3 * whatexec.d - Examine the type of files exec'd.
4 * Written using DTrace (Solaris 10 3/05)
6 * This prints the first four chacacters of files that are executed.
7 * This traces the kernel function findexec_by_hdr(), which checks for
8 * a known magic number in the file's header.
10 * The idea came from a demo I heard about from the UK, where a
11 * "blue screen of death" was displayed for "MZ" files (although I
12 * haven't seen the script or the demo).
14 * $Id: whatexec.d 3 2007-08-01 10:50:08Z brendan $
16 * USAGE: whatexec.d (early release, check for updates)
19 * PEXEC parent command name
20 * EXEC pathname to file exec'd
21 * OK is type runnable, Y/N
22 * TYPE first four characters from file
24 * COPYRIGHT: Copyright (c) 2006 Brendan Gregg.
28 * The contents of this file are subject to the terms of the
29 * Common Development and Distribution License, Version 1.0 only
30 * (the "License"). You may not use this file except in compliance
33 * You can obtain a copy of the license at Docs/cddl1.txt
34 * or http://www.opensolaris.org/os/licensing.
35 * See the License for the specific language governing permissions
36 * and limitations under the License.
40 * 11-Feb-2006 Brendan Gregg Created this.
41 * 25-Apr-2006 " " Last update.
44 #pragma D option quiet
50 printf("%-16s %-38s %2s %s\n", "PEXEC", "EXEC", "OK", "TYPE");
55 self->file = cleanpath((*(struct vnode **)arg0)->v_path);
59 fbt::findexec_by_hdr:entry
62 bcopy(args[0], this->buf = alloca(5), 4);
64 self->hdr = stringof(this->buf);
67 fbt::findexec_by_hdr:return
70 printf("%-16s %-38s %2s %S\n", execname, self->file,
71 arg1 == NULL ? "N" : "Y", self->hdr);