
whatfiles

Whatfiles is a Linux utility that logs what files another program reads/writes/creates/deletes on your system. It traces any new processes and threads that are created by the targeted process as well.

Rationale:

I've long been frustrated at the lack of a simple utility to see which files a process touches from main() to exit. Whether you don't trust a software vendor or are concerned about malware, it's important to be able to know what a program or installer does to your system. lsof only observes a moment in time and strace is large and somewhat complicated.

Sample output:

mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-clone-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-heal-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-perspective-clone-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-convolve-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-smudge-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-dodge-burn-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-desaturate-tool, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/plug-ins, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /usr/lib/gimp/2.0/plug-ins, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /home/theron/.gimp-2.8/pluginrc, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /usr/share/locale/en_US/LC_MESSAGES/gimp20-std-plug-ins.mo, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /usr/lib/gimp/2.0/plug-ins/script-fu, syscall: openat(), PID: 8566, process: gimp
mode:  read, file: /etc/ld.so.cache, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode:  read, file: /etc/ld.so.cache, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode:  read, file: /usr/lib/libgimpui-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode:  read, file: /usr/lib/libgimpwidgets-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode:  read, file: /usr/lib/libgimpwidgets-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode:  read, file: /usr/lib/libgimp-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode:  read, file: /usr/lib/libgimpcolor-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
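The log lines above are regular enough to post-process. As an added example (not part of the whatfiles project), here is a small Python parser for that line format that separates the noise of library reads from the writes, creates and deletes a reviewer actually cares about; the mode names other than `read` and the sample log are constructed from the README's read/write/create/delete description, not copied from real output.

```python
import re
from collections import Counter, defaultdict

# One whatfiles log line, in the layout shown in the sample output.
LINE_RE = re.compile(
    r"^mode:\s+(?P<mode>\w+), file: (?P<file>.*?), syscall: (?P<syscall>\w+)\(\), "
    r"PID: (?P<pid>\d+), process: (?P<process>.+)$"
)

# Constructed sample log (not real whatfiles output); mode names other than
# "read" are assumed from the README's read/write/create/delete description.
SAMPLE_LOG = """\
mode:  read, file: /etc/ld.so.cache, syscall: openat(), PID: 4242, process: installer
mode:  read, file: /usr/lib/libc.so.6, syscall: openat(), PID: 4242, process: installer
mode:  create, file: /home/user/.config/app/settings.ini, syscall: openat(), PID: 4242, process: installer
mode:  write, file: /home/user/.bashrc, syscall: openat(), PID: 4243, process: /bin/sh
mode:  delete, file: /tmp/setup.lock, syscall: unlinkat(), PID: 4243, process: /bin/sh
this line is not in the whatfiles format and is skipped
"""

def parse_log(text):
    """Return one dict per line that matches the whatfiles log format; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            records.append(rec)
    return records

def modified_files(records):
    """Paths touched with any mode other than read -> set of (mode, syscall, pid)."""
    out = defaultdict(set)
    for r in records:
        if r["mode"] != "read":
            out[r["file"]].add((r["mode"], r["syscall"], r["pid"]))
    return dict(out)

def mode_counts_by_process(records):
    """Per (pid, process): how many accesses of each mode, to see which child did the writing."""
    counts = defaultdict(Counter)
    for r in records:
        counts[(r["pid"], r["process"])][r["mode"]] += 1
    return dict(counts)

def files_outside(records, allowed_prefixes):
    """Non-read accesses whose path is not under any expected prefix (e.g. the app's own config dir)."""
    return sorted({r["file"] for r in records
                   if r["mode"] != "read"
                   and not any(r["file"].startswith(p) for p in allowed_prefixes)})
```

Running `files_outside` against the install target's own directories is a quick way to spot an installer that edits shell startup files or other unexpected locations.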

Use:

  • basic use, launches ls and writes output to a log file in the current directory:

    $ whatfiles ls -lah ~/Documents

  • specify output file location with -o:

    $ whatfiles -o MyLogFile cd ..

  • include debug output, print to stdout rather than log file:

    $ whatfiles -d -s apt install zoom

  • attach to currently running process (requires root privileges):

    $ sudo whatfiles -p 1234

Distribution

Ready-to-use binaries are on the releases page! Someone also kindly added it to the Arch repository, and letompouce set up a GitLab pipeline as well.

Compilation (requires gcc and make):

$ cd whatfiles
$ make
$ sudo make install

Supports x86, x86_64, ARM32, and ARM64 architectures.

Questions that could be asked at some point:

  • Isn't this just a reimplementation of strace -fe trace=creat,open,openat,unlink,unlinkat ./program?

    Yes. Though it aims to be simpler and more user friendly.

  • Are there Mac and Windows versions?

    No. Tracing syscalls on Mac requires task_for_pid(), which requires code signing, which I can't get to work, and anyway I have no interest in paying Apple $100/year to write free software. dtruss on Mac can be used to follow a single process and its children, though the -t flag seems to only accept a single syscall to filter on. fs_usage does something similar though I'm not sure if it follows child processes/threads. Process Monitor for Windows is pretty great.

Known issues:

  • Tabs crash when whatfiles is used to launch Firefox. (Attaching with -p [PID] once it's running works fine, as does using whatfiles to launch a second Firefox window if one's already open.)

Planned features:

  • None currently, open to requests and PRs.

Thank you for your interest, and please also check out Cloaker, Nestur, and Flying Carpet!


whatfiles's Issues

Small mention in the readme about 'fs_usage': macOS equivalent

It might be worth noting in the "faq" section related to macOS that it's possible to use the macOS equivalent (more or less) of the whatfiles tool, which is named fs_usage, for example:

➜  ~ sudo fs_usage | grep open
08:12:58  open              /dev/dtracehelper                                                                0.000043   xpcproxy    
08:12:58  open              private/etc/.mdns_debug                                                          0.000020   xpcproxy    
08:12:58  open              /dev/dtracehelper                                                                0.000031   sshd-keygen-
08:12:58  lstat64           /private/var/db/dslocal/nodes/Default/users/antek.plist                          0.000035   opendirector
08:12:58  open              /private/var/db/dslocal/nodes/Default/users/antek.plist                          0.000033   opendirector
08:12:58  fstat64                                                                                            0.000002   opendirector
08:12:58  mmap                                                                                               0.000024   opendirector
08:12:58  close                                                                                              0.000010   opendirector
08:12:58  lstat64           /private/var/db/dslocal/nodes/Default/users/antek.plist                          0.000039   opendirector
08:12:58  open              /private/var/db/dslocal/nodes/Default/users/antek.plist                          0.000030   opendirector
08:12:58  fstat64                                                                                            0.000002   opendirector
08:12:58  mmap                                                                                               0.000022   opendirector
08:12:58  close                                                                                              0.000008   opendirector
08:12:58  lstat64           /private/var/db/dslocal/nodes/Default/users/antek.plist                          0.000032   opendirector
08:12:58  open              /private/var/db/dslocal/nodes/Default/users/antek.plist                          0.000034   opendirector
08:12:58  fstat64                                                                                            0.000002   opendirector
08:12:58  mmap                                                                                               0.000021   opendirector
08:12:58  close                                                                                              0.000008   opendirector
08:12:58  lstat64           /private/var/db/dslocal/nodes/Default/config/shadowhash.plist                    0.000024   opendirector
08:12:58  open              /private/var/db/dslocal/nodes/Default/config/shadowhash.plist                    0.000031   opendirector
08:12:58  fstat64                                                                                            0.000002   opendirector
08:12:58  mmap                                                                                               0.000010   opendirector
08:12:58  close                                                                                              0.000005   opendirector
08:12:58  open              /Library/Managed Preferences>>>>>>>>>>>>>>>>>>>>>>>>>>>>                         0.000012   cfprefsd    
08:12:58  open              /Library/Managed Preferences>>>>>>>>>>>>>>>>>>>>>>>>>>>>                         0.000007   cfprefsd    
08:12:58  open              ot/Library/Preferences/ByHost/sshd.073E22C9-237F-51B8-B997-117E9F4B2625.plist    0.000014   cfprefsd    

It's part of the OS, so there is no need to install anything.

deletion of process from hashmap failed

On every command executed, whatfiles exits with "deletion of {process id} from hashmap failed" after successfully showing all needed information, as below:

exited 18896 at entry to syscall
deletion of 18896 from hashmap failed
all children exited

Does not compile on Raspbian (stretch) on RpI B+

pi@slade-pi-1b:~ $ uname -a
Linux slade-pi-1b 4.19.66+ #1253 Thu Aug 15 11:37:30 BST 2019 armv6l GNU/Linux
pi@slade-pi-1b:~ $ make --version
GNU Make 4.1
pi@slade-pi-1b:~ $ gcc --version
gcc (Raspbian 6.3.0-18+rpi1+deb9u1) 6.3.0 20170516
pi@slade-pi-1b:~ $ cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 9 (stretch)"
NAME="Raspbian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
VERSION_CODENAME=stretch
ID=raspbian
ID_LIKE=debian
pi@slade-pi-1b:~ $ git clone https://github.com/spieglt/whatfiles.git
...
✔ ~/whatfiles [master|✔]
20:02 $ make
gcc -Wall -o bin/whatfiles src/whatfiles.c src/attach.c src/utilities.c src/hashmap.c src/strings.c
src/whatfiles.c:22:46: warning: ‘struct user_regs_struct’ declared inside parameter list will not be visible outside of this definition or declaration
void check_syscall(pid_t current_pid, struct user_regs_struct regs, HashMap map)
^~~~~~~~~~~~~~~~
src/whatfiles.c:22:63: error: parameter 2 (‘regs’) has incomplete type
void check_syscall(pid_t current_pid, struct user_regs_struct regs, HashMap map)
^~~~
src/whatfiles.c: In function ‘step_syscall’:
src/whatfiles.c:164:29: error: storage size of ‘regs’ isn’t known
struct user_regs_struct regs;
^~~~
src/whatfiles.c:164:29: warning: unused variable ‘regs’ [-Wunused-variable]
src/utilities.c: In function ‘peek_filename’:
src/utilities.c:78:18: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
long addr = (long)p_reg;
^
Makefile:8: recipe for target 'bin/whatfiles' failed
make: *** [bin/whatfiles] Error 1
✘-2 ~/whatfiles [master|✔]

Let me know if you need any additional information.

Does not compile - multiple definition of Debug,Handle,LastSyscall and DebugStats

This is on Fedora Rawhide with gcc-10.1.1:
gcc -Wall -o bin/whatfiles src/whatfiles.c src/attach.c src/utilities.c src/hashmap.c src/strings.c
/usr/bin/ld: /tmp/ccQ3yzmx.o:(.bss+0x0): multiple definition of `DebugStats'; /tmp/ccU4Rmdu.o:(.bss+0x0): first defined here
/usr/bin/ld: /tmp/ccQ3yzmx.o:(.bss+0x8): multiple definition of `Debug'; /tmp/ccU4Rmdu.o:(.bss+0x8): first defined here
/usr/bin/ld: /tmp/ccQ3yzmx.o:(.bss+0x10): multiple definition of `Handle'; /tmp/ccU4Rmdu.o:(.bss+0x10): first defined here
/usr/bin/ld: /tmp/ccQ3yzmx.o:(.bss+0x20): multiple definition of `LastSyscall'; /tmp/ccU4Rmdu.o:(.bss+0x20): first defined here
/usr/bin/ld: /tmp/ccYoBtdu.o:(.bss+0x0): multiple definition of `DebugStats'; /tmp/ccU4Rmdu.o:(.bss+0x0): first defined here
/usr/bin/ld: /tmp/ccYoBtdu.o:(.bss+0x8): multiple definition of `Debug'; /tmp/ccU4Rmdu.o:(.bss+0x8): first defined here
/usr/bin/ld: /tmp/ccYoBtdu.o:(.bss+0x10): multiple definition of `Handle'; /tmp/ccU4Rmdu.o:(.bss+0x10): first defined here
/usr/bin/ld: /tmp/ccYoBtdu.o:(.bss+0x20): multiple definition of `LastSyscall'; /tmp/ccU4Rmdu.o:(.bss+0x20): first defined here
/usr/bin/ld: /tmp/ccUyQNjw.o:(.bss+0x0): multiple definition of `DebugStats'; /tmp/ccU4Rmdu.o:(.bss+0x0): first defined here
collect2: error: ld returned 1 exit status

The problem is that you define those variables in an include file, so everywhere that file gets included the variable is defined again. See variable definition vs. declaration here: https://stackoverflow.com/questions/19326789/variable-declaration-vs-definition.
