假定启动命令为:./abcd 23,我们想看看该进程是否需要访问test.txt文件
1. 启动后lsof -p $(pgrep abcd) (lsof只能看到快照时刻仍处于打开状态的文件,打开后很快关闭的访问会被漏掉;若存在多个同名进程,pgrep会输出多行,可改用pgrep -d, abcd)
2. 启动过程中 strace -f -e file ./abcd 23 2>&1 | grep open #strace -e network/signal/desc都是很有用的调试参数
3. 可以chmod a-rw test.txt,然后再启动./abcd 23,如果程序无法访问test.txt,或许会报错并退出,我们可以根据报错信息来顺藤摸瓜(注意:若进程以root或具有CAP_DAC_OVERRIDE能力的身份运行,文件权限对其不起作用,此法无效)
4. 还有一种方法,经测试未奏效:
(gdb) start
(gdb) break open
(gdb) condition 2 strcmp (((char**)$esp)[1], "bar") == 0
上面((char**)$esp)[1]用于取第一个参数(仅适用于32位x86的cdecl约定,此时函数入口处参数位于栈上;在x86-64上第一个参数位于$rdi寄存器,见下文第6条的用法),gdb的strcmp或许会不好用(可以用p strcmp("hello", "hello")测试一下),如果不好用,可以自己写一个:
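/*
 * Compiled into the debuggee so gdb can call it from a breakpoint
 * condition (e.g. `condition N mystrcmp(<first arg>, "bar") == 0`)
 * when gdb's own evaluation of strcmp is unreliable.
 *
 * p1, p2: C strings to compare.
 * Returns strcmp(p1, p2): 0 when equal, nonzero otherwise.
 * NULL is never dereferenced: both NULL compare equal (0), a single
 * NULL yields nonzero, so a condition testing `== 0` simply does not
 * fire instead of faulting inside the inferior while gdb evaluates it.
 */
int mystrcmp(const char* p1, const char* p2) {
    if (p1 == NULL || p2 == NULL) {
        /* gdb may hand us a garbage/NULL register value at the breakpoint */
        return (p1 == p2) ? 0 : (p1 == NULL ? -1 : 1);
    }
    return strcmp(p1, p2);
}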
5. 通过断点来打印bt信息:
# mybt: set a breakpoint at $arg0 and log a backtrace every time it is hit.
# Usage: (gdb) mybt open      -- $arg0 is any location accepted by `break`
define mybt
# Output is copied to t3.log; without `set logging redirect` it is also
# still printed on the console.
set logging file t3.log
set logging on
break $arg0
# Resume and dump the stack on every hit. The loop has no exit condition:
# it presumably ends only when `continue` errors out (e.g. the inferior
# exited), which aborts the whole command, so the trailing
# `set logging off` is not guaranteed to run.
while 1
continue
bt
end
set logging off
end
6. 经过不懈的努力,终于得到了一种可行的方法:
$ cat t3.gdb
# t3.gdb: log the file name passed to every open() call made by the debuggee.
# Run with: gdb --batch -x t3.gdb --args <program> <args>
set print pretty on
#set print elements 0
set print frame-arguments all
#set print union on
set print object on
#set print demangle on
# All output goes to t3.log only (redirect), overwriting any previous run.
set logging file t3.log
set logging overwrite
set logging redirect
set logging on
# `<(...)` is bash process substitution; gdb hands the redirection to the
# shell it starts the inferior with ($SHELL), so this presumably needs bash
# rather than sh/dash -- confirm in your environment. Note that the unquoted
# `$(cat b.html)` is word-split, so the file's whitespace/newlines collapse.
start < <(echo $(cat b.html)) #give input stream from a temporary named pipe
#catch syscall open
# NOTE(review): `break open` only fires for calls that resolve to the libc
# `open` symbol. A libc may route fopen()/open() through open64/openat or an
# internal alias, in which case this breakpoint never triggers; verify with
# strace first (item 2), and consider `catch syscall` on the syscall strace
# actually shows.
break open
while 1
continue
#info args
#info locals
# x86-64 only: the first integer argument is in $rdi at function entry.
print (char*)$rdi #print filename
#bt full
bt
end
set logging off
$ gdb --batch -x t3.gdb --args ./test -a 1 -o "test.txt"
7. mkfifo test.txt #if the program opens test.txt for reading it will block (hang) until a writer connects; the hang itself shows that the file is being accessed
8. sudo apt-get install auditd; sudo auditctl -p wra -w $PWD/test.txt; sudo ausearch -f $PWD/test.txt(or sudo vim /var/log/audit/audit.log) #this will monitor read/write/attribute-change (-p wra: w=write, r=read, a=attribute change) of test.txt and record logs in /var/log/audit/audit.log