From b9c556e44326b40b2c927a0a5b5626332a8c9587 Mon Sep 17 00:00:00 2001
From: hunt
Date: Tue, 22 Mar 2005 08:57:11 +0000
Subject: *** empty log message ***
---
runtime/docs/html/dir_000001.html | 91 +++++++++++++++++++++++++++++++++++++++
1 file changed, 91 insertions(+)
create mode 100644 runtime/docs/html/dir_000001.html
(limited to 'runtime/docs/html/dir_000001.html')
diff --git a/runtime/docs/html/dir_000001.html b/runtime/docs/html/dir_000001.html
new file mode 100644
index 00000000..b2802585
--- /dev/null
+++ b/runtime/docs/html/dir_000001.html
@@ -0,0 +1,91 @@ + + +SystemTap: probes/shellsnoop/ Directory Reference + + + +
Main Page | Data Structures | Directories | File List | Data Fields | Globals | Related Pages
+ +

shellsnoop Directory Reference

Snoops on what commands are being run by shells. +More... + + + + + + + + +

Files

file  dtr.c [code]
file  dtr.mod.c [code]
file  README [code]
+

Detailed Description

+Snoops on what commands are being run by shells. +

+This is a translation of on an old dtr probe. It demonstrates maps, lists, and how to use _stp_copy_argv_from_user() and _stp_strncpy_from_user().

+Original dtr source:

+

+# shellsnoop.probe - snoop shell execution as it occurs.
+# clone of dtrace shellsnoop example
+
+global {
+  long @pids[long];
+}
+
+probe do_execve:entry {
+  char __user *vstr;
+  char str[256];
+  int len;
+
+  /* watch shells only */
+  /* FIXME: detect more shells, like csh, tcsh, zsh */
+
+  if (!strcmp(current->comm,"bash") || !strcmp(current->comm,"sh") || !strcmp(current->comm, "zsh")
+      || !strcmp(current->comm, "tcsh") || !strcmp(current->comm, "pdksh"))
+    {
+      dlog ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename);
+      @pids[current->pid] = 1;
+
+      /* print out argv, ignoring argv[0] */
+      if (argv) argv++;
+      while (argv != NULL)
+        {
+          if (get_user (vstr, argv))
+            break;
+          if (!vstr)
+            break;
+          len = dtr_strncpy_from_user(str, vstr, 256);
+          str[len] = 0;
+          printk ("%s ", str);
+          argv++;
+        }
+      printk ("\n");
+    }
+}
+
+# use filp_open because copy_from_user not needed there
+probe filp_open:entry {
+  if (@pids[current->pid])
+    dlog ("%d\t%d\t%s\tO %s\n", current->pid, current->parent->pid, current->comm, filename);
+}
+
+probe sys_read:entry {
+  if (@pids[current->pid])
+    dlog ("%d\t%d\t%s\tR %d\n", current->pid, current->parent->pid, current->comm, fd);
+}
+
+probe sys_write:entry {
+  size_t len;
+  char str[256];
+  if (@pids[current->pid])
+    {
+      if (count < 64) len = count;
+      else len = 64;
+      if (len = dtr_strncpy_from_user(str, buf, len)) {
+        str[len] = 0;
+        dlog ("%d\t%d\t%s\tW %s\n", current->pid, current->parent->pid, current->comm, str);
+        }
+    }
+}
+

+Generated on Tue Mar 22 00:32:02 2005 for SystemTap. + -- cgit