/* Sizing knobs consumed by the bundled runtime (map.c); presumably the
 * hash table has 2^HASH_TABLE_BITS slots and BUCKETS entries per slot --
 * confirm against map.c. */
#define HASH_TABLE_BITS 8
#define HASH_TABLE_SIZE (1<<HASH_TABLE_BITS)
#define BUCKETS 16

/* Transport/buffer selection for runtime.h: netlink-only output and a
 * single String scratch buffer (inst_sys_write uses one) -- semantics
 * assumed from the names, verify in runtime.h. */
#define STP_NETLINK_ONLY
#define STP_NUM_STRINGS 1
00007
00008 #include "runtime.h"
00009 #include "map.c"
00010 #include "copy.c"
00011 #include "probes.c"
00012
MODULE_DESCRIPTION("SystemTap probe: shellsnoop");
MODULE_AUTHOR("Martin Hunt <hunt@redhat.com>");

/* pids:    INT64 map keyed by pid; set to 1 by inst_do_execve when a
 *          tracked shell execs, read by the open/read/write handlers.
 * arglist: STRING list reused as argv scratch space by inst_do_execve.
 * Both are allocated in init_dtr. */
MAP pids, arglist ;
00017
/*
 * jprobe entry handler for do_execve().  When the exec'ing task's comm is
 * one of the tracked shells, mark its pid in the `pids` map and print
 * "<uid>\t<pid>\t<ppid>\t<filename> <argv...>".
 *
 * current->comm is a best-effort filter only: a task can change its own
 * comm, so this is not an authenticated identity check.  The return value
 * is unused; control returns to the probed function via jprobe_return().
 */
int inst_do_execve (char * filename, char __user *__user *argv, char __user *__user *envp, struct pt_regs * regs)
{
	static const char *const shells[] = { "bash", "sh", "zsh", "tcsh", "pdksh" };
	int is_shell = 0;
	unsigned i;

	/* same comparison order as the original || chain */
	for (i = 0; i < sizeof shells / sizeof shells[0]; i++) {
		if (!strcmp (current->comm, shells[i])) {
			is_shell = 1;
			break;
		}
	}

	if (is_shell) {
		struct map_node_str *node;

		_stp_printf ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename);

		/* remember this pid so the open/read/write probes report it */
		_stp_map_key_long (pids, current->pid);
		_stp_map_set_int64 (pids, 1);

		/* argv lives in user memory; the runtime helper does the copy */
		_stp_list_clear (arglist);
		_stp_copy_argv_from_user (arglist, argv);

		foreach (arglist, node)
			_stp_printf ("%s ", node->str);

		_stp_print_flush();
	}
	jprobe_return();
	return 0;
}
00044
/*
 * jprobe entry handler for filp_open().  If the calling pid was marked by
 * inst_do_execve (a tracked shell), print
 * "<pid>\t<ppid>\t<comm>\tO <filename>".  The return value is unused.
 */
struct file * inst_filp_open (const char * filename, int flags, int mode)
{
	int64_t tracked;

	_stp_map_key_long (pids, current->pid);
	tracked = _stp_map_get_int64 (pids);
	if (tracked)
		_stp_printf ("%d\t%d\t%s\tO %s", current->pid, current->parent->pid, current->comm, filename);

	_stp_print_flush();
	jprobe_return();
	return NULL;
}
00055
/*
 * jprobe entry handler for sys_read().  For a pid marked by inst_do_execve,
 * print "<pid>\t<ppid>\t<comm>\tR <fd>".  Only the descriptor is reported:
 * at entry the read has not happened yet, so buf holds nothing of interest.
 * The return value is unused.
 */
asmlinkage ssize_t inst_sys_read (unsigned int fd, char __user * buf, size_t count)
{
	int64_t tracked;

	_stp_map_key_long (pids, current->pid);
	tracked = _stp_map_get_int64 (pids);
	if (tracked)
		_stp_printf ("%d\t%d\t%s\tR %d", current->pid, current->parent->pid, current->comm, fd);

	_stp_print_flush();
	jprobe_return();
	return 0;
}
00066
/*
 * jprobe entry handler for sys_write().  For a pid marked by
 * inst_do_execve, copy the user buffer into a String and print
 * "<pid>\t<ppid>\t<comm>\tW <data>".  The return value is unused.
 *
 * count is the caller-supplied length; this relies on
 * _stp_string_from_user bounding the copy to the String's capacity --
 * confirm in the runtime.
 */
asmlinkage ssize_t inst_sys_write (unsigned int fd, const char __user * buf, size_t count)
{
	String str;

	_stp_map_key_long (pids, current->pid);
	if (!_stp_map_get_int64 (pids))
		goto out;

	str = _stp_string_init (0);
	_stp_string_from_user(str, buf, count);
	_stp_printf ("%d\t%d\t%s\tW %s", current->pid, current->parent->pid, current->comm, str->buf);
	_stp_print_flush();

out:
	jprobe_return();
	return 0;
}
00081
/* jprobe table: the .kp.addr fields hold symbol *names*, not addresses;
 * presumably _stp_register_jprobes resolves them at registration time --
 * confirm in probes.c. */
static struct jprobe dtr_probes[] = {
	{
		.kp.addr = (kprobe_opcode_t *)"do_execve",
		.entry = (kprobe_opcode_t *) inst_do_execve
	},
	{
		.kp.addr = (kprobe_opcode_t *)"filp_open",
		.entry = (kprobe_opcode_t *) inst_filp_open
	},
	{
		.kp.addr = (kprobe_opcode_t *)"sys_read",
		.entry = (kprobe_opcode_t *) inst_sys_read
	},
	{
		.kp.addr = (kprobe_opcode_t *)"sys_write",
		.entry = (kprobe_opcode_t *) inst_sys_write
	},
};

/* number of entries in dtr_probes */
#define MAX_DTR_ROUTINE (sizeof(dtr_probes)/sizeof(struct jprobe))
00102
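/*
 * Module init: open the netlink transport, allocate the pid map and the
 * argv scratch list, then register the jprobes.
 *
 * Returns 0 on success, -1 if the transport or an allocation fails, or
 * the (negative) result of _stp_register_jprobes.  On any failure the
 * resources acquired so far are released again so a failed load neither
 * leaves the transport open nor leaks the maps -- the original returned
 * the registration error with everything still allocated.
 */
static int init_dtr(void)
{
	int ret;

	if (_stp_netlink_open() < 0)
		return -1;

	pids = _stp_map_new (10000, INT64);
	if (!pids) {
		ret = -1;
		goto err_netlink;
	}

	arglist = _stp_list_new (10, STRING);
	if (!arglist) {
		ret = -1;
		goto err_pids;
	}

	ret = _stp_register_jprobes (dtr_probes, MAX_DTR_ROUTINE);
	if (ret < 0)
		goto err_arglist;

	/* only log "enabled" once registration actually succeeded */
	_stp_log("instrumentation is enabled... %s\n", __this_module.name);
	return ret;

err_arglist:
	/* lists are map objects in this runtime, so _stp_map_del is assumed
	 * to be their destructor too -- confirm against map.c */
	_stp_map_del (arglist);
	arglist = NULL;
err_pids:
	_stp_map_del (pids);
	pids = NULL;
err_netlink:
	_stp_netlink_close();
	return ret;
}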
00118
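/*
 * Probe shutdown: unregister the jprobes and free the runtime maps.
 * Not called from this file; presumably the runtime's netlink transport
 * invokes it when the session ends -- confirm in runtime.h.
 *
 * The original freed only `pids`; `arglist`, allocated alongside it in
 * init_dtr, is released here as well so it does not leak on unload.
 */
static void probe_exit (void)
{
	_stp_unregister_jprobes (dtr_probes, MAX_DTR_ROUTINE);

	_stp_print ("In probe_exit now.");
	_stp_map_del (pids);
	pids = NULL;
	/* lists are map objects in this runtime, so _stp_map_del is assumed
	 * to be their destructor too -- confirm against map.c */
	_stp_map_del (arglist);
	arglist = NULL;
	_stp_print_flush();
}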
00127
00128
/*
 * Module exit: tear down the netlink transport.  Probe unregistration and
 * map teardown live in probe_exit(), which this function does not call;
 * presumably the runtime runs it before unload -- confirm in runtime.h.
 */
static void cleanup_dtr(void)
{
	_stp_netlink_close();
}
00134
/* kernel module entry/exit hooks and license tag */
module_init(init_dtr);
module_exit(cleanup_dtr);
MODULE_LICENSE("GPL");
00138