An experimental eBPF tool for extracting SQLite queries made by any arbitrary binary. Works with executables both dynamically and statically linked against libsqlite3.
Builds every public release of SQLite in order to know where to reach into the opaque structs that the traced program passes to the SQLite API.
Install the required dependencies (Linux only):
- clang
- bpftool
- pahole (dwarves)
- libelf-dev
```sh
# building
make
```

Attaching uprobes requires privileged execution. The full access of sudo can be partially avoided by giving the binary specific capabilities.

```sh
sudo setcap cap_bpf,cap_perfmon,cap_sys_admin+ep ./build/sqlite_trace
```

```sh
# Targeting a known binary or shared library
#   --capture-values    trace out values of parameters passed to SQL queries
#   --ndjson FILE       newline-delimited JSON output for parsed queries
sudo ./build/sqlite_trace --lib /path/to/binary_or_object \
    --capture-values \
    --ndjson trace.ndjson

# Already-running program
sudo ./build/sqlite_trace --pid 91242
```

Read about it in our blog post here.
Programs that statically link against libsqlite3 sometimes have a missing zSql field. Programs like codex, however, have all their queries captured regardless. This is probably related to prepared statements clearing out the SQL field once the bytecode for the query is pre-generated. Hooking the sqlite3_prepare_* functions in statically linked programs is probably possible, but requires more investigation to get right.