How to determine which files a process accesses
Assume the program is started with ./abcd 23 and we want to find out whether the process needs to access test.txt.
1. After startup: lsof -p $(pgrep abcd)
2. During startup: strace -f -e file ./abcd 23 2>&1 | grep open #strace -e network/signal/desc are also very useful debugging options
3. Run chmod a-rw test.txt and then start ./abcd 23 again. If the program cannot access test.txt it may report an error and exit, and we can follow the error message back to the access.
4. There is one more method, which did not work when tested:
(gdb) start
(gdb) break open
(gdb) condition 2 strcmp (((char**)$esp)[1], "bar") == 0
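Above, ((char**)$esp)[1] fetches the first argument. gdb's strcmp may not work well (test it with p strcmp("hello", "hello")); if it does not, you can write your own:
#include <string.h>
/* Thin wrapper around strcmp that gdb can call from a breakpoint condition. */
int mystrcmp(const char* p1, const char* p2) {
    return strcmp(p1, p2);
}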
5. Print bt (backtrace) information at a breakpoint:
define mybt
set logging file t3.log
set logging on
break $arg0
while 1
continue
bt
end
set logging off
end
6. After persistent effort, I finally found a method that works:
$ cat t3.gdb
set print pretty on
#set print elements 0
set print frame-arguments all
#set print union on
set print object on
#set print demangle on
set logging file t3.log
set logging overwrite
set logging redirect
set logging on
start < <(echo $(cat b.html)) #give input stream from a temporary named pipe
#catch syscall open
break open
while 1
continue
#info args
#info locals
print (char*)$rdi #print filename
#bt full
bt
end
set logging off
$ gdb --batch -x t3.gdb --args ./test -a 1 -o "test.txt"
7. mkfifo test.txt #this may cause the read to hang
8. sudo apt-get install auditd; sudo auditctl -p wra -w $PWD/test.txt; sudo ausearch -f $PWD/test.txt (or sudo vim /var/log/audit/audit.log) #this monitors read/write/access of test.txt and records logs in /var/log/audit/audit.log
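The strace approach in step 2 filters with grep open, which drops calls such as stat or access and does not show whether the call succeeded (for example the EACCES that step 3 provokes). The following is an added example, not code from the original post: a filter that reports every file syscall naming one path, with its outcome. The function names file_touches and sample_trace and the sample trace lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): list the file syscalls in
# `strace -f -e trace=file` output that name one path, with their outcome.

# file_touches NAME: read strace output on stdin; print "pid syscall status"
# for each call with a quoted path argument equal to NAME or ending in /NAME.
file_touches() {
  awk -v name="$1" '
    {
      line = $0; pid = "-"
      # With -f, child lines carry a "[pid N] " prefix; strip it and keep N.
      if (match(line, /^\[pid +[0-9]+\] /)) {
        pid = substr(line, 1, RLENGTH); gsub(/[^0-9]/, "", pid)
        line = substr(line, RLENGTH + 1)
      }
      # Keep only complete "syscall(args) = result" lines.
      if (!match(line, /^[a-z_0-9]+\(/)) next
      call = substr(line, 1, RLENGTH - 1)
      if (!match(line, /\) += [^=]*$/)) next
      args = substr(line, 1, RSTART - 1)
      res = substr(line, RSTART); sub(/^\) += /, "", res)
      split(res, f, " ")
      status = (f[1] == "-1") ? f[2] : "ok"   # errno name on failure
      # Walk every quoted string in the argument list.
      while (match(args, /"[^"]*"/)) {
        p = substr(args, RSTART + 1, RLENGTH - 2)
        args = substr(args, RSTART + RLENGTH)
        n = length(p) - length(name)
        if (p == name || (n > 0 && substr(p, n) == ("/" name))) {
          print pid, call, status
          break
        }
      }
    }'
}

# Constructed sample input, shaped like strace -f -e trace=file output.
sample_trace() {
  cat <<'EOF'
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
stat("test.txt", {st_mode=S_IFREG|0000, st_size=5, ...}) = 0
[pid  4242] openat(AT_FDCWD, "/home/u/test.txt", O_RDONLY) = -1 EACCES (Permission denied)
[pid  4242] openat(AT_FDCWD, "mytest.txt", O_RDONLY) = 3
+++ exited with 1 +++
EOF
}

sample_trace | file_touches test.txt
```

Against a real run, feed it the trace directly: strace -f -e trace=file ./abcd 23 2>&1 | file_touches test.txt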
posted on 2012-12-21 17:19 so true