|
9 | 9 | # USAGE: ./execsnoop [-hrt] [-n name]
|
10 | 10 | #
|
11 | 11 | # REQUIREMENTS: FTRACE and KPROBE CONFIG, sched:sched_process_fork tracepoint,
|
12 |
| -# and either the stub_execve() or do_execve() kernel function. You may already |
13 |
| -# have these on recent kernels. And awk. |
| 12 | +# and either the sys_execve, stub_execve or do_execve kernel function. You may |
| 13 | +# already have these on recent kernels. And awk. |
14 | 14 | #
|
15 | 15 | # This traces exec() from the fork()->exec() sequence, which means it won't
|
16 | 16 | # catch new processes that only fork(). With the -r option, it will also catch
|
|
21 | 21 | #
|
22 | 22 | # This implementation is designed to work on older kernel versions, and without
|
23 | 23 | # kernel debuginfo. It works by dynamic tracing an execve kernel function to
|
24 |
| -# read the arguments from the %si register. The stub_execve() function is tried |
25 |
| -# first, and then the do_execve() function. The sched:sched_process_fork |
26 |
| -# tracepoint, is used for the PPID. This program is a workaround that should be |
| 24 | +# read the arguments from the %si register. The sys_execve function is tried |
| 25 | +# first, then stub_execve and do_execve. The sched:sched_process_fork |
| 26 | +# tracepoint is used to get the PPID. This program is a workaround that should be |
27 | 27 | # improved in the future when other kernel capabilities are made available. If
|
28 | 28 | # you need a more reliable tool now, then consider other tracing alternatives
|
29 | 29 | # (eg, SystemTap). This tool is really a proof of concept to see what ftrace can
|
@@ -184,15 +184,15 @@ function makeprobe {
|
184 | 184 | (( i++ ))
|
185 | 185 | done
|
186 | 186 | }
|
187 |
| -# try stub_execve() first, then do_execve() and sys_execve |
188 |
| -makeprobe stub_execve |
| 187 | +# try in this order: sys_execve, stub_execve, do_execve |
| 188 | +makeprobe sys_execve |
189 | 189 |
|
190 | 190 | ### setup and begin tracing
|
191 | 191 | echo nop > current_tracer
|
192 | 192 | if ! echo $kprobe >> kprobe_events 2>/dev/null; then
|
193 |
| - makeprobe do_execve |
| 193 | + makeprobe stub_execve |
194 | 194 | if ! echo $kprobe >> kprobe_events 2>/dev/null; then
|
195 |
| - makeprobe sys_execve |
| 195 | + makeprobe do_execve |
196 | 196 | if ! echo $kprobe >> kprobe_events 2>/dev/null; then
|
197 | 197 | edie "ERROR: adding a kprobe for execve. Exiting."
|
198 | 198 | fi
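Review bot: The fallback order is now spelled out three times in this hunk — in the comment, in the first `makeprobe sys_execve` call and in the two nested `if` bodies — so a reordering like this one has to edit four lines and keep them consistent; a loop over a single list keeps the order in one place and also lets `$kprobe` be quoted when it is written to `kprobe_events`. The rewrite below replaces new-side lines 187–198; the two outer `fi` lines that close these `if` blocks sit past the end of the hunk and would go with it. Separately, the later `echo "Instrumenting $func"` added in this commit goes to stdout ahead of the PID/PPID/ARGS header, so anything piping the table into awk sees it as a data line; `echo "Instrumenting $func" >&2` keeps it out of the stream (assuming `$func` is the name `makeprobe` received, which the hunk does not show).
```shell
### setup and begin tracing
echo nop > current_tracer
# try in this order: sys_execve, stub_execve, do_execve
probed=0
for try in sys_execve stub_execve do_execve; do
	makeprobe $try
	if echo "$kprobe" >> kprobe_events 2>/dev/null; then
		probed=1
		break
	fi
done
(( probed )) || edie "ERROR: adding a kprobe for execve. Exiting."
# … unchanged: remaining setup …
```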
|
|
204 | 204 | if ! echo 1 > events/sched/sched_process_fork/enable; then
|
205 | 205 | edie "ERROR: enabling sched:sched_process_fork tracepoint. Exiting."
|
206 | 206 | fi
|
| 207 | +echo "Instrumenting $func" |
207 | 208 | (( opt_time )) && printf "%-16s " "TIMEs"
|
208 | 209 | printf "%6s %6s %s\n" "PID" "PPID" "ARGS"
|
209 | 210 |
|
|