1#!/usr/bin/python 2# 3# strlen_snoop Trace strlen() library function for a given PID. 4# For Linux, uses BCC, eBPF. Embedded C. 5# 6# USAGE: strlensnoop PID 7# 8# Try running this on a separate bash shell. 9# 10# Written as a basic example of BCC and uprobes. 11# 12# Copyright 2016 Netflix, Inc. 13# Licensed under the Apache License, Version 2.0 (the "License") 14 15from __future__ import print_function 16from bcc import BPF 17from os import getpid 18import sys 19 20if len(sys.argv) < 2: 21 print("USAGE: strlensnoop PID") 22 exit() 23pid = sys.argv[1] 24 25# load BPF program 26bpf_text = """ 27#include <uapi/linux/ptrace.h> 28int printarg(struct pt_regs *ctx) { 29 if (!PT_REGS_PARM1(ctx)) 30 return 0; 31 32 u32 pid = bpf_get_current_pid_tgid(); 33 if (pid != PID) 34 return 0; 35 36 char str[80] = {}; 37 bpf_probe_read(&str, sizeof(str), (void *)PT_REGS_PARM1(ctx)); 38 bpf_trace_printk("%s\\n", &str); 39 40 return 0; 41}; 42""" 43bpf_text = bpf_text.replace('PID', pid) 44b = BPF(text=bpf_text) 45b.attach_uprobe(name="c", sym="strlen", fn_name="printarg") 46 47# header 48print("%-18s %-16s %-6s %s" % ("TIME(s)", "COMM", "PID", "STRLEN")) 49 50# format output 51me = getpid() 52while 1: 53 try: 54 (task, pid, cpu, flags, ts, msg) = b.trace_fields() 55 except ValueError: 56 continue 57 if pid == me or msg == "": 58 continue 59 print("%-18.9f %-16s %-6d %s" % (ts, task, pid, msg)) 60