https://github.com/keisku/execve-printer

The eBPF program will execute and print a message when the `execve()` system call is invoked

ebpf golang

# execve-printer

The program is attached to the `sys_enter_execve` tracepoint, which is a special point in the kernel's execution where the `execve()` system call is entered.
When the `execve()` system call is invoked, this eBPF program will execute and print a message to the kernel log using the `bpf_printk()` function.
This program stops when you hit Ctrl+c.

## Usage

```bash
make build
sudo ./execve-printer
<...>-1074677 [001] d...1 506309.848867: bpf_trace_printk: invoke sys_enter_execve
<...>-1074678 [001] d...1 506309.853706: bpf_trace_printk: invoke sys_enter_execve
node-1074680 [000] d...1 506310.736524: bpf_trace_printk: invoke sys_enter_execve
<...>-1074681 [001] d...1 506310.737897: bpf_trace_printk: invoke sys_enter_execve
node-1074682 [000] d...1 506310.740691: bpf_trace_printk: invoke sys_enter_execve
sh-1074683 [000] d...1 506310.743042: bpf_trace_printk: invoke sys_enter_execve
node-1074684 [000] d...1 506310.755259: bpf_trace_printk: invoke sys_enter_execve
<...>-1074685 [001] d...1 506310.756726: bpf_trace_printk: invoke sys_enter_execve
cpuUsage.sh-1074686 [000] d...1 506310.758702: bpf_trace_printk: invoke sys_enter_execve
```

## Implementation

1. See `/sys/kernel/debug/tracing/events` to find available tracepoints.
2. Write the C program that is attached to the `sys_enter_execve` tracepoint and prints a message when `execve()` is invoked.
3. Run `make generate` to compile the C source into eBPF bytecode and emit a Go file that embeds it.
4. Read `/sys/kernel/debug/tracing/trace_pipe` to print the kernel log lines written by `bpf_printk()`.
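As an added example (not code from the execve-printer project), here is a Go reader for step 4: it parses the trace_pipe lines shown under Usage, anchoring the pid on the last hyphen because a task name such as `cpuUsage.sh` can itself contain one, and tallies `execve()` entries per task while ignoring lines written by other `bpf_printk()` users that share the same pipe. The message text `invoke sys_enter_execve` comes from the Usage output above; the `TraceEvent`, `ParseLine` and `CountByComm` names are mine.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"regexp"
	"strconv"
)
type TraceEvent struct {
	Comm    string // task name; "<...>" when the kernel did not record it
	PID     int
	Message string // the text passed to bpf_printk()
}

// Layout: "<comm>-<pid> [<cpu>] <flags> <ts>: bpf_trace_printk: <msg>". The comm may
// itself contain '-', so the pid is anchored on the last hyphen before the "[cpu]" field.
var lineRE = regexp.MustCompile(`^\s*(.+)-(\d+)\s+\[\d+\]\s+\S+\s+[\d.]+:\s+bpf_trace_printk:\s*(.*?)\s*$`)
func ParseLine(line string) (TraceEvent, bool) {
	m := lineRE.FindStringSubmatch(line)
	if m == nil {
		return TraceEvent{}, false // not bpf_trace_printk output
	}
	pid, _ := strconv.Atoi(m[2])
	return TraceEvent{Comm: m[1], PID: pid, Message: m[3]}, true
}

// CountByComm tallies execve() entries per task name, skipping lines written by
// other bpf_printk() users that share trace_pipe (their message text differs).
func CountByComm(r io.Reader, want string) map[string]int {
	counts := map[string]int{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		if ev, ok := ParseLine(sc.Text()); ok && ev.Message == want {
			counts[ev.Comm]++
		}
	}
	return counts
}

// Stream mode: sudo cat /sys/kernel/debug/tracing/trace_pipe | go run .
func main() {
	sc := bufio.NewScanner(os.Stdin)
	for sc.Scan() {
		if ev, ok := ParseLine(sc.Text()); ok {
			fmt.Printf("pid=%d comm=%s %s\n", ev.PID, ev.Comm, ev.Message)
		}
	}
}
```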