How to intercept temporary files created by a program? [duplicate]
This question already has an answer here:
How to access temporary file straight after creation?
4 answers
TL;DR: I know a program creates and then deletes files in /tmp. How can I intercept them for examination?

Context:

There's a particular .jar file, which I don't trust; for some reason its source code contains an ftm method and has capability to make connections, which is evident from network-related syscalls in output of strace (and when I mean connection, I don't mean unix domain sockets, it's AF_INET6). I've examined with Wireshark and saw no outgoing TCP or UDP connections during its use.

However, I still don't quite trust it. From the output of strace I've seen that it's creating temporary files in /tmp and then deletes them. Is there a way to intercept those files to examine their contents?
files security tmp
marked as duplicate by Sergiy Kolodyazhnyy, kenorb, RalfFriedl, Isaac, Kiwy Sep 11 at 12:55
This question has been asked before and already has an answer. If those answers do not fully address your question, please ask a new question.
asked Sep 10 at 20:45
Sergiy Kolodyazhnyy
LD_PRELOAD intercepting unlink before calling java.... serverfault.com/questions/75927/blocking-rm-rf-for-application
– Rui F Ribeiro, Sep 10 at 20:50

@RuiFRibeiro Thanks for the link. Tried the suggestion, made unlink.so. Now difference between ls /tmp before and after running the command. I'm no expert on shared libraries, or Java, but seems like unlink.so wasn't used by it, so just a guess but maybe Java doesn't use unlink(). I'm hoping someone can suggest a more or less universal way, because I want this to work consistently. I don't care how the program in question is done, I just want to see its temp files.
– Sergiy Kolodyazhnyy, Sep 10 at 21:00

does strace show anything being written to said files? (strace may need flags to increase how much it logs)
– thrig, Sep 10 at 21:01

@thrig With strace -f -e open,write,unlink java -jar file.jar input.txt I see there are writes to particular file descriptors. There's openat(AT_FDCWD, "/tmp/imageio1355028222376675525.tmp", O_WRONLY|O_CREAT|O_EXCL, 0600) = 16, and data written to it appears to be the header of the output png file. So it writes output file to tmp first. I also see another temp file being opened and reopened as fd 4: openat(AT_FDCWD, "/tmp/hsperfdata_xie", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4 But I don't see any writes to fd 4. Makes no sense to create O_RDONLY file and keep it empty
– Sergiy Kolodyazhnyy, Sep 10 at 21:12

As to the files rather than your Q, /tmp/hsperfdata_$user/ is 'HotSpot performance data' created automatically by the Sun/Oracle/OpenJDK JVM (which is codenamed HotSpot) with the JVM pid as filename and used by utilities like jps jstat jmap jconsole. See e.g. stackoverflow.com/questions/76327/… stackoverflow.com/questions/3806758/…
– dave_thompson_085, Sep 11 at 1:09
2 Answers
accepted
Better yet, if you want to reverse engineer a nefarious Java binary, rather than trying to intercept files, decompile the suspect .jar file.

For it, you can use CFR - another java decompiler

CFR will decompile modern Java features - up to and including much of Java 9, but is written entirely in Java 6, so will work anywhere

To use, simply run the specific version jar, with the class name(s) you want to decompile (either as a path to a class file, or as a fully qualified classname on your classpath). (--help to list arguments).

Alternately, to decompile an entire jar, simply provide the jar path, and if you want to emit files (which you probably do!) add --outputdir /tmp/putithere

There is no lack of alternatives, however the CFR project seems to be well maintained, having a 2018 update.

Disclaimer: I have not done reverse engineering to Java/JAR binaries since 2005
edited Sep 10 at 21:20
answered Sep 10 at 21:15
Rui F Ribeiro
While this is a great answer to the A/B problem presented in the question, it doesn't actually answer it as written.
– Nonny Moose, Sep 11 at 2:00

@NonnyMoose Indeed. I proposed the OP a LD_PRELOAD in comments but apparently something is amiss.
– Rui F Ribeiro, Sep 11 at 6:14
Note: improved solution posted at duplicate question

From reading How to access temporary file straight after creation? I got the idea of using inotify and creating a hard-link to file itself. This of course is a race condition, since file could be unlinked before hard link is created, however I did manage to recover the data in the temporary file the application is creating. Here's a short pipeline put together in terminal tab A, with terminal tab B running the actual command:

inotifywait -m -r /tmp/hsperfdata_xie/ 2>&1 |
while IFS= read -r line; do
    awk '$2 == "CREATE"{system("ln /tmp/hsperfdata_xie/"$3" /tmp/BACKUP")}' <<< "$line"
    echo "$line" # unnecessary, only if you want to know what inotify is writing
done

The 3 disadvantages are:
- race condition (explained above)
- I put together awk very quickly for one specific file; but a more general and flexible awk command that parses inotifywatch output and joins pathnames $1 with filenames in $3 would have to take a bit of time to parse the lines, sprintf() everything to variable, and pass to system(), which may go back to previous bullet point - by the time parsing is done, there's no file to link.
- requires two terminal tabs, although one could put the whole pipeline into background. A smarter way would be to have a full Python script with forked subprocesses and actually use inotify Python modules (which maybe something I'll do in future).

As for file in question, it appears as some form of binary data, with recurring 0...sun.rt._sync_Inflations and 0...sun.rt._sync_Deflations strings (which may be related to Java multithreading). But for the purpose of this question, it's irrelevant - we already have. The only thing I wanted is to obtain the file itself.
edited Sep 10 at 22:24
answered Sep 10 at 22:01
Sergiy Kolodyazhnyy
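The inotify-plus-hard-link idea from the answer above, written against the kernel inotify interface directly so that no time is spent parsing inotifywait output and directory and file name are joined generically. This is an added example, not code from the post: TempFileKeeper and its methods are hypothetical names, and it assumes Linux with the keep directory on the same filesystem as the watched one.

```python
#!/usr/bin/env python3
"""Keep short-lived files by hard-linking them the moment inotify reports them.

Added example: TempFileKeeper and its methods are hypothetical names.
Assumes Linux, and a keep directory on the same filesystem as the watched one.
"""
import ctypes
import os
import select
import struct
import sys

IN_MOVED_TO = 0x00000080   # a file was renamed into the watched directory
IN_CREATE = 0x00000100     # a file was created in the watched directory
IN_ISDIR = 0x40000000      # the event refers to a directory
EVENT_HEADER = struct.Struct("iIII")   # struct inotify_event: wd, mask, cookie, len

# CDLL(None) resolves symbols from the already-loaded C library.
_libc = ctypes.CDLL(None, use_errno=True)


class TempFileKeeper:
    def __init__(self, keep_dir):
        self.keep_dir = keep_dir
        self.watches = {}      # watch descriptor -> directory path
        self.kept = 0          # counter, keeps link names unique
        self.fd = _libc.inotify_init1(os.O_NONBLOCK | os.O_CLOEXEC)
        if self.fd < 0:
            raise OSError(ctypes.get_errno(), "inotify_init1 failed")

    def watch(self, directory):
        """Watch one directory (inotify is not recursive: call once per directory)."""
        wd = _libc.inotify_add_watch(self.fd, os.fsencode(directory),
                                     IN_CREATE | IN_MOVED_TO)
        if wd < 0:
            raise OSError(ctypes.get_errno(), "inotify_add_watch failed", directory)
        self.watches[wd] = directory

    def poll_once(self, timeout=1.0):
        """Handle pending events; return a list of (source, link_or_None) pairs."""
        results = []
        readable, _, _ = select.select([self.fd], [], [], timeout)
        if not readable:
            return results
        buf = os.read(self.fd, 65536)
        offset = 0
        while offset < len(buf):
            wd, mask, _cookie, name_len = EVENT_HEADER.unpack_from(buf, offset)
            offset += EVENT_HEADER.size
            name = buf[offset:offset + name_len].split(b"\0", 1)[0]  # NUL padded
            offset += name_len
            if mask & IN_ISDIR or wd not in self.watches or not name:
                continue           # directories and queue-overflow records
            source = os.path.join(self.watches[wd], os.fsdecode(name))
            results.append((source, self._hard_link(source)))
        return results

    def _hard_link(self, source):
        link = os.path.join(self.keep_dir,
                            "%04d_%s" % (self.kept, os.path.basename(source)))
        try:
            # Same inode as the original: later writes show up here too, and
            # the data survives the program's unlink().
            os.link(source, link)
        except FileNotFoundError:
            return None            # lost the race: unlinked before we linked
        # Any other OSError propagates, e.g. EXDEV when keep_dir is on a
        # different filesystem than the watched directory.
        self.kept += 1
        return link


def main(argv):
    if len(argv) < 3:
        print("usage: %s KEEP_DIR WATCH_DIR..." % argv[0], file=sys.stderr)
        return 2
    keeper = TempFileKeeper(argv[1])
    for directory in argv[2:]:
        keeper.watch(directory)
    while True:
        for source, link in keeper.poll_once():
            print("%s -> %s" % (source, link or "MISSED (already unlinked)"))


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Start it before launching the program under inspection, and keep KEEP_DIR outside every watched directory, since creating a link there would itself raise a CREATE event.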