execve-printer

README

execve-printer

The program is attached to the sys_enter_execve tracepoint, which is a special point in the kernel's execution where the execve() system call is entered. When the execve() system call is invoked, this eBPF program will execute and print a message to the kernel log using the bpf_printk() function. This program stops when you hit Ctrl+c.

Usage

make build
sudo ./execve-printer 
           <...>-1074677 [001] d...1 506309.848867: bpf_trace_printk: invoke sys_enter_execve

           <...>-1074678 [001] d...1 506309.853706: bpf_trace_printk: invoke sys_enter_execve

            node-1074680 [000] d...1 506310.736524: bpf_trace_printk: invoke sys_enter_execve

           <...>-1074681 [001] d...1 506310.737897: bpf_trace_printk: invoke sys_enter_execve

            node-1074682 [000] d...1 506310.740691: bpf_trace_printk: invoke sys_enter_execve

              sh-1074683 [000] d...1 506310.743042: bpf_trace_printk: invoke sys_enter_execve

            node-1074684 [000] d...1 506310.755259: bpf_trace_printk: invoke sys_enter_execve

           <...>-1074685 [001] d...1 506310.756726: bpf_trace_printk: invoke sys_enter_execve

     cpuUsage.sh-1074686 [000] d...1 506310.758702: bpf_trace_printk: invoke sys_enter_execve

Implementation

1. See /sys/kernel/debug/tracing/events to find available tracepoints.
2. Write the C program which is attached to the sys_enter_execve tracepoint and prints a message when the execve() is invoked.
3. Run make generate to compiles a C source code into eBPF bytecode and then emits a Go file containing the eBPF.
4. Scan /sys/kernel/debug/tracing/trace_pipe to print kernel logs using bpf_printk().