whatexec.d 1m "$Date:: 2007-08-05 #$" "USER COMMANDS"
NAME
whatexec.d - Examine the type of files exec'd. Uses DTrace.
SYNOPSIS
whatexec.d
DESCRIPTION
This prints the first four characters of files that are executed. This traces the kernel function findexec_by_hdr(), which checks for a known magic number in the file's header. The idea came from a demo I heard about from the UK, where a "blue screen of death" was displayed for "MZ" files (although I haven't seen the script or the demo). Since this uses DTrace, only the root user or users with the dtrace_kernel privilege can run this command.
OS
Solaris
STABILITY
unstable - this script uses fbt provider probes which may change for future updates of the OS, invalidating this script. Please read Docs/Notes/ALLfbt_notes.txt for further details about these fbt scripts.
EXAMPLES

Trace execs as they occur,
# whatexec.d

FIELDS

PEXEC parent command name

EXEC pathname to file exec'd

OK is type runnable, Y/N

TYPE first four characters from file
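
A userland approximation of the OK and TYPE fields, added here as an example (it is not part of whatexec.d or the DTraceToolkit): it reads the first four bytes of each executable-bit file under a directory and lists those whose header is not a recognised magic number. The magic list, the '.' rendering of non-printable bytes, and the names classify, audit and build_sample are assumptions.

```python
import os
import stat
import tempfile

KNOWN_MAGIC = (b"\x7fELF", b"#!")  # assumed list for illustration, not from the page

def header_type(head: bytes) -> str:
    """First four bytes as text; non-printable bytes become '.' (assumed rendering)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in head[:4])

def classify(path: str) -> tuple[str, str]:
    """Return (OK, TYPE) for one file; short or empty files yield fewer bytes."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    return ("Y" if head.startswith(KNOWN_MAGIC) else "N"), header_type(head)

def audit(root: str) -> list[tuple[str, str]]:
    """List (relative path, TYPE) for executable-bit regular files with OK == 'N'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode) or not mode & 0o111:
                continue  # symlink, device, or no execute bit set
            ok, ftype = classify(path)
            if ok == "N":
                findings.append((os.path.relpath(path, root), ftype))
    return findings

def build_sample(root: str) -> None:
    """Write a constructed sample tree: name -> (header bytes, mode)."""
    samples = {
        "elf_bin": (b"\x7fELF\x02\x01\x01", 0o755),
        "script.sh": (b"#!/bin/sh\nexit 0\n", 0o755),
        "setup.exe": (b"MZ\x90\x00\x03", 0o755),
        "tiny": (b"a", 0o755),
        "notes.dat": (b"MZ\x90\x00", 0o644),
    }
    for name, (data, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit(tmp))
```

Unlike the DTrace script, this inspects files at rest rather than at exec time, so it complements the trace by showing which on-disk files would produce an OK of N.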

DOCUMENTATION
See the DTraceToolkit for further documentation under the Docs directory. The DTraceToolkit docs may include full worked examples with verbose descriptions explaining the output.
EXIT
whatexec.d will trace until Ctrl-C is hit.
AUTHOR
Brendan Gregg [Sydney, Australia]
SEE ALSO
dtrace(1M)