Commit 79ce51cb authored by Bastian Reitemeier's avatar Bastian Reitemeier

Added -q option to execsnoop to quote individual arguments. This helps when...

Added -q option to execsnoop to quote individual arguments. This helps when working with arguments that contain spaces.
parent 18d3814c
...@@ -42,6 +42,9 @@ parser.add_argument("-t", "--timestamp", action="store_true", ...@@ -42,6 +42,9 @@ parser.add_argument("-t", "--timestamp", action="store_true",
help="include timestamp on output") help="include timestamp on output")
parser.add_argument("-x", "--fails", action="store_true", parser.add_argument("-x", "--fails", action="store_true",
help="include failed exec()s") help="include failed exec()s")
parser.add_argument("-q", "--quote", action="store_true",
help="Add quotemarks (\") around arguments."
)
parser.add_argument("-n", "--name", parser.add_argument("-n", "--name",
type=ArgString, type=ArgString,
help="only print commands matching this name (regex), any arg") help="only print commands matching this name (regex), any arg")
...@@ -192,6 +195,11 @@ def print_event(cpu, data, size): ...@@ -192,6 +195,11 @@ def print_event(cpu, data, size):
skip = True skip = True
if args.name and not re.search(bytes(args.name), event.comm): if args.name and not re.search(bytes(args.name), event.comm):
skip = True skip = True
if args.quote:
argv[event.pid] = [
"\"" + arg.replace("\"", "\\\"") + "\""
for arg in argv[event.pid]
]
if args.line and not re.search(bytes(args.line), if args.line and not re.search(bytes(args.line),
b' '.join(argv[event.pid])): b' '.join(argv[event.pid])):
skip = True skip = True
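Review bot: The new `if args.quote:` branch builds each quoted argument from `str` literals, while the surrounding lines treat `argv[event.pid]` as bytes (`b' '.join(argv[event.pid])`), so under Python 3 the `arg.replace("\"", "\\\"")` call would presumably raise a TypeError. The escaping also leaves backslashes untouched, so an argument that contains a backslash followed by a quote produces output that cannot be parsed back unambiguously, which matters when this output feeds log review or detection tooling. I would use bytes literals and escape the backslash first: `b'"' + arg.replace(b'\\', b'\\\\').replace(b'"', b'\\"') + b'"'`. The rewrite also happens before the `args.line` check, so the `-l` regex is matched against the quoted text rather than the raw arguments; moving the quoting to just before the output is formatted would keep the filter independent of `-q`. `print_event` starts and ends outside the hunk, so the place where the arguments are printed is not visible here.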
......