kprobe vs uprobe system call interposition

Question

I want to write a system call interposition by using Utrace. I understood that Utrace project has been abandoned, but part of its code is used on kprobe and uprobe.

I haven't understood really well how these work. Especially uprobe Can you explain what difference exists between them? And can I use uprobe without writing a module to check which are the actual parameters for a system call?

thanks

Why did you tag `linux-device-driver` and `selinux`? – Matheus Santana Apr 03 '18 at 12:34 — Matheus Santana, Apr 03 '18 at 12:34

score 9 · Accepted Answer · edited Dec 17 '15 at 13:16

9

Kprobe creates and manages probepoints in kernel code, that is, you want to probe some kernel function, say, do_sys_open(). You need to take a look at Documentation/trace/kprobetrace.txt to get some usage of kprobe.

Uprobe creates and manages probepoints in user applications, that is, you want to probe some user-space function, but the probe is run in the kernel space on behalf of the probed process. You need to take a look at Documentation/trace/uprobetracer.txt to get the basic usage of uprobe, to see what it aims for.

edited Dec 17 '15 at 13:16

camillobruni

2,298
16
26

answered Dec 26 '12 at 14:42

Cong Wang

2,001
12
13

Thanks for the answer: I've already seen those files. How can I use uprobe to trace a process not a bin file? – Giuseppe Pes Dec 26 '12 at 15:02

kprobe vs uprobe system call interposition

1 Answers1