I was referring to http://www-users.cs.umn.edu/~boutcher/kprobes/kprobes.txt.html to understand kprobes. I used kprobe_example.c as given in the doc.

I compiled it using the makefile (code taken from the same document).

I got compilation errors because my kernel version is 4.2 and some fields were changed in struct pt_regs. So I replaced eip with ip and eflag with flag in kprobe_example.c, which is at https://gist.github.com/murlee417/87c2eb43a6afa1954b05404a07813e81. Then I was able to compile it successfully.

Now, as a root user, I did:

# insmod kprobe_example.ko

and I got:

insmod: ERROR: could not insert module kprobe_example.ko: Operation not permitted

My message buffer has:

# dmesg
[ 4537.478408] Couldn't find do_fork to plant kprobe

Please help me to resolve this error and make insmod work.

flyingunicorn

  • `I got compilation errors because my kernel version is 4.2 and some fields were changed in struct pt_regs.` - Not only a single struct has changed. The [definition of the function `do_fork`](http://lxr.free-electrons.com/source/kernel/fork.c?v=4.2#L1753) now depends on the configuration macro *HAVE_COPY_THREAD_TLS*. This macro is probably defined in your case (check the `.config` file in the kernel build directory), so the function is simply absent. If this is the case, just change the name of the function to probe. – Tsyvarev Sep 19 '16 at 08:31

1 Answer

On x86, do_fork() is known as sys_fork(), so change the code as below:

/* For each probe you need to allocate a kprobe structure */
static struct kprobe kp = {
    //.symbol_name  = "do_fork",
    .symbol_name    = "sys_fork",
};
Rahul Ravi