File tree Expand file tree Collapse file tree 1 file changed +40
-0
lines changed Expand file tree Collapse file tree 1 file changed +40
-0
lines changed Original file line number Diff line number Diff line change 1+ from pythonbpf .decorators import bpf , map , section , bpfglobal
2+ from ctypes import c_void_p , c_int64 , c_int32 , c_uint64
3+ from pythonbpf .helpers import bpf_ktime_get_ns
4+ from pythonbpf .maps import HashMap
5+
6+
7+ @bpf
8+ @map
9+ def last () -> HashMap :
10+ return HashMap (key_type = c_uint64 , value_type = c_uint64 , max_entries = 1 )
11+
12+
13+ @bpf
14+ @section ("tracepoint/syscalls/sys_enter_execve" )
15+ def hello (ctx : c_void_p ) -> c_int32 :
16+ print ("entered" )
17+ print ("multi constant support" )
18+ return c_int32 (0 )
19+
20+
21+ @bpf
22+ @section ("tracepoint/syscalls/sys_exit_execve" )
23+ def hello_again (ctx : c_void_p ) -> c_int64 :
24+ print ("exited" )
25+ key = 0
26+ tsp = last ().lookup (key )
27+ if tsp :
28+ delta = (bpf_ktime_get_ns () - tsp .value )
29+ if delta < 1000000000 :
30+ print ("execve called within last second" )
31+ last ().delete (key )
32+ ts = bpf_ktime_get_ns ()
33+ last ().update (key , ts )
34+ return c_int64 (0 )
35+
36+
37+ @bpf
38+ @bpfglobal
39+ def LICENSE () -> str :
40+ return "GPL"
You can’t perform that action at this time.
0 commit comments