#!/bin/bash## execsnoop - trace process exec() with arguments.#

1. #!/bin/bash
2. #
3. # execsnoop - trace process exec() with arguments.
4. # Written using Linux ftrace.
5. #
6. # This shows the execution of new processes, especially short-lived ones that
7. # can be missed by sampling tools such as top(1).
8. #
9. # USAGE: ./execsnoop [-hrt] [-n name]
10. #
11. # REQUIREMENTS: FTRACE and KPROBE CONFIG, sched:sched_process_fork tracepoint,
12. # and either the sys_execve, stub_execve or do_execve kernel function. You may
13. # already have these on recent kernels. And awk.
14. #
15. # This traces exec() from the fork()->exec() sequence, which means it won't
16. # catch new processes that only fork(). With the -r option, it will also catch
17. # processes that re-exec. It makes a best-effort attempt to retrieve the program
18. # arguments and PPID; if these are unavailable, 0 and "[?]" are printed
19. # respectively. There is also a limit to the number of arguments printed (by
20. # default, 8), which can be increased using -a.
21. #
22. # This implementation is designed to work on older kernel versions, and without
23. # kernel debuginfo. It works by dynamic tracing an execve kernel function to
24. # read the arguments from the %si register. The sys_execve function is tried
25. # first, then stub_execve and do_execve. The sched:sched_process_fork
26. # tracepoint is used to get the PPID. This program is a workaround that should be
27. # improved in the future when other kernel capabilities are made available. If
28. # you need a more reliable tool now, then consider other tracing alternatives
29. # (eg, SystemTap). This tool is really a proof of concept to see what ftrace can
30. # currently do.
31. #
32. # From perf-tools: https://github.com/brendangregg/perf-tools
33. #
34. # See the execsnoop(8) man page (in perf-tools) for more info.
35. #
36. # COPYRIGHT: Copyright (c) 2014 Brendan Gregg.
37. #
38. # This program is free software; you can redistribute it and/or
39. # modify it under the terms of the GNU General Public License
40. # as published by the Free Software Foundation; either version 2
41. # of the License, or (at your option) any later version.
42. #
43. # This program is distributed in the hope that it will be useful,
44. # but WITHOUT ANY WARRANTY; without even the implied warranty of
45. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
46. # GNU General Public License for more details.
47. #
48. # You should have received a copy of the GNU General Public License
49. # along with this program; if not, write to the Free Software Foundation,
50. # Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
51. #
52. # (http://www.gnu.org/copyleft/gpl.html)
53. #
54. # 07-Jul-2014 Brendan Gregg Created this.
55.  
56. ### default variables
57. tracing=/sys/kernel/debug/tracing
58. flock=/var/tmp/.ftrace-lock; wroteflock=0
59. opt_duration=0; duration=; opt_name=0; name=; opt_time=0; opt_reexec=0
60. opt_argc=0; argc=8; max_argc=16; ftext=
61. trap ':' INT QUIT TERM PIPE HUP # sends execution to end tracing section
62.  
63. function usage {
64. cat <<-END >&2
65. USAGE: execsnoop [-hrt] [-a argc] [-d secs] [name]
66. -d seconds # trace duration, and use buffers
67. -a argc # max args to show (default 8)
68. -r # include re-execs
69. -t # include time (seconds)
70. -h # this usage message
71. name # process name to match (REs allowed)
72. eg,
73. execsnoop # watch exec()s live (unbuffered)
74. execsnoop -d 1 # trace 1 sec (buffered)
75. execsnoop grep # trace process names containing grep
76. execsnoop 'udevd$' # process names ending in "udevd"
77.  
78. See the man page and example file for more info.
79. END
80. exit
81. }
82.  
83. function warn {
84. if ! eval "$@"; then
85. echo >&2 "WARNING: command failed \"$@\""
86. fi
87. }
88.  
89. function end {
90. # disable tracing
91. echo 2>/dev/null
92. echo "Ending tracing..." 2>/dev/null
93. cd $tracing
94. warn "echo 0 > events/kprobes/$kname/enable"
95. warn "echo 0 > events/sched/sched_process_fork/enable"
96. warn "echo -:$kname >> kprobe_events"
97. warn "echo > trace"
98. (( wroteflock )) && warn "rm $flock"
99. }
100.  
101. function die {
102. echo >&2 "$@"
103. exit 1
104. }
105.  
106. function edie {
107. # die with a quiet end()
108. echo >&2 "$@"
109. exec >/dev/null 2>&1
110. end
111. exit 1
112. }
113.  
114. ### process options
115. while getopts a:d:hrt opt
116. do
117. case $opt in
118. a) opt_argc=1; argc=$OPTARG ;;
119. d) opt_duration=1; duration=$OPTARG ;;
120. r) opt_reexec=1 ;;
121. t) opt_time=1 ;;
122. h|?) usage ;;
123. esac
124. done
125. shift $(( $OPTIND - 1 ))
126. if (( $# )); then
127. opt_name=1
128. name=$1
129. shift
130. fi
131. (( $# )) && usage
132.  
133. ### option logic
134. (( opt_pid && opt_name )) && die "ERROR: use either -p or -n."
135. (( opt_pid )) && ftext=" issued by PID $pid"
136. (( opt_name )) && ftext=" issued by process name \"$name\""
137. (( opt_file )) && ftext="$ftext for filenames containing \"$file\""
138. (( opt_argc && argc > max_argc )) && die "ERROR: max -a argc is $max_argc."
139. if (( opt_duration )); then
140. echo "Tracing exec()s$ftext for $duration seconds (buffered)..."
141. else
142. echo "Tracing exec()s$ftext. Ctrl-C to end."
143. fi
144.  
145. ### select awk
146. if (( opt_duration )); then
147. [[ -x /usr/bin/mawk ]] && awk=mawk || awk=awk
148. else
149. # workarounds for mawk/gawk fflush behavior
150. if [[ -x /usr/bin/gawk ]]; then
151. awk=gawk
152. elif [[ -x /usr/bin/mawk ]]; then
153. awk="mawk -W interactive"
154. else
155. awk=awk
156. fi
157. fi
158.  
159. ### check permissions
160. cd $tracing || die "ERROR: accessing tracing. Root user? Kernel has FTRACE?
161. debugfs mounted? (mount -t debugfs debugfs /sys/kernel/debug)"
162.  
163. ### ftrace lock
164. [[ -e $flock ]] && die "ERROR: ftrace may be in use by PID $(cat $flock) $flock"
165. echo $$ > $flock || die "ERROR: unable to write $flock."
166. wroteflock=1
167.  
168. ### build probe
169. if [[ -x /usr/bin/getconf ]]; then
170. bits=$(getconf LONG_BIT)
171. else
172. bits=64
173. [[ $(uname -m) == i* ]] && bits=32
174. fi
175. (( offset = bits / 8 ))
176. function makeprobe {
177. func=$1
178. kname=execsnoop_$func
179. kprobe="p:$kname $func"
180. i=0
181. while (( i < argc + 1 )); do
182. # p:kname do_execve +0(+0(%si)):string +0(+8(%si)):string ...
183. kprobe="$kprobe +0(+$(( i * offset ))(%si)):string"
184. (( i++ ))
185. done
186. }
187. # try in this order: sys_execve, stub_execve, do_execve
188. makeprobe sys_execve
189.  
190. ### setup and begin tracing
191. echo nop > current_tracer
192. if ! echo $kprobe >> kprobe_events 2>/dev/null; then
193. makeprobe stub_execve
194. if ! echo $kprobe >> kprobe_events 2>/dev/null; then
195. makeprobe do_execve
196. if ! echo $kprobe >> kprobe_events 2>/dev/null; then
197. edie "ERROR: adding a kprobe for execve. Exiting."
198. fi
199. fi
200. fi
201. if ! echo 1 > events/kprobes/$kname/enable; then
202. edie "ERROR: enabling kprobe for execve. Exiting."
203. fi
204. if ! echo 1 > events/sched/sched_process_fork/enable; then
205. edie "ERROR: enabling sched:sched_process_fork tracepoint. Exiting."
206. fi
207. echo "Instrumenting $func"
208. (( opt_time )) && printf "%-16s " "TIMEs"
209. printf "%6s %6s %s\n" "PID" "PPID" "ARGS"
210.  
211. #
212. # Determine output format. It may be one of the following (newest first):
213. # TASK-PID CPU# |||| TIMESTAMP FUNCTION
214. # TASK-PID CPU# TIMESTAMP FUNCTION
215. # To differentiate between them, the number of header fields is counted,
216. # and an offset set, to skip the extra column when needed.
217. #
218. offset=$($awk 'BEGIN { o = 0; }
219. $1 == "#" && $2 ~ /TASK/ && NF == 6 { o = 1; }
220. $2 ~ /TASK/ { print o; exit }' trace)
221.  
222. ### print trace buffer
223. warn "echo > trace"
224. ( if (( opt_duration )); then
225. # wait then dump buffer
226. sleep $duration
227. cat -v trace
228. else
229. # print buffer live
230. cat -v trace_pipe
231. fi ) | $awk -v o=$offset -v opt_name=$opt_name -v name=$name \
232. -v opt_duration=$opt_duration -v opt_time=$opt_time -v kname=$kname \
233. -v opt_reexec=$opt_reexec '
234. # common fields
235. $1 != "#" {
236. # task name can contain dashes
237. comm = pid = $1
238. sub(/-[0-9][0-9]*/, "", comm)
239. sub(/.*-/, "", pid)
240. }
241.  
242. $1 != "#" && $(4+o) ~ /sched_process_fork/ {
243. cpid=$0
244. sub(/.* child_pid=/, "", cpid)
245. sub(/ .*/, "", cpid)
246. getppid[cpid] = pid
247. delete seen[pid]
248. }
249.  
250. $1 != "#" && $(4+o) ~ kname {
251. if (seen[pid])
252. next
253. if (opt_name && comm !~ name)
254. next
255.  
256. #
257. # examples:
258. # ... arg1="/bin/echo" arg2="1" arg3="2" arg4="3" ...
259. # ... arg1="sleep" arg2="2" arg3=(fault) arg4="" ...
260. # ... arg1="" arg2=(fault) arg3="" arg4="" ...
261. # the last example is uncommon, and may be a race.
262. #
263. if ($0 ~ /arg1=""/) {
264. args = comm " [?]"
265. } else {
266. args=$0
267. sub(/ arg[0-9]*=\(fault\).*/, "", args)
268. sub(/.*arg1="/, "", args)
269. gsub(/" arg[0-9]*="/, " ", args)
270. sub(/"$/, "", args)
271. if ($0 !~ /\(fault\)/)
272. args = args " [...]"
273. }
274.  
275. if (opt_time) {
276. time = $(3+o); sub(":", "", time)
277. printf "%-16s ", time
278. }
279. printf "%6s %6d %s\n", pid, getppid[pid], args
280. if (!opt_duration)
281. fflush()
282. if (!opt_reexec) {
283. seen[pid] = 1
284. delete getppid[pid]
285. }
286. }
287.  
288. $0 ~ /LOST.*EVENT[S]/ { print "WARNING: " $0 > "/dev/stderr" }
289. '
290.  
291. ### end tracing
292. end