1235368Sgnn#!/usr/sbin/dtrace -s 2235368Sgnn/* 3235368Sgnn * whatexec.d - Examine the type of files exec'd. 4235368Sgnn * Written using DTrace (Solaris 10 3/05) 5235368Sgnn * 6235368Sgnn * This prints the first four chacacters of files that are executed. 7235368Sgnn * This traces the kernel function findexec_by_hdr(), which checks for 8235368Sgnn * a known magic number in the file's header. 9235368Sgnn * 10235368Sgnn * The idea came from a demo I heard about from the UK, where a 11235368Sgnn * "blue screen of death" was displayed for "MZ" files (although I 12235368Sgnn * haven't seen the script or the demo). 13235368Sgnn * 14235368Sgnn * $Id: whatexec.d 3 2007-08-01 10:50:08Z brendan $ 15235368Sgnn * 16235368Sgnn * USAGE: whatexec.d (early release, check for updates) 17235368Sgnn * 18235368Sgnn * FIELDS: 19235368Sgnn * PEXEC parent command name 20235368Sgnn * EXEC pathname to file exec'd 21235368Sgnn * OK is type runnable, Y/N 22235368Sgnn * TYPE first four characters from file 23235368Sgnn * 24235368Sgnn * COPYRIGHT: Copyright (c) 2006 Brendan Gregg. 25235368Sgnn * 26235368Sgnn * CDDL HEADER START 27235368Sgnn * 28235368Sgnn * The contents of this file are subject to the terms of the 29235368Sgnn * Common Development and Distribution License, Version 1.0 only 30235368Sgnn * (the "License"). You may not use this file except in compliance 31235368Sgnn * with the License. 32235368Sgnn * 33235368Sgnn * You can obtain a copy of the license at Docs/cddl1.txt 34235368Sgnn * or http://www.opensolaris.org/os/licensing. 35235368Sgnn * See the License for the specific language governing permissions 36235368Sgnn * and limitations under the License. 37235368Sgnn * 38235368Sgnn * CDDL HEADER END 39235368Sgnn * 40235368Sgnn * 11-Feb-2006 Brendan Gregg Created this. 41235368Sgnn * 25-Apr-2006 " " Last update. 42235368Sgnn */ 43235368Sgnn 44235368Sgnn#pragma D option quiet 45235368Sgnn 46235368Sgnnthis char *buf; 47235368Sgnn 48235368Sgnndtrace:::BEGIN 49235368Sgnn{ 50235368Sgnn printf("%-16s %-38s %2s %s\n", "PEXEC", "EXEC", "OK", "TYPE"); 51235368Sgnn} 52235368Sgnn 53235368Sgnnfbt::gexec:entry 54235368Sgnn{ 55235368Sgnn self->file = cleanpath((*(struct vnode **)arg0)->v_path); 56235368Sgnn self->ok = 1; 57235368Sgnn} 58235368Sgnn 59235368Sgnnfbt::findexec_by_hdr:entry 60235368Sgnn/self->ok/ 61235368Sgnn{ 62235368Sgnn bcopy(args[0], this->buf = alloca(5), 4); 63235368Sgnn this->buf[4] = '\0'; 64235368Sgnn self->hdr = stringof(this->buf); 65235368Sgnn} 66235368Sgnn 67235368Sgnnfbt::findexec_by_hdr:return 68235368Sgnn/self->ok/ 69235368Sgnn{ 70235368Sgnn printf("%-16s %-38s %2s %S\n", execname, self->file, 71235368Sgnn arg1 == NULL ? "N" : "Y", self->hdr); 72235368Sgnn self->hdr = 0; 73235368Sgnn} 74235368Sgnn 75235368Sgnnfbt::gexec:return 76235368Sgnn{ 77235368Sgnn self->file = 0; 78235368Sgnn self->ok = 0; 79235368Sgnn} 80