Trace system calls (syscalls)

python-ptrace can trace system calls using the PTRACE_SYSCALL request: the traced process is stopped once when it enters a syscall and once when it returns from it, so both the arguments and the result can be read.

PtraceSyscall

The ptrace.syscall module contains the PtraceSyscall class: it decodes a Linux syscall (name, arguments, result) much like the strace program does.

Example:

connect(5, <sockaddr_in sin_family=AF_INET, sin_port=53, sin_addr=212.27.54.252>, 28) = 0
open('/usr/lib/i686/cmov/libcrypto.so.0.9.8', 0, 0 <read only>) = 4
mmap2(0xb7e87000, 81920, 3, 2066, 4, 297) = 0xb7e87000
rt_sigaction(SIGWINCH, 0xbfb7d4a8, 0xbfb7d41c, 8) = 0

You can also get more detail for each call: the result type, the address of each argument, and the argument types and names.

Examples:

long open(const char* filename='/usr/lib/i686/cmov/libcrypto.so.0.9.8' at 0xb7efc027, int flags=0, int mode=0 <read only>) = 4
long fstat64(unsigned long fd=4, struct stat* buf=0xbfa46e2c) = 0
long set_robust_list(struct robust_list_head* head=0xb7be5710, size_t len_ptr=12) = 0
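The tracing loop behind the output above, as an added example that is not code from python-ptrace or its strace.py: it starts a child under PtraceDebugger, resumes it with process.syscall() (PTRACE_SYSCALL) so it stops at every syscall entry and exit, turns each stop into a PtraceSyscall through syscall_state.event(), and prints it with format(). On top of that it keeps a small audit of the paths and connect() calls seen, the kind of reduced view the --filename and --socketcall filters of strace.py give. SyscallAudit, FILE_SYSCALLS, NETWORK_SYSCALLS, PATH_ARGUMENT_NAMES and unquote are this example's own names; the attributes read from the decoded call (name, arguments, result, and each argument's name and getText()) follow python-ptrace's FunctionCall/FunctionArgument classes and are assumed here rather than shown on this page.

```python
#!/usr/bin/env python3
"""Cut-down strace.py on python-ptrace's PTRACE_SYSCALL support, plus an audit.

Added example, not code from python-ptrace. Public API used: PtraceDebugger,
createChild, PtraceProcess.syscall()/syscall_state, PtraceSyscall.format().
SyscallAudit and the name sets below are this example's own.
"""
import sys
from collections import Counter

# Syscalls whose path argument is recorded; argument names follow python-ptrace's
# SYSCALL_PROTOTYPES (e.g. open(const char* filename, ...)). Assumption: a
# hand-picked subset, not the full ptrace.syscall.FILENAME_ARGUMENTS table.
FILE_SYSCALLS = {"open", "openat", "execve", "access", "stat", "lstat",
                 "readlink", "unlink", "chdir"}
PATH_ARGUMENT_NAMES = {"filename", "pathname", "path"}
# On i386 the socketcall multiplexer is split into these names by
# FunctionCallOptions(replace_socketcall=True), which is the default.
NETWORK_SYSCALLS = {"socket", "connect", "bind", "listen", "accept",
                    "accept4", "sendto", "recvfrom"}


def unquote(text):
    """python-ptrace renders C strings as 'quoted'; return the bare string."""
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "'\"":
        return text[1:-1]
    return text


class SyscallAudit:
    """What a trace is usually read for: counts, failures, paths, sockets."""

    def __init__(self):
        self.counts = Counter()
        self.failures = Counter()  # calls that returned -errno
        self.files = []            # paths passed to FILE_SYSCALLS
        self.network = []          # (name, [argument texts], result)

    def record(self, name, args, result):
        """One completed syscall: name, [(argname, text)], int result or None."""
        self.counts[name] += 1
        if result is not None and result < 0:
            self.failures[name] += 1
        if name in FILE_SYSCALLS:
            self.files.extend(unquote(t) for n, t in args if n in PATH_ARGUMENT_NAMES)
        if name in NETWORK_SYSCALLS:
            self.network.append((name, [t for _, t in args], result))

    def summary(self):
        return {"total": sum(self.counts.values()),
                "failed": sum(self.failures.values()),
                "unique_files": sorted(set(self.files)),
                "connects": [n for n in self.network if n[0] == "connect"]}


def trace(arguments, audit, only=None, show=True):
    """Run `arguments` under PTRACE_SYSCALL, print each call like strace.py does.

    `only` (a set of syscall names) is applied through SyscallState.ignore_callback,
    so other syscalls are never decoded, the way --socketcall filters in strace.py.
    Imports are deferred so the audit helpers load without python-ptrace.
    """
    from ptrace.debugger import PtraceDebugger, ProcessExit, ProcessSignal
    from ptrace.debugger.child import createChild
    from ptrace.func_call import FunctionCallOptions
    from ptrace.tools import locateProgram

    arguments[0] = locateProgram(arguments[0])
    options = FunctionCallOptions(write_types=True, write_argname=True)
    debugger = PtraceDebugger()
    pid = createChild(arguments, False)          # second argument: no_stdout
    process = debugger.addProcess(pid, is_attached=True)
    if only is not None:
        process.syscall_state.ignore_callback = lambda sc: sc.name not in only
    process.syscall()                            # resume until next syscall stop
    while debugger:                              # false once all tracees exited
        try:
            event = debugger.waitSyscall()
        except ProcessExit as event:
            print("--- pid %s exited, code=%s ---" % (event.process.pid, event.exitcode))
            continue
        except ProcessSignal as event:
            event.process.syscall(event.signum)  # forward the signal, keep tracing
            continue
        proc = event.process
        # event() returns the PtraceSyscall at entry (result None) and at exit.
        syscall = proc.syscall_state.event(options)
        if syscall is not None and syscall.result is not None:
            if show:
                print(syscall.format())
            audit.record(syscall.name,
                         [(a.name, a.getText()) for a in syscall.arguments],
                         syscall.result)
        proc.syscall()
    debugger.quit()
    return audit


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: %s program [args...]" % sys.argv[0])
    report = trace(list(sys.argv[1:]), SyscallAudit()).summary()
    print("%d syscalls, %d failed" % (report["total"], report["failed"]))
    for path in report["unique_files"]:
        print("  file:", path)
    for name, args, res in report["connects"]:
        print("  %s(%s) = %s" % (name, ", ".join(args), res))
```

Run it as root or with ptrace permitted (Yama ptrace_scope allows tracing your own children by default), e.g. `./trace_audit.py /bin/ls`. Passing `only=NETWORK_SYSCALLS` reproduces the --socketcall view; because filtering happens in ignore_callback, ignored calls are not decoded at all, which keeps the per-stop cost low when tracing a busy process.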

strace.py

The strace.py program is very close to the strace program: it displays the syscalls made by a program.

Features

  • Nice output of signals: see the signal page (python-ptrace signal handling)
  • Supports multiple processes
  • Can trace running process
  • Can display arguments name, type and address
  • Option --filename to show only syscall using file names
  • Option --socketcall to show only syscall related to network (socket usage)
  • Option --syscalls to list all known syscalls

Example

$ ./strace.py /bin/ls
execve(/bin/ls, ['/bin/ls'], [/* 40 vars */]) = 756
brk(0)                                   = 0x0805c000
access('/etc/ld.so.nohwcap', 0)          = -2 (No such file or directory)
mmap2(NULL, 8192, 3, 34, -1, 0)          = 0xb7f56000
access('/etc/ld.so.preload', 4)          = -2 (No such file or directory)
(...)
close(1)                                 = 0
munmap(0xb7c5c000, 4096)                 = 0
exit_group(0)
---done---

Options

The program has many options. Example with --socketcall (display only network-related syscalls):

$ ./strace.py --socketcall nc localhost 8080
execve(/bin/nc, ['/bin/nc', 'localhost', '8080'], [/* 40 vars */]) = 12948
socket(AF_FILE, SOCK_STREAM, 0)          = 3
connect(3, <sockaddr_un sun_family=AF_FILE, sun_path=/var/run/nscd/socket>, 110) = -2 (No such file or directory)
socket(AF_FILE, SOCK_STREAM, 0)          = 3
connect(3, <sockaddr_un sun_family=AF_FILE, sun_path=/var/run/nscd/socket>, 110) = -2 (No such file or directory)
socket(AF_INET, SOCK_STREAM, 6)          = 3
setsockopt(3, SOL_SOCKET, SO_REUSEADDR, 3217455272L, 4) = 0
connect(3, <sockaddr_in sin_family=AF_INET, sin_port=8080, sin_addr=127.0.0.1>, 16) = -111 (Connection refused)
(...)