如何在运行 aptana studio 或 php storm 等执行文件时跟踪所有事件?
更多解释
例如很多软件将用户注册信息隐藏到特殊文件中,当执行该软件时,首先软件会读取该文件并检查许可证。我想知道那个文件在哪里?
我使用 ./excutedfile.sh 从命令行执行文件。以及现在如何为此跟踪所有事件。
最佳答案
你能尝试像这样启用过滤的 strace 吗?
$ strace -e trace=open -f gvim
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
(... snip ...)
open("/usr/lib/x86_64-linux-gnu/libXdmcp.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/proc/filesystems", O_RDONLY) = 3
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
Process 465 attached
[pid 464] open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 5
[pid 464] open("/usr/share/vim/vim74/lang/ja/LC_MESSAGES/vim.mo", O_RDONLY) = 5
[pid 464] open("/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache", O_RDONLY) = 5
[pid 464] open("/lib/terminfo/x/xterm-256color", O_RDONLY) = 5
[pid 464] open(".", O_RDONLY) = 5
[pid 464] open("/usr/share/vim/vimrc", O_RDONLY) = 5
[pid 464] open(".", O_RDONLY) = 6
[pid 464] open("/usr/share/vim/vim74/debian.vim", O_RDONLY) = 6
[pid 464] open("/etc/papersize", O_RDONLY|O_NONBLOCK) = 7
[pid 464] open("/etc/papersize", O_RDONLY) = 7
[pid 464] open(".", O_RDONLY) = 6
[pid 464] open("/usr/share/vim/vim74/syntax/syntax.vim", O_RDONLY) = 6
[pid 464] open(".", O_RDONLY) = 7
[pid 464] open("/usr/share/vim/vim74/syntax/synload.vim", O_RDONLY) = 7
[pid 464] open(".", O_RDONLY) = 8
[pid 464] open("/usr/share/vim/vim74/syntax/syncolor.vim", O_RDONLY) = 8
(... tons of output ...)
-e trace=open 是只选择 open(2) 系统调用。我还添加了 -f 来跟踪子进程。
另见:
关于linux - 跟踪和监控包或执行的文件事件?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/25542092/