Demonstrations of bashreadline, the Linux eBPF/bcc version.

This prints bash commands from all running bash shells on the system. For
example:

# ./bashreadline
TIME      PID    COMMAND
05:28:25  21176  ls -l
05:28:28  21176  date
05:28:35  21176  echo hello world
05:28:43  21176  foo this command failed
05:28:45  21176  df -h
05:29:04  3059   echo another shell
05:29:13  21176  echo first shell again

When running the script on Arch Linux, you may need to specify the location
of the libreadline.so library:

# ./bashreadline -s /lib/libreadline.so
TIME      PID    COMMAND
11:17:34  28796  whoami
11:17:41  28796  ps -ef
11:17:51  28796  echo "Hello eBPF!"

The entered command may fail. This is just showing what command lines were
entered interactively for bash to process.

It works by tracing the return of the readline() function using uprobes
(specifically a uretprobe).
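
An added example (not part of bcc or of the original file): a Python script that parses bashreadline's TIME/PID/COMMAND output, splits the interleaved stream into per-shell histories by PID, and surfaces rows whose first word is on a watchlist. The sample rows are constructed from the output shown above; the function names and the WATCHLIST contents are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in bashreadline's TIME / PID / COMMAND layout
# (rows taken from the two demonstration runs above).
SAMPLE = """\
TIME      PID    COMMAND
05:28:25  21176  ls -l
05:28:43  21176  foo this command failed
05:29:04  3059   echo another shell
05:29:13  21176  echo first shell again
11:17:34  28796  whoami
11:17:41  28796  ps -ef
"""

# HH:MM:SS, numeric PID, then the rest of the line verbatim as the command.
ROW = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\d+)\s+(.*)$")

# Hypothetical watchlist of first words a responder may want surfaced.
WATCHLIST = {"whoami", "ps", "id", "uname"}

def parse(text):
    """Yield (time, pid, command) per data row; header and blanks are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.rstrip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)

def sessions(text):
    """Demultiplex the interleaved stream into per-PID command lists."""
    by_pid = defaultdict(list)
    for when, pid, cmd in parse(text):
        by_pid[pid].append((when, cmd))
    return dict(by_pid)

def flagged(text, watchlist=WATCHLIST):
    """Return rows whose first word is on the watchlist.

    A row records what was typed, not what ran: the command may have failed.
    """
    hits = []
    for when, pid, cmd in parse(text):
        words = cmd.split()
        if words and words[0] in watchlist:
            hits.append((when, pid, cmd))
    return hits

if __name__ == "__main__":
    for pid, cmds in sessions(SAMPLE).items():
        print(pid, [c for _, c in cmds])
    print(flagged(SAMPLE))
```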