一、工具简介
filelife
追踪短生命周期的文件：那些在追踪过程中被创建然后又被删除的文件。
二、代码示例
#!/usr/bin/env python
from __future__ import print_function
from bcc import BPF
import argparse
from time import strftime
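# arguments
examples = """examples:
./filelife # trace lifecycle of file(create->remove)
./filelife -p 181 # only trace PID 181
"""
# Command-line surface of the tool: an optional PID filter plus a hidden
# --ebpf switch (its help is suppressed, so it never shows in --help output).
parser = argparse.ArgumentParser(
    description="Trace lifecycle of file",
    formatter_class=argparse.RawDescriptionHelpFormatter,
    epilog=examples)
# type=int makes argparse reject a non-numeric PID with a usage error before
# anything else runs; args.pid is None when -p is not given. The rest of the
# script (not visible here) presumably splices this PID into the generated
# BPF C filter, so the value should never be an arbitrary string -- confirm
# against the code that consumes args.pid.
parser.add_argument("-p", "--pid", type=int,
    help="trace this PID only")
parser.add_argument("--ebpf", action="store_true",
    help=argparse.SUPPRESS)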
# Parse sys.argv now; argparse exits with a usage error on bad input, so a
# mistyped option fails here rather than after the BPF program is compiled.
args = parser.parse_args(args=None)
# Script-local debug switch (0 = off), not exposed as a CLI option. Presumably
# consulted further down where the BPF source is emitted -- confirm.
debug = 0
# define BPF program
bpf_text = """
#include <uapi/linux/ptrace.h>
#include <linux/fs.h>
#include <linux/sc
From: https://blog.csdn.net/huangyabin001/article/details/136765169