1*387f9dfdSAndroid Build Coastguard Worker#!/usr/bin/python 2*387f9dfdSAndroid Build Coastguard Worker# 3*387f9dfdSAndroid Build Coastguard Worker# strlen_count Trace strlen() and print a frequency count of strings. 4*387f9dfdSAndroid Build Coastguard Worker# For Linux, uses BCC, eBPF. Embedded C. 5*387f9dfdSAndroid Build Coastguard Worker# 6*387f9dfdSAndroid Build Coastguard Worker# Written as a basic example of BCC and uprobes. 7*387f9dfdSAndroid Build Coastguard Worker# 8*387f9dfdSAndroid Build Coastguard Worker# Also see strlensnoop. 9*387f9dfdSAndroid Build Coastguard Worker# 10*387f9dfdSAndroid Build Coastguard Worker# Copyright 2016 Netflix, Inc. 11*387f9dfdSAndroid Build Coastguard Worker# Licensed under the Apache License, Version 2.0 (the "License") 12*387f9dfdSAndroid Build Coastguard Worker 13*387f9dfdSAndroid Build Coastguard Workerfrom __future__ import print_function 14*387f9dfdSAndroid Build Coastguard Workerfrom bcc import BPF 15*387f9dfdSAndroid Build Coastguard Workerfrom bcc.utils import printb 16*387f9dfdSAndroid Build Coastguard Workerfrom time import sleep 17*387f9dfdSAndroid Build Coastguard Worker 18*387f9dfdSAndroid Build Coastguard Worker# load BPF program 19*387f9dfdSAndroid Build Coastguard Workerb = BPF(text=""" 20*387f9dfdSAndroid Build Coastguard Worker#include <uapi/linux/ptrace.h> 21*387f9dfdSAndroid Build Coastguard Worker 22*387f9dfdSAndroid Build Coastguard Workerstruct key_t { 23*387f9dfdSAndroid Build Coastguard Worker char c[80]; 24*387f9dfdSAndroid Build Coastguard Worker}; 25*387f9dfdSAndroid Build Coastguard WorkerBPF_HASH(counts, struct key_t); 26*387f9dfdSAndroid Build Coastguard Worker 27*387f9dfdSAndroid Build Coastguard Workerint count(struct pt_regs *ctx) { 28*387f9dfdSAndroid Build Coastguard Worker if (!PT_REGS_PARM1(ctx)) 29*387f9dfdSAndroid Build Coastguard Worker return 0; 30*387f9dfdSAndroid Build Coastguard Worker 31*387f9dfdSAndroid Build Coastguard Worker struct key_t key = {}; 32*387f9dfdSAndroid Build Coastguard Worker u64 zero = 0, *val; 33*387f9dfdSAndroid Build Coastguard Worker 34*387f9dfdSAndroid Build Coastguard Worker bpf_probe_read_user(&key.c, sizeof(key.c), (void *)PT_REGS_PARM1(ctx)); 35*387f9dfdSAndroid Build Coastguard Worker // could also use `counts.increment(key)` 36*387f9dfdSAndroid Build Coastguard Worker val = counts.lookup_or_try_init(&key, &zero); 37*387f9dfdSAndroid Build Coastguard Worker if (val) { 38*387f9dfdSAndroid Build Coastguard Worker (*val)++; 39*387f9dfdSAndroid Build Coastguard Worker } 40*387f9dfdSAndroid Build Coastguard Worker return 0; 41*387f9dfdSAndroid Build Coastguard Worker}; 42*387f9dfdSAndroid Build Coastguard Worker""") 43*387f9dfdSAndroid Build Coastguard Workerb.attach_uprobe(name="c", sym="strlen", fn_name="count") 44*387f9dfdSAndroid Build Coastguard Worker 45*387f9dfdSAndroid Build Coastguard Worker# header 46*387f9dfdSAndroid Build Coastguard Workerprint("Tracing strlen()... Hit Ctrl-C to end.") 47*387f9dfdSAndroid Build Coastguard Worker 48*387f9dfdSAndroid Build Coastguard Worker# sleep until Ctrl-C 49*387f9dfdSAndroid Build Coastguard Workertry: 50*387f9dfdSAndroid Build Coastguard Worker sleep(99999999) 51*387f9dfdSAndroid Build Coastguard Workerexcept KeyboardInterrupt: 52*387f9dfdSAndroid Build Coastguard Worker pass 53*387f9dfdSAndroid Build Coastguard Worker 54*387f9dfdSAndroid Build Coastguard Worker# print output 55*387f9dfdSAndroid Build Coastguard Workerprint("%10s %s" % ("COUNT", "STRING")) 56*387f9dfdSAndroid Build Coastguard Workercounts = b.get_table("counts") 57*387f9dfdSAndroid Build Coastguard Workerfor k, v in sorted(counts.items(), key=lambda counts: counts[1].value): 58*387f9dfdSAndroid Build Coastguard Worker printb(b"%10d \"%s\"" % (v.value, k.c)) 59