文章目录
- 背景
- ltrace原理
- ltrace使用
- 跟踪程序调用库函数
- 跟踪指定pid进程调用
- 参考
本文介绍ltrace跟踪
背景
ltrace 会拦截并记录正在执行的进程所调用的动态库调用以及该进程接收到的信号,它还可以拦截并打印程序执行的系统调用。
其代码位置在:https://gitlab.com/cespedes/ltrace.git
ltrace原理
ltrace也是基于ptrace。
ptrace主要是用来跟踪系统调用,ltrace使用了下面的方法来跟踪库函数:
- 首先ltrace打开elf文件,对其进行分析。在elf文件中,出于动态连接的需要,需要在elf文件中保存函数的符号,供连接器使用。具体格式,大家可以参考elf文件的格式。这样ltrace就能够获得该文件中,所有系统调用的符号,以及对应的执行指令。
- 然后,ltrace将该指令所对应的4个字节,替换成断点。其实现可以参考Playing with ptrace, Part II。
- 这样在进程执行到相应的库函数后,就可以通知到了ltrace,ltrace将对应的库函数打印出来之后,继续执行子进程。
实际上ltrace与strace使用的技术大体相同,但ltrace在对支持fork和clone方面,不如strace。strace在收到frok和clone等系统调用后,做了相应的处理,而ltrace没有。
ltrace使用
$ ltrace --help
Usage: ltrace [option ...] [command [arg ...]]
Trace library calls of a given program.-a, --align=COLUMN align return values in a secific column.-A MAXELTS maximum number of array elements to print.-b, --no-signals don't print signals.-c count time and calls, and report a summary on exit.-C, --demangle decode low-level symbol names into user-level names.-D, --debug=MASK enable debugging (see -Dh or --debug=help).-Dh, --debug=help show help on debugging.-e FILTER modify which library calls to trace.-f trace children (fork() and clone()).-F, --config=FILE load alternate configuration file (may be repeated).-h, --help display this help and exit.-i print instruction pointer at time of library call.-l, --library=LIBRARY_PATTERN only trace symbols implemented by this library.-L do NOT display library calls.-n, --indent=NR indent output by NR spaces for each call level nesting.-o, --output=FILENAME write the trace output to file with given name.-p PID attach to the process with the process ID pid.-r print relative timestamps.-s STRSIZE specify the maximum string size to print.-S trace system calls as well as library calls.-t, -tt, -ttt print absolute timestamps.-T show the time spent inside each call.-u USERNAME run command with the userid, groupid of username.-V, --version output version information and exit.-x FILTER modify which static functions to trace.Report bugs to ltrace-devel@lists.alioth.debian.org
跟踪程序调用库函数
ltrace-demo.c
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>
#include "demo-lib.h"void func1()
{printf("func1\n");
}int main()
{printf("ltrace-demo\n");pid_t r = fork();if (r == 0) {printf("in child\n");func2();} else if(r > 0) {printf("child pid: %d\n", r);func1();}wait(NULL);return 0;
}
demo-lib.h
void func2();
demo-lib.c
#include "demo-lib.h"
#include <stdio.h>void func2()
{printf("func2\n");
}
编译测试:
linux-dev@linuxdev:~$ gcc -shared -fPIC -o libdemo-lib.so demo-lib.c
linux-dev@linuxdev:~$ gcc -o ltrace-demo ltrace-demo.c -L. -ldemo-lib
linux-dev@linuxdev:~$ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:.
linux-dev@linuxdev:~$ ltrace -i ./ltrace-demo
[0x5c825eca31fe] puts("ltrace-demo"ltrace-demo
) = 12
[0x5c825eca3203] fork() = 1817
[0x5c825eca3246] printf("child pid: %d\n", 1817child pid: 1817
) = 16
[0x5c825eca31e0] puts("func1"func1
in child
) = 6
[0x5c825eca325a] wait(0func2<no return ...>
[0x7c30b13107a7] --- SIGCHLD (Child exited) ---
[0x5c825eca325a] <... wait resumed> ) = 1817
[0xffffffffffffffff] +++ exited (status 0) +++
跟踪指定pid进程调用
linux-dev@linuxdev:~$ pidof top
1434
linux-dev@linuxdev:~$ sudo ltrace -i -p 1434
[0x618f588eb679] procps_uptime(0x7ffc8ef2b4f0, 0, 0, 0x7d015f325fde) = 0
[0x618f588eb831] procps_pids_reap(0x618f611f7420, 0, 0, -3616) = 0x618f611f7458
[0x618f588eb814] memcpy(0x618f61218ea0, "0\020J^\001}\0\08\020J^\001}\0\0@\020J^\001}\0\0H\020J^\001}\0\0"..., 1696) = 0x618f61218ea0
[0x618f588eb814] memcpy(0x618f612196b0, "0\020J^\001}\0\08\020J^\001}\0\0@\020J^\001}\0\0H\020J^\001}\0\0"..., 1696) = 0x618f612196b0
[0x618f588eb814] memcpy(0x618f61219ec0, "0\020J^\001}\0\08\020J^\001}\0\0@\020J^\001}\0\0H\020J^\001}\0\0"..., 1696) = 0x618f61219ec0
[0x618f588eb814] memcpy(0x618f6121a6d0, "0\020J^\001}\0\08\020J^\001}\0\0@\020J^\001}\0\0H\020J^\001}\0\0"..., 1696) = 0x618f6121a6d0
[0x618f588dc173] procps_stat_reap(0x618f611de980, 0, 0x618f588f7040, 16) = 0x618f611debd0
[0x618f588dc1e3] time(0) = 1739018691
[0x618f588dc20b] procps_meminfo_select(0x618f611f6670, 0x618f588f8180, 9, 3) = 0x618f6121af38
[0x618f588dbb13] putp(0x618f588fb5e0, 0, 0x618f6121af38, 0x2c6b24) = 0
[0x618f588dbb7e] procps_uptime_sprint(72, 0, 0x2f534, 0) = 0x7d015f4223a0
[0x618f588dd201] __vsnprintf_chk(0x618f589019c0, 2048, 2, 2048) = 68
[0x618f588e00bd] strchr("top - 20:44:51 up 30 min, 3 use"..., '\n') = "\n"
[0x618f588e01f3] __snprintf_chk(0x7ffc8ef2a5e0, 512, 2, 512) = 87
[0x618f588e0300] __snprintf_chk(0x7ffc8ef2ace0, 2048, 2, 2048) = 105
[0x618f588e03c5] strcpy(0x7d015eefd010, "\033(B\033[mtop - 20:44:51 up 30 min, "...) = 0x7d015eefd010
[0x618f588e03cd] putp(0x7d015eefd010, 0x7ffc8ef2acff, 1, 9) = 0
[0x618f588e00bd] strchr("", '\n') = nil
[0x618f588dd201] __vsnprintf_chk(0x618f589019c0, 2048, 2, 2048) = 91
[0x618f588e00bd] strchr("Tasks:~3 212 ~2total,~3 1 ~2ru"..., '\n') = "\n"
[0x618f588e01f3] __snprintf_chk(0x7ffc8ef2a5d0, 512, 2, 512) = 20
[0x618f588e01f3] __snprintf_chk(0x7ffc8ef2a5d0, 512, 2, 512) = 23
[0x618f588e01f3] __snprintf_chk(0x7ffc8ef2a5d0, 512, 2, 512) = 20
[0x618f588e01f3] __snprintf_chk(0x7ffc8ef2a5d0, 512, 2, 512) = 23
[0x618f588e01f3] __snprintf_chk(0x7ffc8ef2a5d0, 512, 2, 512) = 22
参考
ltrace
ltrace
Playing with ptrace, Part I
Playing with ptrace, Part II
)
