How to log every instruction and change in memory in any process
I read here this:

> Falco depends on a kernel module that taps into the stream of system calls on a machine and passes those system calls to user space.

(Emphasis mine).
That hints at the possibility of logging arbitrary instruction invocations from arbitrary processes (but not quite), which is what I would like to know how to do.
I've been recommended ptrace/strace/dtrace/gdb (I have a Mac), but I would like to know what low-level, probably kernel-level feature I could write a kernel module for that would log any process already running in the background on my machine. In the same way that `ps` lists the running processes, and `top` keeps an updated panel of them with some stats, I would like to basically control a process completely. That is, given pid `123`, I would do `pause 123` or `step 123` to pause or make one step in the program, and then `inspect 123` to look at the complete memory layout of the computer to see what the memory is that has changed. All of this without ptrace/dtrace/strace/gdb.
This is probably a broad topic, but I would like to be pointed to the right area on where to look for more information. Specifically this seems like it could be a kernel module, and so access some features exposed by the kernel API. I'm not sure though if this is technically possible (to watch any process from the outside, at any time, and control its evaluation), or if any part of this is possible. I would first like to know what parts of this are/aren't possible, and then where I can look for more information.
The few tutorials on `gdb` I've seen all want you to run/invoke your program/script with `gdb` directly, as in `gdb myscript`. That makes sense how it could get access to the stepping/pausing/etc. behaviors of the program. But I would like to go further than that. Instead of requiring your program (like gdb) to invoke the program directly, it works by attaching to a program already running in the background. And then, just by attaching to the program from the outside, it allows you to pause/step/inspect/etc. Not sure if this is possible. But this way I could inspect the daemons and other things my computer is doing from the get go.
Tags: kernel, process
asked 6 mins ago by user10869858
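The attach-from-outside workflow the question describes (pause, step, inspect memory of a process that is already running), as an added example that is not part of the original post: on Linux the kernel facility that gdb itself builds on for this is ptrace(2), so no kernel module is needed. The busy child process, the 10 ms start-up delay and the 1000-step count are constructed for the demo; it assumes Linux with ptrace permitted for your own descendants (Yama `ptrace_scope` 0 or 1), and it will not build on macOS, whose ptrace exposes a much smaller request set.

```c
/* Added example (not from the original post). On Linux the kernel facility
 * gdb builds on to pause/step/inspect an already-running process is ptrace(2);
 * no kernel module needed. Linux-only; assumes Yama ptrace_scope <= 1. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed target: the forked child keeps this global at the same
 * virtual address, so the tracer knows where to peek. */
static volatile long counter;

/* Attach to pid, read counter, single-step 'steps' instructions, read it
 * again, detach. Returns the number of steps completed, or -1 on error. */
static int trace_running_process(pid_t pid, int steps, long *before, long *after)
{
    int status, done = 0;
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1)   /* "pause 123" */
        return -1;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;
    errno = 0;                                         /* "inspect 123" */
    *before = ptrace(PTRACE_PEEKDATA, pid, (void *)&counter, NULL);
    if (errno == 0) {
        for (; done < steps; done++) {                 /* "step 123" */
            if (ptrace(PTRACE_SINGLESTEP, pid, NULL, NULL) == -1) break;
            if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) break;
        }
        *after = ptrace(PTRACE_PEEKDATA, pid, (void *)&counter, NULL);
    }
    ptrace(PTRACE_DETACH, pid, NULL, NULL);            /* let it run again */
    return done;
}

/* Fork a busy child (the "already running" process), attach from outside,
 * step it, then kill it. Returns 1 if every step ran and counter changed. */
int counter_advanced_after_steps(int steps)
{
    long before = 0, after = 0;
    pid_t pid = fork();
    if (pid == 0) for (;;) counter++;                  /* the target */
    if (pid < 0) return 0;
    usleep(10000);                                     /* let it get going */
    int done = trace_running_process(pid, steps, &before, &after);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return done == steps && after > before;
}

int main(void) { return !counter_advanced_after_steps(1000); }
```

Logging every instruction and every memory change of a real daemon this way is possible but slow, since each single step is a round trip through the kernel into the tracer, which is why whole-system tools such as Falco observe at the syscall boundary instead.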