LinuxCommandLibrary

extrace

Extract files from archives

TLDR

Trace all program executions occurring on the system

$ sudo extrace

Run a command and only trace descendants of this command
$ sudo extrace [command]

Print the current working [d]irectory of each process
$ sudo extrace -d

Resolve the full path of each executable
$ sudo extrace -l

Display the [u]ser running each process
$ sudo extrace -u

SYNOPSIS

extrace [-h|-V] [-k kallsyms] [-m mem] pid...

PARAMETERS

-h, --help
    Display help message and exit

-V, --version
    Output version information and exit

-k FILE, --kallsyms=FILE
    Use FILE as kernel symbols (default: /proc/kallsyms)

-m FILE, --mem=FILE
    Use FILE as memory dump (default: /proc/kcore)

DESCRIPTION

extrace is a specialized Linux utility designed to retrieve the full command-line arguments (argv) and environment variables of a running process directly from kernel memory. Unlike standard tools such as ps(1), which truncate long command lines (limited to 15-16 characters per argument), extrace bypasses these restrictions by parsing the kernel's process descriptor structures.

It operates by reading the system symbol table from /proc/kallsyms to locate kernel data structures, then accessing the physical memory dump via /proc/kcore. This allows reconstruction of the original process invocation, making it invaluable for debugging, forensics, and monitoring processes with extensive arguments or environments.

Primarily used in security analysis, system administration, and incident response, extrace requires root privileges due to its need to access kernel memory. It's lightweight, written in C, and typically found in forensic toolkits or installed via source compilation from its GitHub repository maintained by Eric Paris.

Output includes the process PID, parent PID, UID, effective UID, command name, full argv array, and environment variables, presented in a readable format. While powerful, it's most effective on systems with debugging symbols enabled.

CAVEATS

Requires root privileges; slow on systems with large RAM; may fail if kernel lacks debug symbols or on virtualized environments with memory restrictions.
Deprecated in modern kernels favoring /proc/PID/cmdline enhancements.

EXAMPLE USAGE

extrace 1234
Outputs: PID:1234 PPID:1 UID:0 argv[0]='/bin/bash' argv[1]='--long-option-with-args' ... ENV=VAR1=value ...
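As an added illustration (not extrace's own code, which reads kernel memory), the following Python rebuilds the same record fields from the /proc files the CAVEATS and SEE ALSO sections point to, and prints them in the layout shown above so the two views can be compared; any sample values are constructed, and the empty-cmdline and permission-denied cases a forensic script hits on zombies and other users' processes are handled.

```python
"""Rebuild an extrace-style record (PID, PPID, UID, EUID, comm, argv, env)
from /proc. Added example, not extrace's own code."""
import os
import sys

def split_nul(data: bytes) -> list:
    """NUL-separated cmdline/environ -> list; empty (zombie, kthread) -> []."""
    return [s.decode("utf-8", "surrogateescape") for s in data.split(b"\0") if s]

def parse_status(text: str) -> dict:
    """Parse the 'Key:\tvalue' lines of /proc/PID/status."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value.strip()
    return fields

def build_record(status: str, cmdline: bytes, environ: bytes) -> dict:
    """Combine the three sources; 'Uid:' lists real, effective, saved, fs."""
    st = parse_status(status)
    uids = st["Uid"].split()
    return {"pid": int(st["Pid"]), "ppid": int(st["PPid"]),
            "uid": int(uids[0]), "euid": int(uids[1]), "comm": st.get("Name", ""),
            "argv": split_nul(cmdline), "env": split_nul(environ)}

def inspect(pid: int) -> dict:
    """Read a live process; environ needs ownership or root, else treat as empty."""
    with open(f"/proc/{pid}/status") as f:
        status = f.read()
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        cmdline = f.read()
    try:
        with open(f"/proc/{pid}/environ", "rb") as f:
            environ = f.read()
    except PermissionError:
        environ = b""
    return build_record(status, cmdline, environ)

def format_record(rec: dict) -> str:
    """One line in the layout shown under EXAMPLE USAGE."""
    argv = " ".join(f"argv[{i}]='{a}'" for i, a in enumerate(rec["argv"]))
    return (f"PID:{rec['pid']} PPID:{rec['ppid']} UID:{rec['uid']} EUID:{rec['euid']} "
            f"{rec['comm']} {argv} ENV={' '.join(rec['env'])}")

if __name__ == "__main__":
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    print(format_record(inspect(pid)))
```

Run as `python3 procrec.py 1234` (or with no argument to inspect itself); compare the argv line against `ps -o args` to see where ps truncates.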

REQUIREMENTS

Linux kernel with /proc filesystem; root access; compatible with x86/x86_64 (limited ARM support).

HISTORY

Originally developed by Eric Paris around 2008 for Fedora debugging; released as an open-source tool. Evolved for kernel 2.6+ compatibility, with updates for newer architectures. Maintained sporadically on GitHub.

SEE ALSO

ps(1), cat /proc/PID/environ(5), pmap(1), lsof(1)
