1#!/usr/sbin/dtrace -s
2/*
3 * whatexec.d - Examine the type of files exec'd.
4 *              Written using DTrace (Solaris 10 3/05)
5 *
6 * This prints the first four characters of files that are executed.
7 * This traces the kernel function findexec_by_hdr(), which checks for
8 * a known magic number in the file's header.
9 *
10 * The idea came from a demo I heard about from the UK, where a
11 * "blue screen of death" was displayed for "MZ" files (although I
12 * haven't seen the script or the demo).
13 *
14 * 25-Apr-2006, ver 0.70
15 *
16 * USAGE:	whatexec.d	(early release, check for updates)
17 *
18 * FIELDS:
19 *		PEXEC		parent command name
20 *		EXEC		pathname to file exec'd
21 *		OK		is type runnable, Y/N
22 *		TYPE		first four characters from file
23 *
24 * COPYRIGHT: Copyright (c) 2006 Brendan Gregg.
25 *
26 * CDDL HEADER START
27 *
28 *  The contents of this file are subject to the terms of the
29 *  Common Development and Distribution License, Version 1.0 only
30 *  (the "License").  You may not use this file except in compliance
31 *  with the License.
32 *
33 *  You can obtain a copy of the license at Docs/cddl1.txt
34 *  or http://www.opensolaris.org/os/licensing.
35 *  See the License for the specific language governing permissions
36 *  and limitations under the License.
37 *
38 * CDDL HEADER END
39 *
40 * 11-Feb-2006  Brendan Gregg   Created this.
41 */
42
43#pragma D option quiet
44
/*
 * Clause-local scratch pointer. The findexec_by_hdr:entry clause points it
 * at a 5-byte alloca() buffer: four header bytes plus a terminating NUL.
 */
this char *buf;

/*
 * Print the column headings once at startup. The field widths are the same
 * ones the findexec_by_hdr:return clause uses for each output line.
 */
dtrace:::BEGIN
{
	printf("%-16s %-38s %2s %s\n",
	    "PEXEC", "EXEC", "OK", "TYPE");
}
51
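/*
 * gexec() entry: remember the path of the file being exec'd and arm the
 * findexec_by_hdr clauses for this thread (self->ok).
 *
 * arg0 is dereferenced as a struct vnode **, as in the original cast.
 * v_path can be NULL when the kernel has no path recorded for the vnode;
 * passing that to cleanpath() is expected to raise a DTrace fault and abort
 * the clause, leaving self->ok unset, so the exec would go unreported.
 * A placeholder path keeps the event visible in the output.
 */
fbt::gexec:entry
{
	this->vp = *(struct vnode **)arg0;
	self->file = this->vp->v_path == NULL ?
	    "<unknown>" : cleanpath(this->vp->v_path);
	self->ok = 1;
}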
57
/*
 * findexec_by_hdr() entry, taken only while this thread is inside gexec()
 * (self->ok is set at gexec:entry and cleared at gexec:return).
 *
 * Copy the first four bytes of the header passed as args[0] into scratch
 * space, NUL-terminate them, and keep the result for the return clause.
 */
fbt::findexec_by_hdr:entry
/self->ok/
{
	/* four header bytes plus the terminator */
	this->buf = alloca(5);
	bcopy(args[0], this->buf, 4);
	this->buf[4] = '\0';
	self->hdr = stringof(this->buf);
}
65
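/*
 * findexec_by_hdr() return: print one line per header lookup made during
 * an exec.
 *
 * arg1 is the function's return value: NULL is reported as "N", any other
 * value as "Y" (the OK column, "is type runnable").
 *
 * The exec'd path, the process name and the header bytes are all chosen by
 * whoever created or ran the file, so each is printed with %S, which
 * escapes non-printable characters. With plain %s, a newline or terminal
 * escape sequence embedded in a file name could garble the trace output or
 * make one event look like several. Ordinary names print exactly as before.
 */
fbt::findexec_by_hdr:return
/self->ok/
{
	printf("%-16S %-38S %2s %S\n", execname, self->file,
	    arg1 == NULL ? "N" : "Y", self->hdr);
	/* assigning 0 releases the thread-local header string */
	self->hdr = 0;
}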
73
/*
 * gexec() return: disarm the findexec_by_hdr clauses for this thread and
 * clear the saved path so it is not reused by a later exec.
 */
fbt::gexec:return
{
	self->ok = 0;
	self->file = 0;
}
79