绯荤粺璋冪敤鍦ㄦ垜浠棩甯哥殑缂栫爜涓紝鎴戜滑閫氬父浼氱紪鍐欑敤鎴风骇鐨勪唬鐮併€傚唴鏍稿鎴戜滑鏉ヨ濂藉儚鏄€忔槑鐨勶紝鎴戜滑骞舵病鏈夊幓鍏虫敞瀹冦€備絾鏄▼搴忎竴鐩村湪鍜屽唴鏍告墦浜ら亾銆傛瘮濡傝鏂囦欢鏃秗ead锛屾垨鑰呭啓鏂囦欢鏃禬rite锛岄兘浼氱粡杩囧唴鏍搞€傜敤鎴风▼搴忎笉浼氱洿鎺ュ拰纾佺洏绛夌‖浠舵墦浜ら亾锛屽洜姝や笉鑳界洿鎺ュ鏂囦欢杩涜鎿嶄綔锛屾墍浠ラ渶瑕佸唴鏍哥殑鈥渟him鈥濆眰銆傜敱浜庣敤鎴风▼搴忛渶瑕佽闂唴鏍革紝鍥犳蹇呯劧浼氭墽琛岀郴缁熻皟鐢ㄣ€傚綋瑕佹墽琛岀郴缁熻皟鐢ㄦ椂锛孋PU浼氬垏鎹㈠埌鍐呮牳鎬侊紝鎵ц绯荤粺璋冪敤鍑芥暟銆傜敱浜庡唴鏍稿疄鐜颁簡寰堝绯荤粺璋冪敤鍑芥暟锛屽唴鏍搁渶瑕佷负姣忎釜鍑芥暟鎻愪緵涓€涓爣璇嗙锛屼唬琛ㄨ璋冪敤鐨勫唴鏍稿嚱鏁帮紝涓嶅悓鐨勫唴鏍告灦鏋勭郴缁熻皟鐢ㄥ彿涓嶅悓銆傦紙寮傚父鍜屼腑鏂篃浼氬鑷碈PU鍒囨崲鍒板唴鏍告€侊紝杩欓噷涓嶅啀灞曞紑鎻忚堪銆傦級閫氬父涓€涓郴缁熻皟鐢ㄧ殑鎵ц娴佺▼濡備笅銆傜敤鎴风▼搴忚皟鐢╟搴撴垨鑰呯洿鎺ヤ娇鐢ㄨ嚜宸辩殑姹囩紪鎸囦护杩涜绯荤粺璋冪敤銆備繚瀛橀渶瑕佷紶閫掔殑鍙橀噺鍜岀郴缁熻皟鐢ㄧ殑娆℃暟銆傚湪cpu瀵勫瓨鍣ㄤ腑锛岃繘绋嬮€氳繃瀵勫瓨鍣ㄤ腑淇濆瓨鐨勭郴缁熻皟鐢ㄥ彿杩涘叆鍐呮牳鎬侊紝璇嗗埆绯荤粺鍑芥暟锛屾墽琛岀郴缁熻皟鐢ㄣ€傜郴缁熻皟鐢ㄧ粨鏉熴€傜粨鏋溿€佽繑鍥炲€煎拰鍙傛暟瀛樻斁鍦ㄥ瘎瀛樺櫒涓紝鐢ㄦ埛绋嬪簭浠庝腑鑾峰彇缁撴灉銆傛棭鏈熺殑绯荤粺璋冪敤鏄€氳繃杞腑鏂疄鐜扮殑銆傝Е鍙戯紝姣斿32浣峹86锛岀郴缁熻皟鐢ㄧ殑涓柇鍙锋槸128锛屾墍浠ヤ細瑙﹀彂杞腑鏂繘鍏ョ郴缁熻皟鐢紝閫氳繃INT0x80鎸囦护杩涘叆鍐呮牳鎬侊紝璇诲彇瀵勫瓨鍣ㄤ腑瀛樻斁鐨勫€煎苟鍦ㄧ郴缁熻皟鐢ㄨ〃涓壘鍒板搴旂殑绯荤粺璋冪敤骞舵墽琛岋紝鍥犱负浠ヨ蒋涓柇鐨勫舰寮忚Е鍙戠郴缁熻皟鐢ㄤ唬浠烽珮鏄傦紝鎵€浠ラ€愭笎閫€鍑鸿閲庯紝杞€屼娇鐢ㄦ眹缂栨寚浠YSENTER鎴朣YSCALL鐨勫舰寮忔潵瑙﹀彂绯荤粺璋冪敤锛岀浉姣旇蒋涓柇瑙﹀彂鐨勬柟寮忥紝鍑忓皯浜嗘煡璇腑鏂悜閲忕殑娆℃暟锛屽琛ㄧ瓑绯诲垪鎿嶄綔锛屾€ц兘鎻愬崌銆傛垜浠彲浠ヤ娇鐢╯trace鍛戒护鑾峰彇杩涚▼鐨勭郴缁熻皟鐢ㄣ€傚父鐢ㄧ敤娉曞涓?strace-p#鏌ョ湅鏌愪釜杩涚▼鐨勭郴缁熻皟鐢?strace#鏌ョ湅鏌愪釜甯哥敤鍛戒护鎴栬繘绋嬬殑绯荤粺璋冪敤姣斿鍐欎竴涓緢绠€鍗曠殑鎵撳嵃鍑芥暟璋冭瘯锛岋紙杩欎釜program绋嶅悗灏嗙敤浣滆璺熻釜绋嬪簭)#include#includeintmain(){for(;;){printf("pid=%dn",getpid());鐫¤锛?锛夛紱}return0;}$gcc-oprintprint.c閫氳繃strace鏌ョ湅杩涚▼锛屽彲浠ョ湅鍒扮郴缁熻皟鐢╟entos@xxxxxx:/app/gowork/stramgrpc/c$strace./printexecve("./print",["./print"],[/*51vars*/])=0......getpid()=23419fstat(1,{st_mode=S_IFCHR|0620,st_rdev=makedev(136,0),...})=0brk(NULL)=0x55e3343e2000brk(0x55e334403000)=0x55e334403000write(1,"pid=23419n",10pid=23419)=10nanosleep({2,t_sleeptv_nsec=0},0x7ffd2a()=20d37(1,"pid=23419n",10pid=23419)=10nanosleep({tv_sec=2,tv_nsec=0},^Cstrace:Process23419detachedstrace鍛戒护鏄敤C璇█瀹炵幇鐨勶紝鍩轰簬ptrace绯荤粺璋冪敤锛岀敱浜庢湇鍔″櫒绯荤粺涓嶅悓锛岀郴缁熻皟鐢ㄦ満鍒朵篃浼氱浉搴斿彂鐢熷彉鍖栵紝鎵€浠trace婧愮爜涓湁寰堝棰勫鐞嗗櫒浠g爜锛岃璧锋潵闈炲父鍚冨姏馃樀馃樀馃樀馃樀銆傜敱浜嶨olang灏佽浜嗙郴缁熻皟鐢ㄥ寘锛屽彲浠ョ洿鎺ラ€氳繃姹囩紪鎵ц绯荤粺璋冪敤锛屼篃鍙互浣跨敤Golang瀹炵幇涓€涓畝鍗曠殑ptrace宸ュ叿鏉ョ洃鎺ц繘绋嬬殑绯荤粺璋冪敤銆傝繖閲屾垜浠富瑕佸叧娉▁86_64Linux绯荤粺璋冪敤銆俻trace瑕佸疄鐜颁竴涓猵trace宸ュ叿锛岄鍏堣瀵筽trace鍋氫竴浜涗簡瑙o紝鐪嬬湅c鏍囧噯搴撶殑瀹氫箟瑙勫垯銆俵ongptrace(intrequest,pid_tpid,void*addr,void*data);ptrace闇€瑕佷紶鍏ュ洓涓弬鏁帮細pid鐢ㄤ簬浼犲叆鐩爣杩涚▼锛屽嵆瑕佽窡韪殑杩涚▼鐨刾id锛沘ddr鍜宒ata鐢ㄤ簬浼犲叆鍐呭瓨鍦板潃鍜岃拷鍔犲湴鍧€锛岄€氬父鍦ㄧ郴缁熻皟鐢ㄧ粨鏉熷悗璇诲彇浼犲叆鐨勫弬鏁拌幏鍙栫郴缁熻皟鐢ㄧ粨鏋滐紝鏍规嵁鎿嶄綔涓嶅悓浼氭湁鎵€涓嶅悓銆俽equest鐢ㄤ簬閫夋嫨涓€涓鍙锋爣蹇楋紝鍐呮牳浼氭牴鎹繖涓爣蹇楁潵鍐冲畾浣跨敤鍝釜鍐呮牳鍑芥暟鏉ユ墽琛屻€傛帴涓嬫潵锛屾垜浠皢浠嬬粛瑕佷娇鐢ㄧ殑鍏抽敭绗﹀彿鏍囧織銆俽equest鐨勫彲閫夊€糚TRACE_ATTACH鍙戝嚭闄勫姞鍒拌繘绋嬪苟寮€濮嬭窡韪殑璇锋眰锛岀浉鍙嶏紝PTRACE_DETACH鏂紑涓庤繘绋嬬殑杩炴帴骞剁粨鏉熻窡韪€傝皟鐢ㄨ鍛戒护鍚庯紝琚窡韪繘绋嬩細鍚憈racker杩涚▼鍙戦€佷俊鍙凤紝tracker杩涚▼闇€瑕佷娇鐢╳aitpid鑾峰彇淇″彿锛岃繘琛屽悗缁殑绯荤粺璋冪敤璺熻釜銆侾TRACE_SYSCALL鍙戝嚭绯荤粺璋冪敤璺熻釜鍛戒护銆備娇鐢ㄨ閫夐」鏃讹紝琚窡韪繘绋嬩細鍦ㄨ繘鍏ョ郴缁熻皟鐢ㄥ墠鎴栫粨鏉熷悗鍋滄銆傝繖鏃秚racker杩涚▼鍙互浣跨敤waitpid绯荤粺璋冪敤鎺ユ敹琚窡韪柟銆傞€氱煡锛屼互渚垮垎鏋愭鏃剁殑鍦板潃绌洪棿鍜岀郴缁熻皟鐢ㄧ浉鍏充俊鎭紱PTRACE_GETREGS鍜孭TRACE_SETREGS鐢ㄤ簬璁剧疆鍜岃鍙朇PU瀵勫瓨鍣ㄣ€傚湪x86_64Linux涓婏紝绯荤粺璋冪敤鍙峰瓨鏀惧湪orig_rax瀵勫瓨鍣ㄤ腑锛屽叾浠栧弬鏁板瓨鏀惧湪rdi銆乺si銆乺dx绛夊瘎瀛樺櫒涓紝杩斿洖鏃讹紝杩斿洖鍊煎瓨鏀惧湪rax瀵勫瓨鍣ㄤ腑锛汸TRACE_TRACEME锛氳杩涚▼鍏佽琚叾鐖惰繘绋嬭窡韪紙forstrace+commandform锛夈€?.....杩樻湁寰堝鍏朵粬鐨勪娇鐢ㄦ柟娉曘€傛湁鍏磋叮鐨勫悓瀛﹀彲浠ラ槄璇汇€婃繁鍏ョ悊瑙inux鍐呮牳涓庢灦鏋?13.3.3杩借釜绯荤粺璋冪敤銆媑o鐨勫疄鐜般€侴o鎻愪緵浜嗕竴涓猻yscall鍖咃紝鍙互鐩存帴璋冪敤姹囩紪浠g爜杩涜绯荤粺璋冪敤銆傛湰妗堜緥鍩轰簬go1.13.5鐨剆yscall鍖呫€傝瀹炵幇杩涚▼璺熻釜锛岄渶瑕佷袱涓繘绋嬶紝涓€涓槸琚窡韪€咃紙tracee锛夛紝鍙︿竴涓槸璺熻釜鍣紙tracer锛夛紝鐢ㄤ簬鎵撳嵃鍑鸿璺熻釜杩涚▼鍙戠敓鐨勭郴缁熻皟鐢ㄣ€傛垜浠娇鐢╣o鏉ュ疄鐜颁竴涓猼racer锛宼racee浣跨敤涓婇潰鐨刢浠g爜銆傝繖涓兂娉曟槸鍚姩涓€涓繘绋嬩綔涓鸿璺熻釜鐨勮繘绋嬭璺熻釜鑰呫€倀racer鐨勫疄鐜板師鐞嗛鍏堜娇鐢≒TRACE_ATTACH鏉ヨ窡韪猼racee杩涚▼锛岀劧鍚庝娇鐢╳ait绯荤粺璋冪敤鑾峰彇琚窡韪€呭彂閫佺殑淇″彿銆傛鏃秚racer杩涚▼鍜宼racee杩涚▼鍦ㄥ唴鏍镐腑寤虹珛浜嗚仈绯汇€?/go涓搴旂殑搴撳嚱鏁板涓媨...}鎺ヤ笅鏉ワ紝tracer杩涚▼閫氳繃鏃犻檺寰幆璇诲彇tracee绯荤粺璋冪敤銆傝鍙栬繘绋嬮鍏堥€氳繃PTRACE_SYSCALL绛夊緟琚窡韪繘绋嬭繘鍏ョ郴缁熻皟鐢紝閫氳繃wait绛夊緟琚窡韪繘绋嬭繘鍏ユ兂瑕佺殑鐘舵€併€傝繖鏃讹紝琚窡韪殑杩涚▼骞舵病鏈夎绯荤粺璋冪敤鎹曡幏锛岀浉褰撲簬鏆傚仠鍦ㄧ郴缁熻皟鐢ㄧ殑鍏ュ彛澶勩€?/go涓搴旂殑搴撳嚱鏁板涓媏rrerror){...}鎺ヤ笅鏉ラ€氳繃PTRACE_GETREGS鑾峰彇瀵勫瓨鍣ㄥ弬鏁帮紝鍖呮嫭绯荤粺璋冪敤鍙风瓑鍙傛暟銆俧uncPtraceGetRegs(pidint,regsout*PtraceRegs)(errerror){...}鎺ヤ笅鏉ワ紝浣跨敤鍙︿竴涓狿TRACE_SYSCALL锛屽苟绛夊緟鑾峰彇绯荤粺璋冪敤骞剁瓑寰呯郴缁熻皟鐢ㄨ繑鍥炪€傛鏃秚racee杩涚▼杩涘叆鍐呮牳鎬佹墽琛岀郴缁熻皟鐢紝绯荤粺璋冪敤杩斿洖鍚庯紝tracer杩涚▼鍗冲彲鑾峰彇杩斿洖缁撴灉锛涗娇鐢≒TRACE_GETREGS閫氳繃瀵勫瓨鍣ㄥ弬鏁拌幏鍙栬繑鍥炵粨鏋滃苟杩涘叆涓嬩竴涓惊鐜紝鍑虹幇寮傚父锛屼娇鐢≒TRACE_DETACH鏂紑璺熻釜鐘舵€佸疄鐜皌ypesyscallTask鈥嬧€媠truct{IDuint64Namestring}//x86_64涓婄殑绯荤粺璋冪敤鍙峰搴旂郴缁熻皟鐢ㄥ悕varsTask=[]syscallTask鈥嬧€媨{0,"read"},{1,"write"},{2,"open"},{3,"close"},{4,"stat"},......//鐪佺暐澶}funcmain(){//娉ㄥ唽鐘舵€佹暟鎹畍arregssyscall.PtraceRegs//绛夊緟鐘舵€乿arwsstatussyscall.WaitStatus//鍙拷韪繘绋媝idpid:=13070fmt.Println(pid)varerrerror//PTRACE_ATTACH鐨勫皝瑁咃紝浣跨敤attach杩炴帴骞惰窡韪繘绋媏rr=syscall.PtraceAttach(pid)iferr!=nil{fmt.Println(err)return}syscall.Wait4(pid,&wsstatus,0,nil)//濡傛灉寮傚父閫€鍑猴紝鍒欐柇寮€deferfunc(){//灏佽PTRACE_DETACH锛屾柇寮€trackererr=syscall.PtraceDetach(pid)iferr!=nil{fmt.Println("PtraceDetacherr:",閿欒锛夎繑鍥炶繑鍥瀩syscall.Wait4锛坧id锛?wsstatus锛?锛宯il锛墋锛?//寰幆鑾峰彇for{fmt.Println("")//绛夊緟tracee杩涘叆绯荤粺璋冪敤syscall.PtraceSyscall(pid,0)//浣跨敤wait绯荤粺璋冪敤锛屼紶鍏ョ瓑寰呯姸鎬佹寚閽坃,err:=绯荤粺璋冪敤銆俉ait4(pid,&wsstatus,0,nil)iferr!=nil{fmt.Println("line501",err)return}//濡傛灉tracee閫€鍑猴紝鎵撳嵃杩涚▼鐨勯€€鍑虹爜ifwsstatus.Exited(){fmt.Println("------閫€鍑虹姸鎬?,wsstatus.ExitStatus())returnreturn}//鏍规嵁wsstatus鍒ゆ柇tracee鏄惁鏀跺埌涓€嬧€嬫柇淇″彿锛屽閿洏ctrl+C绛?/濡傛灉鏄?濡傛灉wsstatus.StopSignal().String()=="interrupt"{syscall.PtraceSyscall(pid,int(wsstatus.StopSignal()))fmt.Println("sendinterruptsigtopid")//printtraceeExitcodefmt.Println("------exitstatus",wsstatus.ExitStatus())returnreturn}//灏佽PTRACE_GETREGS锛岃幏鍙栧瘎瀛樺櫒鏁版嵁淇濆瓨鍦╮egs涓璭rr=syscall.PtraceGetRegs(pid,®s)iferr!=nil{fmt.Println("PtraceGetRegserr:",err.Error())return}//鎵撳嵃绯荤粺璋冪敤鍚嶇Оfmt.Println("insyscall:",sTask[regs.Orig_rax].濮撳悕锛?/娆′袱缁凱TRACE_SYSCALL鍜寃aitpid锛岀瓑寰卼racee绯荤粺璋冪敤杩斿洖//鐢ㄤ簬鑾峰彇绯荤粺璋冪敤杩斿洖鍚庣殑鍙傛暟syscall.PtraceSyscall(pid,0)_,err=syscall.Wait4(pid,&wsstatus,0,nil)iferr!=nil{fmt.Println("line518",err)return}//濡傛灉tracee閫€鍑猴紝鎵撳嵃杩涚▼鐨勯€€鍑虹爜ifwsstatus.Exited(){fmt.Println("------exitstatus",wsstatus.ExitStatus())return}//鍚屼笂锛屽垽鏂繘绋嬫槸鍚﹁淇″彿涓柇ifwsstatus.StopSignal().String()=="interrupt"{syscall.PtraceSyscall(pid,int(wsstatus.StopSignal()))fmt銆侾rintln("sendinterruptsigtopid")fmt.Println("------exitstatus",wsstatus.ExitStatus())}//鑾峰彇杩斿洖鐨勫瘎瀛樺櫒鐘舵€乪rr=syscall.PtraceGetRegs(pid,®s)iferr!=nil{fmt.Println("PtraceGetRegserr:",err.Error())return}//鎵撳嵃瀵勫瓨鍣ㄤ腑淇濆瓨鐨勮繑鍥炲€煎弬鏁癴mt.Println("syscallreturn:",regs.Rax)}use杩欎釜鐢ㄤ緥娴嬭瘯涓婇潰鐨刣emo$./print$gobuild-ogostracemain.go$sudo./gostraceoutput:centos@XXXXXXX:/app/gowork/gostraces#sudo./gostrace20533insyscall:restart_syscallsyscallreturn:0insyscall:getpidsyscallreturn:20533insyscall:writesyscallreturn:10insyscall:nanosleepsyscallreturn:0insyscall:getpidsyscallreturn:20533#杩欓噷ctrl+c涓柇涓婇潰鐨勬墦鍗拌繃绋?sendto-exitstatus-1PrtraceDetach杩欐牱鐨勮繃绋嬫瘮杈冮€氳繃strace鑾峰緱鐨勭郴缁熻皟鐢╣uozhaocoder@guozhaocoder-PC:/app/GoWork/stramgrpc$sudostrace-p27579strace:Process27579attachedrestart_syscall(<...resuminginterruptednanosleep...>)=0getpid()=27579write(1,"pid=27579\n",10)=10nanosleep({tv_sec=2,tv_nsec=0},0x7ffeda284d00)=0getpid()=27579write(1,"pid=27579\n",10)=10nanosleep锛坽tv_sec=2锛宼v_nsec=0}锛寋tv_sec=1锛宼v_nsec=173442353}锛?锛烢RESTART_RESTARTBLOCK(Interruptedbysignal)---SIGINT{si_signo=SIGINT,si_code=SI_KERNEL}---+++killedbySIGINT+++鍙互鐪嬪埌鏈€绠€鍗曠増strace鐨勯鏈熷姛鑳藉凡缁忓疄鐜颁簡銆備笌strace鐩告瘮灏戜簡涓€涓郴缁熻皟鐢ㄥ弬鏁帮紝浼犻€掑弬鏁扮殑鍑芥暟闇€瑕佸叿浣撳埌绯荤粺璋冪敤璇诲彇瀵勫瓨鍣ㄤ腑鐨勬暟鎹紝鏈夊叴瓒g殑鍚屽鍙互鑰冭檻瀹炵幇浠ヤ笅鍙傝€冩枃绔犮€婃繁鍏ョ悊瑙inux鍐呮牳涓庢灦鏋勩€婥hapter13SystemCall銆婃繁鍏ョ悊瑙inux鍐呮牳銆婥hapter10SystemCall
