#!/bin/bash # # execsnoop - trace process exec() with arguments. # Written using Linux ftrace. # # This shows the execution of new processes, especially short-lived ones that # can be missed by sampling tools such as top(1). # # USAGE: ./execsnoop [-hrt] [-n name] # # REQUIREMENTS: FTRACE and KPROBE CONFIG, sched:sched_process_fork tracepoint, # and either the sys_execve, stub_execve or do_execve kernel function. You may # already have these on recent kernels. And awk. # # This traces exec() from the fork()->exec() sequence, which means it won't # catch new processes that only fork(). With the -r option, it will also catch # processes that re-exec. It makes a best-effort attempt to retrieve the program # arguments and PPID; if these are unavailable, 0 and "[?]" are printed # respectively. There is also a limit to the number of arguments printed (by # default, 8), which can be increased using -a. # # This implementation is designed to work on older kernel versions, and without # kernel debuginfo. It works by dynamic tracing an execve kernel function to # read the arguments from the %si register. The sys_execve function is tried # first, then stub_execve and do_execve. The sched:sched_process_fork # tracepoint is used to get the PPID. This program is a workaround that should be # improved in the future when other kernel capabilities are made available. If # you need a more reliable tool now, then consider other tracing alternatives # (eg, SystemTap). This tool is really a proof of concept to see what ftrace can # currently do. # # From perf-tools: https://github.com/brendangregg/perf-tools # # See the execsnoop(8) man page (in perf-tools) for more info. # # COPYRIGHT: Copyright (c) 2014 Brendan Gregg. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software Foundation, # Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. # # (http://www.gnu.org/copyleft/gpl.html) # # 07-Jul-2014 Brendan Gregg Created this. ### default variables setglobal tracing = '/sys/kernel/debug/tracing' setglobal flock = '/var/tmp/.ftrace-lock'; setglobal wroteflock = '0' setglobal opt_duration = '0'; setglobal duration = ''; setglobal opt_name = '0'; setglobal name = ''; setglobal opt_time = '0'; setglobal opt_reexec = '0' setglobal opt_argc = '0'; setglobal argc = '8'; setglobal max_argc = '16'; setglobal ftext = '' trap ':' INT QUIT TERM PIPE HUP # sends execution to end tracing section proc usage { cat << """ >&2 USAGE: execsnoop [-hrt] [-a argc] [-d secs] [name] -d seconds # trace duration, and use buffers -a argc # max args to show (default 8) -r # include re-execs -t # include time (seconds) -h # this usage message name # process name to match (REs allowed) eg, execsnoop # watch exec()s live (unbuffered) execsnoop -d 1 # trace 1 sec (buffered) execsnoop grep # trace process names containing grep execsnoop 'log$' # filenames ending in "log" See the man page and example file for more info. """ > !2 USAGE: execsnoop [-hrt] [-a argc] [-d secs] [name] -d seconds # trace duration, and use buffers -a argc # max args to show (default 8) -r # include re-execs -t # include time (seconds) -h # this usage message name # process name to match (REs allowed) eg, execsnoop # watch exec()s live (unbuffered) execsnoop -d 1 # trace 1 sec (buffered) execsnoop grep # trace process names containing grep execsnoop 'log$' # filenames ending in "log" See the man page and example file for more info. END exit } proc warn { if ! eval @Argv { echo >&2 "WARNING: command failed \"$ifsjoin(Argv)> !2 "WARNING: command failed \"$@\"" } } proc end { # disable tracing echo !2 >/dev/null echo "Ending tracing..." !2 >/dev/null cd $tracing warn "echo 0 > events/kprobes/$kname/enable" warn "echo 0 > events/sched/sched_process_fork/enable" warn "echo -:$kname >> kprobe_events" warn "echo > trace" sh-expr ' wroteflock ' && warn "rm $flock" } proc die { echo >&2 @Argv> !2 "$@" exit 1 } proc edie { # die with a quiet end() echo >&2 @Argv> !2 "$@" exec >/dev/null !2 > !1 end exit 1 } ### process options while getopts a:d:hrt opt { match $opt { with a setglobal opt_argc = '1'; setglobal argc = $OPTARG with d setglobal opt_duration = '1'; setglobal duration = $OPTARG with r setglobal opt_reexec = '1' with t setglobal opt_time = '1' with h|? usage } } shift $shExpr(' $OPTIND - 1 ') if sh-expr ' $# ' { setglobal opt_name = '1' setglobal name = $1 shift } sh-expr ' $# ' && usage ### option logic sh-expr ' opt_pid && opt_name ' && die "ERROR: use either -p or -n." sh-expr ' opt_pid ' && setglobal ftext = "" issued by PID $pid"" sh-expr ' opt_name ' && setglobal ftext = "" issued by process name \"$name"\"" sh-expr ' opt_file ' && setglobal ftext = ""$ftext for filenames containing \"$file"\"" sh-expr ' opt_argc && argc > max_argc ' && die "ERROR: max -a argc is $max_argc." if sh-expr ' opt_duration ' { echo "Tracing exec()s$ftext for $duration seconds (buffered)..." } else { echo "Tracing exec()s$ftext. Ctrl-C to end." } ### select awk if sh-expr ' opt_duration ' { [[ -x /usr/bin/mawk ]] && setglobal awk = 'mawk' || setglobal awk = 'awk' } else { # workarounds for mawk/gawk fflush behavior if [[ -x /usr/bin/gawk ]] { setglobal awk = 'gawk' } elif [[ -x /usr/bin/mawk ]] { setglobal awk = '"mawk -W interactive'" } else { setglobal awk = 'awk' } } ### check permissions cd $tracing || die "ERROR: accessing tracing. Root user? Kernel has FTRACE? debugfs mounted? (mount -t debugfs debugfs /sys/kernel/debug)" ### ftrace lock [[ -e $flock ]] && die "ERROR: ftrace may be in use by PID $[cat $flock] $flock" echo $Pid > $flock || die "ERROR: unable to write $flock." setglobal wroteflock = '1' ### build probe if [[ -x /usr/bin/getconf ]] { setglobal bits = $[getconf LONG_BIT] } else { setglobal bits = '64' [[ $(uname -m) == i* ]] && setglobal bits = '32' } sh-expr ' offset = bits / 8 ' proc makeprobe { setglobal func = $1 setglobal kname = "execsnoop_$func" setglobal kprobe = ""p:$kname $func"" setglobal i = '0' while sh-expr ' i < argc + 1 ' { # p:kname do_execve +0(+0(%si)):string +0(+8(%si)):string ... setglobal kprobe = ""$kprobe +0(+$shExpr(' i * offset ')(%si)):string"" sh-expr ' i++ ' } } # try in this order: sys_execve, stub_execve, do_execve makeprobe sys_execve ### setup and begin tracing echo nop > current_tracer if ! echo $kprobe >> kprobe_events !2 >/dev/null { makeprobe stub_execve if ! echo $kprobe >> kprobe_events !2 >/dev/null { makeprobe do_execve if ! echo $kprobe >> kprobe_events !2 >/dev/null { edie "ERROR: adding a kprobe for execve. Exiting." } } } if ! echo 1 > events/kprobes/$kname/enable { edie "ERROR: enabling kprobe for execve. Exiting." } if ! echo 1 > events/sched/sched_process_fork/enable { edie "ERROR: enabling sched:sched_process_fork tracepoint. Exiting." } echo "Instrumenting $func" sh-expr ' opt_time ' && printf "%-16s " "TIMEs" printf "%6s %6s %s\n" "PID" "PPID" "ARGS" # # Determine output format. It may be one of the following (newest first): # TASK-PID CPU# |||| TIMESTAMP FUNCTION # TASK-PID CPU# TIMESTAMP FUNCTION # To differentiate between them, the number of header fields is counted, # and an offset set, to skip the extra column when needed. # setglobal offset = $[$awk 'BEGIN { o = 0; } $1 == "#" && $2 ~ /TASK/ && NF == 6 { o = 1; } $2 ~ /TASK/ { print o; exit }' trace] ### print trace buffer warn "echo > trace" shell { if sh-expr ' opt_duration ' { # wait then dump buffer sleep $duration cat -v trace } else { # print buffer live cat -v trace_pipe } } | $awk -v o=$offset -v opt_name=$opt_name -v name=$name \ -v opt_duration=$opt_duration -v opt_time=$opt_time -v kname=$kname \ -v opt_reexec=$opt_reexec ' # common fields $1 != "#" { # task name can contain dashes comm = pid = $1 sub(/-[0-9][0-9]*/, "", comm) sub(/.*-/, "", pid) } $1 != "#" && $(4+o) ~ /sched_process_fork/ { cpid=$0 sub(/.* child_pid=/, "", cpid) sub(/ .*/, "", cpid) getppid[cpid] = pid delete seen[pid] } $1 != "#" && $(4+o) ~ kname { if (seen[pid]) next if (opt_name && comm !~ name) next # # examples: # ... arg1="/bin/echo" arg2="1" arg3="2" arg4="3" ... # ... arg1="sleep" arg2="2" arg3=(fault) arg4="" ... # ... arg1="" arg2=(fault) arg3="" arg4="" ... # the last example is uncommon, and may be a race. # if ($0 ~ /arg1=""/) { args = comm " [?]" } else { args=$0 sub(/ arg[0-9]*=\(fault\).*/, "", args) sub(/.*arg1="/, "", args) gsub(/" arg[0-9]*="/, " ", args) sub(/"$/, "", args) if ($0 !~ /\(fault\)/) args = args " [...]" } if (opt_time) { time = $(3+o); sub(":", "", time) printf "%-16s ", time } printf "%6s %6d %s\n", pid, getppid[pid], args if (!opt_duration) fflush() if (!opt_reexec) { seen[pid] = 1 delete getppid[pid] } } $0 ~ /LOST.*EVENT[S]/ { print "WARNING: " $0 > "/dev/stderr" } ' ### end tracing end