Questions tagged [kprobe]

A dynamic instrumentation system that allows one to gather additional information about kernel operation without recompiling or rebooting a kernel.

87 questions
1 vote, 1 answer

Alter kernel execution path using kprobes

Is it possible to alter the execution path with kprobe and terminate kernel function execution? While searching, I came across this post: "Replace system call in linux kernel 3". AFAIK, one can change the return value using kretprobe, but what I'm…
riya khanna
1 vote, 0 answers

A puzzle on kprobe mechanism in linux kernel

I have a puzzle on how kprobe works, which came up when I read the source code of the linux kernel for work needs. According to kprobe.txt in the linux kernel: 1.1 How Does a Kprobe Work? When a kprobe is registered, Kprobes makes a copy of the probed instruction…
Elinx
1 vote, 0 answers

Kernel Oops when unregister jprobes on Android/ARM

I wrote a kernel module (see code below) for my Nexus 5 to trace some syscalls via kprobes (I have built a custom kernel that has kprobes enabled for this). Occasionally, when unloading the module via rmmod my phone freezes and reboots. Trying to…
jckuester
1 vote, 1 answer

How to use registers in kprobe?

From kprobe document: echo 'p:myprobe do_sys_open dfd=%ax filename=%dx flags=%cx mode=+4($stack)' > /sys/kernel/debug/tracing/kprobe_events Per my understanding, on X86_64 platform, the arguments should be passed into registers (please refer…
Nan Xiao
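As an added example (not from the question, and not the kernel's kprobetrace document): a POSIX shell helper that emits the kprobe_events line with fetch arguments that match the calling convention of the target architecture. The example quoted above (%ax, %dx, %cx, +4($stack)) is the i386 regparm layout; on x86_64 the first six integer arguments of an ordinary kernel function arrive in di, si, dx, cx, r8 and r9, and the seventh is the first stack slot above the return address. The function names func_arg_reg and build_probe and the event name myprobe are this example's own choices.

```sh
#!/bin/sh
# Added example: build a kprobe_events definition whose fetch arguments
# follow the calling convention of ARCH, instead of hard-coding the
# i386 registers from the old documentation example.

# func_arg_reg ARCH N: fetch argument for parameter N (1-based) of an
# ordinary kernel function probed at its first instruction.
# "generic" emits $argN, which kernels since 4.20 resolve themselves.
func_arg_reg() {
    arch=$1; n=$2
    case "$arch" in
        generic)
            echo "\$arg$n" ;;
        x86_64)
            case "$n" in
                1) echo '%di' ;; 2) echo '%si' ;; 3) echo '%dx' ;;
                4) echo '%cx' ;; 5) echo '%r8' ;; 6) echo '%r9' ;;
                *) echo "\$stack$((n - 6))" ;;   # $stack0 is the return address at entry
            esac ;;
        aarch64)
            # x0..x7 carry the first eight; the ninth is at [sp] (no pushed return address)
            if [ "$n" -le 8 ]; then echo "%x$((n - 1))"; else echo "\$stack$((n - 9))"; fi ;;
        *)
            echo "unsupported arch: $arch" >&2; return 1 ;;
    esac
}

# build_probe ARCH NAME SYMBOL PARAM[:TYPE]...
# A :string/:ustring parameter is a pointer to a NUL-terminated string in
# kernel/user memory and is fetched through the register as +0(reg):type;
# any other type annotation is applied to the register value itself.
build_probe() {
    arch=$1; name=$2; sym=$3; shift 3
    out="p:$name $sym"
    i=1
    for spec in "$@"; do
        field=${spec%%:*}
        type=${spec#"$field"}            # ":string", ":u16", ... or empty
        reg=$(func_arg_reg "$arch" "$i") || return 1
        case "$type" in
            :string|:ustring) out="$out $field=+0($reg)$type" ;;
            *)                out="$out $field=$reg$type" ;;
        esac
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode):
# filename is a user pointer, hence the ustring fetch. Use "$(uname -m)" for
# the running machine; x86_64 and the $argN form are shown side by side.
build_probe x86_64  myprobe do_sys_open dfd filename:ustring flags mode
build_probe generic myprobe do_sys_open dfd filename:ustring flags mode
# Installing the result (root, tracefs mounted) is the usual two writes:
#   echo "$def" > /sys/kernel/debug/tracing/kprobe_events
#   echo 1      > /sys/kernel/debug/tracing/events/kprobes/myprobe/enable
```

The mapping is for ordinary function calls only: the user-space arguments of a system call are saved with the fourth in r10, because the SYSCALL instruction clobbers rcx, so do not apply it to saved user registers. Kernels from 4.20 accept $argN and do the per-architecture mapping themselves, which makes "generic" the safer choice when you are unsure of the ABI. The :ustring type exists only on kernels that have the user-space fetchers (the 5.x series); older ones offer just :string.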
1 vote, 1 answer

jprobe do_execve does not work with kernel 4.1

I want to set a jprobe hook on do_execve to catch every executed program. My code is working on <= 3.2 linux kernel (debian). This is my output on linux kernel 3.2: [ 628.534037] registered: do_execve, ret: 0 [ 723.995797] execve: /usr/bin/vi [ …
stux
1 vote, 1 answer

Communication between two kernel kprobes/kretprobes

Is it possible to capture a kernel function's return value using a kretprobe and communicate it to another kretprobe which is hooked on to another kernel function?
bawejakunal
1 vote, 1 answer

Kprobe/Jprobe in the middle of a function

I want to intercept the load_elf_binary function in fs/binfmt_elf.c file, read a few custom section headers from the file passed to it via an argument and set a few registers (eax, ebx, ecx, edx) before returning from the function. Now I read that…
bawejakunal
1 vote, 1 answer

Kprobe mechanism to intercept do_page_fault

I'm trying to intercept the __do_page_fault() method in linux kernel. The normal way to register kprobes, i.e. defining kp.addr as kp.addr = (kprobe_opcode_t *) kallsyms_lookup_name("__do_page_fault"); is not working. What's the proper way to do…
Sayak
1 vote, 2 answers

register_kprobe is returning -2

I am trying to hook some kernel function for learning purposes. I wrote the simple kernel module below, but for some reason register_kprobe always returns -2. I didn't find anything that says what this error means and have no idea how…
Ramzi Khahil
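As an added example for both this question and the __do_page_fault one above (not code from either question): a POSIX shell check that classifies a symbol the way register_kprobe() will, from the two files that decide the outcome. -2 is -ENOENT, which register_kprobe() returns when the symbol name cannot be resolved, that is, it is not in /proc/kallsyms because it never existed on this kernel, was renamed, or was inlined away; an address that is not kernel text, or one covered by the kprobe blacklist (NOKPROBE_SYMBOL), gets -EINVAL instead. The function name probe_symbol_status, the sample kallsyms and blacklist contents, and their addresses are constructed for the example.

```sh
#!/bin/sh
# Added example: answer "can I put a kprobe on this symbol, and if not,
# why?" from /proc/kallsyms and /sys/kernel/debug/kprobes/blacklist.
# Both file paths are parameters so the check also runs on saved copies.

# probe_symbol_status SYMBOL [KALLSYMS_FILE] [BLACKLIST_FILE]
# prints missing|data|blacklisted|ambiguous|ok; the exit status is the errno
# register_kprobe() would report (2 = ENOENT, 22 = EINVAL, 0 otherwise).
probe_symbol_status() {
    sym=$1
    kallsyms=${2:-/proc/kallsyms}
    blacklist=${3:-/sys/kernel/debug/kprobes/blacklist}

    # kallsyms line: "<addr> <type> <name> [module]"
    matches=$(awk -v s="$sym" '$3 == s' "$kallsyms")
    if [ -z "$matches" ]; then
        echo missing; return 2              # -ENOENT: name does not resolve
    fi
    type=$(printf '%s\n' "$matches" | awk 'NR == 1 {print $2}')
    case "$type" in
        t|T) ;;                             # in .text, probeable in principle
        *) echo data; return 22 ;;          # -EINVAL: fails kernel_text_address()
    esac
    # blacklist line: "0x<start>-0x<end>\t<name>"
    if [ -r "$blacklist" ] && awk -v s="$sym" '$2 == s {hit = 1} END {exit !hit}' "$blacklist"; then
        echo blacklisted; return 22         # -EINVAL: within_kprobe_blacklist()
    fi
    # Static functions may share a name; kallsyms_lookup_name() hands back the
    # first one, which may not be the one you mean, so probe by address then.
    if [ "$(printf '%s\n' "$matches" | wc -l | tr -d ' ')" -gt 1 ]; then
        echo ambiguous; return 0
    fi
    echo ok
}

# Constructed sample data (addresses and the duplicate symbol are made up)
# so the check can be exercised without root or a matching kernel.
KALLSYMS_SAMPLE=$(mktemp); BLACKLIST_SAMPLE=$(mktemp)
trap 'rm -f "$KALLSYMS_SAMPLE" "$BLACKLIST_SAMPLE"' EXIT
cat > "$KALLSYMS_SAMPLE" <<'EOF'
ffffffff812c1e40 T do_sys_open
ffffffff8108f2a0 T kallsyms_lookup_name
ffffffff81c0a000 D jiffies_64
ffffffff8105a0c0 T kprobe_int3_handler
ffffffff81230000 t show_stat
ffffffffc0002a10 t show_stat	[nf_conntrack]
EOF
cat > "$BLACKLIST_SAMPLE" <<'EOF'
0xffffffff8105a0c0-0xffffffff8105a2f0	kprobe_int3_handler
EOF

for s in do_sys_open __do_page_fault jiffies_64 kprobe_int3_handler show_stat; do
    printf '%-22s %s\n' "$s" "$(probe_symbol_status "$s" "$KALLSYMS_SAMPLE" "$BLACKLIST_SAMPLE")"
done
```

Two practical consequences for the questions above: kallsyms_lookup_name() is no longer exported to modules since 5.7, so a module should set kp.symbol_name and let register_kprobe() resolve it (and read the returned errno with the table above) rather than fill kp.addr by hand; and a symbol that is "missing" here will not become probeable by any amount of retrying, because the compiler did not leave a function entry to probe.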
1 vote, 0 answers

Hijack Syscall: Access system call arguments from struct pt_regs (64bit-x86)

Using kprobes pre_handler, I am trying to access the system call arguments from struct pt_regs and modify them (which is the main goal), before calling the actual system call itself. Say I am probing sys_link. asmlinkage long sys_link(const char…
dmkathayat
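As an added example, not code from the question: a user-space C model of the x86_64 pt_regs a pre_handler receives, and of the one detail that makes rewriting syscall arguments from a kprobe on x86_64 confusing. Since 4.17 the syscall entry path calls wrappers such as __x64_sys_link(const struct pt_regs *regs) (plain sys_link is no longer a symbol you can probe), so a probe on the wrapper sees a pointer to the saved user registers in regs->di, and the user's own arguments sit one dereference further. The struct layout mirrors arch/x86/include/asm/ptrace.h; the register snapshots, fake pointers and function names are constructed for the example.

```c
/* Added example: user-space model of x86_64 pt_regs as seen from a kprobe
 * pre_handler. The struct mirrors arch/x86/include/asm/ptrace.h; all
 * register values below are constructed. */
#include <stdio.h>

struct pt_regs {
    unsigned long r15, r14, r13, r12, bp, bx;
    unsigned long r11, r10, r9, r8, ax, cx, dx, si, di;
    unsigned long orig_ax;             /* syscall number at entry */
    unsigned long ip, cs, flags, sp, ss;
};

/* Argument N (1-based) of an ordinary kernel function, SysV AMD64 ABI.
 * The 7th and later are on the stack; with the probe at the first
 * instruction sp still points at the return address, so arg 7 is sp+8. */
static unsigned long func_arg(const struct pt_regs *regs, unsigned n)
{
    switch (n) {
    case 1: return regs->di;
    case 2: return regs->si;
    case 3: return regs->dx;
    case 4: return regs->cx;
    case 5: return regs->r8;
    case 6: return regs->r9;
    default: return ((const unsigned long *)regs->sp)[n - 6];
    }
}

/* Argument N of a system call as saved by the entry path: SYSCALL
 * clobbers rcx, so user space passes the 4th argument in r10. */
static unsigned long syscall_arg(const struct pt_regs *regs, unsigned n)
{
    switch (n) {
    case 1: return regs->di;
    case 2: return regs->si;
    case 3: return regs->dx;
    case 4: return regs->r10;
    case 5: return regs->r8;
    case 6: return regs->r9;
    default: return 0;                 /* syscalls take at most six */
    }
}

/* A kprobe on __x64_sys_link(const struct pt_regs *regs) sees the wrapper's
 * own first argument in regs->di: a pointer to the saved user registers. */
static struct pt_regs *user_regs_from_wrapper_probe(const struct pt_regs *probe_regs)
{
    return (struct pt_regs *)probe_regs->di;
}

/* What a pre_handler does to redirect the call: overwrite the saved user
 * register, since that is what the syscall body reads. Returns the old value. */
static unsigned long hijack_syscall_arg1(const struct pt_regs *probe_regs, unsigned long newval)
{
    struct pt_regs *uregs = user_regs_from_wrapper_probe(probe_regs);
    unsigned long old = uregs->di;
    uregs->di = newval;
    return old;
}

struct link_demo {
    unsigned long nr;          /* syscall number read through the probe */
    unsigned long naive_di;    /* probe_regs->di taken as "oldname": wrong */
    unsigned long arg1_before; /* oldname as the syscall sees it */
    unsigned long arg1_after;  /* ...after the hijack */
};

/* Constructed scenario: user space called link(oldname, newname); the entry
 * path saved its registers in uregs and called __x64_sys_link(&uregs), where
 * the kprobe fired with probe_regs. __NR_link is 86 on x86_64. */
static struct link_demo demo_link_hijack(void)
{
    static struct pt_regs uregs, probe_regs;
    struct link_demo d;

    uregs = (struct pt_regs){0};
    uregs.orig_ax = 86;
    uregs.di = 0x7ffd0000a000UL;           /* fake user pointer: oldname */
    uregs.si = 0x7ffd0000b000UL;           /* fake user pointer: newname */

    probe_regs = (struct pt_regs){0};
    probe_regs.di = (unsigned long)&uregs;  /* the wrapper's only argument */
    probe_regs.ip = 0xffffffff81234560UL;   /* fake address of __x64_sys_link */

    d.naive_di = probe_regs.di;
    d.nr = user_regs_from_wrapper_probe(&probe_regs)->orig_ax;
    d.arg1_before = syscall_arg(user_regs_from_wrapper_probe(&probe_regs), 1);
    hijack_syscall_arg1(&probe_regs, 0x7ffd0000c000UL);
    d.arg1_after = syscall_arg(&uregs, 1); /* what the syscall body now sees */
    return d;
}

/* Constructed snapshot at the entry of an eight-argument function:
 * six in registers, two above the return address on the stack. */
static unsigned long demo_func_arg(unsigned n)
{
    static unsigned long stack[3] = { 0xffffffff81000123UL, 7777, 8888 };
    struct pt_regs regs = {0};
    regs.di = 1; regs.si = 2; regs.dx = 3; regs.cx = 4; regs.r8 = 5; regs.r9 = 6;
    regs.sp = (unsigned long)stack;
    return func_arg(&regs, n);
}

int main(void)
{
    struct link_demo d = demo_link_hijack();
    printf("nr %lu, naive di 0x%lx, oldname 0x%lx -> 0x%lx\n",
           d.nr, d.naive_di, d.arg1_before, d.arg1_after);
    printf("arg4=%lu arg7=%lu arg8=%lu\n",
           demo_func_arg(4), demo_func_arg(7), demo_func_arg(8));
    return 0;
}
```

The in-kernel counterpart of func_arg is regs_get_kernel_argument() (0-based index) from asm/ptrace.h. Writing the replacement pointer through the saved user registers, as hijack_syscall_arg1 does, is what changes what the syscall reads; anything the handler itself wants to read from those user pointers still has to go through copy_from_user() or strncpy_from_user(), never a plain dereference.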
1 vote, 1 answer

How Can I Count malloc in linux kernel with kprobe

I want to count the malloc system call with Kprobe in fedora. I know that malloc is not a system call and is implemented in user space, but I want to count malloc with kprobe if its possible. What is the name of system call that I must give to…
Alireza Sahaf
0 votes, 1 answer

How to correctly read socket->sk from pt_regs* in ebpf program?

I want to get some information from kprobe/inet_accept through ebpf, but got error: load program: permission denied: 13: (79) r6 = *(u64 *)(r6 +24): R6 invalid mem access 'inv' (22 line(s) omitted) debug detail: ; struct socket *newsock = (struct…
dcy
0 votes, 0 answers

get current kubernetes logged in user with kprobe

I want to get the currently logged-in user for auditing. For example, I want to find which user executed a malicious command in a k8s pod. There is a tool where I can define some policy that works with kprobe. Is there any way to get the user by kprobe? I…
0 votes, 1 answer

tracepoint/syscalls/sys_enter_execve missing args

I use cilium-ebpf to write some simple monitoring programs. Currently I want to use tracepoint/syscalls/sys_enter_execve to get argv, but I am having problems with missing arguments. The following is an example of code that can be…
HIHIA
0 votes, 0 answers

BPF program attach failed

I was trying to do some work in rwsem. I defined a function like this and called it in rwsem_optimistic_spin(): noinline void __bpf_hook_rwsem(struct rw_semaphore *sem, bool wlock, u64 delta) { pr_err("rwsem_trace, delta = %llu.", delta); if…