82 lines
4.4 KiB
Plaintext
82 lines
4.4 KiB
Plaintext
The following is a demonstration of the lastwords command,
|
|
|
|
|
|
Here we run lastwords to catch syscalls from processes named "bash" as they
|
|
exit,
|
|
|
|
# ./lastwords bash
|
|
Tracing... Waiting for bash to exit...
|
|
1091567219163679 1861 bash sigaction 0 0
|
|
1091567219177487 1861 bash sigaction 0 0
|
|
1091567219189692 1861 bash sigaction 0 0
|
|
1091567219202085 1861 bash sigaction 0 0
|
|
1091567219214553 1861 bash sigaction 0 0
|
|
1091567219226690 1861 bash sigaction 0 0
|
|
1091567219238786 1861 bash sigaction 0 0
|
|
1091567219251697 1861 bash sigaction 0 0
|
|
1091567219265770 1861 bash sigaction 0 0
|
|
1091567219294110 1861 bash gtime 42a7c194 0
|
|
1091567219428305 1861 bash write 5 0
|
|
1091567219451138 1861 bash setcontext 0 0
|
|
1091567219473911 1861 bash sigaction 0 0
|
|
1091567219516487 1861 bash stat64 0 0
|
|
1091567219547973 1861 bash open64 4 0
|
|
1091567219638345 1861 bash write 5 0
|
|
1091567219658886 1861 bash close 0 0
|
|
1091567219689094 1861 bash open64 4 0
|
|
1091567219704301 1861 bash fstat64 0 0
|
|
1091567219731796 1861 bash read 2fe 0
|
|
1091567219745541 1861 bash close 0 0
|
|
1091567219768536 1861 bash lwp_sigmask ffbffeff 0
|
|
1091567219787494 1861 bash ioctl 0 0
|
|
1091567219801338 1861 bash setpgrp 6a3 0
|
|
1091567219814067 1861 bash ioctl 0 0
|
|
1091567219825791 1861 bash lwp_sigmask ffbffeff 0
|
|
1091567219847778 1861 bash setpgrp 0 0
|
|
TIME PID EXEC SYSCALL RETURN ERR
|
|
|
|
In another window, a bash shell was executed and then exited normally. The
|
|
last few system calls that the bash shell made can be seen above.
|
|
|
|
|
|
|
|
|
|
In the following example we moniter the exit of bash shells again, but this
|
|
time the bash shell sends itself a "kill -8",
|
|
|
|
# ./lastwords bash
|
|
Tracing... Waiting for bash to exit...
|
|
1091650185555391 1865 bash sigaction 0 0
|
|
1091650185567963 1865 bash sigaction 0 0
|
|
1091650185580316 1865 bash sigaction 0 0
|
|
1091650185592381 1865 bash sigaction 0 0
|
|
1091650185605046 1865 bash sigaction 0 0
|
|
1091650185618451 1865 bash sigaction 0 0
|
|
1091650185647663 1865 bash gtime 42a7c1e7 0
|
|
1091650185794626 1865 bash kill 0 0
|
|
1091650185836941 1865 bash lwp_sigmask ffbffeff 0
|
|
1091650185884145 1865 bash stat64 0 0
|
|
1091650185916135 1865 bash open64 4 0
|
|
1091650186005673 1865 bash write b 0
|
|
1091650186025782 1865 bash close 0 0
|
|
1091650186052002 1865 bash open64 4 0
|
|
1091650186067538 1865 bash fstat64 0 0
|
|
1091650186094289 1865 bash read 309 0
|
|
1091650186108086 1865 bash close 0 0
|
|
1091650186129965 1865 bash lwp_sigmask ffbffeff 0
|
|
1091650186149092 1865 bash ioctl 0 0
|
|
1091650186162614 1865 bash setpgrp 6a3 0
|
|
1091650186175457 1865 bash ioctl 0 0
|
|
1091650186187206 1865 bash lwp_sigmask ffbffeff 0
|
|
1091650186209514 1865 bash setpgrp 0 0
|
|
1091650186225307 1865 bash sigaction 0 0
|
|
1091650186238832 1865 bash getpid 749 0
|
|
1091650186260149 1865 bash kill 0 0
|
|
1091650186277925 1865 bash setcontext 0 0
|
|
TIME PID EXEC SYSCALL RETURN ERR
|
|
|
|
The last few system calls are different, we can see the kill system call
|
|
before bash exits.
|
|
|
|
|