monitor execve command

lipeng hao · lipeng hao · commit 49dbbf4d35a0 · 2026-02-17T21:34:00.000+08:00
diff --git a/src/15-exec-command-monitor/Makefile b/src/15-exec-command-monitor/Makefile
@@ -0,0 +1,5 @@
+# SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+# 进程执行命令监控示例
+
+APPS = exec_monitor
+include ../Makefile.common
diff --git a/src/15-exec-command-monitor/exec_monitor.bpf.c b/src/15-exec-command-monitor/exec_monitor.bpf.c
@@ -0,0 +1,141 @@
+// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
+// 使用 eBPF 监控进程执行的命令
+// Hook sched_process_exec tracepoint 捕获 execve 系统调用
+
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include <bpf/bpf_core_read.h>
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
+
+#define MAX_ARGS_SIZE 256
+#define MAX_FILENAME_SIZE 256
+#define MAX_COMM_SIZE 16
+
+// 执行事件结构体
+struct exec_event {
+    __u32 pid;                          // 进程 ID
+    __u32 ppid;                         // 父进程 ID
+    __u32 uid;                          // 用户 ID
+    char comm[MAX_COMM_SIZE];           // 进程名
+    char filename[MAX_FILENAME_SIZE];   // 执行的程序路径
+    char args[MAX_ARGS_SIZE];           // 命令行参数
+};
+
+// Ring Buffer：传递事件到用户空间
+struct {
+    __uint(type, BPF_MAP_TYPE_RINGBUF);
+    __uint(max_entries, 256 * 1024);
+} events SEC(".maps");
+
+// 目标 PID 过滤（0 表示监控所有进程）
+struct {
+    __uint(type, BPF_MAP_TYPE_ARRAY);
+    __uint(max_entries, 1);
+    __type(key, __u32);
+    __type(value, __u32);
+} target_pid_map SEC(".maps");
+
+// 检查当前进程是否是目标进程的后代（最多向上查找 10 层）
+static __always_inline bool is_descendant_of_target(__u32 target_pid)
+{
+    struct task_struct *task = (struct task_struct *)bpf_get_current_task();
+
+    // 检查自己是否是目标进程
+    __u32 pid = bpf_get_current_pid_tgid() >> 32;
+    if (pid == target_pid)
+        return true;
+
+    // 向上遍历进程树
+    #pragma unroll
+    for (int i = 0; i < 10; i++) {
+        __u32 ppid = BPF_CORE_READ(task, real_parent, tgid);
+
+        // 找到目标进程
+        if (ppid == target_pid)
+            return true;
+
+        // 到达 init 进程，停止遍历
+        if (ppid == 0 || ppid == 1)
+            return false;
+
+        // 继续向上遍历
+        task = BPF_CORE_READ(task, real_parent);
+        if (!task)
+            return false;
+    }
+    return false;
+}
+
+SEC("tp/sched/sched_process_exec")
+int trace_exec(struct trace_event_raw_sched_process_exec *ctx)
+{
+    struct task_struct *task;
+    struct exec_event *e;
+    __u32 pid, ppid, uid;
+    __u32 key = 0;
+
+    // 获取进程信息
+    pid = bpf_get_current_pid_tgid() >> 32;
+    uid = bpf_get_current_uid_gid() & 0xFFFFFFFF;
+    task = (struct task_struct *)bpf_get_current_task();
+    ppid = BPF_CORE_READ(task, real_parent, tgid);
+
+    // 检查目标 PID 过滤
+    __u32 *target = bpf_map_lookup_elem(&target_pid_map, &key);
+    if (target && *target != 0) {
+        if (!is_descendant_of_target(*target))
+            return 0;
+    }
+
+    // 分配事件
+    e = bpf_ringbuf_reserve(&events, sizeof(*e), 0);
+    if (!e)
+        return 0;
+
+    // 填充基本事件数据
+    e->pid = pid;
+    e->ppid = ppid;
+    e->uid = uid;
+    bpf_get_current_comm(&e->comm, sizeof(e->comm));
+
+    // 读取命令路径 - 使用 tracepoint 提供的 filename
+    unsigned int fname_off = ctx->__data_loc_filename & 0xFFFF;
+    bpf_probe_read_str(e->filename, sizeof(e->filename), (void *)ctx + fname_off);
+
+    // 读取完整命令行参数（从 mm->arg_start）
+    struct mm_struct *mm = BPF_CORE_READ(task, mm);
+    if (mm) {
+        unsigned long arg_start = BPF_CORE_READ(mm, arg_start);
+        unsigned long arg_end = BPF_CORE_READ(mm, arg_end);
+        unsigned long arg_len = arg_end - arg_start;
+
+        // 限制到缓冲区大小
+        if (arg_len > MAX_ARGS_SIZE - 1)
+            arg_len = MAX_ARGS_SIZE - 1;
+
+        if (arg_len > 0) {
+            __builtin_memset(e->args, 0, MAX_ARGS_SIZE);
+
+            // 读取整个参数区域
+            long ret = bpf_probe_read_user(e->args, arg_len, (void *)arg_start);
+            if (ret == 0) {
+                // 将 null 字节替换为空格以提高可读性
+                #pragma unroll
+                for (int i = 0; i < MAX_ARGS_SIZE - 1; i++) {
+                    if (i >= arg_len - 1)
+                        break;
+                    if (e->args[i] == '\0')
+                        e->args[i] = ' ';
+                }
+                e->args[arg_len] = '\0';
+            }
+        }
+    } else {
+        e->args[0] = '\0';
+    }
+
+    bpf_ringbuf_submit(e, 0);
+    return 0;
+}
diff --git a/src/15-exec-command-monitor/exec_monitor.c b/src/15-exec-command-monitor/exec_monitor.c
@@ -0,0 +1,182 @@
+// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
+// 进程执行命令监控 - 用户空间程序
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <unistd.h>
+#include <time.h>
+#include <getopt.h>
+#include <bpf/libbpf.h>
+#include "exec_monitor.skel.h"
+
+#define MAX_ARGS_SIZE 256
+#define MAX_FILENAME_SIZE 256
+#define MAX_COMM_SIZE 16
+
+// 与内核程��一致的结构体定义
+struct exec_event {
+    __u32 pid;
+    __u32 ppid;
+    __u32 uid;
+    char comm[MAX_COMM_SIZE];
+    char filename[MAX_FILENAME_SIZE];
+    char args[MAX_ARGS_SIZE];
+};
+
+static volatile sig_atomic_t exiting = 0;
+static int exec_count = 0;
+
+static void sig_handler(int sig)
+{
+    exiting = 1;
+}
+
+static int libbpf_print_fn(enum libbpf_print_level level, const char *format, va_list args)
+{
+    if (level == LIBBPF_DEBUG)
+        return 0;
+    return vfprintf(stderr, format, args);
+}
+
+// 获取当前时间戳
+static void get_timestamp(char *buf, size_t len)
+{
+    time_t now = time(NULL);
+    struct tm *tm_info = localtime(&now);
+    strftime(buf, len, "%H:%M:%S", tm_info);
+}
+
+// 处理执行事件
+static int handle_event(void *ctx, void *data, size_t data_sz)
+{
+    const struct exec_event *e = data;
+    char timestamp[32];
+    const char *display_cmd;
+
+    get_timestamp(timestamp, sizeof(timestamp));
+    exec_count++;
+
+    // 检查是否是 sh -c 或 bash -c 命令，提取实际命令
+    if (strstr(e->filename, "/sh") || strstr(e->filename, "/bash")) {
+        const char *cmd_start = strstr(e->args, "-c ");
+        if (cmd_start) {
+            cmd_start += 3;  // 跳过 "-c "
+            display_cmd = cmd_start;
+        } else {
+            display_cmd = e->args;
+        }
+    } else {
+        display_cmd = e->args;
+    }
+
+    printf("[%s] PID:%-6u PPID:%-6u UID:%-5u | %s\n",
+           timestamp, e->pid, e->ppid, e->uid, display_cmd);
+
+    return 0;
+}
+
+static void usage(const char *prog)
+{
+    printf("Usage: %s [OPTIONS]\n", prog);
+    printf("\n");
+    printf("监控进程执行的命令 (execve)\n");
+    printf("\n");
+    printf("Options:\n");
+    printf("  -p PID    只监控指定 PID 及其子进程\n");
+    printf("  -h        显示帮助信息\n");
+    printf("\n");
+    printf("Examples:\n");
+    printf("  %s                  # 监控所有进程\n", prog);
+    printf("  %s -p 1234          # 只监控 PID 1234 及其子进程\n", prog);
+}
+
+int main(int argc, char **argv)
+{
+    struct exec_monitor_bpf *skel;
+    struct ring_buffer *rb = NULL;
+    int err;
+    __u32 target_pid = 0;
+    int opt;
+
+    // 解析命令行参数
+    while ((opt = getopt(argc, argv, "p:h")) != -1) {
+        switch (opt) {
+        case 'p':
+            target_pid = atoi(optarg);
+            break;
+        case 'h':
+        default:
+            usage(argv[0]);
+            return opt == 'h' ? 0 : 1;
+        }
+    }
+
+    signal(SIGINT, sig_handler);
+    signal(SIGTERM, sig_handler);
+    libbpf_set_print(libbpf_print_fn);
+
+    // 打开并加载 BPF 程序
+    skel = exec_monitor_bpf__open_and_load();
+    if (!skel) {
+        fprintf(stderr, "加载 BPF 程序失败\n");
+        return 1;
+    }
+
+    // 设置目标 PID 过滤
+    if (target_pid > 0) {
+        __u32 key = 0;
+        err = bpf_map__update_elem(skel->maps.target_pid_map,
+                                   &key, sizeof(key),
+                                   &target_pid, sizeof(target_pid), 0);
+        if (err) {
+            fprintf(stderr, "设置目标 PID 失败: %d\n", err);
+            goto cleanup;
+        }
+    }
+
+    // 附加 BPF 程序
+    err = exec_monitor_bpf__attach(skel);
+    if (err) {
+        fprintf(stderr, "附加 BPF 程序失败: %d\n", err);
+        goto cleanup;
+    }
+
+    // 创建 Ring Buffer
+    rb = ring_buffer__new(bpf_map__fd(skel->maps.events), handle_event, NULL, NULL);
+    if (!rb) {
+        fprintf(stderr, "创建 ring buffer 失败\n");
+        err = -1;
+        goto cleanup;
+    }
+
+    printf("========================================\n");
+    printf("进程执行命令监控 (sched_process_exec)\n");
+    printf("========================================\n");
+    if (target_pid > 0) {
+        printf("目标 PID: %u (包含子进程)\n", target_pid);
+    } else {
+        printf("目标 PID: 所有进程\n");
+    }
+    printf("========================================\n");
+    printf("监控中... (Ctrl+C 退出)\n\n");
+
+    // 主循环
+    while (!exiting) {
+        err = ring_buffer__poll(rb, 100);
+        if (err < 0 && err != -EINTR) {
+            fprintf(stderr, "轮询错误: %d\n", err);
+            break;
+        }
+    }
+
+    printf("\n========================================\n");
+    printf("监控结束，共捕获 %d 条命令\n", exec_count);
+    printf("========================================\n");
+
+cleanup:
+    ring_buffer__free(rb);
+    exec_monitor_bpf__destroy(skel);
+    return err < 0 ? -err : 0;
+}
