Microsoft has ported the popular Sysinternals Procmon utility to Linux so that users can monitor running processes’ activity.
Procmon is a Windows utility that monitors the system calls, Registry access, and file activity for processes running in the operating system.
This monitoring of processes allows users to diagnose problems with programs crashing, heavy resource utilization, and even potential malware infections.
This week Microsoft has released a Linux version of the popular Procmon utility that Linux users can monitor running processes, as shown in the demo below.
When using Procmon on Linux, you can specify the process IDs that you would like to monitor or specific system calls using the following arguments:
Usage: procmon [OPTIONS]
OPTIONS
-h/--help Prints this help screen
-p/--pids Comma separated list of process ids to monitor
-e/--events Comma separated list of system calls to monitor
-c/--collect [FILEPATH] Option to start Procmon in a headless mode
-f/--file FILEPATH Open a Procmon trace file
For example, to monitor the process IDs 738 and 2657.
sudo procmon -p 738,2657
To monitor PID 738 for listed all read and write calls, you would use the following command.
sudo procmon -p 738 -e read,write
For more information on how to use Procmon in Linux, you can see its GitHub page.
Building Procmon for Linux
Microsoft provides instructions on building Procmon in on their GitHub page, which we have slightly modified to include all requirements.
To compile Procmon for Linux, Microsoft states that you will need to be running Ubuntu 18.04 LTS or later, have CMake 3.13 or later, and libsqlite3-dev installed.
To set up the development environment to compile Procmon, you should run the following
sudo apt-get update
sudo apt-get -y install bison build-essential flex git libedit-dev libllvm6.0 llvm-6.0-dev libclang-6.0-dev python zlib1g-dev libelf-dev cmake libsqlite3-dev
Now you need to build BCC using the following commands:
git clone --branch tag_v0.10.0 https://github.com/iovisor/bcc.git
mkdir bcc/build
cd bcc/build
cmake .. -DCMAKE_INSTALL_PREFIX=/usr
make
sudo make install
Finally, you can build Procmon with these commands:
cd ../..
git clone https://github.com/Microsoft/Procmon-for-Linux
cd Procmon-for-Linux
mkdir build
cd build
cmake ..
make
make install
Once Procmon is compiled, it will be installed to /usr/bin/procmon. Unfortunately, Procmon cannot be compiled under WSL due to the lack of Kernel event tracing.
