https://github.com/kxxt/tracexec

kxxt / tracexec
License: GPL-2.0

tracexec

A small utility for tracing execve{,at} and pre-exec behavior.

tracexec helps you figure out what programs get executed, and how, when you execute a command.

It's useful for debugging build systems, understanding what shell scripts actually do, figuring out what programs a piece of proprietary software runs, etc.

Showcases

TUI mode with pseudo terminal

In TUI mode with a pseudo terminal, you can view the details of exec events and interact with the processes within the pseudo terminal with ease.

Tracing setuid binaries

With root privileges, you can also trace setuid binaries and see how they work. Note, however, that this is not compatible with the seccomp-bpf optimization, so it is much less performant.
    sudo tracexec --user $(whoami) tui -t -- sudo ls

Nested setuid binary tracing is also possible. A real-world use case is to trace extra-x86_64-build (Arch Linux's build tool, which requires sudo).

In this real-world example, we can easily see that _FORTIFY_SOURCE is redefined from 2 to 3, which leads to a compiler error.

Log mode

In log mode, by default, tracexec prints the filename, argv, and the diff of the environment variables and file descriptors.

Example: tracexec log -- bash (in an interactive bash shell)

Reconstruct the command line with --show-cmdline

    $ tracexec log --show-cmdline --
    # example:
    $ tracexec log --show-cmdline -- firefox

Try to reproduce stdio in the reconstructed command line

--stdio-in-cmdline and --fd-in-cmdline can be used to reproduce (hopefully) the stdio used by a process. Note that the result might be inaccurate when pipes, sockets, etc. are involved.

    tracexec log --show-cmdline --stdio-in-cmdline -- bash

Show the interpreter indicated by shebang with --show-interpreter, and show the cwd with --show-cwd

    $ tracexec log --show-interpreter --show-cwd --
    # example: Running Arch Linux makepkg
    $ tracexec log --show-interpreter --show-cwd -- makepkg -f

Installation

From source

Via cargo:

    cargo install tracexec --bin tracexec

You can also install tracexec from AUR.

Binary

You can download the binary from the release page.

You can also install tracexec-bin from AUR.

Usage

General CLI help:

    A small utility for tracing execve{,at} and pre-exec behavior

    Usage: tracexec [OPTIONS]

    Commands:
      log   Run tracexec in logging mode
      tui   Run tracexec in TUI mode, stdin/out/err are redirected to /dev/null by default
      help  Print this message or the help of the given subcommand(s)

    Options:
      --color
          Control whether colored output is enabled. This flag has no effect on TUI mode.
          [default: auto] [possible values: auto, always, never]
      -C, --cwd
          Change current directory to this path before doing anything
      -u, --user
          Run as user. This option is only available when running tracexec as root
      -h, --help
          Print help
      -V, --version
          Print version

TUI Mode:

    Run tracexec in TUI mode, stdin/out/err are redirected to /dev/null by default

    Usage: tracexec tui [OPTIONS] -- ...

    Arguments:
      ...  command to be executed

    Options:
      --seccomp-bpf
          seccomp-bpf filtering option
          [default: auto] [possible values: auto, on, off]
      --successful-only
          Only show successful calls
      --fd-in-cmdline
          [Experimental] Try to reproduce file descriptors in commandline. This might result in an unexecutable cmdline if pipes, sockets, etc. are involved.
      --stdio-in-cmdline
          [Experimental] Try to reproduce stdio in commandline. This might result in an unexecutable cmdline if pipes, sockets, etc. are involved.
      --show-all-events
          Set the default filter to show all events. This option can be used in combination with --filter-exclude to exclude some unwanted events.
      --filter
          Set the default filter for events.
          [default: warning,error,exec,tracee-exit]
      --filter-include
          Aside from the default filter, also include the events specified here.
          [default: ]
      --filter-exclude
          Exclude the events specified here from the default filter.
          [default: ]
      -t, --tty
          Allocate a pseudo terminal and show it alongside the TUI
      -f, --follow
          Keep the event list scrolled to the bottom
      --terminate-on-exit
          Instead of waiting for the root child to exit, terminate when the TUI exits
      --kill-on-exit
          Instead of waiting for the root child to exit, kill when the TUI exits
      -A, --active-pane
          Set the default active pane to use when TUI launches
          [default: terminal] [possible values: terminal, events]
      -L, --layout
          Set the layout of the TUI when it launches
          [default: horizontal] [possible values: horizontal, vertical]
      -F, --frame-rate
          Set the frame rate of the TUI
          [default: 60.0]
      -h, --help
          Print help

Log Mode:

    Run tracexec in logging mode

    Usage: tracexec log [OPTIONS] -- ...

    Arguments:
      ...  command to be executed

    Options:
      --show-cmdline
          Print commandline that (hopefully) reproduces what was executed. Note: file descriptors are not handled for now.
      --show-interpreter
          Try to show script interpreter indicated by shebang
      --more-colors
          More colors
      --less-colors
          Less colors
      --diff-fd
          Diff file descriptors with the original std{in/out/err}
      --no-diff-fd
          Do not diff file descriptors
      --show-fd
          Show file descriptors
      --no-show-fd
          Do not show file descriptors
      --diff-env
          Diff environment variables with the original environment
      --no-diff-env
          Do not diff environment variables
      --show-env
          Show environment variables
      --no-show-env
          Do not show environment variables
      --show-comm
          Show comm
      --no-show-comm
          Do not show comm
      --show-argv
          Show argv
      --no-show-argv
          Do not show argv
      --show-filename
          Show filename
      --no-show-filename
          Do not show filename
      --show-cwd
          Show cwd
      --no-show-cwd
          Do not show cwd
      --decode-errno
          Decode errno values
      --no-decode-errno
      --seccomp-bpf
          seccomp-bpf filtering option
          [default: auto] [possible values: auto, on, off]
      --successful-only
          Only show successful calls
      --fd-in-cmdline
          [Experimental] Try to reproduce file descriptors in commandline. This might result in an unexecutable cmdline if pipes, sockets, etc. are involved.
      --stdio-in-cmdline
          [Experimental] Try to reproduce stdio in commandline. This might result in an unexecutable cmdline if pipes, sockets, etc. are involved.
      --show-all-events
          Set the default filter to show all events. This option can be used in combination with --filter-exclude to exclude some unwanted events.
      --filter
          Set the default filter for events.
          [default: warning,error,exec,tracee-exit]
      --filter-include
          Aside from the default filter, also include the events specified here.
          [default: ]
      --filter-exclude
          Exclude the events specified here from the default filter.
          [default: ]
      -o, --output
          Output, stderr by default. A single hyphen '-' represents stdout.
      -h, --help
          Print help

The recommended way to use tracexec is to create an alias with your favorite options in your bashrc:

    alias tracex='tracexec log --show-cmdline --show-interpreter --show-children --show-filename --'
    alias txtui='tracexec tui -t --'
    # Now you can use
    tracex
    txtui

Known issues

* Non UTF-8 strings are converted to UTF-8 in a lossy way, which means that the output may be inaccurate.
* The output is not stable yet, which means that the output may change in the future.
* Test coverage is not good enough.
* The pseudo terminal can't pass through certain key combinations and terminal features.

Origin

This project was born out of the need to trace the execution of programs.

Initially I simply used strace -Y -f -qqq -s99999 -e trace=execve,execveat. But the output is still too verbose, so that's why I created this project.

Credits

This project takes inspiration from strace and lurk.

Releases: 21 (latest v0.1.0, May 8, 2024). Languages: Rust 99.1%, Other 0.9%.
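The command-line reconstruction that --show-cmdline and the environment diff describe, as an added example (not code from tracexec or from this page): it turns one exec event into a line that is safe to paste into a shell. The `Env` model, the function names, the sample event and the choice of `env -u NAME` / `NAME=value` to express the diff are assumptions made for illustration.

```rust
use std::collections::BTreeMap;

type Env = BTreeMap<String, String>;

/// Build an environment map from constructed sample pairs.
fn env_of(pairs: &[(&str, &str)]) -> Env {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

/// Quote one word for a POSIX shell so that pasting the reconstructed line
/// never evaluates traced data such as `$(...)`, globs or embedded quotes.
fn sh_quote(word: &str) -> String {
    let safe = |c: char| c.is_ascii_alphanumeric() || "_-./=:,+@%".contains(c);
    if !word.is_empty() && word.chars().all(safe) {
        return word.to_string();
    }
    // Close the quote, emit an escaped quote, reopen: it's -> 'it'\''s'
    format!("'{}'", word.replace('\'', "'\\''"))
}

/// Rebuild a command line from one exec event (hypothetical model, not
/// tracexec's own types): environment diff first, then program and arguments.
fn reconstruct(original: &Env, exec_env: &Env, filename: &str, argv: &[&str]) -> String {
    let mut parts: Vec<String> = Vec::new();
    // Variables removed before the exec become `-u NAME`.
    for key in original.keys().filter(|k| !exec_env.contains_key(*k)) {
        parts.push(format!("-u {}", sh_quote(key)));
    }
    // Variables added or changed become `NAME=value`.
    for (key, value) in exec_env {
        if original.get(key) != Some(value) {
            parts.push(format!("{}={}", key, sh_quote(value)));
        }
    }
    if !parts.is_empty() {
        parts.insert(0, "env".to_string());
    }
    // The executed filename is the program; argv[0] is only a label.
    parts.push(sh_quote(filename));
    parts.extend(argv.iter().skip(1).map(|a| sh_quote(a)));
    parts.join(" ")
}

fn main() {
    // Constructed sample event, loosely modelled on a compiler invocation.
    let original = env_of(&[("CFLAGS", "-O2"), ("HOME", "/home/u"), ("LANG", "C")]);
    let exec_env = env_of(&[("CFLAGS", "-O2 -D_FORTIFY_SOURCE=3"), ("HOME", "/home/u")]);
    println!("{}", reconstruct(&original, &exec_env, "/usr/bin/gcc", &["gcc", "-c", "it's.c"]));
}
```

Because every traced argument is quoted before it is printed, an argument such as `$(id)` is reproduced as literal text rather than run when the line is replayed.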
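Why the lossy UTF-8 conversion listed under Known issues matters when trace output is kept as evidence, as an added example that is not tracexec's code: two different raw paths render identically once converted, while a lossless escaping keeps them apart. It assumes the conversion behaves like Rust's `String::from_utf8_lossy` (the page only says "lossy"); the function names and sample paths are constructed.

```rust
/// Lossy display: every invalid byte sequence becomes U+FFFD.
fn lossy(raw: &[u8]) -> String {
    String::from_utf8_lossy(raw).into_owned()
}

/// Append valid text, doubling backslashes so escapes stay unambiguous.
fn push_text(out: &mut String, text: &str) {
    for c in text.chars() {
        if c == '\\' { out.push_str("\\\\") } else { out.push(c) }
    }
}

/// Lossless display: valid UTF-8 is kept, every other byte is written as \xNN,
/// so two different byte strings never render identically.
fn escape_exact(mut raw: &[u8]) -> String {
    let mut out = String::new();
    loop {
        match std::str::from_utf8(raw) {
            Ok(text) => {
                push_text(&mut out, text);
                return out;
            }
            Err(e) => {
                let (valid, rest) = raw.split_at(e.valid_up_to());
                push_text(&mut out, &String::from_utf8_lossy(valid));
                // error_len() is None when the input ends inside a sequence.
                let bad = e.error_len().unwrap_or(rest.len());
                for b in &rest[..bad] {
                    out.push_str(&format!("\\x{:02x}", b));
                }
                raw = &rest[bad..];
            }
        }
    }
}

fn main() {
    // Constructed sample: two different script paths as raw execve bytes.
    let a: &[u8] = b"/tmp/job-\xff.sh";
    let b: &[u8] = b"/tmp/job-\xfe.sh";
    println!("lossy: {} | {}", lossy(a), lossy(b));
    println!("exact: {} | {}", escape_exact(a), escape_exact(b));
}
```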