Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

execsnoop doesn't work with kernel 4.17+ #93

Open
mphilipps opened this issue Feb 18, 2020 · 7 comments
Open

execsnoop doesn't work with kernel 4.17+ #93

mphilipps opened this issue Feb 18, 2020 · 7 comments

Comments

@mphilipps
Copy link

hi

This implementation is designed to work on older kernel versions, and without kernel debuginfo.

would be nice if it would also work on more recent kernel versions. I have tried changing the makeprobe call use __x64_sys_execve, but then half the output is gibberish. Unsure on how I have to adjust the output format of the probe.

@positron96
Copy link

Huh, so you say that is won't work on most modern installations? I've just spent half an hour trying to make it work on ubuntu 18.04 with 5.3 kernel...

@mayank-ramnani
Copy link

mayank-ramnani commented May 26, 2020

I confirmed this on Centos 8 with 4.18 kernel and Redhat 8.1 with 4.18 kernel.
Saw no output apart from these two services:

 46758  41533 /usr/lib/systemd/systemd-cgroups-agent /user.slice/user-1000.slice/user@1000.service/tracker-extract.service
 46791  46775 /usr/lib/systemd/systemd-cgroups-agent /system.slice/systemd-hostnamed.service

Changing the system call being probed from sys_execve to __x64_sys_execve makes it work for Ubuntu 20.4 with kernel 5.4 but the arguments are printed as gibberish.

<...>-49283 [000] .... 41154.763005: exec: (__x64_sys_execve+0x0/0x50) filename="@"V" arg1=(fault) arg2="" arg3="

This could be because from 4.17+, arguments are not sent through registers directly but as a part of pt_regs struct which is passed instead.

@paulmenzel
Copy link

Without __x64_sys_execve it quits right away in Debian sid/unstable with Linux 5.10-rc4.

$ sudo ./execsnoop
Tracing exec()s. Ctrl-C to end.
ERROR: adding a kprobe for execve. Exiting.

@dongho-jung
Copy link

If you still have an issue, try this version of execsnoop https://github.com/iovisor/bcc/blob/master/tools/execsnoop.py that is maintained by bcc and looks more recent

@adam505hq
Copy link

Same here on Arch 5.10.33-1-lts x86_64

ERROR: adding a kprobe for execve. Exiting.

@rajagennu
Copy link

Any update on this issue please ?

@pomoke
Copy link

pomoke commented Nov 19, 2024

Try something else, like execsnoop.bt in bpftrace.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

8 participants