#!/usr/sbin/dtrace -s
/*
 * whatexec.d - Examine the type of files exec'd.
 *              Written using DTrace (Solaris 10 3/05)
 *
 * This prints the first four chacacters of files that are executed.
 * This traces the kernel function findexec_by_hdr(), which checks for
 * a known magic number in the file's header.
 *
 * The idea came from a demo I heard about from the UK, where a
 * "blue screen of death" was displayed for "MZ" files (although I
 * haven't seen the script or the demo).
 *
 * $Id: whatexec.d 3 2007-08-01 10:50:08Z brendan $
 *
 * USAGE:	whatexec.d	(early release, check for updates)
 *
 * FIELDS:
 *		PEXEC		parent command name
 *		EXEC		pathname to file exec'd
 *		OK		is type runnable, Y/N
 *		TYPE		first four characters from file
 *
 * COPYRIGHT: Copyright (c) 2006 Brendan Gregg.
 *
 * CDDL HEADER START
 *
 *  The contents of this file are subject to the terms of the
 *  Common Development and Distribution License, Version 1.0 only
 *  (the "License").  You may not use this file except in compliance
 *  with the License.
 *
 *  You can obtain a copy of the license at Docs/cddl1.txt
 *  or http://www.opensolaris.org/os/licensing.
 *  See the License for the specific language governing permissions
 *  and limitations under the License.
 *
 * CDDL HEADER END
 *
 * 11-Feb-2006  Brendan Gregg   Created this.
 * 25-Apr-2006	   "      "	Last update.
 */

#pragma D option quiet

this char *buf;

dtrace:::BEGIN
{
	printf("%-16s %-38s %2s %s\n", "PEXEC", "EXEC", "OK", "TYPE");
}

fbt::gexec:entry
{
	self->file = cleanpath((*(struct vnode **)arg0)->v_path);
	self->ok = 1;
}

fbt::findexec_by_hdr:entry
/self->ok/
{
	bcopy(args[0], this->buf = alloca(5), 4);
	this->buf[4] = '\0';
	self->hdr = stringof(this->buf);
}

fbt::findexec_by_hdr:return
/self->ok/
{
	printf("%-16s %-38s %2s %S\n", execname, self->file,
	    arg1 == NULL ? "N" : "Y", self->hdr);
	self->hdr = 0;
}

fbt::gexec:return
{
	self->file = 0;
	self->ok = 0;
}