Whatfiles 是一个 Linux 工具，它可以记录其他程序在你的系统上读/写/创建/删除的文件

Whatfiles 是一个 Linux 工具，它可以记录其他程序在你的系统上读/写/创建/删除的文件

whatfiles

Whatfiles is a Linux utility that logs what files other programs read/write/create/delete on your system. It traces any new processes and threads that are created as well.

Rationale:

I've long been frustrated at the lack of a simple utility to see which files a process touches from main() to exit. Whether you don't trust a software vendor or are concerned about malware, it's important to be able to know what a program or installer does to your system. lsof only observes a moment in time and strace is large and somewhat complicated.

Sample output:

mode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-clone-tool, syscall: openat(), PID: 8566, process: gimpmode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-heal-tool, syscall: openat(), PID: 8566, process: gimpmode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-perspective-clone-tool, syscall: openat(), PID: 8566, process: gimpmode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-convolve-tool, syscall: openat(), PID: 8566, process: gimpmode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-smudge-tool, syscall: openat(), PID: 8566, process: gimpmode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-dodge-burn-tool, syscall: openat(), PID: 8566, process: gimpmode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-desaturate-tool, syscall: openat(), PID: 8566, process: gimpmode: read, file: /home/theron/.gimp-2.8/plug-ins, syscall: openat(), PID: 8566, process: gimpmode: read, file: /usr/lib/gimp/2.0/plug-ins, syscall: openat(), PID: 8566, process: gimpmode: read, file: /home/theron/.gimp-2.8/pluginrc, syscall: openat(), PID: 8566, process: gimpmode: read, file: /usr/share/locale/en_US/LC_MESSAGES/gimp20-std-plug-ins.mo, syscall: openat(), PID: 8566, process: gimpmode: read, file: /usr/lib/gimp/2.0/plug-ins/script-fu, syscall: openat(), PID: 8566, process: gimpmode: read, file: /etc/ld.so.cache, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fumode: read, file: /etc/ld.so.cache, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fumode: read, file: /usr/lib/libgimpui-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fumode: read, file: /usr/lib/libgimpwidgets-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fumode: read, file: /usr/lib/libgimpwidgets-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fumode: read, file: /usr/lib/libgimp-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fumode: read, file: /usr/lib/libgimpcolor-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu

Use:

basic use, launches ls and writes output to a log file in the current directory: $ whatfiles ls -lah ~/Documents specify output file location with -o: $ whatfiles -o MyLogFile cd .. include debug output, print to stdout rather than log file: $ whatfiles -d -s apt install zoom attach to currently running process (requires root privileges): $ sudo whatfiles -p 1234

Compilation (requires gcc and make):

$ cd whatfiles$ make$ sudo make install

Questions that could be asked at some point:

Isn't this just a reimplementation of strace -fe trace=creat,open,openat,unlink,unlinkat ./program? Yes. Though it aims to be simpler and more user friendly. Are there Mac and Windows versions? No. Tracing syscalls on Mac requires task_for_pid(), which requires code signing, which I can't get to work, and anyway I have no interest in paying Apple $100/year to write free software. Process Monitor for Windows is pretty great.

Known issues:

Tabs crash when whatfiles is used to launch Firefox. (Attaching with -p [PID] once it's running works fine, as does using whatfiles to launch a second Firefox window if one's already open.)

Thank you for your interest, and please also check out Cloaker, Nestur, and Flying Carpet!

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。