I'm not familiar with the Windows version of ProcMon, but judging by the Linux version, that looks like it's primarily replicating the function of `strace` in a CLI GUI.
Worth reading Joe Damato's excellent article on strace: https://blog.packagecloud.io/eng/2016/02/29/how-does-strace-...
This seems to be using eBPF, so presumably your kernel will have to support that (only stating Ubuntu 18.04 is a bit unfortunate).
Sorta related: If y’all haven’t used netdata - wow - it blew my socks off last night. I have it installed on all my hosts now and it’s already helping me diagnose a redis bgsave issue that I didn’t realize existed. Really well put together software.
What are the differences between this and htop, by example?
I know htop can strace processes with the "s" key.
Because Ubuntu 18.04 is used for the development environment, it relies on pretty old dependencies.
Bug report: https://github.com/Sysinternals/ProcMon-for-Linux/issues/44
While I see a lot of comparisons to htop, I wonder how this compares to sysdig? I’ve found sysdig to be an invaluable swiss army knife of debugging performance issues; the only difficult part is finding the right documentation among the cloud offering of the same name.
I've been looking at a few eBPF tracing implementations around GitHub recently to try and get my head round it, and this codebase has to be one of the best documented (if not best written) examples out there. Kudos.
Even though I don't use procmon on windows basically never. Sysinternals on linux could be useful especially with same gui as on windows. It would be great to see autoruns and tcpview on linux.
Licensed under MIT.
This looks like an amazing tool, can't wait to begin using it.
I remember the first time I discovered Sysinternals tools for Windows. It was a game-changer for me. Especially Autoruns and Process Explorer
This will come in handy during DFIR, although we have different workflows for doing live analysis on machines for now.
I never thought I'd say this, but: Thank you, Microsoft, for making useful, user-friendly software.
Sysinternals is under Microsoft since 2006. Is this the ‘extend’ stage?
Why are libllvm6.0 llvm-6.0-dev and libclang-6.0-dev needed for this?
Just out of curiosity, How is this tool different when compared to htop
Something that is really cool about Sysinternals tools are that they have a pretty usable GUI (granted, once you need to understand what does each UI icon do). Mimicking this experience in the TUI/terminal would certainly be a challenge. I would love to have a Procmon and ProcessExplorer equivalent with the GUI on Linux and macOS.