larytet · July 7, 2017 03:17
diff --git a/exec.stp b/exec.stp
 probe kprocess.exec
 {
 	%{HIT_MAP_INC(HIT_MAP_KPROCESS_EXEC)%}
 	tid = tid()
 	if (stringat(filename,0) == 0x22) // filename starts with a quotation mark
 	{
 		MAP_SYSCALL_EXEC_NAME[tid] = filename 
 		MAP_SYSCALL_EXEC_ARGV[tid] = args
 	}
 	else  // failed to recog the filename, trigger do_execve
 	{
 		%{HIT_MAP_INC(HIT_MAP_KPROCESS_EXEC_MISS)%}
 		MAP_SYSCALL_DOEXECV_NAME[tid] = @choose_defined($filename, $name)
 		MAP_SYSCALL_DOEXECV_ARGV[tid] = @choose_defined($__argv, $argv)
 	}
 }

 probe kernel.function("do_execve")
 {
 	%{HIT_MAP_INC(HIT_MAP_KERNEL_FUNCTION_DO_EXECVE)%}
 	
 	// see http://lxr.free-electrons.com/source/fs/exec.c#L1805 : I have filename, __argv, __envp
 	// see http://lxr.free-electrons.com/source/include/linux/fs.h#L2293
 	// I want to do something like
 	// MAP_SYSCALL_EXEC_NAME[tid] = pointer_arg(1) // @cast(pointer_arg(1), "filename", "kernel<linux/fs.h>")->name
 	// MAP_SYSCALL_EXEC_ARGV[tid] = user_string(pointer_arg(2))
 	// MAP_SYSCALL_EXEC_ENVP[tid] = user_string(pointer_arg(3))
 	// but it does not work - fails in user_string()
 	tid = tid()
 	if (tid in MAP_SYSCALL_DOEXECV_NAME)
 	{
 		%{HIT_MAP_INC(HIT_MAP_KPROCESS_DOEXECVE_HIT)%}

 		filename = user_string(MAP_SYSCALL_DOEXECV_NAME[tid])
 		args = __get_argv(MAP_SYSCALL_DOEXECV_ARGV[tid], 0)
 		MAP_SYSCALL_EXEC_NAME[tid] = filename
 		MAP_SYSCALL_EXEC_ARGV[tid] = args
 	}
 }

 function send_syscall_exec(name, argv)
 %{
 	sendIncidentChars2(INCIDENT_TYPE_KPROCESS_EXEC, (u8*)STAP_ARG_name, (u8*)STAP_ARG_argv);
 %}

 probe kprocess.exec_complete
 {
 	%{HIT_MAP_INC(HIT_MAP_KPROCESS_EXEC_COMPLETE)%}
 	if ($return >= 0)
 	{
 		%{HIT_MAP_INC(HIT_MAP_KPROCESS_EXEC_OK)%}
 		tid = tid()
 		send_syscall_exec(MAP_SYSCALL_EXEC_NAME[tid], MAP_SYSCALL_EXEC_ARGV[tid])
 	}
 	else
 	{
 		%{HIT_MAP_INC(HIT_MAP_KPROCESS_EXEC_ERR)%}
 	}
 }
	probe kprocess.exec
	{
	%{HIT_MAP_INC(HIT_MAP_KPROCESS_EXEC)%}
	tid = tid()
	if (stringat(filename,0) == 0x22) // filename starts with a quotation mark
	{
	MAP_SYSCALL_EXEC_NAME[tid] = filename
	MAP_SYSCALL_EXEC_ARGV[tid] = args
	}
	else // failed to recog the filename, trigger do_execve
	{
	%{HIT_MAP_INC(HIT_MAP_KPROCESS_EXEC_MISS)%}
	MAP_SYSCALL_DOEXECV_NAME[tid] = @choose_defined($filename, $name)
	MAP_SYSCALL_DOEXECV_ARGV[tid] = @choose_defined($__argv, $argv)
	}
	}

	probe kernel.function("do_execve")
	{
	%{HIT_MAP_INC(HIT_MAP_KERNEL_FUNCTION_DO_EXECVE)%}

	// see http://lxr.free-electrons.com/source/fs/exec.c#L1805 : I have filename, __argv, __envp
	// see http://lxr.free-electrons.com/source/include/linux/fs.h#L2293
	// I want to do something like
	// MAP_SYSCALL_EXEC_NAME[tid] = pointer_arg(1) // @cast(pointer_arg(1), "filename", "kernel<linux/fs.h>")->name
	// MAP_SYSCALL_EXEC_ARGV[tid] = user_string(pointer_arg(2))
	// MAP_SYSCALL_EXEC_ENVP[tid] = user_string(pointer_arg(3))
	// but it does not work - fails in user_string()
	tid = tid()
	if (tid in MAP_SYSCALL_DOEXECV_NAME)
	{
	%{HIT_MAP_INC(HIT_MAP_KPROCESS_DOEXECVE_HIT)%}

	filename = user_string(MAP_SYSCALL_DOEXECV_NAME[tid])
	args = __get_argv(MAP_SYSCALL_DOEXECV_ARGV[tid], 0)
	MAP_SYSCALL_EXEC_NAME[tid] = filename
	MAP_SYSCALL_EXEC_ARGV[tid] = args
	}
	}

	function send_syscall_exec(name, argv)
	%{
	sendIncidentChars2(INCIDENT_TYPE_KPROCESS_EXEC, (u8)STAP_ARG_name, (u8)STAP_ARG_argv);
	%}

	probe kprocess.exec_complete
	{
	%{HIT_MAP_INC(HIT_MAP_KPROCESS_EXEC_COMPLETE)%}
	if ($return >= 0)
	{
	%{HIT_MAP_INC(HIT_MAP_KPROCESS_EXEC_OK)%}
	tid = tid()
	send_syscall_exec(MAP_SYSCALL_EXEC_NAME[tid], MAP_SYSCALL_EXEC_ARGV[tid])
	}
	else
	{
	%{HIT_MAP_INC(HIT_MAP_KPROCESS_EXEC_ERR)%}
	}
	}