Ptrwatch is a Linux CLI tool for observing pointer chains in real time.
Ptrwatch dynamically links libpwu; release 0.1.4 or later is required. Visit the libpwu page and follow its installation instructions.
Ptrwatch also links libncurses. To build ptrwatch, you'll additionally need the ncurses development library. Consult your distro's wiki for details.
Fetch the repo:
$ git clone https://github.com/vykt/ptrwatch
Generate build files:
$ cd ptrwatch && ./buildgen.sh
Build the release:
$ cd build && make watch
Check the install script & install:
$ cd .. && sudo ./install.sh
To provide ptrwatch with pointer chains you must specify them in a config file. An example config ptrwatch.cfg is included in the root of the repo.
The config file can contain 3 types of lines. Blank lines are allowed:
Comments begin with a '#' and span the entire line.
config:
# this is a comment
output:
<none>
Titles begin with a '>' and span the entire line. Titles have a red colour and should be used to provide structure to the output of ptrwatch.
config:
>this is a title
output:
this is a title
Entries display the value at the end of a pointer chain. An entry takes the following format:
<description>:<type>:<start_backing_file> <offsets>
description is a string displayed beside the value read from the pointer chain.
type can be any of:
- uint8
- int8
- uint16
- int16
- uint32
- int32
- uint64
- int64
- float
- double
- string:[len]
Note that the string type takes an additional length parameter [len].
start_backing_file can either be the string representation of the backing file (e.g. 'libc.so.6') or a starting address written in hexadecimal with a '0x' prefix.
offsets is a space-delimited list of offsets. The final offset is dereferenced as type and displayed.
See the provided ptrwatch.cfg for examples.
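As an added example (not code from the ptrwatch repo), the following Python parser accepts the three line types described above and validates entries before they reach the tool; it assumes the string length is written as `string:16` (the `[len]` brackets being placeholder notation), that descriptions contain no spaces, and uses a constructed sample config rather than the repo's ptrwatch.cfg.

```python
import re
# Constructed sample in the format described above; not the repo's ptrwatch.cfg.
SAMPLE_CFG = """\
# player state
>player
health:int32:libc.so.6 0x10 0x28 0x4
name:string:16:0x7f0000001000 0x8 0x40

speed:float:example_proc 0x30
"""

SCALAR_TYPES = {"uint8", "int8", "uint16", "int16", "uint32", "int32",
                "uint64", "int64", "float", "double"}
HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]+$")

def parse_entry(line: str) -> dict:
    """Parse '<description>:<type>:<start_backing_file> <offsets>' into a dict."""
    head, *offs = line.split()
    if not offs:
        raise ValueError(f"entry has no offsets: {line!r}")
    desc, typ, *rest = head.split(":")   # ValueError if fewer than two fields
    length = None
    if typ == "string" and len(rest) == 2:
        # assumed spelling string:<len>; the doc's [len] brackets are placeholders
        length, start_tok = int(rest[0]), rest[1]
    elif typ in SCALAR_TYPES and len(rest) == 1:
        start_tok = rest[0]
    else:
        raise ValueError(f"bad type or field count: {head!r}")
    # start is either a backing-file name or a 0x-prefixed absolute address
    start = int(start_tok, 16) if HEX_ADDR.match(start_tok) else start_tok
    # int(x, 0) accepts both 0x-prefixed hex and plain decimal offsets
    return {"description": desc, "type": typ, "length": length,
            "start": start, "offsets": [int(o, 0) for o in offs]}

def parse_config(text: str) -> list:
    """Classify lines as ('comment', s), ('title', s) or ('entry', dict)."""
    items = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # blank lines are allowed
        if line.startswith("#"):
            items.append(("comment", line[1:].strip()))
        elif line.startswith(">"):
            items.append(("title", line[1:].strip()))
        else:
            items.append(("entry", parse_entry(line)))
    return items
```

Running parse_config over your own ptrwatch.cfg before launching ptrwatch surfaces malformed entries (unknown type, missing length, no offsets) with a line-specific error instead of a silent misread.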
Watch pointer chains of process example_proc using the default ptrwatch.cfg config:
ptrwatch example_proc
Watch pointer chains of process with PID 1234, using new_config.cfg as the config file:
ptrwatch -c new_config.cfg 1234