Tracing system calls on Linux is straightforward. The
ptrace API lets
one process trace all system calls made by another process, and the
ptrace to allow a user to do the
Mac OS X
Tracing system calls on Mac OS X is a little harder, but more powerful.
dtrace system ships with Macs starting with Mac OS X 10.5. Unlike
strace, however, support for dtrace has to be built in to programs. Mac
OS X ships with several thousand probes (the attachment points), and most
normal monitoring is covered. Brendan Gregg’s blog has a Mac OS X-specific
dtrace page, as an example, and there are other useful tutorials
Apple added ptrace to Mac OS X, maybe. There’s a man page for it, but no strace program for user-level use. I’ll have to try writing some code.
There are ways to hook/override program and system functions at runtime. These work but aren’t truly supported, so are of most use for debugging situations.
Amit Singh went the kernel extension approach to get access to system calls
While there are definitely nefarious uses for this stuff, it can be used for developers too. For example, this paper talks about rootkits, but the techniques also make for great developer tools.
The equivalent to ptrace on BSD is ktrace. Unfortunately, ktrace is not available on Mac OS X. That’s annoying, because it is complementary to DTrace, which is an awesome sysop-level tool, but does not give complete access to all system calls. Mac OS X had ktrace in 10.4 and earlier.
There is the amazing Process Monitor, which traces all file and registry actions. However, this is strictly a user-level program, you work with it through its GUI. It’s very useful, but does not give you system-call level access from your own source code.
There is a fairly new project called StraceNT. It comes with source code.
Dr. Memory comes with “strace for Windows” called drstrace.
Event Tracing for Windows (ETW) is the Microsoft official technique, and has several programs layered on top.
There is Logger and LogView, also Microsoft tools
There is NtTrace
This is a python build tool that watches for files that have changed as a result of running a command. It uses strace on Linux but does filetime watching on Windows, so maybe look for how to get Python on Windows to use one of the other file monitoring solutions?
The tup build tool uses DLL injection on Windows to detect file I/O.
The ninja tool also does filesystem watching, I think.
Google “building in the cloud”
This is a FUSE-based approach, so not exactly tracing system calls.