I have an application (the source for which I don't have), which can be invoked from the command line like this:

$ ./notmyapp

I want to know all the locations where the application is writing to. It outputs some files in the directory it is being called from, but I need to make sure that those are the only files that are created.

So, I need to isolate the application to find out which all files it created/edited while it was running.

How can I do this?

Some way using Perl or C or C++? Do any of the standard libraries in these languages have ways to do this?

+2  A: 

You could use strace.

David Feurle
+5  A: 

On Unix systems, you can use strace to print out a trace of all the system calls made and signals received by a process:

$ strace ./notmyapp

grep can be used to limit the output to a subset of system calls:

$ strace ./notmyapp 2>&1 | egrep '(open|write)'
eugene y
@eugene: In the trace output, should I be looking only for the `open()` statements?
Lazer
@Lazer: I believe that you're looking for `open()` (in writing mode) and `write()` system calls
eugene y
+1  A: 

You could try running it as a user which has no rights to write anywhere on any drive. Then you get an error message when it tries to create/write the first file. Log that directory/file and give write rights to it, then repeat until there are no more error messages.

Péter Török
+24  A: 

strace, ktrace/kdump, truss, dtruss, or whatever other program your platform provides for tracing system calls is probably what you're looking for.

Expect lots of output from any of those. To figure out what files the application is reading and writing to, you might want to limit the output to just a few syscalls. `strace -eopen ./notmyapp`, for example.

The application might also fork off child processes to do some of its work. With most system call tracers, you'll have to be specific about tracing those child processes as well. With strace, that'd be `strace -f ./notmyapp`.

rafl
+1 for `-eopen` and considering non-linux platforms.
Johnsyweb
@rafl: the problem is that `notmyapp` is supposed to produce a prompt and wait for my inputs before doing something (except what it does in the background). I am using `strace -f ./notmyapp` and I do not get a prompt at all, but a lot of different threads and some system calls.
Lazer
You probably don't want to launch your application under strace then. Instead, just start your application normally, and attach strace to it later, using `strace -p $pid` and your application's process id you discovered earlier using, for example, `ps`.
rafl
+1 for comment and +1 for answer
Daniel
@rafl : thanks!
Lazer
+2  A: 

You say in response to rafl's answer that notmyapp is supposed to produce a prompt and wait for [...] inputs before doing something.

Put your inputs in advance into a plain text file (say, responses.txt), one input per line. Then use strace, as suggested, to track calls to open() or write(), piping in the contents of responses.txt:

$ strace -e trace=open,write ./notmyapp < responses.txt

If you're expecting a lot of file access, then you may want to pipe the output to your favourite pager or editor:

$ strace -e trace=open,write ./notmyapp < responses.txt 2>&1 | vim -R -

strace is a powerful tool. For more information, consult `man strace`.

Johnsyweb
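To turn the trace the answers above describe into a list of files, here is an added example (not from any of the posts) that reads a log saved with `strace -f -o trace.log -e trace=open,openat,creat ./notmyapp` and reports the paths opened with write intent. The name `write_opens` and the sample lines are constructed for illustration; `openat` is included because current Linux C libraries implement `open()` through that system call.

```python
import re

# Optional "[pid N] " (strace -f) or "N " (strace -f -o FILE) line prefix.
PREFIX = r'^(?:\[pid\s+(?P<pid>\d+)\]\s+|(?P<pid2>\d+)\s+)?'
START = re.compile(PREFIX + r'(?P<name>open|openat|creat)\((?P<args>.*)$')
RESUMED = re.compile(PREFIX + r'<\.\.\. (?:open|openat|creat) resumed>(?P<rest>.*)$')
PATH = re.compile(r'"((?:[^"\\]|\\.)*)"')
RESULT = re.compile(r'\)\s*=\s*(-?\d+)')
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND")

# Constructed sample in the format of `strace -f -o trace.log`; not real output.
SAMPLE = r'''1234 openat(AT_FDCWD, "output.dat", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
1234 openat(AT_FDCWD, "/var/log/notmyapp.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = -1 EACCES (Permission denied)
1235 openat(AT_FDCWD, "/tmp/notmyapp.cache", O_RDWR|O_CREAT, 0600 <unfinished ...>
1234 write(4, "hello\n", 6) = 6
1235 <... openat resumed>) = 5
1234 open("/home/user/.notmyapprc", O_RDONLY) = 5
1234 creat("report.txt", 0644) = 6
'''

def write_opens(trace_text):
    """Return (succeeded, failed): sorted paths opened with write intent."""
    pending, ok, failed = {}, set(), set()
    for line in trace_text.splitlines():
        m = START.match(line)
        if m:
            pid, args = m.group("pid") or m.group("pid2"), m.group("args")
            path = PATH.search(args)
            after = args[path.end():] if path else ""  # flags follow the path
            if not path or not (m.group("name") == "creat"
                                or any(f in after for f in WRITE_FLAGS)):
                continue  # read-only open: not interesting here
            if "<unfinished ...>" in after:
                pending[pid] = path.group(1)  # result arrives on a later line
                continue
            target, tail = path.group(1), after
        else:
            m = RESUMED.match(line)
            pid = (m.group("pid") or m.group("pid2")) if m else None
            if not m or pid not in pending:
                continue
            target, tail = pending.pop(pid), m.group("rest")
        result = RESULT.search(tail)
        if result:
            (ok if int(result.group(1)) >= 0 else failed).add(target)
    return sorted(ok), sorted(failed)

if __name__ == "__main__":
    print(write_opens(SAMPLE))
```

Relative paths in the result are relative to the traced process's working directory at the time of the call. The failed list is worth reading too, since it shows locations the program tried to write to but could not.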