Sysinternals ProcDump port for Linux

Microsoft has released, on its GitHub repository, an interesting Linux port of ProcDump from the Sysinternals suite.

Like the Windows version, ProcDump lets developers create core dumps of their applications on demand or based on performance triggers (for example, CPU usage crossing a threshold).

Furthermore, ProcDump is also useful to forensic analysts, who can use its output to analyze the memory of a suspicious process. Note that the Linux version relies on gdb to attach to the target and write the dump, which is why gdb is a hard dependency and why the examples below run under sudo.


Installation

The only runtime requirement is gdb (>= 7.7.1).
Microsoft suggests installing the tool through the package manager:

  1. Add the Microsoft product feed signing key:
    curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
    sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/microsoft.gpg
  2. Register the Microsoft product feed (pick the line for your release):

    Ubuntu 16.04
    sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-ubuntu-xenial-prod xenial main" > /etc/apt/sources.list.d/microsoft.list'

    Ubuntu 14.04
    sudo sh -c 'echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-ubuntu-trusty-prod trusty main" > /etc/apt/sources.list.d/microsoft.list'
  3. Install ProcDump:
    sudo apt-get update
    sudo apt-get install procdump

Microsoft says that the tool has been tested only on Ubuntu 14.04+ with Linux kernel 3.5+.
However, I've successfully installed ProcDump on my Debian 9 (kernel 4.9.51-1), starting from the source code.

To compile ProcDump from source, you first need to satisfy a few requirements:

  • git
  • GDB
  • GCC
  • GNU Make

Then the process is pretty simple:

  1. Clone the repo
    git clone https://github.com/microsoft/ProcDump-for-Linux
  2. Run make from the project root
    cd ProcDump-for-Linux
    make
  3. The procdump executable will be placed in the bin directory; copy it somewhere on your PATH yourself.
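The three build steps above as one script, added here as an example and not the project's own build script: it checks the four prerequisites, enforces the gdb >= 7.7.1 minimum with a pure-shell version comparison (so it does not depend on GNU sort -V), then clones, builds and copies bin/procdump into a prefix. The clone directory, the install prefix and the way the version is parsed out of the gdb banner are my own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the ProcDump-for-Linux project: preflight + build
# from source. Clone dir, install prefix and banner parsing are my assumptions.
set -u

PROCDUMP_REPO="https://github.com/microsoft/ProcDump-for-Linux"
MIN_GDB="7.7.1"

# version_ge HAVE WANT: succeed when dotted version HAVE >= WANT.
# Compares component by component; missing components count as 0 and a
# trailing non-numeric suffix such as "20161007-git" is ignored.
version_ge() {
    local have="$1." want="$2." h w
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=${have%%.*}; have=${have#*.}
        w=${want%%.*}; want=${want#*.}
        h=${h%%[!0-9]*}; w=${w%%[!0-9]*}
        [ "${h:-0}" -gt "${w:-0}" ] && return 0
        [ "${h:-0}" -lt "${w:-0}" ] && return 1
    done
    return 0
}

# gdb_version_from_banner LINE: extract the upstream version from the first
# line of 'gdb --version', e.g.
#   "GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1"  ->  7.11.1
# Assumption: the last dotted number on the line is the upstream version; the
# distro package revision, when present, comes earlier in the banner.
gdb_version_from_banner() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | tail -n 1
}

# check_prereqs: verify git, gdb, gcc and make are on PATH and gdb is new enough.
check_prereqs() {
    local tool missing=0 ver
    for tool in git gdb gcc make; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing: $tool" >&2
            missing=1
        fi
    done
    [ "$missing" -eq 0 ] || return 1
    ver=$(gdb_version_from_banner "$(gdb --version | head -n 1)")
    if ! version_ge "$ver" "$MIN_GDB"; then
        echo "gdb $ver is older than the required $MIN_GDB" >&2
        return 1
    fi
    echo "prerequisites ok (gdb $ver)"
}

# build_procdump [CLONE_DIR] [PREFIX]: clone (if needed), make, and copy
# bin/procdump to PREFIX/bin. Defaults are my own choices.
build_procdump() {
    local dir="${1:-$HOME/src/ProcDump-for-Linux}" prefix="${2:-/usr/local}"
    check_prereqs || return 1
    if [ ! -d "$dir/.git" ]; then
        git clone "$PROCDUMP_REPO" "$dir" || return 1
    fi
    (cd "$dir" && make) || return 1
    # make leaves the binary in bin/ (step 3 above); put it on PATH by hand
    sudo install -m 0755 "$dir/bin/procdump" "$prefix/bin/procdump" || return 1
    echo "installed $prefix/bin/procdump"
}

# Run only when explicitly asked, e.g.:  ./build-procdump.sh build ~/src/pd /usr/local
if [ "${1:-}" = "build" ]; then
    build_procdump "${2:-}" "${3:-}"
fi
```

The version comparison is deliberately done in the shell rather than with `sort -V` so the script behaves the same on a minimal Debian install; the parser accepts both the plain "GNU gdb (GDB) 8.1" banner and the Ubuntu/Debian banners that carry a package revision.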

Usage examples

ProcDump in use

The following examples all target a process with PID 1234. Attaching to another process needs ptrace permission, so they are run with sudo; on distributions that ship Yama with ptrace_scope set to 1 (Ubuntu's default), an unprivileged user cannot attach to a process that is not its own descendant even if it owns it.

Create a core dump immediately:

sudo procdump -p 1234

Create 3 core dumps 10 seconds apart (10 seconds is the default interval, so -s is not needed):

sudo procdump -n 3 -p 1234

Create 3 core dumps 5 seconds apart:

sudo procdump -n 3 -s 5 -p 1234

Create a core dump each time the process has CPU usage >= 65%, up to 3 times, with at least 10 seconds between each dump:

sudo procdump -C 65 -n 3 -p 1234
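The invocations above wrapped into a small script, added here as an example that is not part of the ProcDump project: it resolves a process name to a PID, refuses to run when Yama's ptrace_scope would make the gdb-based attach fail anyway, builds the argument list from only the -p/-n/-s/-C switches shown above, and records a SHA-256 of every file the run produced so the dumps can be handed over with a manifest. The dump directory under /var/tmp, the manifest name, and the assumption that procdump writes its core files into the current directory are mine.

```shell
#!/usr/bin/env bash
# Added example, not from the ProcDump project: a wrapper that resolves a
# process name, checks ptrace restrictions, runs procdump with the switches
# documented above and hashes the results. Directory layout is my assumption.
set -u

# ptrace_scope_ok [FILE]: succeed when attaching to an arbitrary PID is allowed.
# Yama values: 0 classic ptrace, 1 only descendants (root / CAP_SYS_PTRACE are
# exempt), 2 admin only, 3 nobody can attach, not even root.
# FILE is a parameter only so the check can be exercised on a constructed file.
ptrace_scope_ok() {
    local f="${1:-/proc/sys/kernel/yama/ptrace_scope}" scope
    [ -r "$f" ] || return 0                 # Yama not built in: no restriction
    scope=$(cat "$f")
    case "$scope" in
        0)   return 0 ;;
        1|2) [ "$(id -u)" -eq 0 ] ;;        # hence the sudo in the examples
        *)   return 1 ;;
    esac
}

# procdump_args PID [COUNT] [INTERVAL] [CPU%]: build the argument list.
# Defaults mirror the examples: one dump, 10 seconds apart, no CPU trigger.
procdump_args() {
    local pid="$1" count="${2:-1}" interval="${3:-10}" cpu="${4:-}"
    local args="-n $count -s $interval"
    [ -n "$cpu" ] && args="$args -C $cpu"
    printf '%s\n' "$args -p $pid"
}

# hash_dumps DIR LOG: append "sha256  path" for every regular file in DIR
# (except LOG itself) to LOG; print how many files were hashed.
hash_dumps() {
    local dir="$1" log="$2" n=0 f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        [ "$f" = "$log" ] && continue
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$f" >>"$log"
        else
            shasum -a 256 "$f" >>"$log"     # macOS / BSD fallback
        fi
        n=$((n + 1))
    done
    echo "$n"
}

# dump_process NAME [COUNT] [INTERVAL] [CPU%]: the whole procedure end to end.
dump_process() {
    local name="$1" pid dir log
    pid=$(pgrep -o -x "$name") || { echo "no process named $name" >&2; return 1; }
    ptrace_scope_ok || { echo "ptrace_scope forbids attaching; run as root or lower it" >&2; return 1; }
    dir=$(mktemp -d "/var/tmp/procdump.${name}.XXXXXX") || return 1
    log="$dir/SHA256SUMS"
    # Assumption: procdump writes its core files into the current directory,
    # so run it from the fresh dump directory and hash whatever appears there.
    (cd "$dir" && procdump $(procdump_args "$pid" "${2:-}" "${3:-}" "${4:-}")) || return 1
    echo "hashed $(hash_dumps "$dir" "$log") dump(s); manifest in $log"
}

# Usage: sudo ./dump.sh <process-name> [count] [interval-seconds] [cpu-percent]
# e.g.   sudo ./dump.sh nginx 3 10 65   (same as: sudo procdump -C 65 -n 3 -p <pid>)
if [ $# -gt 0 ]; then
    dump_process "$@"
fi
```

The manifest is written into the same directory as the dumps so that a single directory can be copied off the machine and re-verified with `sha256sum -c SHA256SUMS`; if the analyst's chain-of-custody process wants the hashes kept separately, pass a different path to hash_dumps.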
