2 files changed, 19 insertions, 0 deletions

diff --git a/internal/generate/bpfhandler.go b/internal/generate/bpfhandler.go
index 5489d88..9365c52 100644
--- a/internal/generate/bpfhandler.go
+++ b/internal/generate/bpfhandler.go
@@ -151,6 +151,12 @@ func generateExtraMqOpen(f *Format) string {
 func generateExtraExec(f *Format) string {
 	filenameIdx := f.FieldNumber("filename")
 	dirfdIdx := f.FieldNumber("dfd")
+	if dirfdIdx < 0 {
+		dirfdIdx = f.FieldNumber("fd")
+	}
+	if dirfdIdx < 0 {
+		dirfdIdx = f.FieldNumber("dirfd")
+	}
 	flagsIdx := f.FieldNumber("flags")
 	if filenameIdx < 0 {
 		filenameIdx = 0
@@ -161,6 +167,8 @@ func generateExtraExec(f *Format) string {
 	b.WriteString("    bpf_get_current_comm(&ev->comm, sizeof(ev->comm));\n")
 	if dirfdIdx > -1 {
 		fmt.Fprintf(&b, "    ev->dirfd = (__s32)ctx->args[%d];\n", dirfdIdx)
+	} else if f.Name == "sys_enter_execveat" {
+		b.WriteString("    ev->dirfd = (__s32)ctx->args[0];\n")
 	} else {
 		b.WriteString("    ev->dirfd = -1;\n")
 	}
diff --git a/internal/generate/codegen_test.go b/internal/generate/codegen_test.go
index 95ced4d..c653ad0 100644
--- a/internal/generate/codegen_test.go
+++ b/internal/generate/codegen_test.go
@@ -75,6 +75,17 @@ func TestGenerateExecHandler(t *testing.T) {
 	requireContains(t, output, "ev->flags = (__s32)ctx->args[4];")
 }
 
+func TestGenerateExecHandlerDirfdFallbackForExecveat(t *testing.T) {
+	enter := strings.ReplaceAll(FormatExecveat, "dfd", "fd")
+	output := generateFromPair(t, enter, FormatExitExecveat)
+
+	requireContains(t, output, `SEC("tracepoint/syscalls/sys_enter_execveat")`)
+	requireContains(t, output, "ev->dirfd = (__s32)ctx->args[0];")
+	if strings.Contains(output, "ev->dirfd = -1;") {
+		t.Fatal("execveat handler unexpectedly falls back to ev->dirfd = -1")
+	}
+}
+
 func TestGenerateOpenat2Handler(t *testing.T) {
 	f := mustParseOne(t, FormatOpenat2)
 	r := ClassifyFormat(&f)