Skip to content

Instantly share code, notes, and snippets.

@garenchan

garenchan/bt

Last active July 20, 2023 02:48
Show Gist options
  • Save garenchan/80d0672129c42e4070dfdea55f6c685d to your computer and use it in GitHub Desktop.
Save garenchan/80d0672129c42e4070dfdea55f6c685d to your computer and use it in GitHub Desktop.
Download ZIP
execsnoop.bt
Raw
bt
#!/usr/bin/env bpftrace
#include <linux/sched.h>
BEGIN
{
printf("Trace new processes via exec() syscalls. Hit Ctrl-C to end.\n");
}
tracepoint:syscalls:sys_enter_exec*
{
printf("%s %-5d %-5d %s ---> %s ---> ", strftime("%Y-%m-%d %H:%M:%S", nsecs), pid, curtask->real_parent->pid, curtask->real_parent->comm, comm);
join(args->argv);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment