Discussion:
dtrace modify exec syscall
Olaf Bohlen
2011-08-10 08:12:23 UTC
Hello,

for some strange reasons ;) I want to use dtrace to modify an exec*
syscall when it's entered.
So, if someone calls "./foobar.ksh" I want the exec to call
/usr/bin/date instead.

But somehow this does not work. I think it's too late to modify arg0
when exece() is already called, am I right?

This is my try:

#!/usr/sbin/dtrace -s
#pragma D option destructive

syscall::exec*:entry
/copyinstr(arg0) == "./foobar.ksh" /
{
	printf("exec arg0: %s\n", copyinstr(arg0));
	/* Overwrite the path string in user memory: 13 characters + NUL = 14 bytes. */
	copyout("/usr/bin/date", arg0, 14);
}

Yours
--
Olaf Bohlen      <olafbohlen-gM/Ye1E23mwN+***@public.gmane.org>
Fon: +49 172 4561817         RIPE: DARK-RIPE
UKW/DSC: 211501050 DH6432 S/Y Annemarie (HX)
Angelo Rajadurai
2011-08-10 14:41:18 UTC
Hi Olaf,

This script works for me. I tried it on a Solaris 11 Express x86 machine.

You can always catch it a little early. For example when the open system call happens.

#!/usr/sbin/dtrace -s
#pragma D option destructive

syscall::open*:entry
/copyinstr(arg0) == "./foobar.ksh" /
{
	printf("open arg0: %s\n", copyinstr(arg0));
	/* Overwrite the path string in user memory: 9 characters + NUL = 10 bytes. */
	copyout("./bar.ksh", arg0, 10);
}

BTW, I have no idea what the side effects are for doing stuff like this. So please be careful using these types of scripts in production.

-Angelo
Post by Olaf Bohlen
Hello,
for some strange reasons ;) I want to use dtrace to modify an exec*
syscall when it's entered.
So, if someone calls "./foobar.ksh" I want the exec to call
/usr/bin/date instead.
But somehow this does not work. I think it's too late to modify arg0
when exece() is already called, am I right?
#!/usr/sbin/dtrace -s
#pragma D option destructive
syscall::exec*:entry
/copyinstr(arg0) == "./foobar.ksh" /
{
printf("exec arg0: %s\n", copyinstr(arg0));
copyout("/usr/bin/date", arg0, 14);
}
Yours
--
Fon: +49 172 4561817 RIPE: DARK-RIPE
UKW/DSC: 211501050 DH6432 S/Y Annemarie (HX)
Olaf Bohlen
2011-08-11 11:59:15 UTC
Hi Angelo,
Post by Angelo Rajadurai
This script works for me. I tried it on a Solaris 11 Express x86 machine.
You can always catch it a little early. For example when the open system call happens.
...
Post by Angelo Rajadurai
BTW, I have no idea what the side effects are for doing stuff like this.
So please be careful using these types of scripts in production.
Thank you for your reply. My script works now for me. It did not catch the exec probe, because my shell never tried to exec() the script :)
The ksh does a stat() before exec() and the script was simply not there... so ksh bailed out before exec() :) My fault.

Thanks for all other replies,

Olaf
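
Added example, not part of the original thread: a read-only D script for checking which path-taking syscall a shell actually reaches before exec(), which is the situation described in the last message. It assumes the shell's execname is "ksh" and that, on the OS release in use, every probe matched by stat*, open* and exec* takes the path as arg0, as the scripts in the thread also assume.

```dtrace
#!/usr/sbin/dtrace -s
/*
 * Added example, not code from the thread. No destructive actions:
 * it only reports each path-taking syscall made by ksh and its errno.
 * Assumptions: execname is "ksh"; the path is arg0 for every matched probe.
 */
#pragma D option quiet

dtrace:::BEGIN
{
	printf("%-6s %-10s %-5s %s\n", "PID", "SYSCALL", "ERRNO", "PATH");
}

syscall::stat*:entry,
syscall::open*:entry,
syscall::exec*:entry
/execname == "ksh"/
{
	/*
	 * Copy the path at entry: after a successful exec the old
	 * address space is gone and arg0 can no longer be read.
	 */
	self->path = copyinstr(arg0);
	self->traced = 1;
}

syscall::stat*:return,
syscall::open*:return,
syscall::exec*:return
/self->traced/
{
	/* errno is 0 when the call succeeded, e.g. 2 (ENOENT) for a missing file. */
	printf("%-6d %-10s %-5d %s\n", pid, probefunc, errno, self->path);
	self->path = 0;
	self->traced = 0;
}
```

A stat line with a non-zero errno for the script path, with no exec line after it, corresponds to the case in the last message where ksh gave up before calling exec().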
