36 lines
866 B
C
36 lines
866 B
C
#include <uapi/linux/ptrace.h>
|
|
#include <linux/sched.h>
|
|
|
|
struct event_data_t {
|
|
int type;
|
|
u32 pid;
|
|
u32 ppid;
|
|
} __attribute__((packed));
|
|
|
|
BPF_PERF_OUTPUT(events);
|
|
|
|
int trace_process_start(struct pt_regs *ctx, struct filename *filename) {
|
|
struct event_data_t event_data;
|
|
|
|
u32 pid = bpf_get_current_pid_tgid();
|
|
u32 ppid = bpf_get_current_pid_tgid() >> 32;
|
|
event_data.type = 0;
|
|
event_data.pid = pid;
|
|
event_data.ppid = ppid;
|
|
events.perf_submit(ctx, &event_data, sizeof(event_data));
|
|
return 0;
|
|
}
|
|
|
|
int trace_process_exit(struct pt_regs *ctx) {
|
|
struct event_data_t event_data;
|
|
|
|
u32 pid = bpf_get_current_pid_tgid();
|
|
u32 ppid = bpf_get_current_pid_tgid() >> 32;
|
|
event_data.type = 1;
|
|
event_data.pid = pid;
|
|
event_data.ppid = ppid;
|
|
events.perf_submit(ctx, &event_data, sizeof(event_data));
|
|
|
|
return 0;
|
|
}
|