Diffstat (limited to 'runtime/docs/html/dir_000001.html')
-rw-r--r-- | runtime/docs/html/dir_000001.html | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/runtime/docs/html/dir_000001.html b/runtime/docs/html/dir_000001.html
new file mode 100644
index 00000000..b2802585
--- /dev/null
+++ b/runtime/docs/html/dir_000001.html
@@ -0,0 +1,91 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<html><head><meta http-equiv="Content-Type" content="text/html;charset=iso-8859-1"> +<title>SystemTap: probes/shellsnoop/ Directory Reference</title> +<link href="doxygen.css" rel="stylesheet" type="text/css"> +</head><body> +<!-- Generated by Doxygen 1.4.1 --> +<div class="qindex"><a class="qindex" href="index.html">Main Page</a> | <a class="qindex" href="annotated.html">Data Structures</a> | <a class="qindex" href="dirs.html">Directories</a> | <a class="qindex" href="files.html">File List</a> | <a class="qindex" href="functions.html">Data Fields</a> | <a class="qindex" href="globals.html">Globals</a> | <a class="qindex" href="pages.html">Related Pages</a></div> +<div class="nav"> +<a class="el" href="dir_000000.html">probes</a> / <a class="el" href="dir_000001.html">shellsnoop</a></div> +<h1>shellsnoop Directory Reference</h1>Snoops on what commands are being run by shells. +<a href="#_details">More...</a><table border="0" cellpadding="0" cellspacing="0"> +<tr><td></td></tr> +<tr><td colspan="2"><br><h2>Files</h2></td></tr> +<tr><td class="memItemLeft" nowrap align="right" valign="top">file </td><td class="memItemRight" valign="bottom"><b>dtr.c</b> <a href="shellsnoop_2dtr_8c-source.html">[code]</a></td></tr> + +<tr><td class="memItemLeft" nowrap align="right" valign="top">file </td><td class="memItemRight" valign="bottom"><b>dtr.mod.c</b> <a href="dtr_8mod_8c-source.html">[code]</a></td></tr> + +<tr><td class="memItemLeft" nowrap align="right" valign="top">file </td><td class="memItemRight" valign="bottom"><b>README</b> <a href="probes_2shellsnoop_2README-source.html">[code]</a></td></tr> + +</table> +<hr><a name="_details"></a><h2>Detailed Description</h2> +Snoops on what commands are being run by shells. +<p> +This is a translation of on an old dtr probe. 
It demonstrates maps, lists, and how to use _stp_copy_argv_from_user() and _stp_strncpy_from_user().<p> +Original dtr source:<p> +<div class="fragment"><pre class="fragment"> +# shellsnoop.probe - snoop shell execution as it occurs. +# clone of dtrace shellsnoop example + +global { + long @pids[long]; +} + +probe do_execve:entry { + char __user *vstr; + char str[256]; + int len; + + /* watch shells only */ + /* FIXME: detect more shells, like csh, tcsh, zsh */ + + if (!strcmp(current->comm,"bash") || !strcmp(current->comm,"sh") || !strcmp(current->comm, "zsh") + || !strcmp(current->comm, "tcsh") || !strcmp(current->comm, "pdksh")) + { + dlog ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename); + @pids[current->pid] = 1; + + /* print out argv, ignoring argv[0] */ + if (argv) argv++; + while (argv != NULL) + { + if (get_user (vstr, argv)) + break; + if (!vstr) + break; + len = dtr_strncpy_from_user(str, vstr, 256); + str[len] = 0; + printk ("%s ", str); + argv++; + } + printk ("\n"); + } +} + +# use filp_open because copy_from_user not needed there +probe filp_open:entry { + if (@pids[current->pid]) + dlog ("%d\t%d\t%s\tO %s\n", current->pid, current->parent->pid, current->comm, filename); +} + +probe sys_read:entry { + if (@pids[current->pid]) + dlog ("%d\t%d\t%s\tR %d\n", current->pid, current->parent->pid, current->comm, fd); +} + +probe sys_write:entry { + size_t len; + char str[256]; + if (@pids[current->pid]) + { + if (count < 64) len = count; + else len = 64; + if (len = dtr_strncpy_from_user(str, buf, len)) { + str[len] = 0; + dlog ("%d\t%d\t%s\tW %s\n", current->pid, current->parent->pid, current->comm, str); + } + } +} +</pre></div> <hr size="1"><address style="align: right;"><small> +Generated on Tue Mar 22 00:32:02 2005 for SystemTap.</small></body> +</html> |