README
¶
execve-printer
The program is attached to the sys_enter_execve tracepoint, which is a special point in the kernel's execution where the execve() system call is entered.
When the execve() system call is invoked, this eBPF program will execute and print a message to the kernel log using the bpf_printk() function.
This program stops when you hit Ctrl+c.
Usage
make build
sudo ./execve-printer
<...>-1074677 [001] d...1 506309.848867: bpf_trace_printk: invoke sys_enter_execve
<...>-1074678 [001] d...1 506309.853706: bpf_trace_printk: invoke sys_enter_execve
node-1074680 [000] d...1 506310.736524: bpf_trace_printk: invoke sys_enter_execve
<...>-1074681 [001] d...1 506310.737897: bpf_trace_printk: invoke sys_enter_execve
node-1074682 [000] d...1 506310.740691: bpf_trace_printk: invoke sys_enter_execve
sh-1074683 [000] d...1 506310.743042: bpf_trace_printk: invoke sys_enter_execve
node-1074684 [000] d...1 506310.755259: bpf_trace_printk: invoke sys_enter_execve
<...>-1074685 [001] d...1 506310.756726: bpf_trace_printk: invoke sys_enter_execve
cpuUsage.sh-1074686 [000] d...1 506310.758702: bpf_trace_printk: invoke sys_enter_execve
Implementation
- See
/sys/kernel/debug/tracing/eventsto find available tracepoints. - Write the C program which is attached to the
sys_enter_execvetracepoint and prints a message when theexecve()is invoked. - Run
make generateto compiles a C source code into eBPF bytecode and then emits a Go file containing the eBPF. - Scan
/sys/kernel/debug/tracing/trace_pipeto print kernel logs usingbpf_printk().
Documentation
Source Files
Click to show internal directories.
Click to hide internal directories.