GitHub - Query-Doctor/sqlite-trace: 🤯 Extract SQLite queries processes make with eBPF · GitHub
Query-Doctor
sqlite-trace
SQLite Trace
An experimental eBPF tool for extracting SQLite queries made by any arbitrary binary. Works with executables both dynamically and statically linked against libsqlite3.
Builds every public release of SQLite to know where to reach into the opaque structs the program passes into the SQLite API.
Usage
Install the required dependencies (Linux only):
clang
bpftool
pahole (dwarves)
libelf-dev
# building
make
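Attaching uprobes requires privileged execution. The full access of sudo can be partially avoided by giving the binary specific capabilities. File capabilities apply to every user who can execute the binary, and cap_sys_admin is itself a broad privilege, so restrict who can run or modify the file.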
sudo setcap cap_bpf,cap_perfmon,cap_sys_admin+ep ./build/sqlite_trace
# Targeting a known binary or shared library
# --capture-values: trace out values of parameters passed to SQL queries
# --ndjson: newline-delimited JSON output for parsed queries
sudo ./build/sqlite_trace --lib /path/to/binary_or_object \
  --capture-values \
  --ndjson trace.ndjson
# Already-running program
sudo ./build/sqlite_trace --pid 91242
Read about it in our blog post here
Limitations
Programs that statically link against libsqlite3 sometimes have a missing zSql field. Programs like codex, however, have all their queries captured regardless. This is probably related to prepared statements clearing out the sql field once the bytecode for the query is pre-generated. Hooking sqlite3_prepare_* functions in statically linked programs is probably possible, but requires more investigation to get right.
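To check in advance whether a running target maps libsqlite3 as a shared library or falls into the statically linked case affected by the limitation above, its /proc/<pid>/maps can be inspected. This is an added example, not code from the sqlite-trace repository; the function names and sample map lines are constructed, and it assumes the shared library file is named libsqlite3.so*.

```python
import os
import re

# Matches libsqlite3.so, libsqlite3.so.0, libsqlite3.so.0.8.6, ...
LIBSQLITE = re.compile(r"/libsqlite3\.so(\.\d+)*$")
DELETED = " (deleted)"  # suffix the kernel appends when the file was unlinked

def classify_linkage(maps_text, exe_path):
    """Return (kind, path, stale) from the text of /proc/<pid>/maps.

    kind: "dynamic" if libsqlite3 is mapped executable, else "static-or-absent"
          (the map alone cannot tell a static copy from no SQLite at all).
    path: the shared library, or exe_path for the static-or-absent case.
    stale: True if the mapped library file was replaced or removed on disk.
    """
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        perms, path = fields[1], fields[5]
        stale = path.endswith(DELETED)
        if stale:
            path = path[: -len(DELETED)]
        if perms[2] == "x" and LIBSQLITE.search(path):
            return ("dynamic", path, stale)
    return ("static-or-absent", exe_path, False)

def inspect_pid(pid):
    """Classify a live process; needs permission to read its /proc entries."""
    with open(f"/proc/{pid}/maps") as f:
        maps_text = f.read()
    return classify_linkage(maps_text, os.readlink(f"/proc/{pid}/exe"))

# Constructed sample inputs (hypothetical paths, not captured from a real system).
SAMPLE_DYNAMIC = """\
55d0c0a00000-55d0c0a20000 r-xp 00002000 08:01 1234 /opt/app/client
7f1a2c000000-7f1a2c010000 r--p 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f1a2c010000-7f1a2c120000 r-xp 00010000 08:01 5678 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7ffd4e1f0000-7ffd4e211000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_STATIC = """\
00400000-00a00000 r-xp 00000000 08:01 4321 /opt/app/server
7ffd4e1f0000-7ffd4e211000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print(classify_linkage(SAMPLE_DYNAMIC, "/opt/app/client"))
    print(classify_linkage(SAMPLE_STATIC, "/opt/app/server"))
```

A stale result means the process still maps a library file that has since been replaced or removed on disk; because uprobes are attached to a file's inode, probes placed through the current on-disk path may not fire in that process.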
Tested programs
sqlite3
fossil
codex
authelia
bun (it has builtin sqlite support)