PROBEVUE: EXECVE() WITH ARGUMENTS AND ENVIRONMENT
This small probevue script shows how to trace 'execve()' calls together with the arguments and environment passed to the executed program.
The script tracks 'execve()' calls performed by a given process only. The 'when' filter in the 'execve()' probe can be changed to anything else, such as an executable name, a pid or some other condition. It is not advised, however, to remove the filter completely, as doing so would trace every 'execve()' call performed by every process on the machine.
This small example tracks 'execve()' calls performed by any executable named 'db2sysc'. The script must be run as root, like this:
# probevue -s 8 -o execve3.out execve3.pb
You can simply interrupt the script when you are done. The result is stored in a file called 'execve3.out' and will look like this:
[db2sysc - 15401286 - 31916419] execve(/home/dalla/sqllib/bin/db2vend)
av[0]: db2vend (PD Vendor Process - 258)
av[1]: 3
av[2]: /home/dalla/sqllib/db2dump/DIAG0000/
av[3]: 0
av[4]: 780000000000000,780000000000000,6f50000,33c00435,0,0
av[5]: 540431955306975648
ev[0]: DB2LIB=/home/dalla/sqllib/lib
ev[1]: DB2_TOOLS_BIN=
ev[2]: DB2_HOME=/home/dalla/sqllib
ev[3]: db2trc=/home/dalla/build/cur/common/db2trc
ev[4]: HOME=/home/dalla
ev[5]: PWD=/home/dalla/tmp
ev[6]: TZ=EST5EDT
ev[7]: DB2COMM=TCPIP
[db2sysc - 19464572 - 74187157] execve(/home/dalla/sqllib/bin/db2fmp)
av[0]: db2fmp
av[1]: 1,0,0,0,1,0,0,0,0000,1,0,995bc4,14,1e014,2,0,1,41fc0,
780000010000000,780000010000000,1600000,1fc0042
b,2,900049c
ev[0]: DB2LIB=/home/dalla/sqllib/lib
ev[1]: DB2_TOOLS_BIN=
ev[2]: DB2_HOME=/home/dalla/sqllib
ev[3]: db2trc=/home/dalla/build/cur/common/db2trc
ev[4]: HOME=/home/dalla
ev[5]: PWD=/home/dalla/tmp
ev[6]: TZ=EST5EDT
ev[7]: DB2COMM=TCPIP
The script follows. Note that since probevue has no 'while'/'for' loop construct, the values have to be handled one by one.
/*
* execve3.pb: Print the arguments, including ev, when execve()'ing.
*
* Run as user 'root' using the following command line:
*
* probevue -s 8 -o execve3.out execve3.pb
*
*
* dalla
*/
/*
 * Prototype of the traced system call.  NOTE(review): presumably needed so
 * that probevue can type the probe's __arg1..__arg3 -- confirm against the
 * probevue documentation.  'av' and 'ep' are declared as plain pointers
 * here; the probe body copies them out as arrays of user pointers with
 * copy_userdata() rather than dereferencing them directly.
 */
int execve(char *path, char *av, char *ep);
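/*
 * execve() entry probe.
 *
 * Filters on the process name so that only execve() calls issued by
 * 'db2sysc' are reported.  The text above and the sample output both use
 * that name, while the published listing compared against "db2"; the
 * literal is aligned with the documented behaviour here.  Change the
 * 'when' clause to trace another process, but keep a filter: without one
 * every execve() on the machine is recorded.
 *
 * Probevue has no 'while'/'for' loop, so the argument vector av[] and the
 * environment vector ev[] are walked one entry at a time: at most 8
 * entries of each are read, and each string is truncated to 256 bytes.
 * Walking stops at the first NULL entry, which is the terminator of both
 * vectors.
 *
 * The output reproduces the complete environment handed to the new
 * program.  Environments routinely carry credentials (passwords, tokens,
 * connection strings), so treat the -o output file as sensitive and keep
 * it readable by root only.
 */
@@syscall:*:execve:entry
when (__pname == "db2sysc")
{
    __auto String buf[256];     /* scratch copy of one user string */
    __auto long long *addr[8];  /* first 8 user pointers of av[] or ev[] */
    __auto void *ptr;

    /*
     * Print the call: process name, pid, tid and the path being executed.
     */
    buf = get_userstring((void *) __arg1, 256);
    printf("[%s - %d - %d] execve(%s)\n", __pname, __pid, __tid, buf);

    /*
     * av[]: copy the first 8 pointers out of user space in one go, then
     * fetch and print each string until a NULL pointer is met.
     */
    copy_userdata(__arg2, addr);
    ptr = (void *) addr[0];
    if (ptr) { /* av[0] */
        buf = get_userstring(ptr, 256);
        printf("av[0]: %s\n", buf);
        ptr = (void *) addr[1];
        if (ptr) { /* av[1] */
            buf = get_userstring(ptr, 256);
            printf("av[1]: %s\n", buf);
            ptr = (void *) addr[2];
            if (ptr) { /* av[2] */
                buf = get_userstring(ptr, 256);
                printf("av[2]: %s\n", buf);
                ptr = (void *) addr[3];
                if (ptr) { /* av[3] */
                    buf = get_userstring(ptr, 256);
                    printf("av[3]: %s\n", buf);
                    ptr = (void *) addr[4];
                    if (ptr) { /* av[4] */
                        buf = get_userstring(ptr, 256);
                        printf("av[4]: %s\n", buf);
                        ptr = (void *) addr[5];
                        if (ptr) { /* av[5] */
                            buf = get_userstring(ptr, 256);
                            printf("av[5]: %s\n", buf);
                            ptr = (void *) addr[6];
                            if (ptr) { /* av[6] */
                                buf = get_userstring(ptr, 256);
                                printf("av[6]: %s\n", buf);
                                ptr = (void *) addr[7];
                                if (ptr) { /* av[7] */
                                    buf = get_userstring(ptr, 256);
                                    printf("av[7]: %s\n", buf);
                                }
                            }
                        }
                    }
                }
            }
        }
    }

    /*
     * ev[]: same scheme, reusing the same 8-slot pointer array.  Entries
     * beyond the eighth are not shown.
     */
    copy_userdata(__arg3, addr);
    ptr = (void *) addr[0];
    if (ptr) { /* ev[0] */
        buf = get_userstring(ptr, 256);
        printf("ev[0]: %s\n", buf);
        ptr = (void *) addr[1];
        if (ptr) { /* ev[1] */
            buf = get_userstring(ptr, 256);
            printf("ev[1]: %s\n", buf);
            ptr = (void *) addr[2];
            if (ptr) { /* ev[2] */
                buf = get_userstring(ptr, 256);
                printf("ev[2]: %s\n", buf);
                ptr = (void *) addr[3];
                if (ptr) { /* ev[3] */
                    buf = get_userstring(ptr, 256);
                    printf("ev[3]: %s\n", buf);
                    ptr = (void *) addr[4];
                    if (ptr) { /* ev[4] */
                        buf = get_userstring(ptr, 256);
                        printf("ev[4]: %s\n", buf);
                        ptr = (void *) addr[5];
                        if (ptr) { /* ev[5] */
                            buf = get_userstring(ptr, 256);
                            printf("ev[5]: %s\n", buf);
                            ptr = (void *) addr[6];
                            if (ptr) { /* ev[6] */
                                buf = get_userstring(ptr, 256);
                                printf("ev[6]: %s\n", buf);
                                ptr = (void *) addr[7];
                                if (ptr) { /* ev[7] */
                                    buf = get_userstring(ptr, 256);
                                    printf("ev[7]: %s\n", buf);
                                }
                            }
                        }
                    }
                }
            }
        }
    }

    /* Blank line separates one execve() record from the next. */
    printf("\n");
}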