Sysinternals ProcDump porting for Linux
Microsoft has released, on its GitHub repository, an interesting Linux porting of ProcDump from Sysinternals suite.
Like the Windows version, ProcDump allows developers to create core dumps of their application based on performance triggers.
Furthermore, ProcDump is also useful for forensics analysts, that use its output in order to analyze memory dump of a suspicious process.
The only requirement is
Microsoft suggest to install the tool using the package manager:
- Add the Microsoft Product feed:
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/microsoft.gpg
sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-ubuntu-xenial-prod xenial main" > etc/apt/sources.list.d/microsoft.list'
sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-ubuntu-trusty-prod trusty main" > /etc/apt/sources.list.d/microsoft.list'
Register the Microsoft Product feed Ubuntu 16.04
- Install Procdump
sudo apt-get update sudo apt-get install procdump
Microsoft says that the tool has been tested only on Ubuntu 14.04+ with Linux Kernels version 3.5+
However, i've successful installed ProcDump on my Debian 9 (Kernel 4.9.51-1), starting from sourcecode.
In order to compile ProcDump, first you need to satisfy some requirements:
- GNU Make
Then, the process is pretty simple:
- Clone the repo
git clone https://github.com/microsoft/ProcDump-for-Linux
- Run make from the project root
cd ProcDump-for-Linux make
- The procdump executable will be placed into the bin directory
The following examples all target a process with pid == 1234
Create a core dump immediately:
sudo procdump -p 1234
Create 3 core dumps 10 seconds apart:
sudo procdump -n 3 -p 1234
Create 3 core dumps 5 seconds apart:
sudo procdump -n -s 5 -p 1234
Create a core dump each time the process has CPU usage >= 65%, up to 3 times, with at least 10 seconds between each dump:
sudo procdump -C 65 -n 3 -p 1234