Highest Voted 'kprobe' Questions

2

votes

0 answers

Why `my_do_fork` and `post_handler` are executed but `pre_handler` isn't?

I have used jprobe in a kernel module and everything works just fine. except the fact that the pre_handler is not executed. static struct jprobe my_jprobe = { .entry = my_do_fork, .kp = { .symbol_name…

c linux-kernel jprobe kprobe

asked Nov 20 '12 at 09:01

0x90

39,472
36
165
245

1

vote

0 answers

Concurrent system calls handling by kprobes

I have written an eBPF program which captures HTTP requests and responses using kprobes on system calls like accept4, accept, read, write, close(both entry & exit) and sending these as a captured event to userspace using ringbuf. I have few…

http linux-kernel ebpf kprobe

asked May 11 '23 at 10:04

Gourav Kumar

205
1
7

1

vote

0 answers

How to remove a eBPF function attached by BCC toolkit?

Using bpftool prog show, I can see a list of eBPF programs. 3: cgroup_skb tag 6deef7357e7b4530 gpl loaded_at 2023-04-20T05:19:04-0400 uid 0 xlated 64B jited 54B memlock 4096B 4: cgroup_skb tag 6deef7357e7b4530 gpl …

ebpf bcc-bpf kprobe

asked Apr 24 '23 at 13:17

akastack

75
7

1

vote

2 answers

eBPF vs non-eBPF tracepoint/kprobes

As per this document (amongst others): https://blogs.oracle.com/linux/post/taming-tracepoints-in-the-linux-kernel It is possible using both eBPF and other kernel-provided mechanisms to register callbacks for tracepoints or kprobes. It seems that…

linux-kernel ebpf kprobe tracepoint

asked Feb 07 '23 at 08:43

Mario

1,661
13
22

1

vote

1 answer

Get return address of a function using kretprobe or bpf

Is it possible to identify where the kernel function returned using kretprobe or BPF code? For example; void func() { .........some line...... .........some line...... if (condition1) return; .........some line...... .........some line...... …

linux-kernel bpf kprobe

asked Dec 16 '22 at 06:43

Franc

319
9
28

1

vote

0 answers

Can sys_execve() still return with error after begin_new_exec() returns zero?

I'm using a BPF kprobe to find out when a task's UIDs, GIDs and namespaces change outside the syscalls that have the ability to change these values. For this, I update values[pid] when returning from execve(), execveat(), setns(), unshare(),…

linux-kernel exec ebpf kprobe

asked Nov 03 '22 at 10:43

patraulea

652
2
5
26

1

vote

0 answers

Why is uprobe unaffected by ASLR?

I came from this article: https://blog.quarkslab.com/defeating-ebpf-uprobe-monitoring.html and this worked well for me: # First log-in as root. # This line creates a uretprobe named bashReadline at offset 0xd5690 of /bin/bash program that prints…

trace kprobe uprobe

asked Sep 13 '22 at 07:45

daisy

22,498
29
129
265

1

vote

1 answer

Why are security_path_* symbols missing from kallsyms and System.map on kernel version 5.4.156?

I am failing to load an eBPF script that traces path renames by using kprobe: int kprobe__security_path_rename( struct pt_regs *ctx, const struct path *old_dir, struct dentry *old_dentry, const struct path *new_dir, struct dentry *new_dentry ) { …

linux ebpf kprobe

asked Mar 01 '22 at 09:39

shapaz

43
4

1

vote

2 answers

How unstable are networking-related kprobes in practice?

I am very new to the world of BPF development and need to use kprobes in my BPF program so that i can properly detect and gather the PIDs for processes attempting to send packets over the network. I want to deploy this BPF program with my userspace…

linux linux-kernel bpf kprobe

asked May 20 '20 at 01:20

horseyguy

29,455
20
103
145

1

vote

2 answers

attaching bpf to sys_enter (tracepoint available through /proc/kallsyms)

I'm trying to build a tool wherein I attach a BPF program to the entry points for all syscalls. From the CLI, I was able to attach to all syscall entries via sudo bpftrace -e 'tracepoint:syscalls:sys_enter_* /comm != "bpftrace"/ {printf("Process…

trace ebpf kprobe bcc-bpf

asked Apr 02 '20 at 03:47

byrnesj1

189
1
14

1

vote

0 answers

Linux/Golang : unable to access /sys/kernel/debug/tracing/kprobe_events

I'm running Arch linux on LTS kernel (4.19.75). I've checked with more recent kernels, same issue. I do have debugfs mounted, and as root I can see this file : /sys/kernel/debug/tracing/kprobe_events I try to fix/run/fork (name it as you like,…

linux kernel kprobe

asked Jan 07 '20 at 09:57

squalou

199
1
5

1

vote

1 answer

Why is orig_ax not having proper system call number

I wrote a basic kprobe linux kernel module, which will register a handler for fork and in the handler i am printing the value of register 'orig_ax'. #include #include #include…

c linux linux-kernel linux-device-driver kprobe

asked Jan 04 '20 at 13:16

md.jamal

4,067
8
45
108

1

vote

2 answers

Were jprobes removed from kernel v4?

There is a jprobe_example.c in v3. But it is missing in v4. I tried to compile v3 example having kernel v4 and it works giving me jprobe_example.ko, but when I try to insmod it, it fails with insmod: ERROR: could not insert module…

linux-kernel kernel-module kprobe

asked Mar 02 '19 at 11:16

sanyassh

8,100
13
36
70

1

vote

1 answer

kprobe handler not getting triggered for specific function

Am trying to intercept below function in module using kprobes. "register_kprobe" passed for this function but Kprobe handler is not getting triggered when function is called. Strangely it starts working (kprobe handler gets called) if I print…

linux linux-kernel kernel-module kprobe

asked Jan 12 '18 at 07:39

Abubaker Siddique

129
10

1

vote

1 answer

register_kprobe returns EINVAL (-22) error for instructions involving rip

I am trying to insert probes at different instructions with kprobes in function of kernel module. But register_kprobe is returning EINVAL(-22) error for 0xffffffffa33c1085 instruction addresses and 0xffffffffa33c109b from below assembly code (it…

linux linux-kernel kernel-module kprobe

asked Jan 10 '18 at 09:43

Abubaker Siddique

129
10

Questions tagged [kprobe]