Claudio Fontana (deleted)
TraceEvent: detecting fork/exec and spawn idiomatic sequences
10/20/2018 5:42 AM
Hi all,
I am trying to detect process creation and process "renames", in particular looking at the fork/exec and spawn sequences from a POSIX perspective.
When looking at the PROCESS class of events I am seeing the following when running a command on the shell (in this case the command "cat"):
t:0x54f21c6ce18 CPU:01 PROCESS :PROCCREATE ppid:483347 pid:1064985
t:0x54f21d07a5b CPU:01 PROCESS :PROCCREATE_NAME ppid:483347 pid:1064985 name:bin/sh
t:0x54f21dc5a56 CPU:01 PROCESS :PROCCREATE ppid:1064985 pid:1064986
t:0x54f21f2d4ca CPU:01 PROCESS :PROCCREATE_NAME ppid:483347 pid:1064985 name:proc/boot/cat
t:0x54f21f2ed36 CPU:01 PROCESS :PROCDESTROY ppid:1064985 pid:1064986
Can I rely on this sequence to represent the usual fork()/exec() pattern? Is it the same in the case of spawn()?
I noticed in particular that the first PROCCREATE_NAME seems to correspond to a fork(), as the name of the new process matches the parent shell bin/sh, which is shown in the "initial state" sequence of pseudo-PROCCREATE_NAME events as bin/sh.
The second PROCCREATE_NAME differs from the preceding PROCCREATE in pid and ppid.
The second PROCCREATE seems to refer to a "dummy" process, which is destroyed just after its creation, while the second PROCCREATE_NAME seems to refer to the first pid, and thus I map this to "exec()".
Am I looking at this correctly? Is this always the case that this sequence is followed for the creation of new processes?
Thank you as always for your helpful comments,
Claudio
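As an added illustration (not part of the original post, and not QNX's own tooling), the script below parses the five PROCESS-class lines quoted above and replays them into a small process table, applying the interpretation the post proposes as a heuristic: the first PROCCREATE_NAME seen for a pid is the image it starts with (the fork() child inheriting the parent's name), a later PROCCREATE_NAME for an already-named pid is treated as an exec() rename, and a pid that is destroyed without ever being named is reported as a short-lived helper. The regular expression, the record shapes and the "unnamed helper" label are assumptions made for this example; whether the interpretation holds for spawn() is exactly the open question in the post, so the code only encodes it, it does not confirm it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the PROCESS-class lines quoted in the post.
SAMPLE_TRACE = """\
t:0x54f21c6ce18 CPU:01 PROCESS :PROCCREATE ppid:483347 pid:1064985
t:0x54f21d07a5b CPU:01 PROCESS :PROCCREATE_NAME ppid:483347 pid:1064985 name:bin/sh
t:0x54f21dc5a56 CPU:01 PROCESS :PROCCREATE ppid:1064985 pid:1064986
t:0x54f21f2d4ca CPU:01 PROCESS :PROCCREATE_NAME ppid:483347 pid:1064985 name:proc/boot/cat
t:0x54f21f2ed36 CPU:01 PROCESS :PROCDESTROY ppid:1064985 pid:1064986
"""

# Assumed line layout, derived only from the lines above.
LINE_RE = re.compile(
    r"t:(?P<t>0x[0-9a-fA-F]+)\s+CPU:(?P<cpu>\d+)\s+PROCESS\s+:(?P<ev>\w+)"
    r"\s+ppid:(?P<ppid>\d+)\s+pid:(?P<pid>\d+)(?:\s+name:(?P<name>\S+))?"
)


@dataclass
class Event:
    t: int            # timestamp, parsed from the hex "t:" field
    ev: str           # PROCCREATE, PROCCREATE_NAME or PROCDESTROY
    ppid: int
    pid: int
    name: Optional[str]


def parse_trace(text: str) -> List[Event]:
    """Turn raw trace lines into Event objects; non-PROCESS lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(int(m["t"], 16), m["ev"], int(m["ppid"]),
                            int(m["pid"]), m["name"]))
    return events


Record = Tuple[str, int, int, Optional[str]]   # (kind, pid, ppid, detail)


def reconstruct(events: List[Event]) -> List[Record]:
    """Replay events into a process table and emit high-level records.

    Heuristic (the post's interpretation, assumed here, not verified):
      create          - PROCCREATE registers pid under ppid
      name            - first PROCCREATE_NAME for a pid: its starting image
      exec            - later PROCCREATE_NAME for a named pid: image replaced
      destroy-unnamed - PROCDESTROY of a pid that never received a name
      destroy         - PROCDESTROY of a named pid
    """
    table = {}      # pid -> {"ppid": int, "name": Optional[str]}
    records: List[Record] = []
    for e in events:
        if e.ev == "PROCCREATE":
            table[e.pid] = {"ppid": e.ppid, "name": None}
            records.append(("create", e.pid, e.ppid, None))
        elif e.ev == "PROCCREATE_NAME":
            entry = table.setdefault(e.pid, {"ppid": e.ppid, "name": None})
            if entry["name"] is None:
                records.append(("name", e.pid, e.ppid, e.name))
            else:
                records.append(("exec", e.pid, e.ppid,
                                f'{entry["name"]} -> {e.name}'))
            entry["name"] = e.name
        elif e.ev == "PROCDESTROY":
            entry = table.pop(e.pid, None)
            unnamed = entry is not None and entry["name"] is None
            records.append(("destroy-unnamed" if unnamed else "destroy",
                            e.pid, e.ppid, None))
    return records


def fork_exec_pairs(records: List[Record]) -> List[Tuple[int, str, str]]:
    """List (pid, old_image, new_image) for every pid that was renamed,
    i.e. the candidates for a fork()-then-exec() sequence under the heuristic."""
    pairs = []
    for kind, pid, _ppid, detail in records:
        if kind == "exec" and detail is not None:
            old, new = detail.split(" -> ", 1)
            pairs.append((pid, old, new))
    return pairs


if __name__ == "__main__":
    recs = reconstruct(parse_trace(SAMPLE_TRACE))
    for r in recs:
        print(r)
    print("fork/exec candidates:", fork_exec_pairs(recs))
```

Run against the sample, the replay yields one "exec" record for pid 1064985 (bin/sh -> proc/boot/cat) and flags pid 1064986 as created and destroyed without ever being named, which is the "dummy" process the post describes. To check the spawn() question, feed the same parser a trace captured around a spawn() call and compare whether the rename and the unnamed helper still appear.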