/* Tuning knobs for the runtime sources included below.  None of these
 * names is referenced directly in this file; presumably map.c sizes its
 * hash table from HASH_TABLE_SIZE and BUCKETS bounds histogram widths --
 * confirm against the included runtime sources before changing them. */
#define HASH_TABLE_BITS 8
#define HASH_TABLE_SIZE (1<<HASH_TABLE_BITS)
#define BUCKETS 16 /* largest histogram width */

#include <linux/errno.h>

#include "runtime.h"
#include "io.c"
#include "map.c"
#include "copy.c"
#include "probes.c"

MODULE_DESCRIPTION("SystemTap probe: shellsnoop");
MODULE_AUTHOR("Martin Hunt <hunt@redhat.com>");

MAP pids, arglist ;

/* Shells whose execve() calls are reported (csh is not in the list).
 * Matching is on current->comm, which a process can set freely (e.g. via
 * prctl PR_SET_NAME) and which only reflects the name a process was
 * started under, so this is a convenience filter, not a security
 * boundary: a shell renamed "foo" is missed and a non-shell named "sh"
 * is reported. */
static const char *const watched_shells[] = {
  "bash", "sh", "zsh", "tcsh", "pdksh",
};

/* True when comm names one of the watched shells. */
static int is_watched_shell (const char *comm)
{
  unsigned i;

  for (i = 0; i < sizeof(watched_shells) / sizeof(watched_shells[0]); i++)
    if (strcmp (comm, watched_shells[i]) == 0)
      return 1;
  return 0;
}

/* jprobe handler for do_execve.  When the calling process is a watched
 * shell, log "uid\tpid\tppid\tfilename " followed by the argv strings,
 * mark the pid in `pids' so the open/read/write probes report on it, and
 * return to the probed function.  envp and regs are not used.  The pid is
 * never unmarked here (no removal is visible in this file). */
int inst_do_execve (char * filename, char __user *__user *argv, char __user *__user *envp, struct pt_regs * regs)
{
  struct map_node_str *node;

  if (is_watched_shell (current->comm))
    {
      dlog ("%d\t%d\t%d\t%s ", current->uid, current->pid, current->parent->pid, filename);

      /* remember this pid as a shell: the other probes key on it */
      _stp_map_key_long (pids, current->pid);
      _stp_map_set_int64 (pids, 1);

      /* argv lives in user space; copy it into the list before printing */
      _stp_copy_argv_from_user (arglist, argv);
      foreach (arglist, node)
	printk ("%s ", node->str);
      printk ("\n");
    }
  jprobe_return();
  return 0;
}

/* jprobe handler for filp_open.  If the calling pid was marked as a shell
 * by inst_do_execve, log "pid\tppid\tcomm\tO filename"; flags and mode are
 * not reported.  Always returns to the probed function via jprobe_return. */
struct file * inst_filp_open (const char * filename, int flags, int mode)
{
  _stp_map_key_long (pids, current->pid);
  if (!_stp_map_get_int64 (pids))
    goto done;   /* not a watched shell: stay silent */

  dlog ("%d\t%d\t%s\tO %s\n", current->pid, current->parent->pid, current->comm, filename);

 done:
  jprobe_return();
  return 0;
}

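/* jprobe handler for sys_read.  If the calling pid was marked as a shell
 * by inst_do_execve, log "pid\tppid\tcomm\tR fd".  Only the descriptor is
 * reported; buf and count are not touched.  Always returns to the probed
 * function via jprobe_return.
 *
 * Fix: fd is unsigned int, so it is printed with %u rather than %d. */
asmlinkage ssize_t inst_sys_read (unsigned int fd, char __user * buf, size_t count)
{
  int watched;

  _stp_map_key_long (pids, current->pid);
  watched = _stp_map_get_int64 (pids) != 0;
  if (watched)
    dlog ("%d\t%d\t%s\tR %u\n", current->pid, current->parent->pid, current->comm, fd);

  jprobe_return();
  return 0;
}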

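/* jprobe handler for sys_write.  If the calling pid was marked as a shell
 * by inst_do_execve, copy at most the first 64 bytes of the user buffer
 * and log "pid\tppid\tcomm\tW <bytes>".  Always returns to the probed
 * function via jprobe_return.
 *
 * Fix: `len' was a size_t, so the `len < 0' check for a failed copy could
 * never fire; a negative return from _stp_strncpy_from_user (its error
 * convention is assumed to be a negative value -- confirm in copy.c) would
 * wrap to a huge index and `str[len] = 0' would write far outside `str'.
 * The length is now signed and clamped to the requested maximum.
 *
 * NOTE(review): the logged bytes are raw data written by the shell and may
 * contain sensitive terminal traffic; they end up in the kernel log, which
 * is commonly readable by unprivileged users unless dmesg is restricted. */
asmlinkage ssize_t inst_sys_write (unsigned int fd, const char __user * buf, size_t count)
{
  enum { SNOOP_MAX_BYTES = 64 };   /* bytes of the payload to report */
  long len;                        /* signed: negative means copy failure */
  char str[256];

  _stp_map_key_long (pids, current->pid);
  if (_stp_map_get_int64 (pids))
    {
      len = count < SNOOP_MAX_BYTES ? (long) count : SNOOP_MAX_BYTES;
      len = _stp_strncpy_from_user (str, buf, len);
      /* copy failed, or the helper reported more than was requested:
         log an empty string rather than index past the copied bytes */
      if (len < 0 || len > SNOOP_MAX_BYTES)
	len = 0;
      str[len] = 0;
      dlog ("%d\t%d\t%s\tW %s\n", current->pid, current->parent->pid, current->comm, str);
    }

  jprobe_return();
  return 0;
}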

/* The four jprobes this module arms.  Each entry pairs a kernel function
 * with the inst_* handler above that mirrors its signature.  The symbol
 * name is stored in kp.addr as a string; presumably _stp_register_jprobes
 * resolves it to an address before registration (see probes.c). */
static struct jprobe dtr_probes[] = {
  {
    .kp.addr = (kprobe_opcode_t *)"do_execve",
    .entry = (kprobe_opcode_t *) inst_do_execve
  },
  {
    .kp.addr = (kprobe_opcode_t *)"filp_open",
    .entry = (kprobe_opcode_t *) inst_filp_open
  },
  {
    .kp.addr = (kprobe_opcode_t *)"sys_read",
    .entry = (kprobe_opcode_t *) inst_sys_read
  },
  {
    .kp.addr = (kprobe_opcode_t *)"sys_write",
    .entry = (kprobe_opcode_t *) inst_sys_write
  },
};

#define MAX_DTR_ROUTINE (sizeof(dtr_probes)/sizeof(struct jprobe))

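/* Module init: allocate the pid map and the argv scratch list, then arm
 * the jprobes in dtr_probes.  Returns 0 on success or a negative errno.
 *
 * Fix: the original ignored allocation failures, leaked both maps when
 * _stp_register_jprobes failed, and printed "enabled" regardless of the
 * outcome.  On any failure everything allocated here is released, so a
 * failed load leaves nothing behind.
 *
 * NOTE(review): assumes _stp_map_new/_stp_list_new return NULL on
 * allocation failure and that _stp_map_del releases the list as well
 * (arglist is declared as a MAP) -- confirm against map.c. */
static int init_dtr(void)
{
  int ret;

  pids = _stp_map_new (10000, INT64);     /* pid -> 1 for each watched shell */
  arglist = _stp_list_new (10, STRING);   /* scratch list for argv copies */
  if (!pids || !arglist)
    {
      ret = -ENOMEM;
      goto fail;
    }

  ret = _stp_register_jprobes (dtr_probes, MAX_DTR_ROUTINE);
  if (ret)
    {
      dlog("registering probes failed: %d\n", ret);
      goto fail;
    }

  dlog("instrumentation is enabled...\n");
  return 0;

 fail:
  /* the NULL guards cover the half-allocated case */
  if (arglist)
    _stp_map_del (arglist);
  if (pids)
    _stp_map_del (pids);
  arglist = pids = NULL;
  return ret;
}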

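/* Module exit: disarm the jprobes, then free both maps.
 *
 * Fix: the original freed only `pids'; `arglist' (allocated in init_dtr)
 * was leaked on every unload.  Probes are unregistered before the maps are
 * freed, presumably so no handler can still be using them (the
 * synchronisation is _stp_unregister_jprobes' job -- see probes.c).
 *
 * NOTE(review): assumes _stp_map_del releases the list as well (arglist
 * is declared as a MAP) -- confirm against map.c. */
static void cleanup_dtr(void)
{
  _stp_unregister_jprobes (dtr_probes, MAX_DTR_ROUTINE);
  if (arglist)
    _stp_map_del (arglist);
  if (pids)
    _stp_map_del (pids);
  arglist = pids = NULL;
  dlog("EXIT\n");
}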

module_init(init_dtr);
module_exit(cleanup_dtr);
MODULE_LICENSE("GPL");