%( kernel_v < "3.7" %? # execve _____________________________________________________ # # In kernels < 3.7, sys_execve() was in arch-specific code (and had # varying arguments). It was just a wrapper around generic # do_execve(), but the wrapper could error out before calling # do_execve(). So, we'll have to handle it in arch-specific tapset # code to catch all calls. # # int sys_execve(unsigned long a0, unsigned long a1, unsigned long a2, # unsigned long a3, unsigned long a4, unsigned long a5, # struct pt_regs *regs) @define _SYSCALL_EXECVE_NAME %( name = "execve" %) @define _SYSCALL_EXECVE_ARGSTR %( argstr = sprintf("%s, %s, %s", filename, args, env_str) %) probe syscall.execve = dw_syscall.execve !, nd_syscall.execve {} probe syscall.execve.return = dw_syscall.execve.return !, nd_syscall.execve.return {} # dw_execve _____________________________________________________ probe dw_syscall.execve = kernel.function("sys_execve").call { @_SYSCALL_EXECVE_NAME filename = user_string_quoted($a0) args = __get_argv($a1, 0) env_str = __get_argv($a2, 0) @_SYSCALL_EXECVE_ARGSTR } probe dw_syscall.execve.return = kernel.function("sys_execve").return { @_SYSCALL_EXECVE_NAME @SYSC_RETVALSTR($return) } # nd_execve _____________________________________________________ probe nd_syscall.execve = kprobe.function("sys_execve") { @_SYSCALL_EXECVE_NAME filename = user_string_quoted(pointer_arg(1)) args = __get_argv(pointer_arg(2), 0) env_str = __get_argv(pointer_arg(3), 0) @_SYSCALL_EXECVE_ARGSTR } probe nd_syscall.execve.return = kprobe.function("sys_execve").return { @_SYSCALL_EXECVE_NAME @SYSC_RETVALSTR(returnval()) } # # In kernels < 3.7, sys_execve() was in arch-specific code (and had # varying arguments). It was just a wrapper around generic # do_execve(), but the wrapper could error out before calling # do_execve(). So, we'll have to handle it in arch-specific tapset # code to catch all calls. # execve _____________________________________________________ # # long compat_sys_execve(unsigned long a0, unsigned long a1, unsigned long a2, # unsigned long a3, unsigned long a4, unsigned long a5, # struct pt_regs *regs) probe syscall.compat_execve = dw_syscall.compat_execve !, nd_syscall.compat_execve ? {} probe syscall.compat_execve.return = dw_syscall.compat_execve.return !, nd_syscall.compat_execve.return ? {} # dw_compat_execve _____________________________________________________ probe dw_syscall.compat_execve = kernel.function("compat_sys_execve").call ? { @_SYSCALL_EXECVE_NAME filename = user_string_quoted($a0) args = __get_compat_argv($a1, 0) env_str = __get_compat_argv($a2, 0) @_SYSCALL_EXECVE_ARGSTR } probe dw_syscall.compat_execve.return = kernel.function("compat_sys_execve").return ? { @_SYSCALL_EXECVE_NAME @SYSC_RETVALSTR($return) } # nd_compat_execve _____________________________________________________ probe nd_syscall.compat_execve = kprobe.function("compat_sys_execve") ? { @_SYSCALL_EXECVE_NAME filename = user_string_quoted(pointer_arg(1)) args = __get_compat_argv(pointer_arg(2), 0) env_str = __get_compat_argv(pointer_arg(3), 0) @_SYSCALL_EXECVE_ARGSTR } probe nd_syscall.compat_execve.return = kprobe.function("compat_sys_execve").return ? { @_SYSCALL_EXECVE_NAME @SYSC_RETVALSTR(returnval()) } %)