From b9c556e44326b40b2c927a0a5b5626332a8c9587 Mon Sep 17 00:00:00 2001
From: hunt
Date: Tue, 22 Mar 2005 08:57:11 +0000
Subject: *** empty log message ***
---
.../html/probes_2shellsnoop_2README-source.html | 85 ++++++++++++++++++++++
1 file changed, 85 insertions(+)
create mode 100644 runtime/docs/html/probes_2shellsnoop_2README-source.html
(limited to 'runtime/docs/html/probes_2shellsnoop_2README-source.html')
diff --git a/runtime/docs/html/probes_2shellsnoop_2README-source.html b/runtime/docs/html/probes_2shellsnoop_2README-source.html
new file mode 100644
index 00000000..2a2ac71d
--- /dev/null
+++ b/runtime/docs/html/probes_2shellsnoop_2README-source.html
@@ -0,0 +1,85 @@
+ + +SystemTap: probes/shellsnoop/README Source File + + + +
Main Page | Data Structures | Directories | File List | Data Fields | Globals | Related Pages
+ +

README

00001 /** @dir shellsnoop
+00002 Snoops on what commands are being run by shells.
+00003 
+00004 This is a translation of on an old dtr probe. It demonstrates maps,
+00005 lists, and how to use _stp_copy_argv_from_user() and  _stp_strncpy_from_user().
+00006 
+00007 Original dtr source:
+00008 
+00009 \verbatim
+00010 # shellsnoop.probe - snoop shell execution as it occurs.
+00011 # clone of dtrace shellsnoop example
+00012 
+00013 global {
+00014   long @pids[long];
+00015 }
+00016 
+00017 probe do_execve:entry {
+00018   char __user *vstr;
+00019   char str[256];
+00020   int len;
+00021 
+00022   /* watch shells only */
+00023   /* FIXME: detect more shells, like csh, tcsh, zsh */
+00024 
+00025   if (!strcmp(current->comm,"bash") || !strcmp(current->comm,"sh") || !strcmp(current->comm, "zsh")
+00026       || !strcmp(current->comm, "tcsh") || !strcmp(current->comm, "pdksh"))
+00027     {
+00028       dlog ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename);
+00029       @pids[current->pid] = 1;
+00030 
+00031       /* print out argv, ignoring argv[0] */
+00032       if (argv) argv++;
+00033       while (argv != NULL)
+00034         {
+00035           if (get_user (vstr, argv))
+00036             break;
+00037           if (!vstr)
+00038             break;
+00039           len = dtr_strncpy_from_user(str, vstr, 256);
+00040           str[len] = 0;
+00041           printk ("%s ", str);
+00042           argv++;
+00043         }
+00044       printk ("\n");
+00045     }
+00046 }
+00047 
+00048 # use filp_open because copy_from_user not needed there
+00049 probe filp_open:entry {
+00050   if (@pids[current->pid])
+00051     dlog ("%d\t%d\t%s\tO %s\n", current->pid, current->parent->pid, current->comm, filename);
+00052 }
+00053 
+00054 probe sys_read:entry {
+00055   if (@pids[current->pid])
+00056     dlog ("%d\t%d\t%s\tR %d\n", current->pid, current->parent->pid, current->comm, fd);
+00057 }
+00058 
+00059 probe sys_write:entry {
+00060   size_t len;
+00061   char str[256];
+00062   if (@pids[current->pid])
+00063     {
+00064       if (count < 64) len = count;
+00065       else len = 64;
+00066       if (len = dtr_strncpy_from_user(str, buf, len)) {
+00067         str[len] = 0;
+00068         dlog ("%d\t%d\t%s\tW %s\n", current->pid, current->parent->pid, current->comm, str);
+00069         }
+00070     }
+00071 }
+00072 \endverbatim
+00073 */
+

+Generated on Tue Mar 22 00:32:02 2005 for SystemTap. + -- cgit