a2o / snoopy

Snoopy Command Logger is a small library that logs all program executions on your Linux/BSD system.


some commands can't be recorded

chaishiqi opened this issue · comments

Hi, I found that some commands, for example cd and pwd, can't be recorded. Is it only processes that have a PID that will be recorded?

Hey @chaishiqi,

You are, essentially, correct. cd, pwd, echo are shell built-in commands. What usually makes this a bit confusing is that some of these commands are also provided as binaries in the /bin directory (cd is not one of those, but the other two are). Shell built-ins don't use the execv()/execve() syscall, which is where Snoopy interposes itself to catch the commands. So, unless you explicitly tell your shell to use /bin/echo by specifying the full path, it will use its built-in version instead.

And just to clarify another caveat, which you might stumble upon too - Snoopy cannot record commands executed by statically linked binaries, due to the nature of the "triggering" mechanism that Snoopy uses, which is based on dynamic loading that statically linked binaries simply don't use.
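
The two caveats above (shell built-ins never reach execve(), and statically linked binaries never pull in the dynamic loader that an LD_PRELOAD-style hook rides on) can be checked ahead of time for a given command name. The following triage script is an added example, not code from the Snoopy project or from this thread. It assumes a POSIX shell at /bin/sh, asks that shell whether a name is a built-in, and otherwise parses the ELF program headers of the resolved binary to see whether a PT_INTERP entry (the dynamic loader request) is present. The make_sample_elf64 helper builds constructed header bytes for offline testing; they are not a runnable binary.

```python
"""Triage: would an execve()-interposing logger (Snoopy-style) see this command?

Added example, not Snoopy project code. Shell built-ins never call execve();
statically linked ELF binaries carry no PT_INTERP header, so ld.so (and any
preloaded library) is never mapped into them.
"""
import shutil
import struct
import subprocess

PT_INTERP = 3  # program header type naming the dynamic loader (ld.so)


def is_shell_builtin(name: str, shell: str = "/bin/sh") -> bool:
    """Ask the shell itself whether `name` is a built-in (assumes /bin/sh exists).

    The name is passed as a positional argument rather than spliced into the
    script, so an unusual name cannot inject extra shell syntax.
    """
    out = subprocess.run(
        [shell, "-c", 'type "$1" 2>/dev/null', "type-probe", name],
        capture_output=True, text=True, check=False,
    ).stdout
    return "builtin" in out


def elf_has_interp(data: bytes) -> bool:
    """True if the ELF image has a PT_INTERP program header (dynamically linked)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is_64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big
    if is_64:
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
    for i in range(e_phnum):
        # p_type is the first 32-bit field of every program header in both classes
        (p_type,) = struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            return True
    return False


def classify(name: str) -> str:
    """Return 'builtin', 'static', 'dynamic', 'not-elf' or 'not-found'."""
    if is_shell_builtin(name):
        return "builtin"        # never calls execve(); invisible to the hook
    path = shutil.which(name)
    if path is None:
        return "not-found"
    with open(path, "rb") as f:
        image = f.read()
    if image[:4] != b"\x7fELF":
        return "not-elf"        # e.g. a script: execve() still runs, via its interpreter
    return "dynamic" if elf_has_interp(image) else "static"


def make_sample_elf64(with_interp: bool) -> bytes:
    """Constructed test data: a minimal little-endian ELF64 header plus program headers."""
    ptypes = [1, 3] if with_interp else [1]   # PT_LOAD, optionally PT_INTERP
    e_ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1, 0x400000,   # e_type=EXEC, e_machine=x86-64, e_version, e_entry
        64, 0, 0,               # e_phoff (right after this header), e_shoff, e_flags
        64, 56, len(ptypes),    # e_ehsize, e_phentsize, e_phnum
        0, 0, 0,                # e_shentsize, e_shnum, e_shstrndx
    )
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0) for t in ptypes)
    return ehdr + phdrs


if __name__ == "__main__":
    for cmd in ("cd", "pwd", "echo", "ls"):
        print(f"{cmd:6} -> {classify(cmd)}")
```

Running it interactively shows the confusion the answer describes: pwd and echo report "builtin" even though /bin/pwd and /bin/echo exist, because the shell resolves the bare name to its built-in first; only an explicit path such as /bin/echo goes through execve(). A "static" verdict is the second blind spot worth noting when auditing coverage of an execve-based logger.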

Understood, thanks very much for your answer.