmpfs\nnodev\tbd"..., 1024) = 407
0.000110 read(3, "", 1024) = 0
0.000470 read(3, "# Locale name alias data base.\n#"..., 4096) = 2996
0.000088 read(3, "", 4096) = 0
0.003889 write(1, "Makefile mcount mcount.c mcou"..., 51Makefile mcount mcount.c mcount.o uftrace.data
) = 51
0.000358 +++ exited with 0 +++
root@ubuntu-jammy:~/project/snippet# strace -c ls
Makefile mcount mcount.c mcount.o uftrace.data
% time seconds usecs/call calls errors syscall
------ ----------- ----------- --------- --------- ----------------
0.00 0.000000 0 7 read
0.00 0.000000 0 1 write
0.00 0.000000 0 24 close
0.00 0.000000 0 31 mmap
0.00 0.000000 0 6 mprotect
0.00 0.000000 0 1 munmap
0.00 0.000000 0 3 brk
0.00 0.000000 0 2 ioctl
0.00 0.000000 0 4 pread64
0.00 0.000000 0 2 2 access
0.00 0.000000 0 1 execve
0.00 0.000000 0 2 2 statfs
0.00 0.000000 0 2 1 arch_prctl
0.00 0.000000 0 1 futex
0.00 0.000000 0 2 getdents64
0.00 0.000000 0 1 set_tid_address
0.00 0.000000 0 34 12 openat
0.00 0.000000 0 23 newfstatat
0.00 0.000000 0 1 set_robust_list
0.00 0.000000 0 1 prlimit64
0.00 0.000000 0 1 getrandom
0.00 0.000000 0 1 rseq
------ ----------- ----------- --------- --------- ----------------
100.00 0.000000 0 151 17 total
-e 用于过滤,只跟踪指定的 system call
还可以按类别一次指定一批 syscall:
-e trace=/regex(匹配正则的一批syscall)
-e trace=%file (匹配所有使用文件名作为参数的syscall)
-e trace=%process (所有和进程管理相关的syscall)
-e trace=%network (所有和网络相关的syscall)
其他可用的类别还有:%signal、%ipc、%desc、%memory、%stat、%lstat、%fstat、%%stat
root@ubuntu-jammy:~/project/snippet# strace -e write,read -c ls
Makefile mcount mcount.c mcount.o uftrace.data
% time seconds usecs/call calls errors syscall
------ ----------- ----------- --------- --------- ----------------
0.00 0.000000 0 7 read
0.00 0.000000 0 1 write
------ ----------- ----------- --------- --------- ----------------
100.00 0.000000 0 8 total
$strace -ttT -e openat ls -al
07:56:38.108073 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 <0.000013>
07:56:38.108240 openat(AT_FDCWD, "/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3 <0.000011>
07:56:38.108448 openat(AT_FDCWD, "/lib64/libcap.so.2", O_RDONLY|O_CLOEXEC) = 3 <0.000013>
07:56:38.108605 openat(AT_FDCWD, "/lib64/libacl.so.1", O_RDONLY|O_CLOEXEC) = 3 <0.000012>
07:56:38.108762 openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 <0.000012>
07:56:38.109133 openat(AT_FDCWD, "/lib64/libpcre.so.1", O_RDONLY|O_CLOEXEC) = 3 <0.000012>
07:56:38.109289 openat(AT_FDCWD, "/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 <0.000013>
07:56:38.109465 openat(AT_FDCWD, "/lib64/libattr.so.1", O_RDONLY|O_CLOEXEC) = 3 <0.000012>
07:56:38.109659 openat(AT_FDCWD, "/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3 <0.000011>
07:56:38.110958 openat(AT_FDCWD, "/proc/filesystems", O_RDONLY) = 3 <0.000015>
07:56:38.111168 openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3 <