path: root/tapset/LKET/process.stp
// Copyright (C) 2005, 2006 IBM Corp.
//
// This file is part of systemtap, and is free software.  You can
// redistribute it and/or modify it under the terms of the GNU General
// Public License (GPL); either version 2, or (at your option) any
// later version.

/*
 * Record the name of the newly created process for an execve event.
 *
 *   var_id  hook id forwarded to _lket_trace
 *   var     address of the name string, carried as a long
 */
function log_execve_tracedata(var_id:long, var:long)
%{
	/* NOTE(review): var is reinterpreted as a char pointer and handed to
	   the "%0s" conversion with no NULL or validity check in this
	   function. Whether _lket_trace reads it fault-tolerantly is not
	   visible here; confirm, or have the caller pass a string obtained
	   through a checked read such as kernel_string(). */
	char *name = (char *)(long)THIS->var;

	_lket_trace(_GROUP_PROCESS, THIS->var_id, "%0s", name);
%}


/*
 * Record the id of the newly forked process.
 *
 *   var_id  hook id forwarded to _lket_trace
 *   var     the new process id, carried as a long
 */
function log_fork_tracedata(var_id:long, var:long)
%{
	/* The 64-bit script value is narrowed to pid_t first and only then
	   converted to _FMT_, so the logged value is the pid_t-sized one.
	   "%4b" is presumably a 4-byte binary field; confirm against
	   _lket_trace. */
	_lket_trace(_GROUP_PROCESS, THIS->var_id, "%4b",
		(_FMT_)(pid_t)THIS->var);
%}


/************************************************************
* This function could be used to take a snapshot of all the *
* processes. It's not a probe, so the data format doesn't   *
* follow the format used by probe handlers                  *
*                                                           *
* For every task reached on the kernel task list it emits   *
* one record holding the pid and the command name, then     *
* flushes the per-cpu print buffer.                         *
************************************************************/
function process_snapshot()
%{
	struct task_struct *tsk;
	struct list_head *cur, *head;
	/* NOTE(review): the cpu index is sampled once and reused for every
	   buffer access below; this assumes the caller cannot migrate to
	   another cpu during the walk. TODO confirm preemption is disabled. */
	int cpu = smp_processor_id();
	char *total_length;
	/* The walk is anchored at the calling task's own list node. */
	head = &(current->tasks);

	/* iterate all the processes, and record the pid and process
	name for each entry */
	/* NOTE(review): no tasklist lock or RCU read-side section is taken in
	   this block. If the caller does not provide one, a task exiting
	   during the walk could leave cur pointing at freed memory; confirm
	   what keeps the list stable here. */
	/* NOTE(review): list_for_each() visits every node except the head, so
	   the entry for `current` itself is never emitted. Confirm that this
	   omission is intended. */
	list_for_each(cur, head) {
		tsk = (struct task_struct *)(list_entry(cur, struct task_struct, tasks));
		_lket_trace(_GROUP_PROCESS, _HOOKID_PROCESS_SNAPSHOT, "%4b%0s", 
			(_FMT_)tsk->pid, tsk->comm);

		/* Store a 16-bit value (buffer length minus 4) at the start of this
		   cpu's print buffer. Presumably this back-fills the record's
		   length field, with 4 being header bytes that are not counted;
		   verify against _lket_trace. */
		/* NOTE(review): the store narrows to int16_t without a range check
		   and assumes the buffer start is suitably aligned for a 16-bit
		   write. */
		total_length = &_stp_pbuf[cpu][STP_PRINT_BUF_START];
		*(int16_t *)total_length = _stp_pbuf_len[cpu] - 4;
		/* Flush after every task, so each record is pushed out on its own. */
		_stp_print_flush();
	}
%}

/* Umbrella alias covering both process events (execve and fork).
   It contributes no handler code of its own. */
probe addevent.process = addevent.process.execve, addevent.process.fork
{
}

/*
 * Both do_execve (64-bit applications) and compat_do_execve (32-bit
 * applications) should be captured.
 *
 * Epilogue-style alias (+=): update_record() is appended after the
 * handler of any probe that uses this alias.
 */
probe addevent.process.execve += _addevent.process.execve
{
	update_record()
}

/* Internal prologue alias on process.exec: logs the execve event, but
   only when filter_by_pid() returns exactly 1. */
probe _addevent.process.execve = process.exec
{
	/* NOTE(review): $filename is passed on as a raw address and is
	   dereferenced by log_execve_tracedata; nothing in this handler
	   validates the pointer before it is used. */
	if (filter_by_pid() == 1)
		log_execve_tracedata(HOOKID_PROCESS_EXECVE, $filename)
}

/* Epilogue-style alias (+=): update_record() is appended after the
   handler of any probe that uses this alias. */
probe addevent.process.fork += _addevent.process.fork
{
	update_record()
}

/* Internal prologue alias on process.create: logs the fork event, but
   only when filter_by_pid() returns exactly 1. new_pid is not defined
   in this file; presumably the process.create alias supplies it
   (confirm). */
probe _addevent.process.fork = process.create
{
	if (filter_by_pid() == 1)
		log_fork_tracedata(HOOKID_PROCESS_FORK, new_pid)
}