Demonstrations of bashreadline, the Linux eBPF/bcc version.

This prints bash commands from all running bash shells on the system. For
example:

# ./bashreadline
TIME      PID    COMMAND
05:28:25  21176  ls -l
05:28:28  21176  date
05:28:35  21176  echo hello world
05:28:43  21176  foo this command failed
05:28:45  21176  df -h
05:29:04  3059   echo another shell
05:29:13  21176  echo first shell again

When running the script on Arch Linux, you may need to specify the location
of the libreadline.so library:

# ./bashreadline -s /lib/libreadline.so
TIME      PID    COMMAND
11:17:34  28796  whoami
11:17:41  28796  ps -ef
11:17:51  28796  echo "Hello eBPF!"

The entered command may fail. This is just showing what command lines were
entered interactively for bash to process.

It works by tracing the return of the readline() function using uprobes
(specifically a uretprobe).
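The uretprobe mechanism described above, written out as an added bcc script (this is an illustration, not the tool's own source): it hooks the return of readline(), reads the entered line from the returned char*, and prints it in the TIME PID COMMAND layout. The /bin/bash path and the optional libreadline path (the -s case) are assumptions, and it needs root plus the bcc Python bindings to actually attach.

```python
"""bashreadline-style tracer (added example, not bcc's own source).
Uretprobe on readline(): when it returns, copy the entered line out of the
returned char* and emit it. Needs root and bcc at run time (import deferred)."""
import sys
from datetime import datetime

# BPF C side: runs on return from readline(), reads the returned string from
# user memory and ships it to user space through a perf buffer.
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>
struct str_t {
    u64 pid;
    char str[80];
};
BPF_PERF_OUTPUT(events);
int printret(struct pt_regs *ctx) {
    struct str_t data = {};
    if (!PT_REGS_RC(ctx))                 /* readline() returned NULL (EOF) */
        return 0;
    data.pid = bpf_get_current_pid_tgid() >> 32;   /* upper 32 bits: tgid */
    bpf_probe_read_user(&data.str, sizeof(data.str), (void *)PT_REGS_RC(ctx));
    events.perf_submit(ctx, &data, sizeof(data));
    return 0;
}
"""

def format_event(hhmmss, pid, cmd):
    """One output row in the TIME PID COMMAND layout shown above."""
    return "%-9s %-6d %s" % (hhmmss, pid, cmd)

def probe_target(bash_path="/bin/bash", readline_lib=None):
    """readline() lives in bash when statically linked, otherwise in the
    shared libreadline passed with -s (the Arch Linux case above). Paths are assumed."""
    return readline_lib or bash_path

def main(readline_lib=None):
    from bcc import BPF                        # deferred: needs root + bcc
    b = BPF(text=BPF_PROGRAM)
    b.attach_uretprobe(name=probe_target(readline_lib=readline_lib),
                       sym="readline", fn_name="printret")
    print("%-9s %-6s %s" % ("TIME", "PID", "COMMAND"))
    def on_event(cpu, data, size):  # only lines passed through readline() are seen
        ev = b["events"].event(data)
        print(format_event(datetime.now().strftime("%H:%M:%S"), ev.pid,
                           ev.str.decode("utf-8", "replace")))
    b["events"].open_perf_buffer(on_event)
    while True:
        b.perf_buffer_poll()

if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run as root with no argument to probe readline() inside /bin/bash, or pass the libreadline.so path when bash is dynamically linked against it, as on Arch Linux.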