From b9c556e44326b40b2c927a0a5b5626332a8c9587 Mon Sep 17 00:00:00 2001 From: hunt Date: Tue, 22 Mar 2005 08:57:11 +0000 Subject: *** empty log message *** --- runtime/docs/html/shellsnoop_2dtr_8c-source.html | 138 +++++++++++++++++++++++ 1 file changed, 138 insertions(+) create mode 100644 runtime/docs/html/shellsnoop_2dtr_8c-source.html (limited to 'runtime/docs/html/shellsnoop_2dtr_8c-source.html')
diff --git a/runtime/docs/html/shellsnoop_2dtr_8c-source.html b/runtime/docs/html/shellsnoop_2dtr_8c-source.html
new file mode 100644
index 00000000..7f6aa12c
--- /dev/null
+++ b/runtime/docs/html/shellsnoop_2dtr_8c-source.html
@@ -0,0 +1,138 @@
+ + +SystemTap: probes/shellsnoop/dtr.c Source File + + + +
Main Page | Data Structures | Directories | File List | Data Fields | Globals | Related Pages
+ +

dtr.c

00001 #define HASH_TABLE_BITS 8
+00002 #define HASH_TABLE_SIZE (1<<HASH_TABLE_BITS)
+00003 #define BUCKETS 16 /* largest histogram width */
+00004 
+00005 #include "runtime.h"
+00006 #include "io.c"
+00007 #include "map.c"
+00008 #include "copy.c"
+00009 #include "probes.c"
+00010 
+00011 MODULE_DESCRIPTION("SystemTap probe: shellsnoop");
+00012 MODULE_AUTHOR("Martin Hunt <hunt@redhat.com>");
+00013 
+00014 MAP pids, arglist ;
+00015 
+00016 int inst_do_execve (char * filename, char __user *__user *argv, char __user *__user *envp, struct pt_regs * regs)
+00017 {
+00018   struct map_node_str *ptr;
+00019 
+00020   /* watch shells only */
+00021   /* FIXME: detect more shells, like csh, tcsh, zsh */
+00022   
+00023   if (!strcmp(current->comm,"bash") || !strcmp(current->comm,"sh") || !strcmp(current->comm, "zsh")
+00024       || !strcmp(current->comm, "tcsh") || !strcmp(current->comm, "pdksh"))
+00025     {
+00026       dlog ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename);
+00027 
+00028       _stp_map_key_long (pids, current->pid);
+00029       _stp_map_set_int64 (pids, 1);
+00030       
+00031       _stp_list_clear (arglist);
+00032       _stp_copy_argv_from_user (arglist, argv);
+00033       foreach (arglist, ptr)
+00034         printk ("%s ", ptr->str);
+00035       printk ("\n");
+00036     }
+00037   jprobe_return();
+00038   return 0;
+00039 }
+00040 
+00041 struct file * inst_filp_open (const char * filename, int flags, int mode)
+00042 {
+00043   _stp_map_key_long (pids, current->pid);
+00044   if (_stp_map_get_int64 (pids))
+00045     dlog ("%d\t%d\t%s\tO %s\n", current->pid, current->parent->pid, current->comm, filename);
+00046   
+00047   jprobe_return();
+00048   return 0;
+00049 }
+00050 
+00051 asmlinkage ssize_t inst_sys_read (unsigned int fd, char __user * buf, size_t count)
+00052 {
+00053   _stp_map_key_long (pids, current->pid);
+00054   if (_stp_map_get_int64 (pids))
+00055     dlog ("%d\t%d\t%s\tR %d\n", current->pid, current->parent->pid, current->comm, fd);
+00056   
+00057   jprobe_return();
+00058   return 0;
+00059 }
+00060 
+00061 asmlinkage ssize_t inst_sys_write (unsigned int fd, const char __user * buf, size_t count)
+00062 {
+00063   size_t len;
+00064   char str[256];
+00065   _stp_map_key_long (pids, current->pid);
+00066   if (_stp_map_get_int64 (pids))
+00067     {
+00068       if (count < 64) 
+00069         len = count;
+00070       else 
+00071         len = 64;
+00072       len = _stp_strncpy_from_user(str, buf, len);
+00073       if (len < 0) len = 0;
+00074       str[len] = 0;
+00075       dlog ("%d\t%d\t%s\tW %s\n", current->pid, current->parent->pid, current->comm, str);
+00076     }
+00077   
+00078   jprobe_return();
+00079   return 0;
+00080 }
+00081 
+00082 static struct jprobe dtr_probes[] = {
+00083   {
+00084     .kp.addr = (kprobe_opcode_t *)"do_execve",
+00085     .entry = (kprobe_opcode_t *) inst_do_execve
+00086   },
+00087   {
+00088     .kp.addr = (kprobe_opcode_t *)"filp_open",
+00089     .entry = (kprobe_opcode_t *) inst_filp_open
+00090   },
+00091   {
+00092     .kp.addr = (kprobe_opcode_t *)"sys_read",
+00093     .entry = (kprobe_opcode_t *) inst_sys_read
+00094   },
+00095   {
+00096     .kp.addr = (kprobe_opcode_t *)"sys_write",
+00097     .entry = (kprobe_opcode_t *) inst_sys_write
+00098   },
+00099 };
+00100 
+00101 #define MAX_DTR_ROUTINE (sizeof(dtr_probes)/sizeof(struct jprobe))
+00102 
+00103 static int init_dtr(void)
+00104 {
+00105   int ret;
+00106 
+00107   pids = _stp_map_new (10000, INT64);
+00108   arglist = _stp_list_new (10, STRING);
+00109 
+00110   ret = _stp_register_jprobes (dtr_probes, MAX_DTR_ROUTINE);
+00111 
+00112   dlog("instrumentation is enabled...\n");
+00113   return ret;
+00114 }
+00115 
+00116 static void cleanup_dtr(void)
+00117 {
+00118   _stp_unregister_jprobes (dtr_probes, MAX_DTR_ROUTINE);
+00119   _stp_map_del (pids);
+00120   dlog("EXIT\n");
+00121 }
+00122 
+00123 module_init(init_dtr);
+00124 module_exit(cleanup_dtr);
+00125 MODULE_LICENSE("GPL");
+00126 
+

+Generated on Tue Mar 22 00:32:02 2005 for SystemTap. + -- cgit
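Review bot: In inst_sys_write the fault check `if (len < 0) len = 0;` can never fire because `len` is declared `size_t`, so if `_stp_strncpy_from_user` follows the kernel strncpy_from_user convention of returning a negative error for a bad user pointer, that value becomes a huge unsigned index and `str[len] = 0` writes far outside the 256-byte stack buffer in kernel context — reachable from an unprivileged shell process via write(fd, bad_ptr, n). Declaring the length as signed, `long len;`, makes the existing check effective, and the 64-byte copy bound keeps `str[len] = 0` inside the buffer. This file is a doxygen rendering of probes/shellsnoop/dtr.c, so the fix belongs in that source file with the HTML regenerated afterwards. Separately, the `pids` map entry set in inst_do_execve is never cleared anywhere in this listing except at module unload, so a later non-shell process that reuses the pid will also have its opens, reads and writes logged.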