
I just could not wrap my head around the idea of debuggers and probing tools.

How is it technically possible to insert debugging printk statements inside a running kernel module or user-space application using Kprobe and Uprobe? What terminology is used to define the behavior of Kprobe and Uprobe in terms of memory? How is it possible to stretch the address space while the program is in the running state?

user786
  • I think my question would have been answered if I just created a program. In it I add a trap handler for, let's say, `SIGINT` and send the signal to any other process. So in turn my program's trap handler will be called; at that time, in the trap handler, I just need to read the CPU registers and the CPU debugging registers. So the question is really about which registers, and what the debugging registers are. It should make more sense. Is this the right understanding of how trap handlers work? – user786 Jan 18 '21 at 18:46

1 Answer


There are usually single-byte instructions that cause a breakpoint (software interrupt) and then there are some debug registers in the processor too.

With these it is possible to insert a trap that jumps to kernel trap handler anywhere in memory without extending any "memory space" - you just set the debug registers or replace the desired instruction at the breakpoint with that trap instruction.

Within the kernel trap handler, the kernel would get to know the exact address where the fault occurred and could therefore inspect the state of the registers and so forth. In the case of a trap by a single-byte instruction or so, you'd replace the trap instruction with the original one, possibly use a processor trick to single-step it, and then replace it with the trap instruction again...

  • According to the [Kprobes documentation](https://www.kernel.org/doc/html/latest/trace/kprobes.html#how-does-a-kprobe-work), it actually single-steps a copy of the instruction (as replace, step, replace opens a window for a potential race, where another CPU might miss the breakpoint). – Hasturkun Jan 17 '21 at 13:49
  • `it is possible to insert a trap that jumps to kernel trap handler * anywhere in memory` does `anywhere in memory` mean "it can, and is required by the single-byte trap instruction, to start the trap handler, which can just jump to anywhere in memory"? [Where does it normally jump to -- which memory address??] Please clarify. On my system the memory address is 16 bit; how can a 16-bit address plus something get placed in a 1-byte trap instruction? – user786 Jan 17 '21 at 14:12
  • No, the said trap instruction is usually something that jumps to a predefined vector. – Antti Haapala -- Слава Україні Jan 17 '21 at 17:51
  • Almost every processor would have such an instruction - for example the 6502/6510 processor as used in the C64 would have a one-byte-wide BRK instruction. – Antti Haapala -- Слава Україні Jan 17 '21 at 17:57
  • @AnttiHaapala I think my question would have been answered if I just created a program. In it I add a trap handler for, let's say, SIGINT and send the signal to any other process. So in turn my program's trap handler will be called; at that time, in the trap handler, I just need to read the CPU registers and the CPU debugging registers. So the question is really about which registers, and what the debugging registers are. It should make more sense. Is this the right understanding of how trap handlers work? – user786 Jan 18 '21 at 18:47
  • @AnttiHaapala Can you also please take a look at this question. I just need to register MMAP with a PCI device driver. https://stackoverflow.com/questions/65749351/in-order-to-write-pci-ethernet-driver-how-to-implement-mmap-in-the-pci-ethernet – user786 Jan 19 '21 at 06:13
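The following is an added example, not code from the answer above and not the kernel's kprobes/uprobes implementation. It models the cycle the answer describes (overwrite the first byte of a function with the one-byte `int3`, take the trap, read the registers, put the original byte back, single-step it with the processor's trap flag, re-arm the breakpoint) entirely in user space on Linux x86-64: a `SIGTRAP` handler plays the part of the kernel trap handler and reads the faulting RIP and the argument register out of the `ucontext`. The function `target`, the helpers `arm_probe`/`run_probe_demo`/`probe_last_arg`, and the glibc `gregs[]` index fallbacks are this example's own assumptions.

```c
/* Added example: user-space model of the int3 replace / single-step / re-arm cycle.
 * Linux x86-64 + glibc only. Not the kernel's kprobes code. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

/* glibc x86-64 gregs[] indices; fallbacks in case _GNU_SOURCE was seen too late. */
#ifndef REG_RDI
#define REG_RDI 8
#endif
#ifndef REG_RIP
#define REG_RIP 16
#endif
#ifndef REG_EFL
#define REG_EFL 17
#endif
#define X86_EFLAGS_TF 0x100UL   /* trap flag: CPU raises #DB after one instruction */
#define INT3 0xCC               /* the single-byte x86 breakpoint instruction */

static uint8_t *probe_addr;              /* where the int3 was planted */
static uint8_t  saved_byte;              /* original first byte of the probed function */
static volatile sig_atomic_t stepping;   /* 1 while single-stepping the original insn */
static volatile sig_atomic_t hits;       /* number of times the probe fired */
static volatile long seen_rdi;           /* first argument captured in the "pre-handler" */

/* Hypothetical probed function. noinline keeps a real first byte to patch. */
__attribute__((noinline)) int target(int x) { return x * 2; }

/* Stand-in for the kernel's trap handler: same replace / step / re-arm cycle. */
static void on_sigtrap(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si;
    ucontext_t *uc = ctx;
    if (!stepping) {
        /* Breakpoint hit: int3 already advanced RIP past the 0xCC byte. */
        hits++;
        seen_rdi = (long)uc->uc_mcontext.gregs[REG_RDI];   /* SysV ABI: 1st int arg */
        *probe_addr = saved_byte;                          /* restore original byte */
        uc->uc_mcontext.gregs[REG_RIP] = (greg_t)(uintptr_t)probe_addr; /* re-run it */
        uc->uc_mcontext.gregs[REG_EFL] |= X86_EFLAGS_TF;   /* single-step that one insn */
        stepping = 1;
    } else {
        /* Single-step trap: the original instruction has now executed. */
        *probe_addr = INT3;                                /* re-arm the probe */
        uc->uc_mcontext.gregs[REG_EFL] &= ~(greg_t)X86_EFLAGS_TF;
        stepping = 0;
    }
}

/* Plant the breakpoint on fn's first byte. Returns 0 on success, -1 on failure. */
static int arm_probe(void *fn)
{
    long page = sysconf(_SC_PAGESIZE);
    uint8_t *p = fn;
    void *page_start = (void *)((uintptr_t)p & ~(uintptr_t)(page - 1));
    /* Code pages are r-x; make the page holding fn writable (W^X policy may refuse). */
    if (mprotect(page_start, (size_t)page, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigtrap;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, NULL) != 0)
        return -1;
    probe_addr = p;
    saved_byte = *p;
    *p = INT3;
    return 0;
}

/* Call target() n times through the armed probe; returns hit count, -1 on failure. */
int run_probe_demo(int n)
{
    hits = 0; stepping = 0;
    if (arm_probe((void *)(uintptr_t)target) != 0) return -1;
    int (*volatile fp)(int) = target;   /* volatile: stop the compiler folding the calls */
    for (int i = 0; i < n; i++)
        if (fp(21) != 42) return -1;    /* probed function still computes its result */
    *probe_addr = saved_byte;           /* disarm */
    return hits;
}

long probe_last_arg(void) { return seen_rdi; }

int main(void)
{
    int n = run_probe_demo(3);
    printf("probe fired %d times, last RDI seen = %ld\n", n, probe_last_arg());
    return n == 3 ? 0 : 1;
}
```

Two things to note. First, this is the in-place variant the answer sketches: between restoring the original byte and re-arming, another thread calling `target` would run straight through without trapping, which is exactly the window Hasturkun's comment points out and the reason kprobes single-step a copy of the instruction out of line instead. Second, a real uprobe does not need `mprotect` in the traced process: the kernel installs the breakpoint from its side, so the text page stays non-writable to the process itself.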