Files

 4fb1860

/

execsnoop.py

Copy path

Blame

Blame

Latest commit

 

History

History

executable file

·

166 lines (145 loc) · 5.01 KB

 4fb1860

/

execsnoop.py

Top

File metadata and controls

• Code
• Blame

executable file

·

166 lines (145 loc) · 5.01 KB

Raw

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

#!/usr/bin/python

# @lint-avoid-python-3-compatibility-imports

#

# execsnoop Trace new processes via exec() syscalls.

# For Linux, uses BCC, eBPF. Embedded C.

#

# USAGE: execsnoop [-h] [-t] [-x] [-n NAME]

#

# This currently will print up to a maximum of 19 arguments, plus the process

# name, so 20 fields in total (MAXARG).

#

# This won't catch all new processes: an application may fork() but not exec().

#

# Copyright 2016 Netflix, Inc.

# Licensed under the Apache License, Version 2.0 (the "License")

#

# 07-Feb-2016 Brendan Gregg Created this.

from __future__ import print_function

from bcc import BPF

import argparse

import re

# arguments

examples = """examples:

./execsnoop # trace all exec() syscalls

./execsnoop -x # include failed exec()s

./execsnoop -t # include timestamps

./execsnoop -n main # only print command lines containing "main"

"""

parser = argparse.ArgumentParser(

description="Trace exec() syscalls",

formatter_class=argparse.RawDescriptionHelpFormatter,

epilog=examples)

parser.add_argument("-t", "--timestamp", action="store_true",

help="include timestamp on output")

parser.add_argument("-x", "--fails", action="store_true",

help="include failed exec()s")

parser.add_argument("-n", "--name",

help="only print commands matching this name (regex), any arg")

args = parser.parse_args()

# define BPF program

bpf_text = """

#include <uapi/linux/ptrace.h>

#include <linux/sched.h>

#include <linux/fs.h>

#define MAXARG 20

#define ARGSIZE 64

static int print_arg(void *ptr) {

// Fetch an argument, and print using bpf_trace_printk(). This is a work

// around until we have a binary trace interface for passing event data to

// bcc. Since exec()s should be low frequency, the additional overhead in

// this case should not be a problem.

const char *argp = NULL;

char buf[ARGSIZE] = {};

bpf_probe_read(&argp, sizeof(argp), ptr);

if (argp == NULL) return 0;

bpf_probe_read(&buf, sizeof(buf), (void *)(argp));

bpf_trace_printk("ARG %s\\n", buf);

return 1;

}

int kprobe__sys_execve(struct pt_regs *ctx, struct filename *filename,

const char __user *const __user *__argv,

const char __user *const __user *__envp)

{

char fname[ARGSIZE] = {};

bpf_probe_read(&fname, sizeof(fname), (void *)(filename));

bpf_trace_printk("ARG %s\\n", fname);

int i = 1; // skip first arg, as we printed fname

// unrolled loop to walk argv[] (MAXARG)

if (print_arg((void *)&__argv[i]) == 0) goto out; i++;

if (print_arg((void *)&__argv[i]) == 0) goto out; i++;

if (print_arg((void *)&__argv[i]) == 0) goto out; i++;

if (print_arg((void *)&__argv[i]) == 0) goto out; i++;

if (print_arg((void *)&__argv[i]) == 0) goto out; i++;

if (print_arg((void *)&__argv[i]) == 0) goto out; i++;

if (print_arg((void *)&__argv[i]) == 0) goto out; i++;

if (print_arg((void *)&__argv[i]) == 0) goto out; i++;

if (print_arg((void *)&__argv[i]) == 0) goto out; i++;

if (print_arg((void *)&__argv[i]) == 0) goto out; i++; // X

if (print_arg((void *)&__argv[i]) == 0) goto out; i++;

if (print_arg((void *)&__argv[i]) == 0) goto out; i++;

if (print_arg((void *)&__argv[i]) == 0) goto out; i++;

if (print_arg((void *)&__argv[i]) == 0) goto out; i++;

if (print_arg((void *)&__argv[i]) == 0) goto out; i++;

if (print_arg((void *)&__argv[i]) == 0) goto out; i++;

if (print_arg((void *)&__argv[i]) == 0) goto out; i++;

if (print_arg((void *)&__argv[i]) == 0) goto out; i++;

if (print_arg((void *)&__argv[i]) == 0) goto out; i++;

if (print_arg((void *)&__argv[i]) == 0) goto out; i++; // XX

bpf_trace_printk("ARG ...\\n"); // truncated

out:

return 0;

}

int kretprobe__sys_execve(struct pt_regs *ctx)

{

bpf_trace_printk("RET %d\\n", ctx->ax);

return 0;

}

"""

# initialize BPF

b = BPF(text=bpf_text)

# header

if args.timestamp:

print("%-8s" % ("TIME(s)"), end="")

print("%-16s %-6s %3s %s" % ("PCOMM", "PID", "RET", "ARGS"))

start_ts = 0

cmd = {}

pcomm = {}

# format output

while 1:

(task, pid, cpu, flags, ts, msg) = b.trace_fields()

try:

(type, arg) = msg.split(" ", 1)

except ValueError:

continue

if start_ts == 0:

start_ts = ts

if type == "RET":

if pid not in cmd:

# zero args

cmd[pid] = ""

pcomm[pid] = ""

skip = 0

if args.name:

if not re.search(args.name, cmd[pid]):

skip = 1

if not args.fails and int(arg) < 0:

skip = 1

if skip:

del cmd[pid]

del pcomm[pid]

continue

# output

if args.timestamp:

print("%-8.3f" % (ts - start_ts), end="")

print("%-16s %-6s %3s %s" % (pcomm[pid], pid, arg, cmd[pid]))

del cmd[pid]

del pcomm[pid]

else:

# build command line string

if pid in cmd:

cmd[pid] = cmd[pid] + " " + arg

else:

cmd[pid] = arg

if pid not in pcomm:

pcomm[pid] = task