假定啟動命令為:./abcd 23,我們想看看該進程是否需要訪問test.txt文件
2. 啟動後 lsof -p $(pgrep abcd)
2. 啟動過程中 strace -f -e file ./abcd 23 2>&1 | grep open #strace -e network/signal/desc都是很有用的調試參數
3. 可以chmod a-rw test.txt,然後再啟動./abcd 23,如果程序無法訪問test.txt,或許會報錯並退出,我們可以根據報錯信息來順藤摸瓜
4. 還有一種方法,經測試未奏效:
(gdb) start
(gdb) break open
(gdb) condition 2 strcmp (((char**)$esp)[1], "bar") == 0
上面((char**)$esp)[1]用于取第一個參數,gdb的strcmp或許會不好用(可以用p strcmp("hello", "hello")測試一下),如果不好用,可以自己寫一個:
/* Replacement for gdb's built-in strcmp in breakpoint conditions, as in
 * `condition N mystrcmp(((char**)$esp)[1], "name") == 0` — the page notes
 * gdb's own strcmp may not be usable (check with `p strcmp("hello", "hello")`).
 * Presumably compiled into the debugged program so gdb can call it.
 * Returns the libc strcmp() result for p1 vs p2: 0 when the strings match. */
int mystrcmp(const char* p1, const char* p2) {
    const int order = strcmp(p1, p2);
    return order;
}
5. 通過斷點來打印bt信息:
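# mybt LOCATION: set a breakpoint at LOCATION and append a backtrace to
# t3.log every time it is hit, until the inferior exits.
# Run `start`/`run` first so there is a live process to continue.
#
# The earlier version looped `while 1` over continue/bt. Once the inferior
# had exited, the next `bt` failed with "No stack.", which aborts a user
# command before `set logging off` runs and leaves logging enabled for the
# rest of the session. The $_isvoid checks below end the loop cleanly.
# $_isvoid and $_exitsignal need GDB 7.7 or newer; `run`/`start` reset
# $_exitcode/$_exitsignal to void at launch (verify on your GDB version).
# `set logging on` is the legacy spelling; newer GDB prefers
# `set logging enabled on`, but the old form still works.
define mybt
  set logging file t3.log
  set logging on
  break $arg0
  # $_exitcode is set on normal exit, $_exitsignal when killed by a signal;
  # both are void while the process is alive
  while $_isvoid($_exitcode) && $_isvoid($_exitsignal)
    continue
    # continue returns either at the breakpoint or at process exit;
    # only print a backtrace in the former case
    if $_isvoid($_exitcode) && $_isvoid($_exitsignal)
      bt
    end
  end
  set logging off
end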
6. 經過不懈的努力,終于得到了一種可行的方法:
$ cat t3.gdb
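# t3.gdb: log the filename and a backtrace for every open() call made by the
# inferior. Run with: gdb --batch -x t3.gdb --args ./test ...
set print pretty on
#set print elements 0
set print frame-arguments all
#set print union on
set print object on
#set print demangle on
# With `redirect`, all output goes to t3.log only; `overwrite` truncates the
# log on each run instead of appending.
set logging file t3.log
set logging overwrite
set logging redirect
set logging on
# The redirection is handed to the shell gdb uses to launch the inferior
# ($SHELL), so the process substitution below requires that shell to be
# bash; with another shell, feed a regular file instead.
start < <(echo $(cat b.html)) #give input stream from a temporary named pipe
#catch syscall open
# NOTE: `break open` only fires for calls that reach the libc `open` symbol;
# opens that go through other entry points (e.g. openat) are not seen. If
# files are missed, `catch syscall open openat` stops at the kernel entry
# instead (for openat the path is the second argument, $rsi, not $rdi).
break open
# Loop until the inferior exits. The earlier `while 1` version ran
# `print`/`bt` once more after exit, which fails ("No stack.") and aborts
# the script before `set logging off`. $_exitcode is set on normal exit,
# $_exitsignal on death by signal; both are void while the process lives.
# $_isvoid/$_exitsignal require GDB 7.7 or newer.
while $_isvoid($_exitcode) && $_isvoid($_exitsignal)
  continue
  if $_isvoid($_exitcode) && $_isvoid($_exitsignal)
    #info args
    #info locals
    # first integer argument in the x86-64 SysV calling convention is $rdi;
    # on 32-bit x86 the argument is on the stack instead (see the $esp form
    # used with `condition` elsewhere in these notes)
    print (char*)$rdi #print filename
    #bt full
    bt
  end
end
set logging off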
$ gdb --batch -x t3.gdb --args ./test -a 1 -o "test.txt"
7. mkfifo test.txt #this may hang the process when it reads the file
8. sudo apt-get install auditd; sudo auditctl -p wra -w $PWD/test.txt; sudo ausearch -f $PWD/test.txt(or sudo vim /var/log/audit/audit.log) #this will monitor read/write/access of test.txt and record logs in /var/log/audit/audit.log