I am trying to trace the execve syscall using the trace-cmd tool.
I used the following command:
sudo trace-cmd record -e sys_enter_execve
After that, I checked the report using the trace-cmd report command.
I get the following output:
sh-23111 [000] 5407.107802: sys_enter_execve: filename: 0x562068f47c5b, argv: 0x7ffcfca12470, envp: 0x7ffcfca16d48
cat-23112 [002] 5407.109992: sys_enter_execve: filename: 0x557c3bc02e68, argv: 0x557c3bc02a48, envp: 0x557c3bc02d48
sh-23113 [001] 5408.108031: sys_enter_execve: filename: 0x562068f47c5b, argv: 0x7ffcfca12470, envp: 0x7ffcfca16d48
cat-23114 [002] 5408.110124: sys_enter_execve: filename: 0x55903af67e68, argv: 0x55903af67a48, envp: 0x55903af67d48
ls-23115 [000] 5408.315533: sys_enter_execve: filename: 0x560abfa6ab80, argv: 0x560abf958ff0, envp: 0x560abfa191b0
wicd-23116 [001] 5409.033154: sys_enter_execve: filename: 0x55d37d268780, argv: 0x55d37d264670, envp: 0x55d37d192aa0
wicd-23116 [001] 5409.033306: sys_enter_execve: filename: 0x55d37d257bd0, argv: 0x55d37d257dd0, envp: 0x55d37d0def50
wicd-23116 [001] 5409.033348: sys_enter_execve: filename: 0x55d37d25dda0, argv: 0x55d37d25bc50, envp: 0x55d37d03b010
sh-23117 [001] 5409.108217: sys_enter_execve: filename: 0x562068f47c5b, argv: 0x7ffcfca12470, envp: 0x7ffcfca16d48
cat-23118 [003] 5409.110340: sys_enter_execve: filename: 0x55741cd14e68, argv: 0x55741cd14a48, envp: 0x55741cd14d48
sh-23119 [000] 5410.108211: sys_enter_execve: filename: 0x562068f47c5b, argv: 0x7ffcfca12470, envp: 0x7ffcfca16d48
cat-23120 [003] 5410.110380: sys_enter_execve: filename: 0x55bc9dbe9e68, argv: 0x55bc9dbe9a48, envp: 0x55bc9dbe9d48
whoami-23121 [000] 5410.359650: sys_enter_execve: filename: 0x560abfa10eb0, argv: 0x560abfa06930, envp: 0x560abfa191b0
sh-23122 [001] 5411.107828: sys_enter_execve: filename: 0x562068f47c5b, argv: 0x7ffcfca12470, envp: 0x7ffcfca16d48
cat-23123 [002] 5411.109948: sys_enter_execve: filename: 0x5562b6173e68, argv: 0x5562b6173a48, envp: 0x5562b6173d48
sh-23124 [002] 5412.107690: sys_enter_execve: filename: 0x562068f47c5b, argv: 0x7ffcfca12470, envp: 0x7ffcfca16d48
cat-23125 [000] 5412.109763: sys_enter_execve: filename: 0x563c0915fe68, argv: 0x563c0915fa48, envp: 0x563c0915fd48
sh-23126 [000] 5413.107416: sys_enter_execve: filename: 0x562068f47c5b, argv: 0x7ffcfca12470, envp: 0x7ffcfca16d48
cat-23127 [003] 5413.109513: sys_enter_execve: filename: 0x55b50ec8ae68, argv: 0x55b50ec8aa48, envp: 0x55b50ec8ad48
ifconfig-23128 [001] 5414.033416: sys_enter_execve: filename: 0x55d37d268780, argv: 0x55d37d264670, envp: 0x55d37d192aa0
ifconfig-23128 [001] 5414.033563: sys_enter_execve: filename: 0x55d37d257bd0, argv: 0x55d37d257dd0, envp: 0x55d37d0def50
ifconfig-23128 [001] 5414.033603: sys_enter_execve: filename: 0x55d37d25dda0, argv: 0x55d37d25bc50, envp: 0x55d37d03b010
sh-23129 [000] 5414.107440: sys_enter_execve: filename: 0x562068f47c5b, argv: 0x7ffcfca12470, envp: 0x7ffcfca16d48
cat-23130 [002] 5414.109633: sys_enter_execve: filename: 0x55b27defae68, argv: 0x55b27defaa48, envp: 0x55b27defad48
sh-23131 [002] 5415.107934: sys_enter_execve: filename: 0x562068f47c5b, argv: 0x7ffcfca12470, envp: 0x7ffcfca16d48
...
...
The output shows the raw addresses of the passed arguments.
Is there a way to get the filename as an ASCII string rather than only the memory address?
BTW, I tried changing current_tracer from nop to function_graph, but that didn't work.
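An added example that is not part of the question above: the syscalls:sys_enter_execve tracepoint records only the raw register values, i.e. user-space pointers, so trace-cmd has nothing to print but the addresses; a tracer that copies the strings out of the calling process's memory at probe time is needed. The following bpftrace script (assumes bpftrace is installed and is run as root) does that with str() and join(), and also reports execve calls that failed, which never show up as a new process image:

```bpftrace
#!/usr/bin/env bpftrace
// Added example, not from the question: print execve filename and argv as strings.
// Field names (filename, argv, ret) come from
// /sys/kernel/tracing/events/syscalls/sys_enter_execve/format and .../sys_exit_execve/format.
// Run as: sudo bpftrace exec_strings.bt   (script name is an assumption)

BEGIN
{
    printf("%-9s %-16s %-6s %-6s %s\n", "TIME(ms)", "COMM", "PID", "UID", "FILENAME / ARGV");
}

tracepoint:syscalls:sys_enter_execve
{
    // str() copies the NUL-terminated path out of the caller's user memory.
    @filename[tid] = str(args->filename);
    printf("%-9u %-16s %-6d %-6d %s\n", elapsed / 1000000, comm, pid, uid, str(args->filename));
    // join() walks the argv[] pointer array, copies each string and prints them space-separated.
    join(args->argv);
}

tracepoint:syscalls:sys_exit_execve
{
    // On success the process image (and comm) has already been replaced, so only
    // the failure case is worth a line here; ret carries the negative errno.
    if (args->ret < 0) {
        printf("%-9u %-16s %-6d %-6d execve(%s) failed: ret=%d\n",
               elapsed / 1000000, comm, pid, uid, @filename[tid], args->ret);
    }
    delete(@filename[tid]);
}

END
{
    // Do not dump the scratch map when the script exits.
    clear(@filename);
}
```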