관리-도구

편집 파일: sysc_compat_execve.stp

%( kernel_v < "3.7" %? # execve _____________________________________________________ # # asmlinkage long sys32_execve(char __user *name, compat_uptr_t __user *argv, # compat_uptr_t __user *envp, struct pt_regs *regs) @define _SYSCALL_COMPAT_EXECVE_NAME %( name = "execve" %) @define _SYSCALL_COMPAT_EXECVE_ARGSTR %( argstr = sprintf("%s, %s, %s", filename, args, env_str) %) probe syscall.compat_execve = dw_syscall.compat_execve !, nd_syscall.compat_execve ? {} probe syscall.compat_execve.return = dw_syscall.compat_execve.return !, nd_syscall.compat_execve.return ? {} # dw_compat_execve _____________________________________________________ probe dw_syscall.compat_execve = kernel.function("sys32_execve").call ? { @_SYSCALL_COMPAT_EXECVE_NAME filename = user_string_quoted($name) args = __get_compat_argv($argv, 0) env_str = __get_compat_argv($envp, 0) @_SYSCALL_COMPAT_EXECVE_ARGSTR } probe dw_syscall.compat_execve.return = kernel.function("sys32_execve").return ? { @_SYSCALL_COMPAT_EXECVE_NAME @SYSC_RETVALSTR($return) } # nd_compat_execve _____________________________________________________ probe nd_syscall.compat_execve = kprobe.function("sys32_execve") ? { asmlinkage() @_SYSCALL_COMPAT_EXECVE_NAME filename = user_string_quoted(pointer_arg(1)) args = __get_compat_argv(pointer_arg(2), 0) env_str = __get_compat_argv(pointer_arg(3), 0) @_SYSCALL_COMPAT_EXECVE_ARGSTR } probe nd_syscall.compat_execve.return = kprobe.function("sys32_execve").return ? { @_SYSCALL_COMPAT_EXECVE_NAME @SYSC_RETVALSTR(returnval()) } %)