From 8428516f13eddd633280d5f6773ce00500645ce0 Mon Sep 17 00:00:00 2001
From: Pragyansh Chaturvedi
Date: Tue, 9 Sep 2025 02:59:01 +0530
Subject: [PATCH] Add execve3.py example
---
examples/execve3.py | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 examples/execve3.py
diff --git a/examples/execve3.py b/examples/execve3.py
new file mode 100644
index 0000000..bffbb03
--- /dev/null
+++ b/examples/execve3.py
@@ -0,0 +1,40 @@
+from pythonbpf.decorators import bpf, map, section, bpfglobal
+from ctypes import c_void_p, c_int64, c_int32, c_uint64
+from pythonbpf.helpers import bpf_ktime_get_ns
+from pythonbpf.maps import HashMap
+
+
+@bpf
+@map
+def last() -> HashMap:
+ return HashMap(key_type=c_uint64, value_type=c_uint64, max_entries=1)
+
+
+@bpf
+@section("tracepoint/syscalls/sys_enter_execve")
+def hello(ctx: c_void_p) -> c_int32:
+ print("entered")
+ print("multi constant support")
+ return c_int32(0)
+
+
+@bpf
+@section("tracepoint/syscalls/sys_exit_execve")
+def hello_again(ctx: c_void_p) -> c_int64:
+ print("exited")
+ key = 0
+ tsp = last().lookup(key)
+ if tsp:
+ delta = (bpf_ktime_get_ns() - tsp.value)
+ if delta < 1000000000:
+ print("execve called within last second")
+ last().delete(key)
+ ts = bpf_ktime_get_ns()
+ last().update(key, ts)
+ return c_int64(0)
+
+
+@bpf
+@bpfglobal
+def LICENSE() -> str:
+ return "GPL"
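Review bot: In `hello_again`, the `last` map has `max_entries=1` and is always accessed with `key = 0`, so the stored timestamp is shared by every task and CPU and "execve called within last second" reports host-wide activity rather than repeated execs by one process; nothing in the file says so. I would add a comment above `key = 0` such as `# single global slot: time of the most recent execve exit on the whole host, not per process`, and one on the threshold, `# 1000000000 ns = 1 s`. The lookup, `delete` and `update` calls are separate map operations, so two CPUs leaving execve at the same moment can interleave them; that is presumably acceptable for an example, but worth stating in the comment. The `last().delete(key)` before `last().update(key, ts)` also looks redundant if `update` overwrites an existing key, which the patch does not show, so confirm against the map API. Indentation was lost in this copy of the patch, so whether `delete` sits inside `if tsp:` cannot be checked here.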