#!/usr/sbin/dtrace -s /* * newproc.d - snoop new processes as they are executed. DTrace OneLiner. * * This is a DTrace OneLiner from the DTraceToolkit. * * 15-May-2005 Brendan Gregg Created this. */ /* * Updated to capture arguments in OS X. Unfortunately this isn't straight forward... */ #pragma D option quiet this unsigned long long argv_ptr; /* Wide enough for 64 bit user procs */ this char *psargs; proc:::exec-success { print_pid[pid] = 1; /* This pid emerged from an exec, make a note of that. */ } /* * The "this" variables are local to (all) of the following syscall::mmap:return probes, * and only those probes. They must be initialized before use in each new firing. */ syscall::mmap:return { this->argc = 0; /* Disable argument collection until we notice an exec-success */ this->psargs = 0; } syscall::mmap:return / print_pid[pid] / { print_pid[pid] = 0; this->is64Bit = curpsinfo->pr_dmodel == PR_MODEL_ILP32 ? 0 : 1; this->wordsize = this->is64Bit ? 8 : 4; this->argc = curpsinfo->pr_argc; this->argc = (this->argc < 0) ? 0 : this->argc; /* Safety */ this->argv_ptr = curpsinfo->pr_argv; this->psargs = ""; printf("%d %s ", pid, this->is64Bit ? "64b" : "32b"); } syscall::mmap:return / this->argc / { this->here_argv = copyin(this->argv_ptr, this->wordsize); this->arg = this->is64Bit ? *(unsigned long long*)(this->here_argv) : *(unsigned long*)(this->here_argv); this->here_arg = copyinstr(this->arg); this->psargs = strjoin(strjoin(this->psargs," "), this->here_arg); this->argv_ptr += this->wordsize; this->argc--; } syscall::mmap:return / this->argc / { this->here_argv = copyin(this->argv_ptr, this->wordsize); this->arg = this->is64Bit ? *(unsigned long long*)(this->here_argv) : *(unsigned long*)(this->here_argv); this->here_arg = copyinstr(this->arg); this->psargs = strjoin(strjoin(this->psargs," "), this->here_arg); this->argv_ptr += this->wordsize; this->argc--; } syscall::mmap:return / this->argc / { this->here_argv = copyin(this->argv_ptr, this->wordsize); this->arg = this->is64Bit ? *(unsigned long long*)(this->here_argv) : *(unsigned long*)(this->here_argv); this->here_arg = copyinstr(this->arg); this->psargs = strjoin(strjoin(this->psargs," "), this->here_arg); this->argv_ptr += this->wordsize; this->argc--; } syscall::mmap:return / this->argc / { this->here_argv = copyin(this->argv_ptr, this->wordsize); this->arg = this->is64Bit ? *(unsigned long long*)(this->here_argv) : *(unsigned long*)(this->here_argv); this->here_arg = copyinstr(this->arg); this->psargs = strjoin(strjoin(this->psargs," "), this->here_arg); this->argv_ptr += this->wordsize; this->argc--; } syscall::mmap:return / this->argc / { this->here_argv = copyin(this->argv_ptr, this->wordsize); this->arg = this->is64Bit ? *(unsigned long long*)(this->here_argv) : *(unsigned long*)(this->here_argv); this->here_arg = copyinstr(this->arg); this->psargs = strjoin(strjoin(this->psargs," "), this->here_arg); this->argv_ptr += this->wordsize; this->argc--; } syscall::mmap:return / this->argc / { this->here_argv = copyin(this->argv_ptr, this->wordsize); this->arg = this->is64Bit ? *(unsigned long long*)(this->here_argv) : *(unsigned long*)(this->here_argv); this->here_arg = copyinstr(this->arg); this->psargs = strjoin(strjoin(this->psargs," "), this->here_arg); this->argv_ptr += this->wordsize; this->argc--; } syscall::mmap:return / this->psargs / { printf("%s%s\n",stringof(this->psargs), this->argc > 0 ? " (...)" : " "); this->psargs = 0; this->argc = 0; }