33 lines
928 B
Plaintext
Executable File
33 lines
928 B
Plaintext
Executable File
#!/usr/bin/env bpftrace
|
|
/*
|
|
* execsnoop.bt Trace new processes via exec() syscalls.
|
|
* For Linux, uses bpftrace and eBPF.
|
|
*
|
|
* This traces when processes call exec(). It is handy for identifying new
|
|
* processes created via the usual fork()->exec() sequence. Note that the
|
|
* return value is not currently traced, so the exec() may have failed.
|
|
*
|
|
* TODO: switch to tracepoints args. Support more args. Include retval.
|
|
*
|
|
* This is a bpftrace version of the bcc tool of the same name.
|
|
*
|
|
* 15-Nov-2017 Brendan Gregg Created this.
|
|
* 11-Sep-2018 " " Switched to use join().
|
|
*/
|
|
|
|
#ifndef BPFTRACE_HAVE_BTF
|
|
#include <linux/sched.h>
|
|
#endif
|
|
|
|
BEGIN
|
|
{
|
|
printf("%-15s %-7s %-7s %s\n", "TIME", "PID", "PPID", "ARGS");
|
|
}
|
|
|
|
tracepoint:syscalls:sys_enter_exec*
|
|
{
|
|
$task = (struct task_struct *)curtask;
|
|
printf("%15s %-7d %-7d ", strftime("%H:%M:%S.%f", nsecs), pid, $task->real_parent->pid);
|
|
join(args.argv);
|
|
}
|