#!\/usr\/bin\/sh
\n#
\n# shellsnoop – A program to print read\/write details from shells,
\n# such as keystrokes and command outputs.
\n# Written using DTrace (Solaris 10 build 69).
\n#
\n# 21-Jan-2005, ver 0.80 (check for newer versions)
\n#
\n#
\n# USAGE: shellsnoop [-hqsv] [-p PID] [-u UID]
\n#
\n# shellsnoop # default output
\n#
\n# -s # include start time, us
\n# -q # quiet, only print data
\n# -v # include start time, string
\n# -p PID # process ID to snoop
\n# -u UID # user ID to snoop
\n#
\n# eg,
\n# shellsnoop -v # human readable timestamps
\n# shellsnoop -p 1892 # snoop this PID only
\n# shellsnoop -qp 1892 # watch this PID data only
\n#
\n# FIELDS:
\n#
\n# UID User ID
\n# PID process ID
\n# PPID parent process ID
\n# COMM command name
\n# DIR direction (R read, W write)
\n# TEXT text contained in the read\/write
\n# TIME timestamp for the command, us
\n# STRTIME timestamp for the command, string
\n#
\n# SEE ALSO: ttywatcher
\n#
\n# Standard Disclaimer: This is freeware, use at your own risk.
\n#
\n# Author: Brendan Gregg [Sydney, Australia]
\n#
\n# 28-Mar-2004 Brendan Gregg Created this.
\n# 21-Jan-2005 ” ” Wrapped in sh to provide options.
\n#<\/p>\n
##############################
\n# — Process Arguments —
\n#
\nopt_pid=0; opt_uid=0; opt_time=0; opt_timestr=0; opt_quiet=0; opt_debug=0
\nfilter=0; pid=0; uid=0<\/p>\n
while getopts dhp:qsu:v name
\ndo
\n case $name in
\n d) opt_debug=1 ;;
\n p) opt_pid=1; pid=$OPTARG ;;
\n q) opt_quiet=1 ;;
\n s) opt_time=1 ;;
\n u) opt_uid=1; uid=$OPTARG ;;
\n v) opt_timestr=1 ;;
\n h|?) cat <<-END >&2
\n USAGE: shellsnoop [-hqsv] [-p PID] [-u UID]
\n shellsnoop # default output
\n -q # quiet, only print data
\n -s # include start time, us
\n -v # include start time, string
\n -p PID # process ID to snoop
\n -u UID # user ID to snoop
\n END
\n exit 1
\n esac
\ndone<\/p>\n
if [ $opt_quiet -eq 1 ]; then
\n opt_time=0; opt_timestr=0
\nfi
\nif [ $opt_pid -eq 1 -o $opt_uid -eq 1 ]; then
\n filter=1
\nfi<\/p>\n
#################################
\n# — Main Program, DTrace —
\n#
\ndtrace -n ‘
\n \/*
\n ** Command line arguments
\n *\/
\n inline int OPT_debug = ‘$opt_debug’;
\n inline int OPT_quiet = ‘$opt_quiet’;
\n inline int OPT_pid = ‘$opt_pid’;
\n inline int OPT_uid = ‘$opt_uid’;
\n inline int OPT_time = ‘$opt_time’;
\n inline int OPT_timestr = ‘$opt_timestr’;
\n inline int FILTER = ‘$filter’;
\n inline int PID = ‘$pid’;
\n inline int UID = ‘$uid’;<\/p>\n
#pragma D option quiet<\/p>\n
\/*
\n ** Print header
\n *\/
\n dtrace:::BEGIN \/OPT_time == 1\/ {
\n printf(“%-14s “,”TIME”);
\n }
\n dtrace:::BEGIN \/OPT_timestr == 1\/ {
\n printf(“%-20s “,”STRTIME”);
\n }
\n dtrace:::BEGIN \/OPT_quiet == 0\/ {
\n printf(“%5s %5s %8s %3s %s\\n”,”PID”,”PPID”,”CMD”,”DIR”,”TEXT”);
\n }<\/p>\n
\/*
\n ** Remember this PID is a shell child
\n *\/
\n syscall::exec:entry, syscall::exece:entry
\n \/execname == “sh” || execname == “ksh” || execname == “csh” ||
\n execname == “tcsh” || execname == “zsh” || execname == “bash”\/
\n{
\n child[pid] = 1;<\/p>\n
\/* debug *\/
\n this->parent = (char *)curthread->t_procp->p_parent->p_user.u_comm;
\n OPT_debug == 1 ? printf(“PID %d CMD %s started. (%s)\\n”,
\n pid, execname, stringof(this->parent)) : 1;
\n }
\n syscall::exec:entry, syscall::exece:entry
\n \/(OPT_pid == 1 && PID != ppid) || (OPT_uid == 1 && UID != uid)\/
\n {
\n \/* forget if filtered *\/
\n child[pid] = 0;
\n }<\/p>\n
\/*
\n ** Print shell keystrokes
\n *\/
\n syscall::write:entry, syscall::read:entry
\n \/(execname == “sh” || execname == “ksh” || execname == “csh” ||
\n execname == “tcsh” || execname == “zsh” || execname == “bash”)
\n && (arg0 >= 0 && arg0 <= 2)\/\n {\n self->buf = arg1;
\n self->len = arg2;
\n }
\n syscall::write:entry, syscall::read:entry
\n \/(OPT_pid == 1 && PID != pid) || (OPT_uid == 1 && UID != uid)\/
\n {
\n self->buf = NULL;
\n self->len = 0;
\n }
\n syscall::write:return, syscall::read:return
\n \/self->buf != NULL && child[pid] == 0 && OPT_time == 1\/ {
\n printf(“%-14d “,timestamp\/1000);
\n }
\n syscall::write:return, syscall::read:return
\n \/self->buf != NULL && child[pid] == 0 && OPT_timestr == 1\/ {
\n printf(“%-20Y “,walltimestamp);
\n }
\n syscall::write:return, syscall::read:return
\n \/self->buf != NULL && child[pid] == 0 && OPT_quiet == 0\/
\n {
\n this->text = (char *)copyin(self->buf, self->len);<\/p>\n
printf(“%5d %5d %8s %3s %s\\n”, pid, curpsinfo->pr_ppid, execname,
\n probefunc == “read” ? “R” : “W”, stringof(this->text));
\n self->buf = NULL;
\n self->len = 0;
\n }
\n syscall::write:return
\n \/self->buf != NULL && child[pid] == 0 && OPT_quiet == 1\/
\n {
\n this->text = (char *)copyin(self->buf, self->len);
\n printf(“%s”,stringof(this->text));
\n self->buf = NULL;
\nself->len = 0;
\n }
\n syscall::read:return
\n \/self->buf != NULL && child[pid] == 0 && OPT_quiet == 1\/
\n {
\n self->buf = NULL;
\n self->len = 0;
\n }<\/p>\n
\/*
\n ** Print command output
\n *\/
\n syscall::write:entry, syscall::read:entry
\n \/child[pid] == 1 && (arg0 == 1 || arg0 == 2)\/
\n {
\n self->buf = arg1;
\n self->len = arg2;
\n }
\n syscall::write:return, syscall::read:return
\n \/self->buf != NULL && OPT_time == 1\/ {
\n printf(“%-14d “,timestamp\/1000);
\n }
\n syscall::write:return, syscall::read:return
\n \/self->buf != NULL && OPT_timestr == 1\/ {
\n printf(“%-20Y “,walltimestamp);
\n }
\n syscall::write:return, syscall::read:return
\n \/self->buf != NULL && OPT_quiet == 0\/
\n {
\n this->text = (char *)copyin(self->buf, self->len);<\/p>\n
printf(“%5d %5d %8s %3s %s”, pid, curpsinfo->pr_ppid, execname,
\n probefunc == “read” ? “R” : “W”, stringof(this->text));<\/p>\n
\/* here we check if a newline is needed *\/
\n this->length = strlen(this->text);
\n printf(“%s”, this->text[this->length – 1] == ‘\\’\\\\n\\” ? “” : “\\n”);
\n self->buf = NULL;
\n self->len = 0;
\n }
\n syscall::write:return, syscall::read:return
\n \/self->buf != NULL && OPT_quiet == 1\/
\n {
\n this->text = (char *)copyin(self->buf, self->len);
\n printf(“%s”,stringof(this->text));
\n self->buf = NULL;
\n self->len = 0;
\n }<\/p>\n
\/*
\n ** Cleanup
\n *\/
\n fbt:genunix:exit:entry
\n {
\n child[pid] = 0;<\/p>\n
\/* debug *\/
\n this->parent = (char *)curthread->t_procp->p_parent->p_user.u_comm;
\n OPT_debug == 1 ? printf(“PID %d CMD %s exited. (%s)\\n”,
\n pid,execname, stringof(this->parent)) : 1;
\n }
\n‘<\/p>\n","protected":false},"excerpt":{"rendered":"
#!\/usr\/bin\/sh # # shellsnoop – A program to print read\/write details from shells, # such as keystrokes and command outputs.…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,10],"tags":[],"class_list":["post-515","post","type-post","status-publish","format-standard","hentry","category-computer-stuff","category-solaris"],"_links":{"self":[{"href":"http:\/\/www.theblane.com\/blog\/wp-json\/wp\/v2\/posts\/515","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.theblane.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.theblane.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.theblane.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.theblane.com\/blog\/wp-json\/wp\/v2\/comments?post=515"}],"version-history":[{"count":1,"href":"http:\/\/www.theblane.com\/blog\/wp-json\/wp\/v2\/posts\/515\/revisions"}],"predecessor-version":[{"id":516,"href":"http:\/\/www.theblane.com\/blog\/wp-json\/wp\/v2\/posts\/515\/revisions\/516"}],"wp:attachment":[{"href":"http:\/\/www.theblane.com\/blog\/wp-json\/wp\/v2\/media?parent=515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.theblane.com\/blog\/wp-json\/wp\/v2\/categories?post=515"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.theblane.com\/blog\/wp-json\/wp\/v2\/tags?post=515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}