Open mphilipps opened 4 years ago
Huh, so you say that it won't work on most modern installations? I've just spent half an hour trying to make it work on Ubuntu 18.04 with a 5.3 kernel...
I confirmed this on CentOS 8 with a 4.18 kernel and Red Hat 8.1 with a 4.18 kernel. Saw no output apart from these two services:
46758 41533 /usr/lib/systemd/systemd-cgroups-agent /user.slice/user-1000.slice/user@1000.service/tracker-extract.service
46791 46775 /usr/lib/systemd/systemd-cgroups-agent /system.slice/systemd-hostnamed.service
Changing the system call being probed from sys_execve to __x64_sys_execve makes it work for Ubuntu 20.4 with kernel 5.4, but the arguments are printed as gibberish.
<...>-49283 [000] .... 41154.763005: exec: (__x64_sys_execve+0x0/0x50) filename="@"V" arg1=(fault) arg2="" arg3="
This could be because from 4.17+, arguments are not passed through registers directly but as part of a pt_regs struct, which is passed instead.
Without __x64_sys_execve it quits right away in Debian sid/unstable with Linux 5.10-rc4.
$ sudo ./execsnoop
Tracing exec()s. Ctrl-C to end.
ERROR: adding a kprobe for execve. Exiting.
If you still have an issue, try this version of execsnoop, https://github.com/iovisor/bcc/blob/master/tools/execsnoop.py, which is maintained by bcc and looks more recent.
Same here on Arch 5.10.33-1-lts x86_64
ERROR: adding a kprobe for execve. Exiting.
Any update on this issue, please?
hi
It would be nice if it would also work on more recent kernel versions. I have tried changing the makeprobe call to use __x64_sys_execve, but then half the output is gibberish. Unsure how I have to adjust the output format of the probe.
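The two observations in this thread (the probe only attaches when the symbol is __x64_sys_execve on 4.17+ kernels, and the arguments then come out as gibberish because the wrapper receives a pointer to struct pt_regs rather than the raw arguments) can be handled in one place: pick whichever execve symbol the running kernel actually exports, and when it is the pt_regs wrapper, fetch the original arguments through the pt_regs structure instead of straight from %di/%si. The script below is an added example, not code from perf-tools' execsnoop or from anyone in this thread. It assumes the x86_64 layout of struct pt_regs (regs->di at byte offset 112, regs->si at byte offset 104), the ftrace kprobe_events fetch syntax described in the kernel's kprobetrace documentation, and that the symbol appears in /proc/kallsyms under the name being probed.

```shell
#!/bin/bash
# Added example (not part of perf-tools or this issue): build an ftrace kprobe
# definition for execve that works both before and after the 4.17 syscall
# wrapper change. Assumes x86_64 struct pt_regs offsets: di=112, si=104.

# pick_execve_symbol [KALLSYMS_FILE]
# Prints the first execve symbol present in the kallsyms listing, preferring
# the 4.17+ wrapper. The trailing anchor keeps __x64_sys_execveat from matching.
pick_execve_symbol() {
    local kallsyms=${1:-/proc/kallsyms}
    local sym
    for sym in __x64_sys_execve sys_execve; do
        if grep -qE "^[0-9a-f]+ [Tt] ${sym}\$" "$kallsyms" 2>/dev/null; then
            echo "$sym"
            return 0
        fi
    done
    return 1
}

# build_kprobe SYMBOL
# Prints a kprobe_events line. With the pt_regs wrapper, %di is a pointer to
# struct pt_regs, so filename and argv are read from fixed offsets inside it
# (assumed offsets, x86_64 only). With the old symbol they are in %di/%si.
build_kprobe() {
    local sym=$1
    local filename argv
    case "$sym" in
        __x64_sys_execve)
            filename='+112(%di)'   # regs->di: const char *filename
            argv='+104(%di)'       # regs->si: const char *const *argv
            ;;
        sys_execve)
            filename='%di'
            argv='%si'
            ;;
        *)
            return 1
            ;;
    esac
    # argN = deref of argv[N], read as a string
    printf 'p:exec %s filename=+0(%s):string arg1=+0(+8(%s)):string arg2=+0(+16(%s)):string arg3=+0(+24(%s)):string\n' \
        "$sym" "$filename" "$argv" "$argv" "$argv"
}

# Usage: "./script.sh install" as root registers and enables the probe; any
# other invocation only prints the definition that would be registered.
if [ "${1:-}" = install ]; then
    sym=$(pick_execve_symbol) || { echo "no execve symbol found" >&2; exit 1; }
    build_kprobe "$sym" > /sys/kernel/debug/tracing/kprobe_events
    echo 1 > /sys/kernel/debug/tracing/events/kprobes/exec/enable
    echo "probe registered; read /sys/kernel/debug/tracing/trace_pipe" >&2
else
    build_kprobe "$(pick_execve_symbol /proc/kallsyms || echo sys_execve)"
fi
```

Once enabled, events show up on trace_pipe with the same filename/arg1/arg2/arg3 fields the original tool prints, so the rest of the output formatting does not need to change. The offsets are tied to x86_64; on another architecture the pt_regs layout differs, and the syscalls:sys_enter_execve tracepoint is the option that does not depend on the symbol name at all.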