Best way to watch a process (and its subprocesses) for reads of the file system (read())?

I would like to develop a command line program that works like this:

myprogram /c [some_executable_here]

It would launch the command specified by the user, "watch" the process (and any subprocesses) for I/O, and when that program exits, print the list of files that were "read" (i.e. that ultimately went through read()).

My initial OS for implementation is Windows, but I would also like to do the same on Linux.

All of the file system UIs I've seen so far focus on viewing directories (or individual files), not processes, so I'm not sure of the best way to do this.

EDIT: I'm looking for code examples of how to implement this (or at least API pointers I could follow) on Windows and Linux.

Also, to be clear, it cannot use a method such as OpenedFilesView, procmon, or grepping strings from some system-level tool, which cannot definitively identify a process by ID (and any subprocesses) from the very beginning to the very end of its execution; IOW there can be no synchronization issues and no possibility of false positives from searching for "foo.exe" and getting the wrong one.

+3
3 answers

Linux strace - . :.

$ strace -o/tmp/blah -f -eopen,read bash -c "cat ciao.txt"

( , , - -f), /tmp/blah (120 ), , , .

, , , ; , Python, :

import re

# One strace line per syscall: "<pid> <syscall>(<args>) = <result>"
linere = re.compile(r'^(\d+)\s+(\w+)\(([^)]+)\)\s+\=\s*(.*)$')

def main():
  openfiles = dict()   # fd -> file name, from successful open() calls
  filesread = set()
  with open('/tmp/blah') as f:
    for line in f:
      mo = linere.match(line)
      if mo is None:
        # signal/exit markers and unfinished calls do not match; skip them
        print("Unmatched line %r" % line)
        continue
      pid, command, args, results = mo.groups()
      if command == 'open':
        fn = args.split(',', 1)[0].strip('"')
        fd = results.split(' ', 1)[0]
        if fd != '-1':   # a failed open returns -1 and no descriptor
          openfiles[fd] = fn
      elif command == 'read':
        if results != '0':
          fd = args.split(',', 1)[0]
          # the fd may be unknown here (inherited from a parent or dup'ed)
          if fd in openfiles:
            filesread.add(openfiles[fd])
      else:
        print("Unknown command %r" % command)
  print(sorted(filesread))

if __name__ == '__main__':
  main()

( , dup c), , , . :

['/lib/libc.so.6', '/lib/libdl.so.2', '/lib/libncurses.so.5',
 '/proc/meminfo', '/proc/sys/kernel/ngroups_max',
 '/usr/share/locale/locale.alias', 'ciao.txt']

, "" , , " "... , . , , .

strace , , Windows, , StraceNT - 100% , , , & c , , Python ( strace ).

, Unix, , , root () - . Mac OS X sudo dtrace dtruss; strace Mac root.

+7
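A fuller version of the log-parsing idea in this answer, added here as an example (not the answer's own code): it keeps one fd table per pid, so descriptors inherited across clone/fork or duplicated with dup/dup2 still resolve to a path, it ignores failed calls, and it runs over a constructed `strace -f` log embedded inline. It assumes the trace was taken with `-e trace=open,openat,read,close,dup,dup2,clone`; interrupted `<unfinished ...>`/`resumed` pairs are skipped, and paths containing a comma are not handled.

```python
import re
from collections import defaultdict

# Constructed sample of `strace -f -o log -e trace=open,openat,read,close,dup,dup2,clone`.
SAMPLE_LOG = """\
100 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
100 read(3, "\\177ELF"..., 832) = 832
100 close(3) = 0
100 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 101
101 openat(AT_FDCWD, "ciao.txt", O_RDONLY) = 3
101 dup2(3, 4) = 4
101 read(4, "hello\\n", 131072) = 6
101 read(4, "", 131072) = 0
101 openat(AT_FDCWD, "missing.txt", O_RDONLY) = -1 ENOENT (No such file or directory)
101 +++ exited with 0 +++
100 --- SIGCHLD {si_signo=SIGCHLD} ---
"""

# "<pid> <syscall>(<args>) = <numeric result>"; the greedy group backtracks to
# the ")" that precedes " = ", so error text such as "(No such file...)" is fine.
LINE_RE = re.compile(r'^(\d+)\s+(\w+)\((.*)\)\s+=\s*(-?\d+)')

def files_read(log_text):
    """Return the set of paths that any process in the traced tree read from."""
    fdtab = defaultdict(dict)   # pid -> {fd: path}
    read_paths = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # exit/signal markers, unfinished or resumed calls
        pid, call, args, ret = m.groups()
        pid, ret = int(pid), int(ret)
        argv = [a.strip() for a in args.split(',')]
        if ret < 0:
            continue            # failed syscall: no descriptor, no data
        if call in ('open', 'openat'):
            path = (argv[1] if call == 'openat' else argv[0]).strip('"')
            fdtab[pid][ret] = path
        elif call in ('dup', 'dup2', 'dup3'):
            src = int(argv[0])
            if src in fdtab[pid]:
                fdtab[pid][ret] = fdtab[pid][src]
        elif call == 'close':
            fdtab[pid].pop(int(argv[0]), None)
        elif call in ('clone', 'fork', 'vfork'):
            fdtab[ret] = dict(fdtab[pid])   # child starts with a copy of the parent's table
        elif call == 'read' and ret > 0:    # a 0-byte read at EOF is not a "read"
            path = fdtab[pid].get(int(argv[0]))
            if path:
                read_paths.add(path)
    return read_paths
```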

" Process Monitor" (procmon.exe) ( ). .

Linux lsof strace . grep.

(.. , ) /. API , API .

[.] . " " , Windows.

+5

-d (--watchfd) 2014 pv pid.

.

pv --help
  -d, --watchfd PID[:FD]   watch file FD opened by process PID

.

pv -d `pgrep firefox`
0

Source: https://habr.com/ru/post/1717941/
