1 1.1 christos #!/bin/sh 2 1.1 christos # 3 1.1 christos # shellsnoop - A program to print read/write details from shells, 4 1.1 christos # such as keystrokes and command outputs. 5 1.1 christos # Written using DTrace (Solaris 10 3/05). 6 1.1 christos # 7 1.1 christos # This program sounds somewhat dangerous (snooping keystrokes), but is 8 1.1 christos # no more so than /usr/bin/truss, and both need root or dtrace privileges to 9 1.1 christos # run. In fact, less dangerous, as we only print visible text (not password 10 1.1 christos # text, for example). Having said that, it goes without saying that this 11 1.1 christos # program shouldn't be used for breeching privacy of other users. 12 1.1 christos # 13 1.1 christos # This was written as a tool to demonstrate the capabilities of DTrace. 14 1.1 christos # 15 1.1 christos # $Id: shellsnoop,v 1.1.1.1 2015/09/30 22:01:06 christos Exp $ 16 1.1 christos # 17 1.1 christos # USAGE: shellsnoop [-hqsv] [-p PID] [-u UID] 18 1.1 christos # 19 1.1 christos # -q # quiet, only print data 20 1.1 christos # -s # include start time, us 21 1.1 christos # -v # include start time, string 22 1.1 christos # -p PID # process ID to snoop 23 1.1 christos # -u UID # user ID to snoop 24 1.1 christos # eg, 25 1.1 christos # shellsnoop # default output 26 1.1 christos # shellsnoop -v # human readable timestamps 27 1.1 christos # shellsnoop -p 1892 # snoop this PID only 28 1.1 christos # shellsnoop -qp 1892 # watch this PID data only 29 1.1 christos # 30 1.1 christos # FIELDS: 31 1.1 christos # UID User ID 32 1.1 christos # PID process ID 33 1.1 christos # PPID parent process ID 34 1.1 christos # COMM command name 35 1.1 christos # DIR direction (R read, W write) 36 1.1 christos # TEXT text contained in the read/write 37 1.1 christos # TIME timestamp for the command, us 38 1.1 christos # STRTIME timestamp for the command, string 39 1.1 christos # 40 1.1 christos # SEE ALSO: ttywatcher 41 1.1 christos # 42 1.1 christos # COPYRIGHT: Copyright (c) 2005 Brendan Gregg. 43 1.1 christos # 44 1.1 christos # CDDL HEADER START 45 1.1 christos # 46 1.1 christos # The contents of this file are subject to the terms of the 47 1.1 christos # Common Development and Distribution License, Version 1.0 only 48 1.1 christos # (the "License"). You may not use this file except in compliance 49 1.1 christos # with the License. 50 1.1 christos # 51 1.1 christos # You can obtain a copy of the license at Docs/cddl1.txt 52 1.1 christos # or http://www.opensolaris.org/os/licensing. 53 1.1 christos # See the License for the specific language governing permissions 54 1.1 christos # and limitations under the License. 55 1.1 christos # 56 1.1 christos # CDDL HEADER END 57 1.1 christos # 58 1.1 christos # Author: Brendan Gregg [Sydney, Australia] 59 1.1 christos # 60 1.1 christos # 28-Mar-2004 Brendan Gregg Created this. 61 1.1 christos # 21-Jan-2005 " " Wrapped in sh to provide options. 62 1.1 christos # 30-Nov-2005 " " Fixed trailing buffer text bug. 63 1.1 christos # 30-Nov-2005 " " Fixed sh no keystroke text in quiet bug. 64 1.1 christos # 30-Nov-2005 " " Last update. 65 1.1 christos # 66 1.1 christos 67 1.1 christos 68 1.1 christos ############################## 69 1.1 christos # --- Process Arguments --- 70 1.1 christos # 71 1.1 christos opt_pid=0; opt_uid=0; opt_time=0; opt_timestr=0; opt_quiet=0; opt_debug=0 72 1.1 christos filter=0; pid=0; uid=0 73 1.1 christos 74 1.1 christos while getopts dhp:qsu:v name 75 1.1 christos do 76 1.1 christos case $name in 77 1.1 christos d) opt_debug=1 ;; 78 1.1 christos p) opt_pid=1; pid=$OPTARG ;; 79 1.1 christos q) opt_quiet=1 ;; 80 1.1 christos s) opt_time=1 ;; 81 1.1 christos u) opt_uid=1; uid=$OPTARG ;; 82 1.1 christos v) opt_timestr=1 ;; 83 1.1 christos h|?) cat <<-END >&2 84 1.1 christos USAGE: shellsnoop [-hqsv] [-p PID] [-u UID] 85 1.1 christos shellsnoop # default output 86 1.1 christos -q # quiet, only print data 87 1.1 christos -s # include start time, us 88 1.1 christos -v # include start time, string 89 1.1 christos -p PID # process ID to snoop 90 1.1 christos -u UID # user ID to snoop 91 1.1 christos END 92 1.1 christos exit 1 93 1.1 christos esac 94 1.1 christos done 95 1.1 christos 96 1.1 christos if [ $opt_quiet -eq 1 ]; then 97 1.1 christos opt_time=0; opt_timestr=0 98 1.1 christos fi 99 1.1 christos if [ $opt_pid -eq 1 -o $opt_uid -eq 1 ]; then 100 1.1 christos filter=1 101 1.1 christos fi 102 1.1 christos 103 1.1 christos 104 1.1 christos ################################# 105 1.1 christos # --- Main Program, DTrace --- 106 1.1 christos # 107 1.1 christos dtrace -n ' 108 1.1 christos /* 109 1.1 christos * Command line arguments 110 1.1 christos */ 111 1.1 christos inline int OPT_debug = '$opt_debug'; 112 1.1 christos inline int OPT_quiet = '$opt_quiet'; 113 1.1 christos inline int OPT_pid = '$opt_pid'; 114 1.1 christos inline int OPT_uid = '$opt_uid'; 115 1.1 christos inline int OPT_time = '$opt_time'; 116 1.1 christos inline int OPT_timestr = '$opt_timestr'; 117 1.1 christos inline int FILTER = '$filter'; 118 1.1 christos inline int PID = '$pid'; 119 1.1 christos inline int UID = '$uid'; 120 1.1 christos 121 1.1 christos #pragma D option quiet 122 1.1 christos #pragma D option switchrate=20hz 123 1.1 christos 124 1.1 christos /* 125 1.1 christos * Print header 126 1.1 christos */ 127 1.1 christos dtrace:::BEGIN /OPT_time == 1/ 128 1.1 christos { 129 1.1 christos printf("%-14s ","TIME"); 130 1.1 christos } 131 1.1 christos dtrace:::BEGIN /OPT_timestr == 1/ 132 1.1 christos { 133 1.1 christos printf("%-20s ","STRTIME"); 134 1.1 christos } 135 1.1 christos dtrace:::BEGIN /OPT_quiet == 0/ 136 1.1 christos { 137 1.1 christos printf("%5s %5s %8s %3s %s\n", "PID", "PPID", "CMD", "DIR", "TEXT"); 138 1.1 christos } 139 1.1 christos 140 1.1 christos /* 141 1.1 christos * Remember this PID is a shell child 142 1.1 christos */ 143 1.1 christos syscall::execve:entry 144 1.1 christos /execname == "sh" || execname == "ksh" || execname == "csh" || 145 1.1 christos execname == "tcsh" || execname == "zsh" || execname == "bash"/ 146 1.1 christos { 147 1.1 christos child[pid] = 1; 148 1.1 christos 149 1.1 christos } 150 1.1 christos syscall::execve:entry 151 1.1 christos /(OPT_pid == 1 && PID != ppid) || (OPT_uid == 1 && UID != uid)/ 152 1.1 christos { 153 1.1 christos /* forget if filtered */ 154 1.1 christos child[pid] = 0; 155 1.1 christos } 156 1.1 christos 157 1.1 christos /* 158 1.1 christos * Print shell keystrokes 159 1.1 christos */ 160 1.1 christos syscall::write:entry, syscall::read:entry 161 1.1 christos /(execname == "sh" || execname == "ksh" || execname == "csh" || 162 1.1 christos execname == "tcsh" || execname == "zsh" || execname == "bash") 163 1.1 christos && (arg0 >= 0 && arg0 <= 2)/ 164 1.1 christos { 165 1.1 christos self->buf = arg1; 166 1.1 christos } 167 1.1 christos syscall::write:entry, syscall::read:entry 168 1.1 christos /(OPT_pid == 1 && PID != pid) || (OPT_uid == 1 && UID != uid)/ 169 1.1 christos { 170 1.1 christos self->buf = 0; 171 1.1 christos } 172 1.1 christos syscall::write:return, syscall::read:return 173 1.1 christos /self->buf && child[pid] == 0 && OPT_time == 1/ 174 1.1 christos { 175 1.1 christos printf("%-14d ", timestamp/1000); 176 1.1 christos } 177 1.1 christos syscall::write:return, syscall::read:return 178 1.1 christos /self->buf && child[pid] == 0 && OPT_timestr == 1/ 179 1.1 christos { 180 1.1 christos printf("%-20Y ", walltimestamp); 181 1.1 christos } 182 1.1 christos syscall::write:return, syscall::read:return 183 1.1 christos /self->buf && child[pid] == 0 && OPT_quiet == 0/ 184 1.1 christos { 185 1.1 christos this->text = (char *)copyin(self->buf, arg0); 186 1.1 christos this->text[arg0] = '\'\\0\''; 187 1.1 christos 188 1.1 christos printf("%5d %5d %8s %3s %s\n", pid, curpsinfo->pr_ppid, execname, 189 1.1 christos probefunc == "read" ? "R" : "W", stringof(this->text)); 190 1.1 christos } 191 1.1 christos syscall::write:return 192 1.1 christos /self->buf && child[pid] == 0 && OPT_quiet == 1/ 193 1.1 christos { 194 1.1 christos this->text = (char *)copyin(self->buf, arg0); 195 1.1 christos this->text[arg0] = '\'\\0\''; 196 1.1 christos printf("%s", stringof(this->text)); 197 1.1 christos } 198 1.1 christos syscall::read:return 199 1.1 christos /self->buf && execname == "sh" && child[pid] == 0 && OPT_quiet == 1/ 200 1.1 christos { 201 1.1 christos this->text = (char *)copyin(self->buf, arg0); 202 1.1 christos this->text[arg0] = '\'\\0\''; 203 1.1 christos printf("%s", stringof(this->text)); 204 1.1 christos } 205 1.1 christos syscall::write:return, syscall::read:return 206 1.1 christos /self->buf && child[pid] == 0/ 207 1.1 christos { 208 1.1 christos self->buf = 0; 209 1.1 christos } 210 1.1 christos 211 1.1 christos /* 212 1.1 christos * Print command output 213 1.1 christos */ 214 1.1 christos syscall::write:entry, syscall::read:entry 215 1.1 christos /child[pid] == 1 && (arg0 == 1 || arg0 == 2)/ 216 1.1 christos { 217 1.1 christos self->buf = arg1; 218 1.1 christos } 219 1.1 christos syscall::write:return, syscall::read:return 220 1.1 christos /self->buf && OPT_time == 1/ 221 1.1 christos { 222 1.1 christos printf("%-14d ", timestamp/1000); 223 1.1 christos } 224 1.1 christos syscall::write:return, syscall::read:return 225 1.1 christos /self->buf && OPT_timestr == 1/ 226 1.1 christos { 227 1.1 christos printf("%-20Y ", walltimestamp); 228 1.1 christos } 229 1.1 christos syscall::write:return, syscall::read:return 230 1.1 christos /self->buf && OPT_quiet == 0/ 231 1.1 christos { 232 1.1 christos this->text = (char *)copyin(self->buf, arg0); 233 1.1 christos this->text[arg0] = '\'\\0\''; 234 1.1 christos 235 1.1 christos printf("%5d %5d %8s %3s %s", pid, curpsinfo->pr_ppid, execname, 236 1.1 christos probefunc == "read" ? "R" : "W", stringof(this->text)); 237 1.1 christos 238 1.1 christos /* here we check if a newline is needed */ 239 1.1 christos this->length = strlen(this->text); 240 1.1 christos printf("%s", this->text[this->length - 1] == '\'\\n\'' ? "" : "\n"); 241 1.1 christos self->buf = 0; 242 1.1 christos } 243 1.1 christos syscall::write:return, syscall::read:return 244 1.1 christos /self->buf && OPT_quiet == 1/ 245 1.1 christos { 246 1.1 christos this->text = (char *)copyin(self->buf, arg0); 247 1.1 christos this->text[arg0] = '\'\\0\''; 248 1.1 christos printf("%s", stringof(this->text)); 249 1.1 christos self->buf = 0; 250 1.1 christos } 251 1.1 christos 252 1.1 christos /* 253 1.1 christos * Cleanup 254 1.1 christos */ 255 1.1 christos syscall::exit:entry 256 1.1 christos { 257 1.1 christos child[pid] = 0; 258 1.1 christos 259 1.1 christos /* debug */ 260 1.1 christos this->parent = (char *)curthread->td_proc->p_pptr->p_comm; 261 1.1 christos OPT_debug == 1 ? printf("PID %d CMD %s exited. (%s)\n", 262 1.1 christos pid, execname, stringof(this->parent)) : 1; 263 1.1 christos } 264 1.1 christos ' 265
Indexes created Thu Apr 30 00:23:01 UTC 2026