Diffstat (limited to 'runtime/probes/shellsnoop')
-rw-r--r-- | runtime/probes/shellsnoop/Makefile | 11 | ||||
-rw-r--r-- | runtime/probes/shellsnoop/README | 67 | ||||
-rwxr-xr-x | runtime/probes/shellsnoop/build | 16 | ||||
-rw-r--r-- | runtime/probes/shellsnoop/dtr.c | 125 |
4 files changed, 219 insertions, 0 deletions
diff --git a/runtime/probes/shellsnoop/Makefile b/runtime/probes/shellsnoop/Makefile
new file mode 100644
index 00000000..8fff0dc4
--- /dev/null
+++ b/runtime/probes/shellsnoop/Makefile
@@ -0,0 +1,11 @@
+# Makefile
+#
+#
+# make -C path/to/kernel/src M=`pwd` modules STP_RUNTIME=path_to_systemtap_rt
+
+CFLAGS += -I $(STP_RUNTIME) -D KALLSYMS_LOOKUP_NAME=$(KALLSYMS_LOOKUP_NAME) \
+ -D KALLSYMS_LOOKUP=$(KALLSYMS_LOOKUP)
+obj-m := dtr.o
+
+clean:
+ /bin/rm -rf *.o *.ko *~ *.mod.c .*.cmd .tmp_versions
diff --git a/runtime/probes/shellsnoop/README b/runtime/probes/shellsnoop/README
new file mode 100644
index 00000000..fee5e4c1
--- /dev/null
+++ b/runtime/probes/shellsnoop/README
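Review bot: The Makefile appends to CFLAGS directly (`CFLAGS += -I $(STP_RUNTIME) ...`); for an out-of-tree kbuild module the per-module flags are normally passed through `EXTRA_CFLAGS` (in later kernels `ccflags-y`), because kbuild of that era warns when CFLAGS itself is modified by a module Makefile. Only the Makefile hunk is affected. I'd change the first flags line to `EXTRA_CFLAGS += -I $(STP_RUNTIME) -D KALLSYMS_LOOKUP_NAME=$(KALLSYMS_LOOKUP_NAME) \` and keep the continuation line as it is.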
@@ -0,0 +1,67 @@
+Sample probe.
+
+This is a translation of on an old dtr probe:
+
+# shellsnoop.probe - snoop shell execution as it occurs.
+# clone of dtrace shellsnoop example
+
+global {
+ long @pids[long];
+}
+
+probe do_execve:entry {
+ char __user *vstr;
+ char str[256];
+ int len;
+
+ /* watch shells only */
+ /* FIXME: detect more shells, like csh, tcsh, zsh */
+
+ if (!strcmp(current->comm,"bash") || !strcmp(current->comm,"sh") || !strcmp(current->comm, "zsh")
+ || !strcmp(current->comm, "tcsh") || !strcmp(current->comm, "pdksh"))
+ {
+ dlog ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename);
+ @pids[current->pid] = 1;
+
+ /* print out argv, ignoring argv[0] */
+ if (argv) argv++;
+ while (argv != NULL)
+ {
+ if (get_user (vstr, argv))
+ break;
+ if (!vstr)
+ break;
+ len = dtr_strncpy_from_user(str, vstr, 256);
+ str[len] = 0;
+ printk ("%s ", str);
+ argv++;
+ }
+ printk ("\n");
+ }
+}
+
+# use filp_open because copy_from_user not needed there
+probe filp_open:entry {
+ if (@pids[current->pid])
+ dlog ("%d\t%d\t%s\tO %s\n", current->pid, current->parent->pid, current->comm, filename);
+}
+
+probe sys_read:entry {
+ if (@pids[current->pid])
+ dlog ("%d\t%d\t%s\tR %d\n", current->pid, current->parent->pid, current->comm, fd);
+}
+
+probe sys_write:entry {
+ size_t len;
+ char str[256];
+ if (@pids[current->pid])
+ {
+ if (count < 64) len = count;
+ else len = 64;
+ if (len = dtr_strncpy_from_user(str, buf, len)) {
+ str[len] = 0;
+ dlog ("%d\t%d\t%s\tW %s\n", current->pid, current->parent->pid, current->comm, str);
+ }
+ }
+}
+
diff --git a/runtime/probes/shellsnoop/build b/runtime/probes/shellsnoop/build
new file mode 100755
index 00000000..3713f08a
--- /dev/null
+++ b/runtime/probes/shellsnoop/build
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+KVERSION=`uname -r`
+echo $KVERSION
+KALLSYMS_LOOKUP_NAME=`grep " kallsyms_lookup_name" /boot/System.map-$KVERSION |awk '{print $1}'`
+KALLSYMS_LOOKUP=`grep " kallsyms_lookup$" /boot/System.map-$KVERSION |awk '{print $1}'`
+
+make V=1 -C /lib/modules/`uname -r`/build M=`pwd` modules \
+ KALLSYMS_LOOKUP_NAME=0x$KALLSYMS_LOOKUP_NAME \
+ KALLSYMS_LOOKUP=0x$KALLSYMS_LOOKUP \
+ STP_RUNTIME=`pwd`/../..
+
+
+
+
+
diff --git a/runtime/probes/shellsnoop/dtr.c b/runtime/probes/shellsnoop/dtr.c
new file mode 100644
index 00000000..12fddaa8
--- /dev/null
+++ b/runtime/probes/shellsnoop/dtr.c
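Review bot: Neither System.map lookup is checked before make runs, so a missing /boot/System.map-$KVERSION or an absent symbol leaves the variable empty and the module is built with `-D KALLSYMS_LOOKUP_NAME=0x`, an invalid address that is only discovered when the probe module is loaded. Guard the lookups ahead of the make line, e.g. `[ -n "$KALLSYMS_LOOKUP_NAME" ] && [ -n "$KALLSYMS_LOOKUP" ] || { echo "kallsyms symbols not found in /boot/System.map-$KVERSION" >&2; exit 1; }`. The expansions on the echo and grep lines are unquoted; `"$KVERSION"` is the safer form, although a kernel release string rarely contains whitespace. The five trailing empty lines at the end of the script could be dropped.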
@@ -0,0 +1,125 @@
+#define HASH_TABLE_BITS 8
+#define HASH_TABLE_SIZE (1<<HASH_TABLE_BITS)
+#define BUCKETS 16 /* largest histogram width */
+
+#include "runtime.h"
+#include "io.c"
+#include "map.c"
+#include "copy.c"
+#include "probes.c"
+
+MODULE_DESCRIPTION("SystemTap probe: shellsnoop");
+MODULE_AUTHOR("Martin Hunt <hunt@redhat.com>");
+
+MAP pids, arglist ;
+
+int inst_do_execve (char * filename, char __user *__user *argv, char __user *__user *envp, struct pt_regs * regs)
+{
+ struct map_node_str *ptr;
+
+ /* watch shells only */
+ /* FIXME: detect more shells, like csh, tcsh, zsh */
+
+ if (!strcmp(current->comm,"bash") || !strcmp(current->comm,"sh") || !strcmp(current->comm, "zsh")
+ || !strcmp(current->comm, "tcsh") || !strcmp(current->comm, "pdksh"))
+ {
+ dlog ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename);
+
+ _stp_map_key_long (pids, current->pid);
+ _stp_map_set_int64 (pids, 1);
+
+ _stp_copy_argv_from_user (arglist, argv);
+ foreach (arglist, ptr)
+ printk ("%s ", ptr->str);
+ printk ("\n");
+ }
+ jprobe_return();
+ return 0;
+}
+
+struct file * inst_filp_open (const char * filename, int flags, int mode)
+{
+ _stp_map_key_long (pids, current->pid);
+ if (_stp_map_get_int64 (pids))
+ dlog ("%d\t%d\t%s\tO %s\n", current->pid, current->parent->pid, current->comm, filename);
+
+ jprobe_return();
+ return 0;
+}
+
+asmlinkage ssize_t inst_sys_read (unsigned int fd, char __user * buf, size_t count)
+{
+ _stp_map_key_long (pids, current->pid);
+ if (_stp_map_get_int64 (pids))
+ dlog ("%d\t%d\t%s\tR %d\n", current->pid, current->parent->pid, current->comm, fd);
+
+ jprobe_return();
+ return 0;
+}
+
+asmlinkage ssize_t inst_sys_write (unsigned int fd, const char __user * buf, size_t count)
+{
+ size_t len;
+ char str[256];
+ _stp_map_key_long (pids, current->pid);
+ if (_stp_map_get_int64 (pids))
+ {
+ if (count < 64)
+ len = count;
+ else
+ len = 64;
+ len = _stp_strncpy_from_user(str, buf, len);
+ if (len < 0) len = 0;
+ 
str[len] = 0;
+ dlog ("%d\t%d\t%s\tW %s\n", current->pid, current->parent->pid, current->comm, str);
+ }
+
+ jprobe_return();
+ return 0;
+}
+
+static struct jprobe dtr_probes[] = {
+ {
+ .kp.addr = (kprobe_opcode_t *)"do_execve",
+ .entry = (kprobe_opcode_t *) inst_do_execve
+ },
+ {
+ .kp.addr = (kprobe_opcode_t *)"filp_open",
+ .entry = (kprobe_opcode_t *) inst_filp_open
+ },
+ {
+ .kp.addr = (kprobe_opcode_t *)"sys_read",
+ .entry = (kprobe_opcode_t *) inst_sys_read
+ },
+ {
+ .kp.addr = (kprobe_opcode_t *)"sys_write",
+ .entry = (kprobe_opcode_t *) inst_sys_write
+ },
+};
+
+#define MAX_DTR_ROUTINE (sizeof(dtr_probes)/sizeof(struct jprobe))
+
+static int init_dtr(void)
+{
+ int ret;
+
+ pids = _stp_map_new (10000, INT64);
+ arglist = _stp_list_new (10, STRING);
+
+ ret = _stp_register_jprobes (dtr_probes, MAX_DTR_ROUTINE);
+
+ dlog("instrumentation is enabled...\n");
+ return ret;
+}
+
+static void cleanup_dtr(void)
+{
+ _stp_unregister_jprobes (dtr_probes, MAX_DTR_ROUTINE);
+ _stp_map_del (pids);
+ dlog("EXIT\n");
+}
+
+module_init(init_dtr);
+module_exit(cleanup_dtr);
+MODULE_LICENSE("GPL");
+ |
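Review bot: In inst_sys_write the guard `if (len < 0) len = 0;` can never fire because `len` is declared `size_t`, so a negative (fault) return from _stp_strncpy_from_user becomes a huge unsigned value and `str[len] = 0` writes far outside the 256-byte stack buffer, reachable from any write() issued by a traced shell. Store the result in a signed variable before indexing, assuming the helper follows the kernel strncpy_from_user convention of a negative return on fault: `long n = _stp_strncpy_from_user(str, buf, len);` / `if (n < 0) n = 0;` / `str[n] = 0;`. In init_dtr the results of _stp_map_new and _stp_list_new are not checked, and a failing _stp_register_jprobes still prints "instrumentation is enabled" and leaves both allocations live, so the error path should release them and return the error; cleanup_dtr likewise deletes pids but never releases arglist. Entries added to pids on do_execve are never removed, so a pid later reused by a non-shell process keeps being logged and the 10000-slot map fills over time; clearing the key on process exit, or at least a comment stating the limitation, would help.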