  1. #1
    Linux Newbie theKbStockpiler's Avatar
    Join Date
    Sep 2010
    Location
    Upstate NY
    Posts
    195

    means needed to monitor file access.

    I am in need of a way to distinguish what processes are opening a particular file. Any other reverse engineering tricks would be greatly appreciated!

    Thanks in advance!

  2. #2
    Linux Newbie Nagarjuna's Avatar
    Join Date
    Feb 2011
    Posts
    122
    I believe fuser should accomplish what you seek.

    fuser - man page

    lsof is also a handy command that displays files opened by users and applications.

    lsof - man page

    Another way of finding out what files a process is using is by the /proc directory. Each process is listed here by its PID. If you enter its directory, you will find another directory which has links to the files that process is accessing.

    You will need to know the PID of the process first:

    ps -e | grep chromium
    Code:
     5345 tty1     00:00:24 chromium
    ls -la /proc/5345/fd
    Code:
    total 0
    dr-x------ 2 root    root   0 Mar 20 16:07 .
    dr-xr-xr-x 7 tristan users  0 Mar 20 16:07 ..
    lr-x------ 1 root    root  64 Mar 20 16:07 0 -> /dev/null
    lrwx------ 1 root    root  64 Mar 20 16:07 1 -> /dev/tty1
    l-wx------ 1 root    root  64 Mar 20 16:07 10 -> pipe:[7059]
    lr-x------ 1 root    root  64 Mar 20 16:07 11 -> /usr/lib/chromium/chrome.pak (deleted)
    lr-x------ 1 root    root  64 Mar 20 16:07 12 -> /usr/lib/chromium/locales/en-US.pak (deleted)
    lr-x------ 1 root    root  64 Mar 20 16:07 13 -> /dev/urandom
    lrwx------ 1 root    root  64 Mar 20 16:07 14 -> socket:[137193]
    lrwx------ 1 root    root  64 Mar 20 16:07 15 -> socket:[139066]
    lr-x------ 1 root    root  64 Mar 20 16:07 16 -> anon_inode:[eventfd]
    lr-x------ 1 root    root  64 Mar 20 16:12 17 -> pipe:[139067]
    l-wx------ 1 root    root  64 Mar 20 16:12 18 -> pipe:[139067]
    lrwx------ 1 root    root  64 Mar 20 16:12 19 -> socket:[140712]
    lrwx------ 1 root    root  64 Mar 20 16:07 2 -> /dev/tty1
    lrwx------ 1 root    root  64 Mar 20 16:12 20 -> socket:[140713]
    lrwx------ 1 root    root  64 Mar 20 16:12 21 -> /dev/shm/.org.chromium.YZsTyB (deleted)
    lrwx------ 1 root    root  64 Mar 20 16:12 22 -> /dev/shm/.org.chromium.I2ZOdr (deleted)
    lr-x------ 1 root    root  64 Mar 20 16:12 23 -> /home/tristan/.config/chromium/Dictionaries/en-US-1-2.bdic
    lrwx------ 1 root    root  64 Mar 20 16:12 24 -> socket:[162119]
    lrwx------ 1 root    root  64 Mar 20 16:12 25 -> socket:[162120]
    lrwx------ 1 root    root  64 Mar 20 16:12 26 -> socket:[162121]
    lrwx------ 1 root    root  64 Mar 20 16:07 3 -> anon_inode:[eventpoll]
    lr-x------ 1 root    root  64 Mar 20 16:07 4 -> pipe:[7058]
    lrwx------ 1 root    root  64 Mar 20 16:07 5 -> socket:[7588]
    lrwx------ 1 root    root  64 Mar 20 16:07 6 -> socket:[7592]
    lrwx------ 1 root    root  64 Mar 20 16:07 7 -> socket:[139065]
    l-wx------ 1 root    root  64 Mar 20 16:07 8 -> pipe:[7058]
    lr-x------ 1 root    root  64 Mar 20 16:07 9 -> pipe:[7059]
    You can do this all in one command:

    Code:
    # awk picks the PID column however ps pads it; head keeps only the first match
    PROC=$(ps -e | grep <process-name> | awk '{print $1}' | head -n 1) && ls -la /proc/$PROC/fd
    The above works on my system. Just be sure to replace "<process-name>" with whatever process you're investigating.

    I hope this helps.
    Last edited by Nagarjuna; 03-20-2011 at 09:40 PM.
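
The /proc/<pid>/fd links shown in the post above can also be walked in the other direction, to answer the original question of which processes have one particular file open. This is an added example, not code from the thread; the function name `who_has_open` and the `PROC_ROOT` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find the processes holding FILE open by scanning /proc/<pid>/fd.
# PROC_ROOT is a hypothetical override so the scan can be pointed at a test tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# who_has_open FILE -> prints "PID FD COMMAND" per match, exit 0 if any found.
# The ( ) body runs in a subshell, so its variables stay private.
who_has_open() (
    # Canonicalise so relative paths and symlinks compare equal to the
    # absolute paths the kernel reports in the fd links.
    target=$(readlink -f -- "$1") || exit 2
    found=1
    for fd in "$PROC_ROOT"/[0-9]*/fd/*; do
        # Entries we cannot read (other users' processes unless run as root,
        # processes that exited mid-scan) are skipped.
        link=$(readlink -- "$fd" 2>/dev/null) || continue
        case "$link" in
            "$target")           state="" ;;
            # An unlinked file that is still held open keeps its old path
            # with " (deleted)" appended, as in the chromium listing above.
            "$target (deleted)") state=" [deleted]" ;;
            *) continue ;;
        esac
        pid=${fd#"$PROC_ROOT"/}
        pid=${pid%%/*}
        comm=$(cat "$PROC_ROOT/$pid/comm" 2>/dev/null) || comm="?"
        printf '%s %s %s%s\n' "$pid" "${fd##*/}" "$comm" "$state"
        found=0
    done
    [ "$found" -eq 0 ]
)

# Stand-alone use: sh who_has_open.sh /path/to/file
if [ "$#" -ge 1 ]; then
    who_has_open "$1"
fi
```

This is a point-in-time snapshot: a process that opens and closes the file between scans is not seen.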

  3. #3
    Linux Newbie theKbStockpiler's Avatar
    Join Date
    Sep 2010
    Location
    Upstate NY
    Posts
    195

    Thanks for the much needed info!

    What I want to try to do is monitor an application all the way from clicking on an icon to exiting. Would you know what application or daemon interacts with init to spawn a process for an application? Is it the desktop? If you do a search on this, all there is is how to start one automatically with a script, but not an interactive application from a desktop icon. Thanks for your expertise!
