/* Sizing for the runtime map implementation pulled in below (map.c);
 * these must be defined before the #include lines that follow. */
#define HASH_TABLE_BITS 8
#define HASH_TABLE_SIZE (1<<HASH_TABLE_BITS)
#define BUCKETS 16
00004
00005 #include "runtime.h"
00006 #include "io.c"
00007 #include "map.c"
00008 #include "copy.c"
00009 #include "probes.c"
00010
00011 MODULE_DESCRIPTION("SystemTap probe: shellsnoop");
00012 MODULE_AUTHOR("Martin Hunt <hunt@redhat.com>");
00013
/* pids:    pid -> 1, set at execve() from a shell and consulted by the
 *          open/read/write probes. Nothing in this file removes entries,
 *          so a flag appears to outlive the process and reused pids stay flagged.
 * arglist: scratch list the execve probe fills with argv before printing. */
MAP pids, arglist ;
00015
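/*
 * jprobe entry for do_execve(): when the calling process is a shell, log
 * uid/pid/ppid/filename plus the new argv, and flag the pid in `pids` so the
 * open/read/write probes below report its activity.
 *
 * Parameters mirror do_execve()'s; only filename and argv are used.
 * Never returns normally: jprobe_return() hands control back to the probed
 * function, so the trailing `return 0` is only there to satisfy the signature.
 */
int inst_do_execve (char * filename, char __user *__user *argv, char __user *__user *envp, struct pt_regs * regs)
{
	/* Shells whose children are traced. comm is settable by the process
	 * itself (prctl PR_SET_NAME), so this is a convenience filter for
	 * interactive activity, not a trust boundary. */
	static const char *const shells[] = { "bash", "sh", "zsh", "tcsh", "pdksh" };
	struct map_node_str *ptr;
	unsigned i;
	int from_shell = 0;

	for (i = 0; i < sizeof shells / sizeof shells[0]; i++) {
		if (!strcmp(current->comm, shells[i])) {
			from_shell = 1;
			break;
		}
	}

	if (from_shell) {
		/* uid_t is unsigned: %u, not %d (the pid fields are int). */
		dlog ("%u\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename);

		/* Flag this pid for the other probes; nothing here ever clears it. */
		_stp_map_key_long (pids, current->pid);
		_stp_map_set_int64 (pids, 1);

		/* NOTE(review): arglist is a single global list. Concurrent execve()s
		 * on different CPUs would race on clear/copy/print unless the runtime
		 * serialises jprobe handlers -- confirm, or make the list per-cpu. */
		_stp_list_clear (arglist);
		_stp_copy_argv_from_user (arglist, argv);
		foreach (arglist, ptr)
			printk ("%s ", ptr->str);
		printk ("\n");
	}
	jprobe_return();
	return 0;
}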
00040
/*
 * jprobe entry for filp_open(): if the current pid was flagged by the execve
 * probe, log pid/ppid/comm and the path being opened ("O").
 * Control returns to filp_open() via jprobe_return(); the NULL return is
 * never seen by a caller.
 */
struct file * inst_filp_open (const char * filename, int flags, int mode)
{
	int traced;

	_stp_map_key_long (pids, current->pid);
	traced = _stp_map_get_int64 (pids) != 0;
	if (traced)
		dlog ("%d\t%d\t%s\tO %s\n", current->pid, current->parent->pid, current->comm, filename);

	jprobe_return();
	return NULL;
}
00050
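/*
 * jprobe entry for sys_read(): if the current pid was flagged by the execve
 * probe, log pid/ppid/comm and the descriptor being read ("R").
 * buf and count are unused here but must stay in the signature so the jprobe
 * argument layout matches sys_read().
 */
asmlinkage ssize_t inst_sys_read (unsigned int fd, char __user * buf, size_t count)
{
	_stp_map_key_long (pids, current->pid);
	if (_stp_map_get_int64 (pids)) {
		/* fd is unsigned int: %u, not %d. */
		dlog ("%d\t%d\t%s\tR %u\n", current->pid, current->parent->pid, current->comm, fd);
	}

	jprobe_return();
	return 0;
}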
00060
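/*
 * jprobe entry for sys_write(): if the current pid was flagged by the execve
 * probe, log pid/ppid/comm and the first bytes of the data being written ("W").
 *
 * Fix: `len` was a size_t, so the `len < 0` check for a failed copy from user
 * space could never fire; a negative return would wrap to a huge index and
 * `str[len] = 0` would write far outside the stack buffer. The copy result is
 * now kept in a signed variable and clamped before it is used as an index.
 */
asmlinkage ssize_t inst_sys_write (unsigned int fd, const char __user * buf, size_t count)
{
	enum { SNOOP_MAX = 64 };	/* bytes of the write that are logged */
	long len;			/* signed: a fault is reported as a negative value */
	char str[SNOOP_MAX + 1];

	_stp_map_key_long (pids, current->pid);
	if (_stp_map_get_int64 (pids)) {
		len = _stp_strncpy_from_user(str, buf, count < SNOOP_MAX ? count : SNOOP_MAX);
		if (len < 0)
			len = 0;		/* copy failed (e.g. bad user pointer): log an empty string */
		else if (len > SNOOP_MAX)
			len = SNOOP_MAX;	/* defensive: never index past the buffer */
		str[len] = 0;
		/* str is raw user data and may contain newlines or control bytes;
		 * consumers of the log must not assume one line equals one record. */
		dlog ("%d\t%d\t%s\tW %s\n", current->pid, current->parent->pid, current->comm, str);
	}

	jprobe_return();
	return 0;
}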
00081
/* Probe table: each entry names the kernel function to hook (resolved by
 * symbol name at registration) and the handler above that runs on entry.
 * init_dtr()/cleanup_dtr() register and unregister the whole table. */
static struct jprobe dtr_probes[] = {
{
.kp.addr = (kprobe_opcode_t *)"do_execve",
.entry = (kprobe_opcode_t *) inst_do_execve
},
{
.kp.addr = (kprobe_opcode_t *)"filp_open",
.entry = (kprobe_opcode_t *) inst_filp_open
},
{
.kp.addr = (kprobe_opcode_t *)"sys_read",
.entry = (kprobe_opcode_t *) inst_sys_read
},
{
.kp.addr = (kprobe_opcode_t *)"sys_write",
.entry = (kprobe_opcode_t *) inst_sys_write
},
};
00100
/* Number of entries in dtr_probes (array element count, valid only on the real array). */
#define MAX_DTR_ROUTINE (sizeof(dtr_probes)/sizeof(struct jprobe))
00102
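/*
 * Module init: allocate the pid map and the argv scratch list, then register
 * the probe table.
 *
 * Returns 0 on success, otherwise a negative error. The original returned the
 * registration result without checking the allocations and without freeing
 * the maps on failure; since module_exit is not run when init fails, those
 * maps were leaked. Both are handled here.
 */
static int init_dtr(void)
{
	int ret;

	pids = _stp_map_new (10000, INT64);
	arglist = _stp_list_new (10, STRING);
	/* assumes _stp_map_new/_stp_list_new return NULL on allocation failure -- confirm in map.c */
	if (pids == NULL || arglist == NULL) {
		ret = -ENOMEM;
		goto fail;
	}

	ret = _stp_register_jprobes (dtr_probes, MAX_DTR_ROUTINE);
	if (ret)
		goto fail;

	dlog("instrumentation is enabled...\n");
	return ret;

fail:
	/* Release whatever was obtained; guards cover the partially-allocated case. */
	if (arglist)
		_stp_map_del (arglist);
	if (pids)
		_stp_map_del (pids);
	arglist = NULL;
	pids = NULL;
	return ret;
}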
00115
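/*
 * Module exit: unregister the probes first so no handler can touch the maps
 * while they are being freed, then release both maps.
 *
 * Fix: the original freed `pids` but never `arglist`, leaking it on unload.
 */
static void cleanup_dtr(void)
{
	_stp_unregister_jprobes (dtr_probes, MAX_DTR_ROUTINE);
	_stp_map_del (pids);
	/* arglist is declared with the same MAP type as pids; assumes
	 * _stp_map_del is the matching destructor for lists too -- confirm in map.c */
	_stp_map_del (arglist);
	pids = NULL;
	arglist = NULL;
	dlog("EXIT\n");
}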
00122
/* Kernel module entry/exit hooks and license (GPL is required for the symbols used above). */
module_init(init_dtr);
module_exit(cleanup_dtr);
MODULE_LICENSE("GPL");
00126