如何在Linux中监控子进程 Linux strace追踪调用

strace

ptrace

strace

ptrace

strace

-f

strace

parent_process

strace

strace -f ./parent_process

strace

parent_process

strace

-e

open

read

strace -f -e trace=open,read ./parent_process

strace

strace

ptrace

ptrace

ptrace

execve

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/reg.h>
#include <sys/user.h>

int main(int argc, char *argv[]) {
    if (argc < 2) {
        fprintf(stderr, "Usage: %s <program>\n", argv[0]);
        exit(1);
    }

    pid_t pid = fork();
    if (pid == 0) {
        // Child process (tracee)
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        execvp(argv[1], &argv[1]); // Execute the target program
        perror("execvp");
        exit(1);
    } else if (pid > 0) {
        // Parent process (tracer)
        int status;
        waitpid(pid, &status, 0); // Wait for the tracee to stop

        ptrace(PTRACE_SETOPTIONS, pid, NULL, PTRACE_O_TRACESYSGOOD); // Enable syscall entry/exit traps

        while (1) {
            ptrace(PTRACE_SYSCALL, pid, NULL, NULL); // Continue tracee until next syscall
            waitpid(pid, &status, 0);

            if (WIFEXITED(status)) {
                break; // Tracee exited
            }

            // Check if it's a syscall entry
            if (WIFSTOPPED(status) && (WSTOPSIG(status) == (SIGTRAP | 0x80))) {
                struct user_regs_struct regs;
                ptrace(PTRACE_GETREGS, pid, NULL, &regs);

                // Check if it's execve syscall (syscall number 59 on x86_64)
                if (regs.orig_rax == 59) {
                    printf("execve called!\n");
                    // You can access arguments of execve here using regs
                }
            }
        }
    } else {
        perror("fork");
        exit(1);
    }

    return 0;
}

ptrace

execve

execve

ptrace

strace

ptrace

strace

ptrace