diff --git a/src/ebpf/include/bpf/exec.h b/src/ebpf/include/bpf/exec.h
new file mode 100644
index 0000000..abc4b35
--- /dev/null
+++ b/src/ebpf/include/bpf/exec.h
@@ -0,0 +1,36 @@
+#ifndef __EXEC_H
+#define __EXEC_H
+
+#include "headervmlinux.h"
+
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include <bpf/bpf_core_read.h>
+
+#include "../../../common/constants.h"
+#include "../../../common/map_common.h"
+#include "defs.h"
+#include "../utils/strings.h"
+
+
+/**
+ * >> cat /sys/kernel/debug/tracing/events/syscalls/sys_enter_open/format
+ */
+struct sys_execve_enter_ctx {
+    unsigned long long unused;
+    int __syscall_nr;
+    unsigned int padding;
+    const char* const *argv;
+    const char* filename;
+    const char* const *envp;
+};
+
+
+SEC("tp/syscalls/sys_enter_execve")
+int tp_sys_enter_execve(struct sys_execve_enter_ctx *ctx) {
+
+}
+
+
+
+#endif
\ No newline at end of file
diff --git a/src/helpers/execve_hijack b/src/helpers/execve_hijack
new file mode 100755
index 0000000..abf396c
Binary files /dev/null and b/src/helpers/execve_hijack differ
diff --git a/src/helpers/execve_hijack.c b/src/helpers/execve_hijack.c
new file mode 100644
index 0000000..fa78c8e
--- /dev/null
+++ b/src/helpers/execve_hijack.c
@@ -0,0 +1,9 @@
+#include <stdio.h>
+
+int main(int argc, char* argv[]){
+    printf("Hello world from execve hijacker\n");
+    for(int ii=0; ii<argc; ii++){
+        printf("Argument %i is %s\n", ii, argv[ii]);
+    }
+    return 0;
+}
\ No newline at end of file