[LAC-DCC] - Keeping track of forcefully killed processes with Honey Potion
Вставка
- Опубліковано 15 вер 2024
- Honey Potion is an open source project that allows us to harness the power of eBPF with the easiness of writing elixir code! Follow this guide to understand just how it is that we can see what PID's have been forcefully killed with less than 20 lines of code!
Honey-Potion's Github: github.com/lac...
Honey-Potion Guide: • [LAC-DCC] - Honey Poti...
Compilers Lab Linked-in: / compilers-lab
![[LAC-DCC] - Managing Packets in Honey Potion - Redirecting, Dropping and Counting Packets Using eBPF](http://i.ytimg.com/vi/IeGRTywLhLg/mqdefault.jpg)
![[LAC-DCC] - Managing Packets in Honey Potion - Redirecting, Dropping and Counting Packets Using eBPF](/img/tr.png)
Thanks for posting this Kael!
Glad to be of help!
Just wondered if anyone knows how to print the command and args as well as the pid?
If you look at 2:55, you'll notice that we are setting the key PID to be 1. We could instead set the key PID to become SIG, that way we know what argument was used to kill the process! Instead of printing your output in the map, you could use the bpf_printk function to print a C string to /sys/kernel/debug/tracing/trace_pipe. If you did a print with the format ("kill -%d %d", sig, pid) you would get the format of a command that could've caused the kill. You can do both prints in only one program, however you will need another terminal to cat the output of "/sys/kernel/debug/tracing/trace_pipe" to see the commands. Hope to have helped!