1#!/usr/sbin/dtrace -s 2/* - 3 * Copyright (c) 2014-2016 Devin Teske <dteske@FreeBSD.org> 4 * All rights reserved. 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 * 26 * $Title: dtrace(1) script to log process(es) entering syscall::kill $ 27 * $FreeBSD: releng/10.3/share/dtrace/watch_kill 294888 2016-01-27 05:04:17Z dteske $ 28 */ 29 30#pragma D option quiet 31#pragma D option dynvarsize=16m 32#pragma D option switchrate=10hz 33 34/*********************************************************/ 35 36syscall::execve:entry /* probe ID 1 */ 37{ 38 this->caller_execname = execname; 39} 40 41/*********************************************************/ 42 43syscall::kill:entry /* probe ID 2 */ 44{ 45 this->pid_to_kill = (pid_t)arg0; 46 this->kill_signal = (int)arg1; 47 48 /* 49 * Examine process, parent process, and grandparent process details 50 */ 51 52 /******************* CURPROC *******************/ 53 54 this->proc = curthread->td_proc; 55 this->pid0 = this->proc->p_pid; 56 this->uid0 = this->proc->p_ucred->cr_uid; 57 this->gid0 = this->proc->p_ucred->cr_rgid; 58 this->p_args = this->proc->p_args; 59 this->ar_length = this->p_args ? this->p_args->ar_length : 0; 60 this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); 61 62 this->arg0_0 = this->ar_length > 0 ? 63 this->ar_args : stringof(this->proc->p_comm); 64 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; 65 this->ar_args += this->len; 66 this->ar_length -= this->len; 67 68 this->arg0_1 = this->ar_length > 0 ? this->ar_args : ""; 69 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; 70 this->ar_args += this->len; 71 this->ar_length -= this->len; 72 73 this->arg0_2 = this->ar_length > 0 ? this->ar_args : ""; 74 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; 75 this->ar_args += this->len; 76 this->ar_length -= this->len; 77 78 this->arg0_3 = this->ar_length > 0 ? this->ar_args : ""; 79 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; 80 this->ar_args += this->len; 81 this->ar_length -= this->len; 82 83 this->arg0_4 = this->ar_length > 0 ? "..." : ""; 84 85 /******************* PPARENT *******************/ 86 87 this->proc = this->proc->p_pptr; 88 this->pid1 = this->proc->p_pid; 89 this->uid1 = this->proc->p_ucred->cr_uid; 90 this->gid1 = this->proc->p_ucred->cr_rgid; 91 this->p_args = this->proc ? this->proc->p_args : 0; 92 this->ar_length = this->p_args ? this->p_args->ar_length : 0; 93 this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); 94 95 this->arg1_0 = this->ar_length > 0 ? 96 this->ar_args : stringof(this->proc->p_comm); 97 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; 98 this->ar_args += this->len; 99 this->ar_length -= this->len; 100 101 this->arg1_1 = this->ar_length > 0 ? this->ar_args : ""; 102 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; 103 this->ar_args += this->len; 104 this->ar_length -= this->len; 105 106 this->arg1_2 = this->ar_length > 0 ? this->ar_args : ""; 107 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; 108 this->ar_args += this->len; 109 this->ar_length -= this->len; 110 111 this->arg1_3 = this->ar_length > 0 ? this->ar_args : ""; 112 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; 113 this->ar_args += this->len; 114 this->ar_length -= this->len; 115 116 this->arg1_4 = this->ar_length > 0 ? "..." : ""; 117 118 /******************* GPARENT *******************/ 119 120 this->proc = this->proc->p_pptr; 121 this->pid2 = this->proc->p_pid; 122 this->uid2 = this->proc->p_ucred->cr_uid; 123 this->gid2 = this->proc->p_ucred->cr_rgid; 124 this->p_args = this->proc ? this->proc->p_args : 0; 125 this->ar_length = this->p_args ? this->p_args->ar_length : 0; 126 this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); 127 128 this->arg2_0 = this->ar_length > 0 ? 129 this->ar_args : stringof(this->proc->p_comm); 130 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; 131 this->ar_args += this->len; 132 this->ar_length -= this->len; 133 134 this->arg2_1 = this->ar_length > 0 ? this->ar_args : ""; 135 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; 136 this->ar_args += this->len; 137 this->ar_length -= this->len; 138 139 this->arg2_2 = this->ar_length > 0 ? this->ar_args : ""; 140 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; 141 this->ar_args += this->len; 142 this->ar_length -= this->len; 143 144 this->arg2_3 = this->ar_length > 0 ? this->ar_args : ""; 145 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; 146 this->ar_args += this->len; 147 this->ar_length -= this->len; 148 149 this->arg2_4 = this->ar_length > 0 ? "..." : ""; 150 151 /******************* APARENT *******************/ 152 153 this->proc = this->proc->p_pptr; 154 this->pid3 = this->proc->p_pid; 155 this->uid3 = this->proc->p_ucred->cr_uid; 156 this->gid3 = this->proc->p_ucred->cr_rgid; 157 this->p_args = this->proc ? this->proc->p_args : 0; 158 this->ar_length = this->p_args ? this->p_args->ar_length : 0; 159 this->ar_args = (char *)(this->p_args ? this->p_args->ar_args : 0); 160 161 this->arg3_0 = this->ar_length > 0 ? 162 this->ar_args : stringof(this->proc->p_comm); 163 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; 164 this->ar_args += this->len; 165 this->ar_length -= this->len; 166 167 this->arg3_1 = this->ar_length > 0 ? this->ar_args : ""; 168 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; 169 this->ar_args += this->len; 170 this->ar_length -= this->len; 171 172 this->arg3_2 = this->ar_length > 0 ? this->ar_args : ""; 173 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; 174 this->ar_args += this->len; 175 this->ar_length -= this->len; 176 177 this->arg3_3 = this->ar_length > 0 ? this->ar_args : ""; 178 this->len = this->ar_length > 0 ? strlen(this->ar_args) + 1 : 0; 179 this->ar_args += this->len; 180 this->ar_length -= this->len; 181 182 this->arg3_4 = this->ar_length > 0 ? "..." : ""; 183 184 /***********************************************/ 185 186 /* 187 * Print process, parent, and grandparent details 188 */ 189 190 printf("%Y %s[%d]: ", timestamp + 1406598400000000000, 191 this->caller_execname, this->pid1); 192 printf("%s", this->arg0_0); 193 printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1); 194 printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2); 195 printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3); 196 printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4); 197 printf(" (sending signal %u to pid %u)", 198 this->kill_signal, this->pid_to_kill); 199 printf("\n"); 200 201 printf(" -+= %05d %d.%d %s", 202 this->pid3, this->uid3, this->gid3, this->arg3_0); 203 printf("%s%s", this->arg3_1 != "" ? " " : "", this->arg3_1); 204 printf("%s%s", this->arg3_2 != "" ? " " : "", this->arg3_2); 205 printf("%s%s", this->arg3_3 != "" ? " " : "", this->arg3_3); 206 printf("%s%s", this->arg3_4 != "" ? " " : "", this->arg3_4); 207 printf("%s", this->arg3_0 != "" ? "\n" : ""); 208 209 printf(" \-+= %05d %d.%d %s", 210 this->pid2, this->uid2, this->gid2, this->arg2_0); 211 printf("%s%s", this->arg2_1 != "" ? " " : "", this->arg2_1); 212 printf("%s%s", this->arg2_2 != "" ? " " : "", this->arg2_2); 213 printf("%s%s", this->arg2_3 != "" ? " " : "", this->arg2_3); 214 printf("%s%s", this->arg2_4 != "" ? " " : "", this->arg2_4); 215 printf("%s", this->arg2_0 != "" ? "\n" : ""); 216 217 printf(" \-+= %05d %d.%d %s", 218 this->pid1, this->uid1, this->gid1, this->arg1_0); 219 printf("%s%s", this->arg1_1 != "" ? " " : "", this->arg1_1); 220 printf("%s%s", this->arg1_2 != "" ? " " : "", this->arg1_2); 221 printf("%s%s", this->arg1_3 != "" ? " " : "", this->arg1_3); 222 printf("%s%s", this->arg1_4 != "" ? " " : "", this->arg1_4); 223 printf("%s", this->arg1_0 != "" ? "\n" : ""); 224 225 printf(" \-+= %05d %d.%d %s", 226 this->pid0, this->uid0, this->gid0, this->arg0_0); 227 printf("%s%s", this->arg0_1 != "" ? " " : "", this->arg0_1); 228 printf("%s%s", this->arg0_2 != "" ? " " : "", this->arg0_2); 229 printf("%s%s", this->arg0_3 != "" ? " " : "", this->arg0_3); 230 printf("%s%s", this->arg0_4 != "" ? " " : "", this->arg0_4); 231 printf("%s", this->arg0_0 != "" ? "\n" : ""); 232} 233