
Procmon

Procmon alternative for Linux - Main webpage

This is a kernel module that hijacks syscalls and prints a message whenever a hooked syscall is called. In the future, instead of printing messages, some kind of event will be sent to a UI similar to what Procmon (for Windows) offers right now.

Keep in mind that this is a WIP and you can end up with a totally frozen kernel!

In order to build this module you'll need some basic tools (make, gcc) and the headers of the kernel you're running on. Once you have all of those, just run make inside the root folder.

Loading the module isn't any different from loading any other module. insmod procmon.ko for loading it and rmmod procmon.ko for unloading it.

To start the actual hijack process, once the module is loaded, run sysctl procmon.state=1. Once started, you'll probably want to run ./procmon-viewer to see the actual output.

To stop the viewer just hit Ctrl + C. To stop the module run sysctl procmon.state=0.

Keep in mind that the module will protect your kernel while unloading. That means that if any process (both in userland and in the kernel itself) is expected to call one of the hijacked syscalls, the module will wait for those processes to run what they need to run. This may take from 1ms to days. If there's a really long delay, try killing/restarting some processes that may have a scheduled call. For example, the module won't unload until you press Enter on all consoles that had any activity while the module was loaded.
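As an added illustration (not code from the procmon project), here is a userland C model of the two behaviours just described: a replacement syscall-table entry that forwards to the saved original and only logs when procmon.state is 1, and an unload path that restores the table entry first and then waits for callers still inside the hook to drain. All names (sys_table, hooked_read, try_unload, blocked_caller_enter) are hypothetical; the real module works inside the kernel and needs its own synchronization, so this only shows the ordering logic.

```c
#include <stdatomic.h>
#include <stdbool.h>
typedef long (*read_fn)(int fd, long len);

/* Stand-in for the original sys_read the module saves before replacing it. */
static long original_read(int fd, long len) { return fd >= 0 ? len : -9; }

/* Stand-in for the kernel's syscall table (one slot is enough here). */
static read_fn sys_table[1] = { original_read };
static read_fn saved_original;

static atomic_int hook_state = 0;   /* mirrors sysctl procmon.state */
static atomic_int in_flight = 0;    /* tasks currently inside hooked_read */
static atomic_int logged_calls = 0; /* messages procmon would have printed */

/* The replacement entry installed in the table. It always forwards to the
 * saved original; logging is gated on procmon.state. */
static long hooked_read(int fd, long len)
{
    atomic_fetch_add(&in_flight, 1);
    if (atomic_load(&hook_state) == 1)
        atomic_fetch_add(&logged_calls, 1);
    long ret = saved_original(fd, len);
    atomic_fetch_sub(&in_flight, 1);
    return ret;
}

void install_hook(void) { saved_original = sys_table[0]; sys_table[0] = hooked_read; }
long do_read(int fd, long len) { return sys_table[0](fd, len); } /* kernel dispatch */
void procmon_set_state(int s) { atomic_store(&hook_state, s); }
int  procmon_logged_calls(void) { return atomic_load(&logged_calls); }
int  procmon_in_flight(void) { return atomic_load(&in_flight); }

/* Models a task parked inside hooked_read, e.g. a console read waiting for
 * Enter; it only leaves when blocked_caller_exit() is called. */
void blocked_caller_enter(void) { atomic_fetch_add(&in_flight, 1); }
void blocked_caller_exit(void)  { atomic_fetch_sub(&in_flight, 1); }

/* Unload: stop logging, restore the table entry so no new task can enter
 * hooked_read, then wait for tasks already inside it to leave. Returns false
 * if callers remain after max_polls checks (the "1ms to days" case). */
bool try_unload(int max_polls)
{
    procmon_set_state(0);
    sys_table[0] = saved_original;
    for (int i = 0; i < max_polls; i++)
        if (atomic_load(&in_flight) == 0)
            return true;
    return false;
}
```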

The UI part will be based on rbcurses (may change). You'll need Ruby 1.9.3 or newer and Ruby-dev to play with this part. Note that this is experimental and has absolutely no support at the moment. Basic instructions:

First you need to build the Ruby C extension that allows interacting with the kernel module from Ruby. Go to procmon/ui and run ruby extconf.rb and then make. If everything went fine you'll be able to run sudo ruby procmon.rb in the root directory.

Screenshot

Why Procmon

I'm completely aware of kprobes, perf and all other kernel debug systems/methods. Probably all of them work better than Procmon, but they have one disadvantage: they require you to recompile the kernel or they are not enabled by default in some distros.

Yet another reason: I have fun doing it! I'm not looking for this project to be merged into mainline, nor for it to be used by every Linux user out there. I'm doing it for myself. Anyway, I'd be glad if it works for you too :)

On the other hand, Procmon will just work. What this module does in order to just work is hijack/replace all (relevant/interesting) syscalls in the syscall table. While this is risky, it gives you a tool similar to Procmon for Windows without having to recompile the kernel.

Contributing

Just send me patches, if they are ok I'll give you push access :)

When editing, note that I'm using TABs, so please keep it that way.

License

The license is WTFPL (Do What The Fuck You Want To Public License), but keep in mind it's good for both sides if you use this project, fix/add things and push them back.
