An Investigative Debugging Toolbox


Avdi Grimm

Posted on November 8, 2020

Last week I ran an experimental workshop on Investigative Debugging. It was a lot of fun and the attendees seemed to get a lot out of it. Afterwards I sent out some extra reference material, including this Linux-oriented list of investigative debugging tools!

The focus here is on “surveillance tools” – utilities that give you observability into exactly what programs are really doing at runtime. It’s far from complete, but it represents a ton of research and I hope you find it helpful!

| Tool | Description |
| --- | --- |
| BCC tools | A collection of over 70 specialized tracing and performance profiling tools built on BPF. |
| bpftrace | A Linux tool analogous to DTrace, built on BPF. bpftrace enables users to compose “questions” at the command line, using a concise AWK-inspired syntax, for which they would once have had to use (or create) a dedicated tracing tool. It is often possible to recreate BCC tools using bpftrace commands, but when a dedicated BCC tool exists for a given query, using it may be easier than hand-rolling a bpftrace command. |
| Docker | A technology for isolating Linux-based services into containers, each with its own isolated filesystem, process table, and virtual network. Containers are useful from an investigative debugging standpoint because they enable us to isolate and observe how a process interacts with its environment. |
| docker diff | Get a comprehensive list of all files changed within a Docker container. |
| ftrace | A low-level, “kind of janky” (Julia Evans’ words) interface to Linux kprobe and uprobe tracing. |
| HTTP_PROXY, http_proxy, HTTPS_PROXY | These environment variables are sometimes respected by programs as a way to configure a SOCKS proxy. |
| LD_PRELOAD | An environment variable that can be used to force a program to link to arbitrary libraries before running. This can be used to substitute user-provided functions that override default behavior with, e.g., tracing instrumentation. |
| ldd | List all the libraries that an ELF executable links to. |
| lsof | List open file handles, including network connections. |
| LTTng | A Linux tracing framework. I believe this is now one of the inputs to BPF? |
| ltrace | Trace library calls. |
| mitmproxy | An interactive HTTP proxy server that can log and inspect requests and responses. Can be configured as either a SOCKS proxy or a transparent proxy. |
| nm | List all the names (e.g. function names) in an ELF executable or library. |
| Postman | A workspace for experimenting with and documenting HTTP calls, which can also act as a mitmproxy-like request inspector for other processes. |
| readelf | A general tool for inspecting and dumping information about ELF executables and libraries. |
| strace | Trace system calls. |
| strings | Dump all the static strings found in an ELF executable or library. |
| tplist | A BCC tool for listing all USDT tracepoints available in a process. |
| uflow | A BCC tool for tracing method calls and returns in high-level languages like Python, Ruby, and Java. May be installed somewhere weird and not in the path, like /usr/sbin/lib/uflow. |
| Wireshark | The preeminent tool for tapping into and dissecting IP network traffic at the packet level. |