40个版本 (5个重大更改)
| 0.5.2 | 2024年8月6日 |
|---|---|
| 0.5.1 | 2024年7月20日 |
| 0.4.1 | 2024年7月14日 |
| 0.0.5 | 2024年2月29日 |
| 0.0.4 | 2023年11月10日 |
#72 在 调试
每月320次下载
395KB
11K SLoC
tracexec
跟踪execve{,at}和预执行行为的轻量级工具。
tracexec帮助你了解在执行命令时程序如何和何时被执行。
这对于调试构建系统、理解shell脚本的实际行为、找出专有软件运行了什么程序等非常有用。
展示
带伪终端的TUI模式
在TUI模式和使用伪终端的情况下,您可以轻松查看exec事件的详细信息并与伪终端内的进程交互。
跟踪setuid二进制文件
具有root权限,您还可以跟踪setuid二进制文件并查看它们的工作方式。但请注意,这与seccomp-bpf优化不兼容,因此性能会差很多。
sudo tracexec --user $(whoami) tui -t -- sudo ls
嵌套setuid二进制文件跟踪也是可能的:一个实际应用场景是跟踪extra-x86_64-build(Arch Linux的构建工具,需要sudo权限)
在这个实际示例中,我们可以轻松地看到_FORTIFY_SOURCE被从2重定义到3,这导致编译器错误。
将tracexec用作调试器启动器
tracexec还可以用作调试器启动器,使程序调试变得更加容易。例如,调试由shell/python脚本执行(该脚本可以使用管道作为程序的stdio)的程序并非易事或方便。以下视频展示了如何使用tracexec启动gdb以断开由shell脚本连接的两个简单程序的连接。
https://github.com/kxxt/tracexec/assets/18085551/72c755a5-0f2f-4bf9-beb9-98c8d6b5e5fd
请阅读gdb-launcher示例以获取更多详细信息。
日志模式
在日志模式下,默认情况下,tracexec将打印文件名、argv以及环境变量和文件描述符的差异。
示例: tracexec log -- bash(在交互式bash shell中)
使用 --show-cmdline 重建命令行
$ tracexec log --show-cmdline -- <command>
# example:
$ tracexec log --show-cmdline -- firefox
尝试在重建的命令行中重现stdio
可以使用 --stdio-in-cmdline 和 --fd-in-cmdline 来重现(希望如此)进程使用的stdio。
但请注意,当涉及管道、套接字等时,结果可能不准确。
tracexec log --show-cmdline --stdio-in-cmdline -- bash
使用 --show-interpreter 显示shebang指示的解释器
并且使用 --show-cwd 显示当前工作目录。
$ tracexec log --show-interpreter --show-cwd -- <command>
# example: Running Arch Linux makepkg
$ tracexec log --show-interpreter --show-cwd -- makepkg -f
安装
从源代码
通过 cargo
cargo install tracexec --bin tracexec
Arch Linux 用户也可以通过 pacman -S tracexec 从官方仓库安装。
二进制文件
您可以从发布页面下载二进制文件
用法
通用CLI帮助
Tracer for execve{,at} and pre-exec behavior, launcher for debuggers.
Usage: tracexec [OPTIONS] <COMMAND>
Commands:
log Run tracexec in logging mode
tui Run tracexec in TUI mode, stdin/out/err are redirected to /dev/null by default
generate-completions Generate shell completions for tracexec
collect Collect exec events and export them
help Print this message or the help of the given subcommand(s)
Options:
--color <COLOR> Control whether colored output is enabled. This flag has no effect on TUI mode. [default: auto] [possible values: auto, always, never]
-C, --cwd <CWD> Change current directory to this path before doing anything
-P, --profile <PROFILE> Load profile from this path
--no-profile Do not load profiles
-u, --user <USER> Run as user. This option is only available when running tracexec as root
-h, --help Print help
-V, --version Print version
图形用户界面模式
Run tracexec in TUI mode, stdin/out/err are redirected to /dev/null by default
Usage: tracexec tui [OPTIONS] -- <CMD>...
Arguments:
<CMD>... command to be executed
Options:
--seccomp-bpf <SECCOMP_BPF>
Controls whether to enable seccomp-bpf optimization, which greatly improves performance [default: auto] [possible values: auto, on, off]
--successful-only
Only show successful calls
--fd-in-cmdline
[Experimental] Try to reproduce file descriptors in commandline. This might result in an unexecutable cmdline if pipes, sockets, etc. are involved.
--stdio-in-cmdline
[Experimental] Try to reproduce stdio in commandline. This might result in an unexecutable cmdline if pipes, sockets, etc. are involved.
--resolve-proc-self-exe
Resolve /proc/self/exe symlink
--no-resolve-proc-self-exe
Do not resolve /proc/self/exe symlink
--tracer-delay <TRACER_DELAY>
Delay between polling, in microseconds. The default is 500 when seccomp-bpf is enabled, otherwise 1.
--show-all-events
Set the default filter to show all events. This option can be used in combination with --filter-exclude to exclude some unwanted events.
--filter <FILTER>
Set the default filter for events. [default: warning,error,exec,tracee-exit]
--filter-include <FILTER_INCLUDE>
Aside from the default filter, also include the events specified here. [default: <empty>]
--filter-exclude <FILTER_EXCLUDE>
Exclude the events specified here from the default filter. [default: <empty>]
-t, --tty
Allocate a pseudo terminal and show it alongside the TUI
-f, --follow
Keep the event list scrolled to the bottom
--terminate-on-exit
Instead of waiting for the root child to exit, terminate when the TUI exits
--kill-on-exit
Instead of waiting for the root child to exit, kill when the TUI exits
-A, --active-pane <ACTIVE_PANE>
Set the default active pane to use when TUI launches [possible values: terminal, events]
-L, --layout <LAYOUT>
Set the layout of the TUI when it launches [possible values: horizontal, vertical]
-F, --frame-rate <FRAME_RATE>
Set the frame rate of the TUI (60 by default)
-D, --default-external-command <DEFAULT_EXTERNAL_COMMAND>
Set the default external command to run when using "Detach, Stop and Run Command" feature in Hit Manager
-b, --add-breakpoint <BREAKPOINTS>
Add a new breakpoint to the tracer. This option can be used multiple times. The format is <syscall-stop>:<pattern-type>:<pattern>, where syscall-stop can be sysenter or sysexit, pattern-type can be argv-regex, in-filename or exact-filename. For example, sysexit:in-filename:/bash
-h, --help
Print help
日志模式
Run tracexec in logging mode
Usage: tracexec log [OPTIONS] -- <CMD>...
Arguments:
<CMD>... command to be executed
Options:
--more-colors
More colors
--less-colors
Less colors
--show-cmdline
Print commandline that (hopefully) reproduces what was executed. Note: file descriptors are not handled for now.
--no-show-cmdline
Don't print commandline that (hopefully) reproduces what was executed.
--show-interpreter
Try to show script interpreter indicated by shebang
--no-show-interpreter
Do not show script interpreter indicated by shebang
--foreground
Set the terminal foreground process group to tracee. This option is useful when tracexec is used interactively. [default]
--no-foreground
Do not set the terminal foreground process group to tracee
--diff-fd
Diff file descriptors with the original std{in/out/err}
--no-diff-fd
Do not diff file descriptors
--show-fd
Show file descriptors
--no-show-fd
Do not show file descriptors
--diff-env
Diff environment variables with the original environment
--no-diff-env
Do not diff environment variables
--show-env
Show environment variables
--no-show-env
Do not show environment variables
--show-comm
Show comm
--no-show-comm
Do not show comm
--show-argv
Show argv
--no-show-argv
Do not show argv
--show-filename
Show filename
--no-show-filename
Do not show filename
--show-cwd
Show cwd
--no-show-cwd
Do not show cwd
--decode-errno
Decode errno values
--no-decode-errno
Do not decode errno values
--seccomp-bpf <SECCOMP_BPF>
Controls whether to enable seccomp-bpf optimization, which greatly improves performance [default: auto] [possible values: auto, on, off]
--successful-only
Only show successful calls
--fd-in-cmdline
[Experimental] Try to reproduce file descriptors in commandline. This might result in an unexecutable cmdline if pipes, sockets, etc. are involved.
--stdio-in-cmdline
[Experimental] Try to reproduce stdio in commandline. This might result in an unexecutable cmdline if pipes, sockets, etc. are involved.
--resolve-proc-self-exe
Resolve /proc/self/exe symlink
--no-resolve-proc-self-exe
Do not resolve /proc/self/exe symlink
--tracer-delay <TRACER_DELAY>
Delay between polling, in microseconds. The default is 500 when seccomp-bpf is enabled, otherwise 1.
--show-all-events
Set the default filter to show all events. This option can be used in combination with --filter-exclude to exclude some unwanted events.
--filter <FILTER>
Set the default filter for events. [default: warning,error,exec,tracee-exit]
--filter-include <FILTER_INCLUDE>
Aside from the default filter, also include the events specified here. [default: <empty>]
--filter-exclude <FILTER_EXCLUDE>
Exclude the events specified here from the default filter. [default: <empty>]
-o, --output <OUTPUT>
Output, stderr by default. A single hyphen '-' represents stdout.
-h, --help
Print help
收集和导出数据
Collect exec events and export them
Usage: tracexec collect [OPTIONS] --format <FORMAT> -- <CMD>...
Arguments:
<CMD>... command to be executed
Options:
--seccomp-bpf <SECCOMP_BPF> Controls whether to enable seccomp-bpf optimization, which greatly improves performance [default: auto] [possible values: auto, on, off]
--successful-only Only show successful calls
--fd-in-cmdline [Experimental] Try to reproduce file descriptors in commandline. This might result in an unexecutable cmdline if pipes, sockets, etc. are involved.
--stdio-in-cmdline [Experimental] Try to reproduce stdio in commandline. This might result in an unexecutable cmdline if pipes, sockets, etc. are involved.
--resolve-proc-self-exe Resolve /proc/self/exe symlink
--no-resolve-proc-self-exe Do not resolve /proc/self/exe symlink
--tracer-delay <TRACER_DELAY> Delay between polling, in microseconds. The default is 500 when seccomp-bpf is enabled, otherwise 1.
-F, --format <FORMAT> the format for exported exec events [possible values: json-stream, json]
-p, --pretty prettify the output if supported
-o, --output <OUTPUT> Output, stderr by default. A single hyphen '-' represents stdout.
--foreground Set the terminal foreground process group to tracee. This option is useful when tracexec is used interactively. [default]
--no-foreground Do not set the terminal foreground process group to tracee
-h, --help Print help
配置文件
tracexec 可以通过配置文件进行配置。配置文件是一个 toml 文件,可以用来设置备用选项。
配置文件应放置在 $XDG_CONFIG_HOME/tracexec/ 或 $HOME/.config/tracexec/ 并命名为 config.toml。
模板配置文件可以在 https://github.com/kxxt/tracexec/blob/main/config.toml 找到
请注意,配置文件格式尚未稳定,将来可能会发生变化。在升级 tracexec 时,您可能需要更新配置文件。
已知问题
- 非UTF-8字符串以有损方式转换为UTF-8,这意味着输出可能不准确。
- 输出尚未稳定,这意味着输出可能在未来发生变化。
- 测试覆盖率不足。
- 伪终端无法传递某些键组合和终端功能。
来源
这个项目起源于追踪程序执行的需求。
最初我只是使用 strace -Y -f -qqq -s99999 -e trace=execve,execveat <command>。
但输出仍然太冗长,所以我创建了这个项目。
致谢
依赖项
~32–49MB
~666K SLoC