About systemcall #2945

skandbug · 2023-03-31T13:13:09Z

skandbug
Mar 31, 2023

Tracee is a great tool. But I don't know how to get the system calls that the program runs through her.
e.g.,:
ls command's: execve,brk,arch_prctl,mmap....

geyslan · 2023-03-31T13:20:04Z

geyslan
Mar 31, 2023
Maintainer

Tracee is a great tool.

@skandbug Thanks for loving tracee.

But I don't know how to get the system calls that the program runs through her. e.g.,: ls command's: execve,brk,arch_prctl,mmap....

Please, try like this:

sudo ./dist/tracee -f comm=ls -f e=brk,arch_prctl,mmap

And running ls in other terminal tracee will output this:

TIME             UID    COMM             PID     TID     RET              EVENT                     ARGS
10:15:38:238468  1000   ls               476785  476785  94688011005952   brk                       addr: 0x0
10:15:38:238577  1000   ls               476785  476785  -22              arch_prctl                option: 12289, addr: 140721550348768
10:15:38:238664  1000   ls               476785  476785  140329938677760  mmap                      addr: 0x0, length: 171339, prot: PROT_READ, flags: 2, fd: 3, off: 0
10:15:38:238723  1000   ls               476785  476785  140329938669568  mmap                      addr: 0x0, length: 8192, prot: PROT_READ|PROT_WRITE, flags: 34, fd: -1, off: 0
10:15:38:238743  1000   ls               476785  476785  140329938620416  mmap                      addr: 0x0, length: 45128, prot: PROT_READ, flags: 2050, fd: 3, off: 0
10:15:38:238756  1000   ls               476785  476785  140329938632704  mmap                      addr: 0x7fa11c24c000, length: 20480, prot: PROT_READ|PROT_EXEC, flags: 2066, fd: 3, off: 12288
10:15:38:238792  1000   ls               476785  476785  140329938653184  mmap                      addr: 0x7fa11c251000, length: 8192, prot: PROT_READ, flags: 2066, fd: 3, off: 32768
10:15:38:238815  1000   ls               476785  476785  140329938661376  mmap                      addr: 0x7fa11c253000, length: 8192, prot: PROT_READ|PROT_WRITE, flags: 2066, fd: 3, off: 36864
10:15:38:238875  1000   ls               476785  476785  140329936625664  mmap                      addr: 0x0, length: 1994096, prot: PROT_READ, flags: 2050, fd: 3, off: 0
10:15:38:238890  1000   ls               476785  476785  140329936764928  mmap                      addr: 0x7fa11c084000, length: 1417216, prot: PROT_READ|PROT_EXEC, flags: 2066, fd: 3, off: 139264
10:15:38:238921  1000   ls               476785  476785  140329938182144  mmap                      addr: 0x7fa11c1de000, length: 360448, prot: PROT_READ, flags: 2066, fd: 3, off: 1556480
10:15:38:238943  1000   ls               476785  476785  140329938542592  mmap                      addr: 0x7fa11c236000, length: 24576, prot: PROT_READ|PROT_WRITE, flags: 2066, fd: 3, off: 1916928
10:15:38:238973  1000   ls               476785  476785  140329938567168  mmap                      addr: 0x7fa11c23c000, length: 52592, prot: PROT_READ|PROT_WRITE, flags: 50, fd: -1, off: 0
10:15:38:239033  1000   ls               476785  476785  140329936613376  mmap                      addr: 0x0, length: 12288, prot: PROT_READ|PROT_WRITE, flags: 34, fd: -1, off: 0
10:15:38:239051  1000   ls               476785  476785  0                arch_prctl                option: 4098, addr: 140329936615232
10:15:38:239482  1000   ls               476785  476785  94688011005952   brk                       addr: 0x0
10:15:38:239492  1000   ls               476785  476785  94688011141120   brk                       addr: 0x561e4544c000
10:15:38:239535  1000   ls               476785  476785  140329932029952  mmap                      addr: 0x0, length: 3061808, prot: PROT_READ, flags: 2, fd: 3, off: 0

For more see: https://aquasecurity.github.io/tracee/dev/docs/filters/filtering/

Closing as not an issue, but feel free to ask.

0 replies

skandbug · 2023-03-31T13:28:17Z

skandbug
Mar 31, 2023
Author

However, if you trace an executable program, the system calls are not fixed.
How do we get the sequence of system calls for an application?

0 replies

yanivagman · 2023-03-31T14:26:07Z

yanivagman
Mar 31, 2023
Maintainer

@skandbug you can use the "syscalls" set to get what you want, simply add the following filter:
-f set=syscalls

23 replies

skandbug May 7, 2023
Author

Such as tracking programs running in docker containers (e.g, browsers), Android apps running in lcx containers.

skandbug May 7, 2023
Author

https://aquasecurity.github.io/tracee/v0.14/classic-docs/docs/integrating/container-engines/

See the support for containers here.
But I don't know how the lxc container is supported, please tell me.

rafaeldtinoco May 8, 2023

lxc/lxd containers aren't supported (just as regular OS processes) for now.

skandbug May 13, 2023
Author

Thanks!

skandbug May 13, 2023
Author

Such as: strace ls -l | grep *.log
When strace initiates a trace, it will execute the target command ls -l | grep *.log.
In the powerful tracee, do we provide a similar function.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

About systemcall #2945

{{title}}

Replies: 3 comments 23 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

Select a reply

About systemcall #2945

skandbug Mar 31, 2023

Replies: 3 comments · 23 replies

geyslan Mar 31, 2023 Maintainer

skandbug Mar 31, 2023 Author

yanivagman Mar 31, 2023 Maintainer

skandbug May 7, 2023 Author

skandbug May 7, 2023 Author

rafaeldtinoco May 8, 2023

skandbug May 13, 2023 Author

skandbug May 13, 2023 Author

skandbug
Mar 31, 2023

Replies: 3 comments 23 replies

geyslan
Mar 31, 2023
Maintainer

skandbug
Mar 31, 2023
Author

yanivagman
Mar 31, 2023
Maintainer

skandbug May 7, 2023
Author

skandbug May 7, 2023
Author

skandbug May 13, 2023
Author

skandbug May 13, 2023
Author