I am writing a kernel module on Scientific Linux 6.3 x86_64 and want to use kprobes. In this module I need to access the first argument of a function at return time, so I don't need to use jprobes.
I found this post helpful:
However, when I try to access regs->rdi in the probe, the compiler complains:
error: ‘struct pt_regs’ has no member named ‘rdi’
During my module initialisation I run this check without any problem:
#ifndef CONFIG_X86_64
printk(KERN_ALERT "Error: this module only supports x86_64!\n");
#endif
When I try to run sudo opensnoop-bpfcc I get a message like this:
In file included from /virtual/main.c:4:
In file included from include/linux/sched.h:14:
In file included from include/linux/pid.h:5:
In file included from include/linux/rculist.h:11:
In file included from include/linux/rcupdate.h:40:
In file included from inclu
Kprobes have a pre-handler, which is vaguely documented as follows:
User's pre-handler (kp->pre_handler)::
#include <linux/kprobes.h>
#include <linux/ptrace.h>
int pre_handler(struct kprobe *p, struct pt_regs *regs);
Called with p pointing to the kprobe associated with the breakpoint,
and regs pointing to the str
I am following the bcc tutorial and trying to run the trace-bpfcc command: sudo trace-bpfcc 'sys_execve "%s", arg1'
The command fails with the error: cannot attach kprobe, probe entry may not exist Failed to attach BPF program b'probe_sys_execve_1' to kprobe b'sys_execve'
Searching the web, I found that this error occurs if the __x64_sys_execve symbol is missing from /proc/kallsyms, but I do have it there
I am trying to load a BPF program with the bpf syscall, but on return I get invalid argument (EINVAL). From what I can see, the possible causes are:
EINVAL
For BPF_PROG_LOAD, indicates an attempt to load an invalid program.
eBPF programs can be deemed invalid due to unrecognized instructions,
the use of reserved fields, jumps out of range, infinite loops or calls
of unkno
I have placed a kprobe on a function, and now I need to get the values of its arguments in the kprobe's pre-handler.
Here is my function:
void foobar(int arg, int arg2, int arg3, int arg4, int arg5, int arg6, int arg7, int arg8)
{
printk("foobar called\n");
}
Placing the kprobe on it and calling the function:
...
kp.addr = (kprobe_opcode_t *) foobar;
register_kprobe(&kp);
foobar(0xdead1, 0xdea
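Added example (not code from any of the posts above): a user-space C model of how a kprobe pre-handler on x86_64 reaches the probed function's arguments, covering both the regs->rdi compile error and the eight-argument foobar() case. The struct pt_regs layout and register names (di, si, dx, cx, r8, r9, sp) mirror the kernel's arch/x86/include/asm/ptrace.h; kernel code drops the r prefix, so the first argument is regs->di, and regs->rdi does not exist. The regs_get_kernel_argument() below re-implements the logic of the kernel helper of the same name that recent kernels provide (older kernels read regs->di etc. directly, and fetch stack arguments with regs_get_kernel_stack_nth()). The register values and stack contents are constructed to look like what the pre-handler would see for foobar(0xdead1, ..., 0xdead8); nothing here is the original poster's code.

```c
/* User-space model of x86_64 kprobe argument access (added example). */
#include <stdio.h>

/* Field names and order copied from the kernel's x86_64 struct pt_regs.
 * Note the names: di/si/dx/cx, not rdi/rsi/rdx/rcx. */
struct pt_regs {
    unsigned long r15, r14, r13, r12, bp, bx, r11, r10, r9, r8;
    unsigned long ax, cx, dx, si, di, orig_ax;
    unsigned long ip, cs, flags, sp, ss;
};

#define NR_REG_ARGUMENTS 6

/* Model of the kernel's regs_get_kernel_argument(regs, n), n counted from 0.
 * SysV x86_64 ABI: arguments 1..6 travel in rdi, rsi, rdx, rcx, r8, r9; the
 * rest are pushed on the stack. At the kprobe breakpoint (first instruction
 * of the function) regs->sp points at the return address, so argument 7 is
 * at sp+8, argument 8 at sp+16, and so on. Like the kernel helper, this is
 * only meaningful for a kprobe placed at function entry; the kernel version
 * additionally refuses stack reads outside the current kernel stack. */
static unsigned long regs_get_kernel_argument(const struct pt_regs *regs,
                                              unsigned int n)
{
    switch (n) {
    case 0: return regs->di;
    case 1: return regs->si;
    case 2: return regs->dx;
    case 3: return regs->cx;
    case 4: return regs->r8;
    case 5: return regs->r9;
    default: {
        const unsigned long *stack = (const unsigned long *)regs->sp;
        n -= NR_REG_ARGUMENTS - 1;   /* slot 0 is the return address */
        return stack[n];
    }
    }
}

/* Constructed stack as it would look at entry to
 * foobar(0xdead1, ..., 0xdead8): return address, then args 7 and 8. */
static unsigned long sample_stack[3];

static struct pt_regs make_sample_regs(void)
{
    struct pt_regs regs = {0};
    regs.di = 0xdead1; regs.si = 0xdead2; regs.dx = 0xdead3;
    regs.cx = 0xdead4; regs.r8 = 0xdead5; regs.r9 = 0xdead6;
    sample_stack[0] = 0xc0ffee;  /* constructed return address */
    sample_stack[1] = 0xdead7;   /* 7th argument */
    sample_stack[2] = 0xdead8;   /* 8th argument */
    regs.sp = (unsigned long)sample_stack;
    return regs;
}

/* Argument n (0-based) of the constructed foobar call, fetched the way a
 * pre-handler would; arguments beyond the 8 we constructed return 0. */
unsigned long sample_arg(unsigned int n)
{
    struct pt_regs regs = make_sample_regs();
    if (n >= 8)
        return 0;
    return regs_get_kernel_argument(&regs, n);
}

int main(void)
{
    for (unsigned int n = 0; n < 8; n++)
        printf("arg%u = 0x%lx\n", n + 1, sample_arg(n));
    return 0;
}
```

In a real pre-handler the same lookup is regs_get_kernel_argument(regs, n) on kernels that have it, or regs->di / regs->si / ... plus regs_get_kernel_stack_nth(regs, n - 5) for the seventh argument onward; either way the value is only trustworthy when the kprobe sits on the function's first instruction, since after the prologue the registers and stack pointer have moved.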