/*
 * dotsnoop.bt - hidden-file snoop tool: reports every vfs_open() whose target's
 *               own name begins with '.' (leaf name only; parent directories are
 *               not inspected), with the process, PID and UID behind it.
*
* Usage: sudo bpftrace dotsnoop.bt
*
* Author: Jonathan Cormier <jonathan@cormier.co>
*/
#ifndef BPFTRACE_BTF
#include <linux/path.h>
#include <linux/dcache.h>
#include <linux/fs.h>
#endif
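/*
 * Report a vfs_open() whose target's own name begins with '.'.
 *
 * What this does and does not tell you:
 *  - kprobe = function entry, so this fires before vfs_open() has returned;
 *    an open the kernel later rejects (e.g. EACCES) is still reported.
 *  - Only the leaf name is tested: ~/.bashrc is reported, ~/.ssh/id_rsa is
 *    not, because its own name has no leading '.'.
 *  - The path is rebuilt by walking d_parent until the dentry named "/",
 *    i.e. the root of that filesystem. Mount points are not crossed, so under
 *    a bind mount or inside a container the printed path is relative to that
 *    filesystem's root rather than the absolute path the caller used.
 *  - str() truncates each component at BPFTRACE_STRLEN (64 bytes by default),
 *    and walks deeper than 33 components are silently cut at the leaf side.
 *  - NOTE(review): comm is chosen by the process itself (prctl PR_SET_NAME),
 *    so treat it as a hint only; pid/uid are the fields to act on.
 *
 * Why @path_components is keyed by (tid, depth): bpftrace maps are shared by
 * every CPU. Keyed by depth alone, two concurrent vfs_open() calls overwrote
 * each other's components, and the unconditional clear() that ran on *every*
 * open could wipe another CPU's walk while it was still collecting. Each
 * thread now writes and deletes only its own entries.
 */
kprobe:vfs_open
{
  $path = (struct path *)arg0;
  $dentry = $path->dentry;
  $name = str($dentry->d_name.name);

  if (strncmp($name, ".", 1) == 0) {
    // Walk leaf -> root, recording each component under this thread's key.
    // Stops at the filesystem root ("/") or after depth 0..32 so the loop
    // stays bounded for the BPF verifier.
    $depth = 0;
    while ($dentry != 0) {
      $entry_name = str($dentry->d_name.name);
      if ($depth > 32 || strncmp($entry_name, "/", 1) == 0) {
        break;
      }
      @path_components[tid, $depth] = $entry_name;
      $depth++;
      $dentry = $dentry->d_parent;
    }

    // The record is emitted as several printf() events; output from other
    // CPUs can still be interleaved between them by the time it is printed.
    printf("Hidden file access:\n");
    printf("-------------------\n");
    printf(" File: /");
    // Print root -> leaf, releasing this thread's entries as they are consumed
    // so nothing is left behind in the shared map.
    $i = $depth - 1;
    while ($i >= 0) {
      printf("%s", @path_components[tid, $i]);
      if ($i > 0) {
        printf("/");
      }
      delete(@path_components[tid, $i]);
      $i--;
    }
    printf("\n");
    printf(" Process: %s (PID: %d)\n", comm, pid);
    printf(" UID: %d\n", uid);
    // nsecs is monotonic nanoseconds since boot, not wall-clock time.
    printf(" Time: %lld\n", nsecs);
    printf("-------------------\n");
  }
}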