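#!/usr/sbin/dtrace -s
/* -
 * Copyright (c) 2014 Devin Teske <dteske@FreeBSD.org>
 * All rights reserved.
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $Title: dtrace(1) script to log process(es) entering syscall::execve $
 * $FreeBSD$
 */

#pragma D option quiet
#pragma D option dynvarsize=16m
#pragma D option switchrate=10hz
/*
 * strlen() and %s are bounded by strsize; with the 256-byte default a
 * single argv element longer than that is cut short and the walk below
 * then resumes in the middle of it.  1k keeps typical command lines whole.
 */
#pragma D option strsize=1024

/*
 * What this script does and does not see -- read before trusting its output:
 *
 *  - Only the execve(2) syscall is watched.  fexecve(2) and __mac_execve(2)
 *    are separate syscalls and are not logged by this script.
 *  - Command-line text comes from the kernel's argv cache (p_args).  The
 *    kernel only caches argv up to kern.ps_arg_cache_limit bytes; a longer
 *    command line shows up as the bare program name (p_comm) only.  A
 *    process can also rewrite its own p_args with setproctitle(3), so the
 *    argv printed for PARENT/GPARENT/APARENT is whatever those processes
 *    currently claim, not what they were started with.
 *  - p_comm (execname) is the first MAXCOMLEN (19) bytes of the executed
 *    file's basename, chosen by whoever named the file.
 *  - Every string printed here (argv, p_comm, the requested path) is
 *    attacker-controlled and unescaped: an embedded newline in argv forges
 *    an extra log line.  Parsers of this output must not trust line breaks.
 *  - Output is best-effort tracing, not an audit trail: under an exec storm
 *    the dtrace(1) buffer can drop records (dtrace reports the drop count;
 *    raise the bufsize option if that happens).
 */

/*********************************************************/

syscall::execve:entry /* probe ID 1 */
{
	/*
	 * Remember the pre-exec image name in a thread-local (self->)
	 * variable.  A clause-local (this->) variable is only defined within
	 * the clauses of one probe firing; reading it back in the :return
	 * probe -- a different firing -- yields an unspecified value, in
	 * practice whatever the last clause on that CPU left in the slot
	 * (possibly another thread's execve).  The flag lets :return tell
	 * "this thread really entered execve" from stale state.
	 */
	self->in_execve = 1;
	self->caller_execname = execname;

	/*
	 * The path handed to execve(2), copied from userland now because the
	 * address space is gone by :return.  This is what was actually run,
	 * whereas p_comm is only a truncated basename.  A fault here (bad
	 * user pointer, which makes the exec fail anyway) aborts the rest of
	 * this clause but leaves the two assignments above in place.
	 */
	self->path = copyinstr(arg0);
}

/*********************************************************/

/*
 * errno is the thread's error from the syscall that just completed; 0 means
 * the new image was loaded.  The previous predicate compared execname with
 * the pre-exec name, which silently skipped a successful exec of a binary
 * whose first 19 basename characters match the caller's (e.g. a shell
 * re-exec'ing sh, or a payload named after its parent).
 */
syscall::execve:return /self->in_execve && errno == 0/ /* probe ID 2 */
{
	/*
	 * Examine process, parent, grandparent and great-grandparent details.
	 *
	 * Every ancestor level is guarded: reading p_pid/p_ucred through a
	 * NULL p_pptr raises a DTrace "invalid address" error that aborts the
	 * whole clause, so the exec would go unlogged.  The chain bottoms out
	 * quickly for processes started by init(8) (init's parent is the
	 * kernel's proc0), so the guard matters for real workloads.  An
	 * absent ancestor prints as pid 00000, 0.0, with an empty command.
	 *
	 * uid.gid is cr_uid (EFFECTIVE uid -- changes on a setuid exec) paired
	 * with cr_rgid (REAL gid); the pairing is kept from the original but
	 * note the asymmetry when reading the output.
	 */

	/******************* CURPROC *******************/

	this->proc = curthread->td_proc;
	this->pid0 = this->proc->p_pid;
	this->uid0 = this->proc->p_ucred->cr_uid;
	this->gid0 = this->proc->p_ucred->cr_rgid;
	this->p_args = this->proc->p_args;
	/* Signed on purpose: an over-long walk goes negative, not huge. */
	this->ar_length = (int)(this->p_args ? this->p_args->ar_length : 0);
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	this->arg0_0 = this->ar_length > 0 ?
	    this->ar_args : stringof(this->proc->p_comm);
	this->len = this->ar_length > 0 ? (int)strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg0_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? (int)strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg0_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? (int)strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg0_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? (int)strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	/* Only the first four argv elements are shown; "..." marks more. */
	this->arg0_4 = this->ar_length > 0 ? "..." : "";

	/******************* PPARENT *******************/

	this->proc = this->proc ? this->proc->p_pptr : 0;
	this->pid1 = this->proc ? this->proc->p_pid : 0;
	this->uid1 = this->proc ? this->proc->p_ucred->cr_uid : 0;
	this->gid1 = this->proc ? this->proc->p_ucred->cr_rgid : 0;
	this->p_args = this->proc ? this->proc->p_args : 0;
	this->ar_length = (int)(this->p_args ? this->p_args->ar_length : 0);
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	this->arg1_0 = this->ar_length > 0 ? this->ar_args :
	    this->proc ? stringof(this->proc->p_comm) : "";
	this->len = this->ar_length > 0 ? (int)strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? (int)strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? (int)strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? (int)strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_4 = this->ar_length > 0 ? "..." : "";

	/******************* GPARENT *******************/

	this->proc = this->proc ? this->proc->p_pptr : 0;
	this->pid2 = this->proc ? this->proc->p_pid : 0;
	this->uid2 = this->proc ? this->proc->p_ucred->cr_uid : 0;
	this->gid2 = this->proc ? this->proc->p_ucred->cr_rgid : 0;
	this->p_args = this->proc ? this->proc->p_args : 0;
	this->ar_length = (int)(this->p_args ? this->p_args->ar_length : 0);
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	this->arg2_0 = this->ar_length > 0 ? this->ar_args :
	    this->proc ? stringof(this->proc->p_comm) : "";
	this->len = this->ar_length > 0 ? (int)strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? (int)strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? (int)strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? (int)strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_4 = this->ar_length > 0 ? "..." : "";

	/******************* APARENT *******************/

	this->proc = this->proc ? this->proc->p_pptr : 0;
	this->pid3 = this->proc ? this->proc->p_pid : 0;
	this->uid3 = this->proc ? this->proc->p_ucred->cr_uid : 0;
	this->gid3 = this->proc ? this->proc->p_ucred->cr_rgid : 0;
	this->p_args = this->proc ? this->proc->p_args : 0;
	this->ar_length = (int)(this->p_args ? this->p_args->ar_length : 0);
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	this->arg3_0 = this->ar_length > 0 ? this->ar_args :
	    this->proc ? stringof(this->proc->p_comm) : "";
	this->len = this->ar_length > 0 ? (int)strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? (int)strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? (int)strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? (int)strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_4 = this->ar_length > 0 ? "..." : "";

	/***********************************************/

	/*
	 * Print process, parent, and grandparent details.
	 *
	 * walltimestamp is nanoseconds since the epoch, which is what %Y
	 * expects.  The original added a fixed constant to `timestamp', which
	 * counts from an arbitrary point (roughly boot), so the dates it
	 * printed were fiction.
	 *
	 * Header: the pre-exec image name, the parent's pid, the new argv,
	 * then the path that was passed to execve(2).  (The pre-exec image
	 * itself ran as pid0; pid1 is printed beside it as in the original,
	 * presumably because for a fork+exec from a shell that is the shell.)
	 * Every tree line is newline-terminated unconditionally so an absent
	 * ancestor cannot merge two records into one line.
	 */

	printf("%Y %s[%d]: ", walltimestamp,
	    self->caller_execname, this->pid1);
	printf("%s", this->arg0_0);
	printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1);
	printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2);
	printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3);
	printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4);
	printf(" path=%s\n", self->path);

	printf(" -+= %05d %d.%d %s",
	    this->pid3, this->uid3, this->gid3, this->arg3_0);
	printf("%s%s", this->arg3_1 != "" ? " " : "", this->arg3_1);
	printf("%s%s", this->arg3_2 != "" ? " " : "", this->arg3_2);
	printf("%s%s", this->arg3_3 != "" ? " " : "", this->arg3_3);
	printf("%s%s", this->arg3_4 != "" ? " " : "", this->arg3_4);
	printf("\n");

	printf("  \-+= %05d %d.%d %s",
	    this->pid2, this->uid2, this->gid2, this->arg2_0);
	printf("%s%s", this->arg2_1 != "" ? " " : "", this->arg2_1);
	printf("%s%s", this->arg2_2 != "" ? " " : "", this->arg2_2);
	printf("%s%s", this->arg2_3 != "" ? " " : "", this->arg2_3);
	printf("%s%s", this->arg2_4 != "" ? " " : "", this->arg2_4);
	printf("\n");

	printf("   \-+= %05d %d.%d %s",
	    this->pid1, this->uid1, this->gid1, this->arg1_0);
	printf("%s%s", this->arg1_1 != "" ? " " : "", this->arg1_1);
	printf("%s%s", this->arg1_2 != "" ? " " : "", this->arg1_2);
	printf("%s%s", this->arg1_3 != "" ? " " : "", this->arg1_3);
	printf("%s%s", this->arg1_4 != "" ? " " : "", this->arg1_4);
	printf("\n");

	printf("    \-+= %05d %d.%d %s",
	    this->pid0, this->uid0, this->gid0, this->arg0_0);
	printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1);
	printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2);
	printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3);
	printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4);
	printf("\n");
}

/*********************************************************/

/*
 * Release the thread-local state for every execve return, successful or
 * not.  Clauses for the same probe run in program order, so this fires
 * after probe ID 2 has printed.  Without it a thread whose exec failed
 * would keep its slots in dynvarsize until they are overwritten.
 */
syscall::execve:return /self->in_execve/ /* probe ID 3 */
{
	self->in_execve = 0;
	self->caller_execname = 0;
	self->path = 0;
}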