watch_execve revision 294888
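#!/usr/sbin/dtrace -s
/*-
 * Copyright (c) 2014 Devin Teske <dteske@FreeBSD.org>
 * All rights reserved.
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $Title: dtrace(1) script to log process(es) entering syscall::execve $
 * $FreeBSD: stable/10/share/dtrace/watch_execve 294888 2016-01-27 05:04:17Z dteske $
 */

/*
 * Log every execve(2) that replaced the calling image, together with the
 * first four argv words of the new process and of its parent, grandparent
 * and great-grandparent.  Output is one record per exec; a record is one
 * header line followed by four indented ancestry lines.
 *
 * Note for consumers of the log: the argv words are copied verbatim from
 * the exec'd process's argument block, which is user-controlled and is not
 * escaped here.  An argument containing a newline or control characters
 * therefore breaks the one-line-per-field layout; downstream parsers must
 * not trust the line structure.
 */

#pragma D option quiet
/* dynvarsize backs the thread-local (self->) variable used below. */
#pragma D option dynvarsize=16m
#pragma D option switchrate=10hz

/*********************************************************/

/*
 * Remember the image name of whoever is calling execve(2).
 *
 * A thread-local (self->) variable is used rather than a clause-local
 * (this->) one: the value has to survive from the entry probe to the return
 * probe of the same thread, and clause-local storage is only defined within
 * the clauses of a single probe firing -- reading it from a different probe
 * yields whatever the last firing on that CPU left behind, which may belong
 * to another thread's execve(2).
 */
syscall::execve:entry /* probe ID 1 */
{
	self->caller_execname = execname;
}

/*********************************************************/

/*
 * Log only calls whose image actually changed, i.e. execname now differs
 * from what it was on entry.  Failed execve(2) calls are thereby skipped,
 * but so is an exec into an image with the same name as the caller (for
 * example a shell re-executing sh) -- the predicate cannot tell those apart
 * from failures.
 */
syscall::execve:return /execname != self->caller_execname/ /* probe ID 2 */
{
	/*
	 * Examine process, parent process, and grandparent process details.
	 *
	 * For each process the argument block (p_args) is walked: ar_args
	 * holds the NUL-separated argv words and ar_length the number of
	 * bytes in that block.  Up to four words are extracted; if any
	 * remain, a fifth pseudo-word "..." marks the truncation.  A process
	 * without an argument block falls back to its p_comm name.
	 *
	 * Every p_pptr hop is guarded: the pointer may be NULL at the top of
	 * the process tree, and dereferencing NULL aborts the whole clause
	 * (dropping the record) rather than printing a partial one.  A
	 * missing ancestor is printed as pid 00000, uid.gid 0.0 and no name.
	 */

	/******************* CURPROC *******************/

	this->proc = curthread->td_proc;
	this->pid0 = this->proc->p_pid;
	/* effective uid but real gid -- presumably intentional; confirm */
	this->uid0 = this->proc->p_ucred->cr_uid;
	this->gid0 = this->proc->p_ucred->cr_rgid;
	this->p_args = this->proc->p_args;
	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	this->arg0_0 = this->ar_length > 0 ?
	    this->ar_args : stringof(this->proc->p_comm);
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg0_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg0_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg0_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg0_4 = this->ar_length > 0 ? "..." : "";

	/******************* PPARENT *******************/

	this->proc = this->proc->p_pptr;
	this->pid1 = this->proc ? this->proc->p_pid : 0;
	this->uid1 = this->proc ? this->proc->p_ucred->cr_uid : 0;
	this->gid1 = this->proc ? this->proc->p_ucred->cr_rgid : 0;
	this->p_args = this->proc ? this->proc->p_args : 0;
	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	this->arg1_0 = this->ar_length > 0 ? this->ar_args :
	    (this->proc ? stringof(this->proc->p_comm) : "");
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg1_4 = this->ar_length > 0 ? "..." : "";

	/******************* GPARENT *******************/

	this->proc = this->proc ? this->proc->p_pptr : 0;
	this->pid2 = this->proc ? this->proc->p_pid : 0;
	this->uid2 = this->proc ? this->proc->p_ucred->cr_uid : 0;
	this->gid2 = this->proc ? this->proc->p_ucred->cr_rgid : 0;
	this->p_args = this->proc ? this->proc->p_args : 0;
	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	this->arg2_0 = this->ar_length > 0 ? this->ar_args :
	    (this->proc ? stringof(this->proc->p_comm) : "");
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg2_4 = this->ar_length > 0 ? "..." : "";

	/******************* APARENT *******************/

	this->proc = this->proc ? this->proc->p_pptr : 0;
	this->pid3 = this->proc ? this->proc->p_pid : 0;
	this->uid3 = this->proc ? this->proc->p_ucred->cr_uid : 0;
	this->gid3 = this->proc ? this->proc->p_ucred->cr_rgid : 0;
	this->p_args = this->proc ? this->proc->p_args : 0;
	this->ar_length = this->p_args ? this->p_args->ar_length : 0;
	this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0);

	this->arg3_0 = this->ar_length > 0 ? this->ar_args :
	    (this->proc ? stringof(this->proc->p_comm) : "");
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_1 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_2 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_3 = this->ar_length > 0 ? this->ar_args : "";
	this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0;
	this->ar_args += this->len;
	this->ar_length -= this->len;

	this->arg3_4 = this->ar_length > 0 ? "..." : "";

	/***********************************************/

	/*
	 * Print process, parent, and grandparent details.
	 *
	 * walltimestamp is the wall-clock time in nanoseconds since the
	 * epoch, which is what %Y expects; the monotonic `timestamp' counts
	 * from an arbitrary origin and cannot be turned into a date by
	 * adding a constant.
	 *
	 * NOTE(review): the header pairs the pre-exec image name with the
	 * parent's pid (pid1) rather than the exec'ing process's own pid
	 * (pid0) -- confirm that is the intended reading of "caller".
	 */

	printf("%Y %s[%d]: ", walltimestamp,
	    self->caller_execname, this->pid1);
	printf("%s", this->arg0_0);
	printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1);
	printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2);
	printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3);
	printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4);
	printf("\n");

	/*
	 * Each ancestry line is always terminated, even when the ancestor
	 * is missing and its name is empty, so records stay line-aligned.
	 */
	printf(" -+= %05d %d.%d %s",
	    this->pid3, this->uid3, this->gid3, this->arg3_0);
	printf("%s%s", this->arg3_1 != "" ? " " : "", this->arg3_1);
	printf("%s%s", this->arg3_2 != "" ? " " : "", this->arg3_2);
	printf("%s%s", this->arg3_3 != "" ? " " : "", this->arg3_3);
	printf("%s%s", this->arg3_4 != "" ? " " : "", this->arg3_4);
	printf("\n");

	printf("  \-+= %05d %d.%d %s",
	    this->pid2, this->uid2, this->gid2, this->arg2_0);
	printf("%s%s", this->arg2_1 != "" ? " " : "", this->arg2_1);
	printf("%s%s", this->arg2_2 != "" ? " " : "", this->arg2_2);
	printf("%s%s", this->arg2_3 != "" ? " " : "", this->arg2_3);
	printf("%s%s", this->arg2_4 != "" ? " " : "", this->arg2_4);
	printf("\n");

	printf("    \-+= %05d %d.%d %s",
	    this->pid1, this->uid1, this->gid1, this->arg1_0);
	printf("%s%s", this->arg1_1 != "" ? " " : "", this->arg1_1);
	printf("%s%s", this->arg1_2 != "" ? " " : "", this->arg1_2);
	printf("%s%s", this->arg1_3 != "" ? " " : "", this->arg1_3);
	printf("%s%s", this->arg1_4 != "" ? " " : "", this->arg1_4);
	printf("\n");

	printf("      \-+= %05d %d.%d %s",
	    this->pid0, this->uid0, this->gid0, this->arg0_0);
	printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1);
	printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2);
	printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3);
	printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4);
	printf("\n");
}

/*********************************************************/

/*
 * Release the thread-local on every return, whether or not probe ID 2
 * fired, so that failed execve(2) calls do not leak dynamic variable
 * space.  Clauses run in program order, so this follows the logging clause.
 */
syscall::execve:return /* probe ID 3 */
{
	self->caller_execname = 0;
}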