Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/keisku/execve-printer
The eBPF program will execute and print a message when the `execve()` system call is invoked
- Host: GitHub
- URL: https://github.com/keisku/execve-printer
- Owner: keisku
- License: apache-2.0
- Created: 2023-01-06T06:39:09.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2023-01-06T06:56:08.000Z (almost 2 years ago)
- Last Synced: 2024-10-14T14:21:15.314Z (2 months ago)
- Topics: ebpf, golang
- Language: Go
- Homepage:
- Size: 12.7 KB
- Stars: 3
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# execve-printer
The program is attached to the `sys_enter_execve` tracepoint, which is a special point in the kernel's execution where the `execve()` system call is entered.
When the `execve()` system call is invoked, this eBPF program will execute and print a message to the kernel log using the `bpf_printk()` function.
This program stops when you hit Ctrl+c.

## Usage
```bash
make build
sudo ./execve-printer
<...>-1074677 [001] d...1 506309.848867: bpf_trace_printk: invoke sys_enter_execve
<...>-1074678 [001] d...1 506309.853706: bpf_trace_printk: invoke sys_enter_execve
node-1074680 [000] d...1 506310.736524: bpf_trace_printk: invoke sys_enter_execve
<...>-1074681 [001] d...1 506310.737897: bpf_trace_printk: invoke sys_enter_execve
node-1074682 [000] d...1 506310.740691: bpf_trace_printk: invoke sys_enter_execve
sh-1074683 [000] d...1 506310.743042: bpf_trace_printk: invoke sys_enter_execve
node-1074684 [000] d...1 506310.755259: bpf_trace_printk: invoke sys_enter_execve
<...>-1074685 [001] d...1 506310.756726: bpf_trace_printk: invoke sys_enter_execve
cpuUsage.sh-1074686 [000] d...1 506310.758702: bpf_trace_printk: invoke sys_enter_execve
```

## Implementation
1. See `/sys/kernel/debug/tracing/events` to find available tracepoints.
2. Write the C program which is attached to the `sys_enter_execve` tracepoint and prints a message when the `execve()` is invoked.
3. Run `make generate` to compile the C source into eBPF bytecode and emit a Go file that embeds it.
4. Read `/sys/kernel/debug/tracing/trace_pipe` to print the messages written by `bpf_printk()`.
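Step 4 is where a defender actually consumes this program's output, so here is an added Go example (written for this page, not code from the keisku/execve-printer repository) that parses `trace_pipe` text in the layout shown under Usage into structured events and tallies `execve()` calls per task name. The embedded sample is constructed from the README's own output plus one made-up lost-events notice to exercise the skip path; the `<...>` seen in the comm column is what the tracer prints when it has no name cached for that PID, so those entries are counted under that placeholder rather than dropped.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// TraceEvent is one bpf_trace_printk record from
// /sys/kernel/debug/tracing/trace_pipe, split into its columns.
type TraceEvent struct {
	Comm      string  // task name; "<...>" when the tracer had no name cached for the PID
	PID       int
	CPU       int
	Flags     string  // irqs-off / preempt-depth column, e.g. "d...1"
	Timestamp float64 // seconds since boot
	Message   string  // the text passed to bpf_printk()
}

// traceLine matches the default trace_pipe layout:
//
//	comm-pid [cpu] flags timestamp: bpf_trace_printk: message
//
// The comm group is lazy so a task name containing '-' still splits
// at the final "-<pid>" before the CPU column.
var traceLine = regexp.MustCompile(
	`^\s*(.+?)-(\d+)\s+\[(\d+)\]\s+(\S+)\s+(\d+\.\d+):\s+bpf_trace_printk:\s+(.*)$`)

// ParseTraceLine parses a single trace_pipe line. ok is false when the
// line is not a bpf_trace_printk record (the pipe carries other notices too).
func ParseTraceLine(line string) (TraceEvent, bool) {
	m := traceLine.FindStringSubmatch(line)
	if m == nil {
		return TraceEvent{}, false
	}
	pid, _ := strconv.Atoi(m[2]) // \d+ in the pattern guarantees these parse
	cpu, _ := strconv.Atoi(m[3])
	ts, _ := strconv.ParseFloat(m[5], 64)
	return TraceEvent{Comm: m[1], PID: pid, CPU: cpu, Flags: m[4], Timestamp: ts, Message: m[6]}, true
}

// ParseTracePipe reads trace_pipe text and returns every bpf_trace_printk
// event plus the number of lines it could not parse. Skipping instead of
// aborting matters on a live pipe, where the kernel interleaves its own
// notices with the program's output.
func ParseTracePipe(r io.Reader) ([]TraceEvent, int, error) {
	var events []TraceEvent
	skipped := 0
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		if strings.TrimSpace(sc.Text()) == "" {
			continue
		}
		ev, ok := ParseTraceLine(sc.Text())
		if !ok {
			skipped++
			continue
		}
		events = append(events, ev)
	}
	return events, skipped, sc.Err()
}

// CountByComm tallies events per task name: the first question an analyst
// asks of this output is which programs are spawning children.
func CountByComm(events []TraceEvent) map[string]int {
	counts := make(map[string]int)
	for _, ev := range events {
		counts[ev.Comm]++
	}
	return counts
}

// sampleTrace is constructed from the README's Usage output; the final
// "LOST EVENTS" line is made up to show a non-event line being skipped.
const sampleTrace = `<...>-1074677 [001] d...1 506309.848867: bpf_trace_printk: invoke sys_enter_execve
<...>-1074678 [001] d...1 506309.853706: bpf_trace_printk: invoke sys_enter_execve
node-1074680 [000] d...1 506310.736524: bpf_trace_printk: invoke sys_enter_execve
<...>-1074681 [001] d...1 506310.737897: bpf_trace_printk: invoke sys_enter_execve
node-1074682 [000] d...1 506310.740691: bpf_trace_printk: invoke sys_enter_execve
sh-1074683 [000] d...1 506310.743042: bpf_trace_printk: invoke sys_enter_execve
node-1074684 [000] d...1 506310.755259: bpf_trace_printk: invoke sys_enter_execve
<...>-1074685 [001] d...1 506310.756726: bpf_trace_printk: invoke sys_enter_execve
cpuUsage.sh-1074686 [000] d...1 506310.758702: bpf_trace_printk: invoke sys_enter_execve
CPU:1 [LOST 3 EVENTS]
`

func main() {
	events, skipped, err := ParseTracePipe(strings.NewReader(sampleTrace))
	if err != nil {
		panic(err)
	}
	counts := CountByComm(events)
	comms := make([]string, 0, len(counts))
	for c := range counts {
		comms = append(comms, c)
	}
	sort.Strings(comms) // deterministic report order
	for _, c := range comms {
		fmt.Printf("%-12s %d execve calls\n", c, counts[c])
	}
	fmt.Printf("%d events parsed, %d non-event lines skipped\n", len(events), skipped)
}
```

On a live host, pass the file opened from `/sys/kernel/debug/tracing/trace_pipe` (root required) to `ParseTracePipe` instead of the embedded sample. Keeping the parsing in user space is what lets the eBPF side stay as small as the one-line `bpf_printk()` program this repository ships.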