dtrace discuss - Aug 2011 - dtrace modify exec syscall

Hello,

for some strange reasons ;) I want to use dtrace to modify a exec*
syscall when it''s entered.
So, if someone calls "./foobar.ksh" I want the exec to call
/usr/bin/date instead.

But somehow this does not work.  I think it''s too late to modify arg0
when exece() is already called, am I right?

This is my try:

#!/usr/sbin/dtrace -s
#pragma D option destructive

syscall::exec*:entry
/copyinstr(arg0) == "./foobar.ksh" /
{
   printf("exec arg0: %s\n", copyinstr(arg0));
   copyout("/usr/bin/date", arg0, 14);
}

Yours

-- 
Olaf Bohlen ? ? ?<olafbohlen at googlemail.com>
Fon: +49 172 4561817 ? ? ? ? RIPE: DARK-RIPE
UKW/DSC: 211501050 DH6432 S/Y Annemarie (HX)

Hi Olaf,

This scripts works for me. I tried it on a Solaris 11 Express x86 machine. 

You can always catch it a little early. For example when the open system call
happens.

#!/usr/sbin/dtrace -s
#pragma D option destructive

syscall::open*:entry
/copyinstr(arg0) == "./foobar.ksh" /
{
  printf("open arg0: %s\n", copyinstr(arg0));
  copyout("./bar.ksh", arg0, 10);
}

BTW, I have no idea what the side effects are for doing stuff like this. So
please be careful using these types of scripts in production.

-Angelo



On Aug 10, 2011, at 4:12 AM, Olaf Bohlen wrote:
> Hello,
> 
> for some strange reasons ;) I want to use dtrace to modify a exec*
> syscall when it''s entered.
> So, if someone calls "./foobar.ksh" I want the exec to call
> /usr/bin/date instead.
> 
> But somehow this does not work.  I think it''s too late to modify
arg0
> when exece() is already called, am I right?
> 
> This is my try:
> 
> #!/usr/sbin/dtrace -s
> #pragma D option destructive
> 
> syscall::exec*:entry
> /copyinstr(arg0) == "./foobar.ksh" /
> {
>   printf("exec arg0: %s\n", copyinstr(arg0));
>   copyout("/usr/bin/date", arg0, 14);
> }
> 
> Yours
> 
> -- 
> Olaf Bohlen      <olafbohlen at googlemail.com>
> Fon: +49 172 4561817         RIPE: DARK-RIPE
> UKW/DSC: 211501050 DH6432 S/Y Annemarie (HX)
> _______________________________________________
> dtrace-discuss mailing list
> dtrace-discuss at opensolaris.org

Hi Angelo,
> This scripts works for me. I tried it on a Solaris 11 Express x86
> machine. 
> 
> You can always catch it a little early. For example when the open system
> call happens.
...
> BTW, I have no idea what the side effects are for doing stuff like this.
> So please be careful using these types of scripts in production.
Thank you for your reply. My script works now for me. It did not caught the exec
probe, because my shell never tried to exec() the script :)
The ksh does a stat() before exec() and the script was simply not there...so ksh
bailed out before exec() :) My fault..

Thanks for all other replies,

Olaf