
I'm trying to find a way to monitor a process by hooking its function.

       [Process]                             [thirdparty]
       ...                  trigger callback
                            
pc --> myfunc(st *s, int b); ------------>   handle_myfunc_call(ctx) {
                                              st *s = (st*)ctx->rax;
                                              s->xxx //do some statistics
                                             }
                               return          
                              <--------
        ...
       [Process]                             [thirdparty]

I know the easiest way is using eBPF with uprobes. But I need another way which may work under an old Linux kernel like 3.10.

USDT

The programmer needs to add a hook in the source code, which is not what I want.

uprobe

I'm familiar with writing kprobes with a kernel module. But after searching Google, I find most uprobe samples are like this:

echo 'p:myfunc binaddr:offset %x0 %x1' > uprobe_events
cat /sys/kernel/tracing/trace_pipe

It seems that uprobe just prints the log instead of calling some callback.

systemtap

As far as I know systemtap is using uprobes (fix me) to attach to user functions, but I don't know the details about how it works. It seems that using uprobes the way systemtap does works for me.

Utrace

deprecated

Like gdb attach

Thirdparty runs as the parent of Process
ptrace rewrites instructions (like gdb's break command)
Capture the signal
Access the registers

I think it's not easy, and signals may cost a lot of CPU time...

Nail Jay
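The "like gdb attach" option from the question, worked through as an added example (this is not code from the question or the answer): the tracer forks the traced process, plants an int3 breakpoint on the first byte of myfunc(), and on every SIGTRAP reads the call's arguments out of the registers before restoring the original byte, single-stepping past it and re-arming. Assumptions: x86-64 Linux, the System V calling convention (first argument in rdi, second in rsi), ptrace permitted for a child that calls PTRACE_TRACEME, and the child being a fork of the tracer so that myfunc has the same address in both. The st type, myfunc, on_myfunc_call, run_hook and hooked_sum are all constructed for this example.

```c
/* Added example, not from the question or answer: ptrace-based entry hook on
 * myfunc() for x86-64 Linux. Each call of myfunc in the traced child costs a
 * breakpoint trap, a single-step trap and several ptrace syscalls, which is the
 * per-call overhead the question worries about. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

typedef struct { long xxx; } st;            /* constructed stand-in for the question's st */

/* The hooked function; noinline so the child really calls it through its address. */
__attribute__((noinline)) int myfunc(st *s, int b) {
    s->xxx += b;
    return (int)s->xxx;
}

/* Statistics kept by the tracer (the question's handle_myfunc_call). */
typedef struct { int calls; long sum_b; } hook_stats;

static void on_myfunc_call(const struct user_regs_struct *regs, hook_stats *stats) {
    stats->calls++;
    stats->sum_b += (long)regs->rsi;        /* second argument: b */
    /* the first argument s is in regs->rdi; its fields could be read with PTRACE_PEEKDATA */
}

/* Runs a traced child that calls myfunc() ncalls times (b = 1..ncalls).
 * Returns the number of breakpoint hits, or -1 on a ptrace/wait failure. */
int run_hook(int ncalls, long *sum_b_out) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                         /* traced child */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(1);
        raise(SIGSTOP);                     /* pause so the tracer can plant the breakpoint */
        st s = {0};
        for (int i = 1; i <= ncalls; i++) myfunc(&s, i);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;

    uintptr_t addr = (uintptr_t)myfunc;     /* same image after fork, so same address */
    errno = 0;
    long orig = ptrace(PTRACE_PEEKTEXT, pid, (void *)addr, NULL);
    if (orig == -1 && errno) return -1;
    long patched = (orig & ~0xffL) | 0xcc;  /* int3 replaces the first byte */
    if (ptrace(PTRACE_POKETEXT, pid, (void *)addr, (void *)patched) < 0) return -1;
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) < 0) return -1;

    hook_stats stats = {0, 0};
    for (;;) {
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status)) break;
        if (!WIFSTOPPED(status)) continue;
        if (WSTOPSIG(status) != SIGTRAP) {  /* unrelated signal: deliver it unchanged */
            ptrace(PTRACE_CONT, pid, NULL, (void *)(long)WSTOPSIG(status));
            continue;
        }
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) return -1;
        if (regs.rip != addr + 1) {         /* a SIGTRAP that is not our breakpoint */
            ptrace(PTRACE_CONT, pid, NULL, NULL);
            continue;
        }
        on_myfunc_call(&regs, &stats);
        /* back up over the int3, restore the original byte, execute that one
         * instruction, then re-arm the breakpoint for the next call */
        regs.rip = addr;
        ptrace(PTRACE_SETREGS, pid, NULL, &regs);
        ptrace(PTRACE_POKETEXT, pid, (void *)addr, (void *)orig);
        ptrace(PTRACE_SINGLESTEP, pid, NULL, NULL);
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status)) break;
        ptrace(PTRACE_POKETEXT, pid, (void *)addr, (void *)patched);
        ptrace(PTRACE_CONT, pid, NULL, NULL);
    }
    if (sum_b_out) *sum_b_out = stats.sum_b;
    return stats.calls;
}

/* Convenience: sum of the b arguments seen by the hook, or -1 on failure. */
long hooked_sum(int ncalls) {
    long sum = 0;
    return run_hook(ncalls, &sum) < 0 ? -1 : sum;
}

int main(void) {
    long sum = 0;
    int hits = run_hook(3, &sum);
    printf("myfunc hooked %d times, sum of b = %ld\n", hits, sum);
    return hits == 3 ? 0 : 1;
}
```

Every call to myfunc in the child now round-trips through the tracer twice (the breakpoint trap and the single-step trap), which is why this approach is costly for hot functions and why an in-kernel uprobe handler, which does the same work without a second process in the loop, is the lighter option.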

1 Answer


uprobes is indeed what you are looking for, but it is extremely poorly documented (to the point you might think it doesn't even exist).

The usage you mentioned is just a nice userspace wrapper that allows you to use uprobes without using the actual interface directly. The thing is that you already know that, because you know eBPF lets you do more than just logging.

If you wish to use it directly, you will need to load your own kernel module.

The only reference I found online was this sample GitHub project, which I never tried myself, but from my past experience it looks like it might be enough. If that doesn't help, I would try to reverse-engineer the usage from the actual .c and .h source code.

Another, probably harder-to-use, option is Detours. It is a library that allows you to instrument functions in other processes. The problem is that it is for Windows. So, you might want to search Google for a Linux implementation.

Eytan Naim