IBM Support

PROBEVUE: EXECVE() WITH ARGUMENTS AND ENVIRONMENT

Technical Blog Post


Abstract

PROBEVUE: EXECVE() WITH ARGUMENTS AND ENVIRONMENT

Body

This small probevue script shows you how to track the 'execve()' calls along with the arguments and environment passed to the program executed.

 

The script tracks 'execve()' calls performed by a given process only. The 'when' filter in the 'execve()' probe can be changed to anything else like an executable name, a pid or else. It is not advised however to completely remove the filter as doing so would simply track all the 'execve()' calls performed by all the process on the machine.

 

This small example tracks 'execve()' calls performed by any executable named 'db2sysc'. The script needs to be executed as root like this:

 

  # probevue -s 8 -o execve3.out execve3.pb

 

You can simply interrupt the script when you are done. The result will be stored in a file called 'execve3.out' and look like this:

 

  [db2sysc - 15401286 - 31916419] execve(/home/dalla/sqllib/bin/db2vend)
  av[0]: db2vend (PD Vendor Process - 258)
  av[1]: 3
  av[2]: /home/dalla/sqllib/db2dump/DIAG0000/
  av[3]: 0
  av[4]: 780000000000000,780000000000000,6f50000,33c00435,0,0
  av[5]: 540431955306975648
  ev[0]: DB2LIB=/home/dalla/sqllib/lib
  ev[1]: DB2_TOOLS_BIN=
  ev[2]: DB2_HOME=/home/dalla/sqllib
  ev[3]: db2trc=/home/dalla/build/cur/common/db2trc
  ev[4]: HOME=/home/dalla
  ev[5]: PWD=/home/dalla/tmp
  ev[6]: TZ=EST5EDT
  ev[7]: DB2COMM=TCPIP

  [db2sysc - 19464572 - 74187157] execve(/home/dalla/sqllib/bin/db2fmp)
  av[0]: db2fmp
  av[1]: 1,0,0,0,1,0,0,0,0000,1,0,995bc4,14,1e014,2,0,1,41fc0,
         780000010000000,780000010000000,1600000,1fc0042
  b,2,900049c
  ev[0]: DB2LIB=/home/dalla/sqllib/lib
  ev[1]: DB2_TOOLS_BIN=
  ev[2]: DB2_HOME=/home/dalla/sqllib
  ev[3]: db2trc=/home/dalla/build/cur/common/db2trc
  ev[4]: HOME=/home/dalla
  ev[5]: PWD=/home/dalla/tmp
  ev[6]: TZ=EST5EDT
  ev[7]: DB2COMM=TCPIP

 

The script is here. Note that since there is no concept of 'while/for' loop in probevue we have to handle values one by one.

 

/*
 * execve3.pb: Print the arguments, including ev, when execve()'ing.
 *
 * Run as user 'root' using the following command line:
 *
 *     probevue -s 8 -o execve3.out execve3.pb
 *
 *
 * dalla
 */

int execve(char *path, char *av, char *ep);


/*
 * execve(): There is no 'loop' (while, for) possible in probevue so
 *           this has to be done one by one... Currently reads up to
 *           8 arguments and up to 8 environment variables.
 */
@@syscall:*:execve:entry
when (__pname == "db2")
{
    __auto String       buf[256];
    __auto long long   *addr[8];
    __auto void        *ptr;


    /*
     * Print the call.
     */
    buf = get_userstring((void *) __arg1, 256);
    printf("[%s - %d - %d] execve(%s)\n", __pname, __pid, __tid, buf);


    /*
     * Now deal with 'av[]' array.
     */
    copy_userdata(__arg2, addr);

    ptr = (void *) addr[0];
    if (ptr) { /* av[0] */
        buf = get_userstring(ptr, 256);
        printf("av[0]: %s\n", buf);

        ptr = (void *) addr[1];
        if (ptr) { /* av[1] */
            buf = get_userstring(ptr, 256);
            printf("av[1]: %s\n", buf);

            ptr = (void *) addr[2];
            if (ptr) { /* av[2] */
                buf = get_userstring(ptr, 256);
                printf("av[2]: %s\n", buf);

                ptr = (void *) addr[3];
                if (ptr) { /* av[3] */
                    buf = get_userstring(ptr, 256);
                    printf("av[3]: %s\n", buf);

                    ptr = (void *) addr[4];
                    if (ptr) { /* av[4] */
                        buf = get_userstring(ptr, 256);
                        printf("av[4]: %s\n", buf);

                        ptr = (void *) addr[5];
                        if (ptr) { /* av[5] */
                            buf = get_userstring(ptr, 256);
                            printf("av[5]: %s\n", buf);

                            ptr = (void *) addr[6];
                            if (ptr) { /* av[6] */
                                buf = get_userstring(ptr, 256);
                                printf("av[6]: %s\n", buf);

                                ptr = (void *) addr[7];
                                if (ptr) { /* av[7] */
                                    buf = get_userstring(ptr, 256);
                                    printf("av[7]: %s\n", buf);
                                }
                            }
                        }
                    }
                }
            }
        }
    }


    /*
     * Now deal with ev[] array.
     */
    copy_userdata(__arg3, addr);

    ptr = (void *) addr[0];
    if (ptr) { /* ev[0] */
        buf = get_userstring(ptr, 256);
        printf("ev[0]: %s\n", buf);

        ptr = (void *) addr[1];
        if (ptr) { /* ev[1] */
            buf = get_userstring(ptr, 256);
            printf("ev[1]: %s\n", buf);

            ptr = (void *) addr[2];
            if (ptr) { /* ev[2] */
                buf = get_userstring(ptr, 256);
                printf("ev[2]: %s\n", buf);

                ptr = (void *) addr[3];
                if (ptr) { /* ev[3] */
                    buf = get_userstring(ptr, 256);
                    printf("ev[3]: %s\n", buf);

                    ptr = (void *) addr[4];
                    if (ptr) { /* ev[4] */
                        buf = get_userstring(ptr, 256);
                        printf("ev[4]: %s\n", buf);

                        ptr = (void *) addr[5];
                        if (ptr) { /* ev[5] */
                            buf = get_userstring(ptr, 256);
                            printf("ev[5]: %s\n", buf);

                            ptr = (void *) addr[6];
                            if (ptr) { /* ev[6] */
                                buf = get_userstring(ptr, 256);
                                printf("ev[6]: %s\n", buf);

                                ptr = (void *) addr[7];
                                if (ptr) { /* ev[7] */
                                    buf = get_userstring(ptr, 256);
                                    printf("ev[7]: %s\n", buf);
                                }
                            }
                        }
                    }
                }
            }
        }
    }

    printf("\n");
}

 

[{"Business Unit":{"code":"BU029","label":"Data and AI"}, "Product":{"code":"SSEPGG","label":"DB2 for Linux, UNIX and Windows"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"","Edition":""}]

UID

ibm13286425