<h1>shellsnoop Directory Reference</h1>Snoops on what commands are being run by shells.
<a href="#_details">More...</a><table border="0" cellpadding="0" cellspacing="0">
<tr><td></td></tr>
<tr><td colspan="2"><br><h2>Files</h2></td></tr>
<tr><td class="memItemLeft" nowrap align="right" valign="top">file </td><td class="memItemRight" valign="bottom"><b>dtr.c</b> <a href="shellsnoop_2dtr_8c-source.html">[code]</a></td></tr>
<tr><td class="memItemLeft" nowrap align="right" valign="top">file </td><td class="memItemRight" valign="bottom"><b>README</b> <a href="probes_2shellsnoop_2README-source.html">[code]</a></td></tr>
</table>
<hr><a name="_details"></a><h2>Detailed Description</h2>
Snoops on what commands are being run by shells.
<p>
This is a translation of an old dtr probe. It demonstrates maps, lists, and how to use <a class="el" href="copy_8c.html#a2">_stp_copy_argv_from_user()</a> and <a class="el" href="copy_8c.html#a0">_stp_strncpy_from_user()</a>.<p>
Original dtr source:<p>
<div class="fragment"><pre class="fragment">
# shellsnoop.probe - snoop shell execution as it occurs.
# clone of dtrace shellsnoop example
# map keyed by pid: do_execve:entry sets an entry when the caller is one of
# the recognised shells; the filp_open/sys_read/sys_write probes below test it
global {
long @pids[long];
}
# On every execve: if the calling task's comm is one of the listed shells,
# log uid/pid/parent pid/filename plus argv[1..], and record the pid in
# @pids so the probes below follow this process.
probe do_execve:entry {
char __user *vstr;
char str[256];
int len;
/* watch shells only */
/* FIXME: detect more shells, like csh, tcsh, zsh */
/* (zsh and tcsh are already in the list below; csh is not) */
if (!strcmp(current->comm,"bash") || !strcmp(current->comm,"sh") || !strcmp(current->comm, "zsh")
|| !strcmp(current->comm, "tcsh") || !strcmp(current->comm, "pdksh"))
{
dlog ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename);
@pids[current->pid] = 1;
/* print out argv, ignoring argv[0] */
if (argv) argv++;
/* argv++ never becomes NULL, so the loop ends only through the two breaks:
   a faulting get_user, or the NULL entry that terminates the argv array */
while (argv != NULL)
{
if (get_user (vstr, argv))
break;
if (!vstr)
break;
/* NOTE(review): str is 256 bytes and the copy is bounded by 256; if
   dtr_strncpy_from_user can return the full 256 (or a negative error),
   str[len] below writes outside str. The sys_write probe avoids this by
   capping len at 64 — confirm the helper's return contract. */
len = dtr_strncpy_from_user(str, vstr, 256);
str[len] = 0;
printk ("%s ", str);
argv++;
}
printk ("\n");
}
}
# use filp_open because copy_from_user not needed there
# Logs each file open ("O" + filename) made by a pid recorded in @pids.
probe filp_open:entry {
/* only pids tagged by do_execve:entry above */
if (@pids[current->pid])
dlog ("%d\t%d\t%s\tO %s\n", current->pid, current->parent->pid, current->comm, filename);
}
# Logs each read ("R" + fd) made by a pid recorded in @pids.
probe sys_read:entry {
/* only pids tagged by do_execve:entry above */
if (@pids[current->pid])
dlog ("%d\t%d\t%s\tR %d\n", current->pid, current->parent->pid, current->comm, fd);
}
# Logs the first bytes (at most 64, "W" + data) of each write made by a pid
# recorded in @pids.
probe sys_write:entry {
size_t len;
char str[256];
if (@pids[current->pid])
{
/* copy at most 64 bytes of the user buffer, leaving room in str for the terminator */
if (count < 64) len = count;
else len = 64;
/* assignment, not comparison: the log is skipped when nothing was copied.
   NOTE(review): len is size_t, so a negative error return from the helper
   would become a huge index in str[len] — confirm the helper never returns
   a negative value. */
if (len = dtr_strncpy_from_user(str, buf, len)) {
str[len] = 0;
dlog ("%d\t%d\t%s\tW %s\n", current->pid, current->parent->pid, current->comm, str);
}
}
}
</pre></div> <hr size="1"><address style="align: right;"><small>