@clementnuss
Created November 28, 2023 13:36
eBPF - using bpftrace to debug argv and env of an executable

Using eBPF to print argv and envp when running a specific file

With bpftrace on Linux, it is quite simple to notice when a specific binary is executed and to print the arguments and environment variables passed to it. Hooking the `execve` syscall tracepoint gives you exactly what the kernel receives: the path being executed, the `argv` array and the `envp` array, so this is a handy way to check what a script or hook really runs and whether anything sensitive (a password, a token) is being handed over through the environment.

This can be done with the following bpftrace "program":

// Fires on entry to every execve(2) syscall on the host.
tracepoint:syscalls:sys_enter_execve
// Predicate: only keep calls whose filename is exactly this path.
/str(args->filename) == "/etc/network/if-up.d/resolved"/
{
  // At sys_enter the task is still the caller, so comm is the name of the
  // process that is launching the target, not the target itself.
  printf("%s %s\n", comm, str(args->filename));
  join(args->argv);        // print argv[] space-separated on one line
  join(args->envp, "\n");  // print envp[] one variable per line
}

Save it as resolved_trace.bt and run it as root (bpftrace needs CAP_BPF/CAP_PERFMON or CAP_SYS_ADMIN): sudo bpftrace resolved_trace.bt

Two caveats worth knowing: the comparison is an exact match on the string passed to execve, so an invocation as ./resolved or through a symlink will not match; and str() is bounded by BPFTRACE_STRLEN, so a long path may be truncated and fail the comparison unless you raise that limit (e.g. BPFTRACE_STRLEN=200 bpftrace resolved_trace.bt).
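The program above shows the one probe you need; the following is an added example, not code from the gist, that generalises it a little: it records who the caller is (pid, parent pid, uid), keeps a per-thread map so the matching sys_exit_execve probe can report whether the exec succeeded and how long it took, and counts executions per caller. The target path in the predicate is the gist's; treat it as an assumption and change it for your own binary.

```bpftrace
#!/usr/bin/env bpftrace
// Added example (not the gist's code). Run as root: sudo bpftrace exec_trace.bt
// Assumption: the path in the predicate below is the binary you want to watch.

BEGIN
{
  printf("Tracing execve() of the target ... Ctrl-C to end\n");
}

tracepoint:syscalls:sys_enter_execve
/str(args->filename) == "/etc/network/if-up.d/resolved"/
{
  // At sys_enter the task is still the caller: comm/pid/uid describe whoever
  // is launching the target, not the program image about to be loaded.
  printf("%s caller=%s pid=%d ppid=%d uid=%d exec=%s\n",
         strftime("%H:%M:%S", nsecs), comm, pid,
         curtask->real_parent->pid, uid, str(args->filename));
  join(args->argv);          // argv[], space separated on one line
  join(args->envp, "\n");    // envp[], one variable per line

  @pending[tid] = nsecs;     // remember this thread for the exit probe
  @execs[str(args->filename), comm] = count();
}

tracepoint:syscalls:sys_exit_execve
/@pending[tid]/
{
  // ret is 0 on success (the thread is now running the new image) or -errno,
  // e.g. -13 (EACCES) or -2 (ENOENT) when the exec was refused.
  printf("  -> execve returned %d after %d us\n",
         args->ret, (nsecs - @pending[tid]) / 1000);
  delete(@pending[tid]);
}

END
{
  clear(@pending);           // only the @execs counts are printed at exit
}
```

The exit probe matters for auditing: a hook that is denied by permissions or a missing interpreter shows up as a negative return value, which a pure sys_enter trace would never reveal. execveat(2) has the same filename/argv/envp arguments, so an equivalent tracepoint:syscalls:sys_enter_execveat probe can be added if the target is launched that way. Everything this prints, the environment in particular, is as sensitive as /proc/PID/environ, so store the output accordingly.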
