head	1.1;
branch	1.1.1;
access;
symbols
	netbsd-11-0-RC4:1.1.1.1
	netbsd-11-0-RC3:1.1.1.1
	netbsd-11-0-RC2:1.1.1.1
	netbsd-11-0-RC1:1.1.1.1
	perseant-exfatfs-base-20250801:1.1.1.1
	netbsd-11:1.1.1.1.0.30
	netbsd-11-base:1.1.1.1
	netbsd-10-1-RELEASE:1.1.1.1
	perseant-exfatfs-base-20240630:1.1.1.1
	perseant-exfatfs:1.1.1.1.0.28
	perseant-exfatfs-base:1.1.1.1
	netbsd-8-3-RELEASE:1.1.1.1
	netbsd-9-4-RELEASE:1.1.1.1
	netbsd-10-0-RELEASE:1.1.1.1
	netbsd-10-0-RC6:1.1.1.1
	netbsd-10-0-RC5:1.1.1.1
	netbsd-10-0-RC4:1.1.1.1
	netbsd-10-0-RC3:1.1.1.1
	netbsd-10-0-RC2:1.1.1.1
	netbsd-10-0-RC1:1.1.1.1
	netbsd-10:1.1.1.1.0.26
	netbsd-10-base:1.1.1.1
	netbsd-9-3-RELEASE:1.1.1.1
	cjep_sun2x-base1:1.1.1.1
	cjep_sun2x:1.1.1.1.0.24
	cjep_sun2x-base:1.1.1.1
	cjep_staticlib_x-base1:1.1.1.1
	netbsd-9-2-RELEASE:1.1.1.1
	cjep_staticlib_x:1.1.1.1.0.22
	cjep_staticlib_x-base:1.1.1.1
	netbsd-9-1-RELEASE:1.1.1.1
	phil-wifi-20200421:1.1.1.1
	phil-wifi-20200411:1.1.1.1
	is-mlppp:1.1.1.1.0.20
	is-mlppp-base:1.1.1.1
	phil-wifi-20200406:1.1.1.1
	netbsd-8-2-RELEASE:1.1.1.1
	netbsd-9-0-RELEASE:1.1.1.1
	netbsd-9-0-RC2:1.1.1.1
	netbsd-9-0-RC1:1.1.1.1
	phil-wifi-20191119:1.1.1.1
	netbsd-9:1.1.1.1.0.18
	netbsd-9-base:1.1.1.1
	phil-wifi-20190609:1.1.1.1
	netbsd-8-1-RELEASE:1.1.1.1
	netbsd-8-1-RC1:1.1.1.1
	pgoyette-compat-merge-20190127:1.1.1.1
	pgoyette-compat-20190127:1.1.1.1
	pgoyette-compat-20190118:1.1.1.1
	pgoyette-compat-1226:1.1.1.1
	pgoyette-compat-1126:1.1.1.1
	pgoyette-compat-1020:1.1.1.1
	pgoyette-compat-0930:1.1.1.1
	pgoyette-compat-0906:1.1.1.1
	pgoyette-compat-0728:1.1.1.1
	netbsd-8-0-RELEASE:1.1.1.1
	phil-wifi:1.1.1.1.0.16
	phil-wifi-base:1.1.1.1
	pgoyette-compat-0625:1.1.1.1
	netbsd-8-0-RC2:1.1.1.1
	pgoyette-compat-0521:1.1.1.1
	pgoyette-compat-0502:1.1.1.1
	pgoyette-compat-0422:1.1.1.1
	netbsd-8-0-RC1:1.1.1.1
	pgoyette-compat-0415:1.1.1.1
	pgoyette-compat-0407:1.1.1.1
	pgoyette-compat-0330:1.1.1.1
	pgoyette-compat-0322:1.1.1.1
	pgoyette-compat-0315:1.1.1.1
	pgoyette-compat:1.1.1.1.0.14
	pgoyette-compat-base:1.1.1.1
	matt-nb8-mediatek:1.1.1.1.0.12
	matt-nb8-mediatek-base:1.1.1.1
	perseant-stdc-iso10646:1.1.1.1.0.10
	perseant-stdc-iso10646-base:1.1.1.1
	netbsd-8:1.1.1.1.0.8
	netbsd-8-base:1.1.1.1
	prg-localcount2-base3:1.1.1.1
	prg-localcount2-base2:1.1.1.1
	prg-localcount2-base1:1.1.1.1
	prg-localcount2:1.1.1.1.0.6
	prg-localcount2-base:1.1.1.1
	pgoyette-localcount-20170426:1.1.1.1
	bouyer-socketcan-base1:1.1.1.1
	pgoyette-localcount-20170320:1.1.1.1
	bouyer-socketcan:1.1.1.1.0.4
	bouyer-socketcan-base:1.1.1.1
	pgoyette-localcount-20170107:1.1.1.1
	pgoyette-localcount-20161104:1.1.1.1
	localcount-20160914:1.1.1.1
	pgoyette-localcount-20160806:1.1.1.1
	pgoyette-localcount-20160726:1.1.1.1
	pgoyette-localcount:1.1.1.1.0.2
	pgoyette-localcount-base:1.1.1.1
	dtracetoolkit-2015-09-29:1.1.1.1
	FreeBSD:1.1.1;
locks; strict;
comment	@# @;


1.1
date	2015.09.30.22.01.07;	author christos;	state Exp;
branches
	1.1.1.1;
next	;
commitid	d9nN99160jbCfkDy;

1.1.1.1
date	2015.09.30.22.01.07;	author christos;	state Exp;
branches;
next	;
commitid	d9nN99160jbCfkDy;


desc
@@



1.1
log
@Initial revision
@
text
@#!/bin/sh
#
# shellsnoop - A program to print read/write details from shells,
#	       such as keystrokes and command outputs.
#	       Written using DTrace (Solaris 10 3/05).
#
# This program sounds somewhat dangerous (snooping keystrokes), but is
# no more so than /usr/bin/truss, and both need root or dtrace privileges to
# run. In fact, less dangerous, as we only print visible text (not password
# text, for example). Having said that, it goes without saying that this
# program shouldn't be used for breaching the privacy of other users.
#
# This was written as a tool to demonstrate the capabilities of DTrace.
#
# $Id: shellsnoop 19 2007-09-12 07:47:59Z brendan $
#
# USAGE:	shellsnoop [-hqsv] [-p PID] [-u UID]
#
#		-q		# quiet, only print data
#		-s		# include start time, us
#		-v		# include start time, string
#		-p PID		# process ID to snoop
#		-u UID		# user ID to snoop
#  eg,
#		shellsnoop		# default output
#		shellsnoop -v		# human readable timestamps
#		shellsnoop -p 1892	# snoop this PID only
#		shellsnoop -qp 1892	# watch this PID data only
# 	
# FIELDS:
#		UID		User ID
#		PID		process ID
#		PPID		parent process ID
#		COMM		command name
#		DIR		direction (R read, W write)
#		TEXT		text contained in the read/write
#		TIME		timestamp for the command, us
#		STRTIME		timestamp for the command, string
#
# SEE ALSO: ttywatcher
#
# COPYRIGHT: Copyright (c) 2005 Brendan Gregg.
#
# CDDL HEADER START
#
#  The contents of this file are subject to the terms of the
#  Common Development and Distribution License, Version 1.0 only
#  (the "License").  You may not use this file except in compliance
#  with the License.
#
#  You can obtain a copy of the license at Docs/cddl1.txt
#  or http://www.opensolaris.org/os/licensing.
#  See the License for the specific language governing permissions
#  and limitations under the License.
#
# CDDL HEADER END
#
# Author: Brendan Gregg  [Sydney, Australia]
#
# 28-Mar-2004	Brendan Gregg	Created this.
# 21-Jan-2005	   "	  "	Wrapped in sh to provide options.
# 30-Nov-2005	   "	  "	Fixed trailing buffer text bug.
# 30-Nov-2005	   "	  "	Fixed sh no keystroke text in quiet bug.
# 30-Nov-2005	   "	  "	Last update.
# 


##############################
# --- Process Arguments ---
#
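opt_pid=0; opt_uid=0; opt_time=0; opt_timestr=0; opt_quiet=0; opt_debug=0
filter=0; pid=0; uid=0

# Option flags: opt_* are 0/1 switches, pid/uid carry the -p/-u values.
# -d (debug) is accepted but is not listed in the usage text.
while getopts dhp:qsu:v name
do
	case $name in
	d)	opt_debug=1 ;;
	p)	opt_pid=1; pid=$OPTARG ;;
	q)	opt_quiet=1 ;;
	s)	opt_time=1 ;;
	u)	opt_uid=1; uid=$OPTARG ;;
	v)	opt_timestr=1 ;;
	h|?)	cat <<-END >&2
		USAGE: shellsnoop [-hqsv] [-p PID] [-u UID]
		       shellsnoop		# default output
		                -q		# quiet, only print data
		                -s		# include start time, us
		                -v		# include start time, string
		                -p PID		# process ID to snoop
		                -u UID		# user ID to snoop
		END
		exit 1
	esac
done

# The -p/-u values are spliced verbatim into the D program below as
# "inline int PID/UID = ..." initialisers. Accept only non-negative
# integers so a typo or an empty value is reported here, rather than
# becoming a D compile failure -- or arbitrary D source text -- inside
# the dtrace invocation.
if [ $opt_pid -eq 1 ]; then
	case $pid in
	''|*[!0-9]*)
		echo "shellsnoop: -p expects a numeric PID, got '$pid'" >&2
		exit 1 ;;
	esac
fi
if [ $opt_uid -eq 1 ]; then
	case $uid in
	''|*[!0-9]*)
		echo "shellsnoop: -u expects a numeric UID, got '$uid'" >&2
		exit 1 ;;
	esac
fi

# Quiet output is data only, so both timestamp columns are switched off.
if [ $opt_quiet -eq 1 ]; then
	opt_time=0; opt_timestr=0
fi
# filter records that at least one of -p/-u narrows the snooped processes.
if [ $opt_pid -eq 1 -o $opt_uid -eq 1 ]; then
	filter=1
fi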


#################################
# --- Main Program, DTrace ---
#
dtrace -n '
 /*
  * Command line arguments
  *
  * Each value is substituted by the enclosing shell script, so the D
  * compiler sees only the resulting literal.  FILTER is declared for
  * parity with the wrapper variable but is not referenced by any
  * clause below.
  */
 inline int OPT_debug 	= '$opt_debug';
 inline int OPT_quiet 	= '$opt_quiet';
 inline int OPT_pid 	= '$opt_pid';
 inline int OPT_uid 	= '$opt_uid';
 inline int OPT_time 	= '$opt_time';
 inline int OPT_timestr	= '$opt_timestr';
 inline int FILTER 	= '$filter';
 inline int PID 	= '$pid';
 inline int UID 	= '$uid';
 
 /*
  * quiet: suppress the default per-probe output so only printf() text
  * appears.  switchrate: how often the consumer switches trace buffers,
  * which bounds the delay between a probe firing and its text showing.
  */
 #pragma D option quiet
 #pragma D option switchrate=20hz
 
 /*
  * Print header
  *
  * One BEGIN clause per optional column; the guards mirror the per-record
  * clauses further down so the header and the rows line up.
  */
 dtrace:::BEGIN /OPT_time == 1/
 { 
 	printf("%-14s ","TIME");
 }
 dtrace:::BEGIN /OPT_timestr == 1/
 { 
 	printf("%-20s ","STRTIME");
 }
 dtrace:::BEGIN /OPT_quiet == 0/
 {
	printf("%5s %5s %8s %3s  %s\n", "PID", "PPID", "CMD", "DIR", "TEXT");
 }

 /*
  * Remember this PID is a shell child
  *
  * At execve:entry execname is still the name of the calling process, so
  * a shell name here means a shell is about to exec a command.  child[] is
  * a global array keyed by pid; 1 means "a command launched from a shell".
  */
 syscall::execve:entry
 /execname == "sh"   || execname == "ksh"  || execname == "csh"  || 
  execname == "tcsh" || execname == "zsh"  || execname == "bash"/
 {
	child[pid] = 1;
 
 }
 syscall::execve:entry
 /(OPT_pid == 1 && PID != ppid) || (OPT_uid == 1 && UID != uid)/
 {
	/* forget if filtered: with -p keep only commands whose parent is PID,
	 * with -u keep only commands running as UID */
	child[pid] = 0;
 }

 /*
  * Print shell keystrokes
  *
  * The entry clauses stash the user buffer address (arg1) of a read/write
  * on fd 0-2 by a shell process that was not itself launched from a shell
  * (child[pid] == 0); the return clauses copy that buffer in and print it.
  * self->buf is thread-local, so each entry is paired with its own return.
  * Clauses fire in program order: time prefix, then text, then the clause
  * that clears self->buf.
  */
 syscall::write:entry, syscall::read:entry
 /(execname == "sh"   || execname == "ksh"  || execname == "csh"  ||
  execname == "tcsh" || execname == "zsh"  || execname == "bash")
  && (arg0 >= 0 && arg0 <= 2)/
 {
	self->buf = arg1;
 }
 syscall::write:entry, syscall::read:entry
 /(OPT_pid == 1 && PID != pid) || (OPT_uid == 1 && UID != uid)/
 {
	/* not the process being snooped: drop the buffer so nothing prints */
	self->buf = 0;
 }
 /*
  * NOTE(review): at :return, arg0 is the syscall return value (the byte
  * count on success).  None of the return clauses below guard against a
  * failed read/write returning -1, in which case copyin() is asked for a
  * negative size -- confirm how dtrace reports that before relying on
  * the output being gap-free.
  */
 syscall::write:return, syscall::read:return
 /self->buf && child[pid] == 0 && OPT_time == 1/
 {
 	printf("%-14d ", timestamp/1000);
 }
 syscall::write:return, syscall::read:return
 /self->buf && child[pid] == 0 && OPT_timestr == 1/
 {
	printf("%-20Y ", walltimestamp);
 }
 syscall::write:return, syscall::read:return
 /self->buf && child[pid] == 0 && OPT_quiet == 0/
 {
	/* copy arg0 bytes of the user buffer into scratch and NUL-terminate
	 * it (the odd quoting is the shell wrapper escaping a D char literal) */
	this->text = (char *)copyin(self->buf, arg0);
	this->text[arg0] = '\'\\0\'';
 
	printf("%5d %5d %8s %3s  %s\n", pid, curpsinfo->pr_ppid, execname, 
	    probefunc == "read" ? "R" : "W", stringof(this->text));
 }
 syscall::write:return
 /self->buf && child[pid] == 0 && OPT_quiet == 1/
 {
	/* quiet mode: raw text only, no columns and no added newline */
	this->text = (char *)copyin(self->buf, arg0);
	this->text[arg0] = '\'\\0\'';
	printf("%s", stringof(this->text));
 }
 syscall::read:return
 /self->buf && execname == "sh" && child[pid] == 0 && OPT_quiet == 1/
 {
	/* quiet mode reads are printed for sh only; presumably the other
	 * shells echo keystrokes through write() themselves, so printing
	 * their reads would duplicate them (see the 30-Nov-2005 changelog
	 * entry in the header) -- verify before widening this */
	this->text = (char *)copyin(self->buf, arg0);
	this->text[arg0] = '\'\\0\'';
	printf("%s", stringof(this->text));
 }
 syscall::write:return, syscall::read:return
 /self->buf && child[pid] == 0/
 {
	/* done with this syscall; the next entry probe sets self->buf again */
	self->buf = 0;
 }

 /*
  * Print command output
  *
  * Same entry/return pairing as above, but for processes marked as shell
  * children and only for their stdout/stderr (fd 1 and 2).  Here the text
  * clauses clear self->buf themselves.
  */
 syscall::write:entry, syscall::read:entry
 /child[pid] == 1 && (arg0 == 1 || arg0 == 2)/
 {
	self->buf = arg1;
 }
 syscall::write:return, syscall::read:return
 /self->buf && OPT_time == 1/
 {
 	printf("%-14d ", timestamp/1000);
 }
 syscall::write:return, syscall::read:return
 /self->buf && OPT_timestr == 1/
 {
	printf("%-20Y ", walltimestamp);
 }
 syscall::write:return, syscall::read:return
 /self->buf && OPT_quiet == 0/
 {
	this->text = (char *)copyin(self->buf, arg0);
	this->text[arg0] = '\'\\0\'';
 
	printf("%5d %5d %8s %3s  %s", pid, curpsinfo->pr_ppid, execname,
	    probefunc == "read" ? "R" : "W", stringof(this->text));
 
	/* here we check if a newline is needed: command output usually ends
	 * in one already, so only add it when the last byte is not a newline.
	 * NOTE(review): with an empty copied string this indexes
	 * this->text[-1] -- confirm that cannot happen or is harmless here */
	this->length = strlen(this->text);
	printf("%s", this->text[this->length - 1] == '\'\\n\'' ? "" : "\n");
	self->buf = 0;
 }
 syscall::write:return, syscall::read:return
 /self->buf && OPT_quiet == 1/
 {
	this->text = (char *)copyin(self->buf, arg0);
	this->text[arg0] = '\'\\0\'';
	printf("%s", stringof(this->text));
	self->buf = 0;
 }

 /*
  *  Cleanup
  *
  * Clear the shell-child mark on exit so a later process reusing the pid
  * does not inherit it.
  */
 syscall::exit:entry
 {
	child[pid] = 0;

	/* debug: name the parent by walking the kernel process structures
	 * (curthread->td_proc->p_pptr->p_comm); this path looks FreeBSD
	 * specific, matching the import noted in the RCS log.  D has no if
	 * statement, hence the ternary with a no-op 1 as the else branch. */
	this->parent = (char *)curthread->td_proc->p_pptr->p_comm;
	OPT_debug == 1 ? printf("PID %d CMD %s exited. (%s)\n",
	 pid, execname, stringof(this->parent)) : 1;
 }
'
@


1.1.1.1
log
@Import the dtrace toolkit from FreeBSD; simple scripts such as dtruss work
unmodified. For others we'll need to add the missing probes and adjust.
This is not attached to the build.
@
text
@@
