Linux kernel debugging tools: kprobe (part 2)


    Contents

    I. Probing kernel functions

    II. Using dynamic kprobes to trace a kernel module


    The previous part used the kprobe API directly, which meant writing a module and compiling it by hand.

    This part uses the tracing (ftrace) facility instead: through kprobe events, a dynamic kprobe can be placed on any probeable function without writing or compiling any code.

    I. Probing kernel functions

    1. Change to the tracing directory

    # cd /sys/kernel/debug/tracing

    2. Find out which functions can be probed dynamically

    #cat available_filter_functions | grep do_sys_open*
    do_sys_openat2
    do_sys_open

    3. Set the dynamic probe

    The general form appends one definition line to kprobe_events:

    echo "p: [...]" >> kprobe_events

    #echo "p:my_sys_open3 do_sys_openat2 file=+0(%si):string" > /sys/kernel/debug/tracing/kprobe_events

    Here the event is named my_sys_open3, the probed symbol is do_sys_openat2, and file=+0(%si):string fetches the string that the second argument register points to. Note that writing with > truncates kprobe_events and therefore removes every probe defined earlier; use >> to add a probe alongside existing ones.

    The run above is on x86_64, where the first six integer arguments are passed in RDI, RSI, RDX, RCX, R8, R9 (written %di, %si, ... in the fetch-argument syntax).

    On 32-bit ARM the argument registers are r0, r1, r2, r3.

    On ARM64 the argument registers are X0-X7.

    4. Inspect the probe point that was created

    #/sys/kernel/debug/tracing# ls -lR events/kprobes/
    events/kprobes/:
    total 0
    -rw-r----- 1 root root 0 10月 26 07:42 enable
    -rw-r----- 1 root root 0 10月 26 07:42 filter
    drwxr-x--- 2 root root 0 10月 26 07:42 my_sys_open3
    events/kprobes/my_sys_open3:
    total 0
    -rw-r----- 1 root root 0 10月 26 07:43 enable
    -rw-r----- 1 root root 0 10月 26 07:42 filter
    -r--r----- 1 root root 0 10月 26 07:42 format
    -r--r----- 1 root root 0 10月 26 07:42 hist
    -r--r----- 1 root root 0 10月 26 07:42 id
    --w------- 1 root root 0 10月 26 07:42 inject
    -rw-r----- 1 root root 0 10月 26 07:42 trigger

    5. Enable the probe

    #echo 1 > events/kprobes/my_sys_open3/enable

    6. Read the output

    cat trace
    systemd-oomd-656 [003] ..... 1628.449020: my_sys_open3: (do_sys_openat2+0x0/0x160) file="/proc/meminfo"
    a.out-5386 [002] ..... 1628.450621: my_sys_open3: (do_sys_openat2+0x0/0x160) file="/home/kprobe.c"
    a.out-5386 [002] ..... 1628.461429: my_sys_open3: (do_sys_openat2+0x0/0x160) file="/home/kprobe.c"
    a.out-5386 [002] ..... 1628.472403: my_sys_open3: (do_sys_openat2+0x0/0x160) file="/home/kprobe.c"
    a.out-5386 [002] ..... 1628.483314: my_sys_open3: (do_sys_openat2+0x0/0x160) file="/home/kprobe.c"
    a.out-5386 [002] ..... 1628.494283: my_sys_open3: (do_sys_openat2+0x0/0x160) file="/home/kprobe.c"

    7. Disable and remove

    A probe must be disabled before it can be removed, so the write to enable comes first.

    # disable first
    echo 0 > events/kprobes/my_sys_open3/enable
    # remove a single probe
    echo "-: " >> kprobe_events
    # remove all probe points
    echo > /sys/kernel/tracing/kprobe_events

    Or, for a single probe point:

    echo 0 > events/kprobes/my_sys_open3/enable
    echo "-:my_sys_open3" >> kprobe_events
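    An added example, not from the original post, that turns steps 2 to 7 and the register table above into a reusable script: probe_def builds the kprobe_events line for a given architecture and argument number (the x86_64 case reproduces the my_sys_open3 definition above), and trace_kprobe checks the symbol is probeable, installs the line, collects hits for a few seconds, then disables and removes it. TRACEFS, arg_reg, probe_def and trace_kprobe are names chosen here, and the %rN / %xN register spelling for ARM / ARM64 is an assumption about the kprobe fetch syntax.

```shell
TRACEFS=${TRACEFS:-/sys/kernel/tracing}   # the post also uses /sys/kernel/debug/tracing

# arg_reg ARCH N: fetch-arg register for integer argument N (1-based), from the
# register table above; %rN / %xN for ARM / ARM64 is assumed kprobe syntax.
arg_reg() {
    arch=$1; n=$2
    case "$arch" in
        x86_64) regs="di si dx cx r8 r9" ;;
        arm)    regs="r0 r1 r2 r3" ;;
        arm64)  regs="x0 x1 x2 x3 x4 x5 x6 x7" ;;
        *)      echo "unsupported arch: $arch" >&2; return 1 ;;
    esac
    set -- $regs
    if [ "$n" -lt 1 ] || [ "$n" -gt $# ]; then
        echo "argument $n is not passed in a register on $arch" >&2; return 1
    fi
    shift $((n - 1))
    printf '%%%s\n' "$1"
}

# probe_def EVENT SYM NAME ARCH N TYPE: one kprobe_events line. A string argument
# is a pointer, so it is dereferenced with +0(...); other types read the register.
probe_def() {
    reg=$(arg_reg "$4" "$5") || return 1
    if [ "$6" = string ]; then
        printf 'p:%s %s %s=+0(%s):string\n' "$1" "$2" "$3" "$reg"
    else
        printf 'p:%s %s %s=%s:%s\n' "$1" "$2" "$3" "$reg" "$6"
    fi
}

# trace_kprobe SECONDS DEF: install DEF, collect hits for SECONDS, then disable
# and remove it (steps 3 to 7 above). Needs root and a mounted tracefs.
trace_kprobe() {
    secs=$1; def=$2
    event=${def#p:}; event=${event%% *}
    sym=${def#* };   sym=${sym%% *}
    grep -qE "^$sym( \[[^]]+\])?$" "$TRACEFS/available_filter_functions" ||
        { echo "$sym is not listed as probeable (step 2)" >&2; return 1; }
    echo "$def" >> "$TRACEFS/kprobe_events" || return 1  # >> appends; > would drop other probes
    echo > "$TRACEFS/trace"                                # clear the ring buffer
    echo 1 > "$TRACEFS/events/kprobes/$event/enable"
    sleep "$secs"
    echo 0 > "$TRACEFS/events/kprobes/$event/enable"      # must be disabled before removal
    grep " $event: " "$TRACEFS/trace" || echo "no hits for $event" >&2
    echo "-:$event" >> "$TRACEFS/kprobe_events"
}
```

    As root, the post's probe is reproduced with: trace_kprobe 5 "$(probe_def my_sys_open3 do_sys_openat2 file x86_64 2 string)"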

    II. Using dynamic kprobes to trace a kernel module

    1. The test module miscdrv_rdwr.ko, a driver that reads and writes a device file

    Load the module:

    insmod miscdrv_rdwr.ko

    Find the module's functions in the kernel symbol table:

    root@ubuntu:~# grep miscdrv /proc/kallsyms
    ffffffffc0687000 t write_miscdrv_rdwr [miscdrv_rdwr]
    ffffffffc0687922 t write_miscdrv_rdwr.cold [miscdrv_rdwr]
    ffffffffc0687290 t open_miscdrv_rdwr [miscdrv_rdwr]
    ffffffffc0687480 t close_miscdrv_rdwr [miscdrv_rdwr]

    The module is now loaded.

    2. Set the probes

    root@ubuntu:/sys/kernel/tracing# echo "p:mymiscdrv_wr read_miscdrv_rdwr" >> kprobe_events
    root@ubuntu:/sys/kernel/tracing# echo "p:mymiscdrv_wr write_miscdrv_rdwr" >> kprobe_events
    root@ubuntu:/sys/kernel/tracing# echo "p:mymiscdrv_wr open_miscdrv_rdwr" >> kprobe_events

    List the events that were defined. All three probes were given the same event name, mymiscdrv_wr, so the kernel groups them into a single event with three probe points, controlled by one enable file:

    root@ubuntu:/sys/kernel/tracing# cat kprobe_events
    p:kprobes/mymiscdrv_wr read_miscdrv_rdwr
    p:kprobes/mymiscdrv_wr write_miscdrv_rdwr
    p:kprobes/mymiscdrv_wr open_miscdrv_rdwr

    Enable the event:

    root@ubuntu:/sys/kernel/tracing# echo 1 > events/kprobes/mymiscdrv_wr/enable

    Read the output (this blocks until events arrive):

    root@ubuntu:/sys/kernel/tracing# cat trace_pipe

    In a second terminal, exercise the module from user space by writing to and reading from its device file:

    # write
    root@ubuntu# ./rdwr_test_secret w /dev/llkd_miscdrv_rdwr "hello world"
    Device file /dev/llkd_miscdrv_rdwr opened (in write-only mode): fd=3
    ./rdwr_test_secret: wrote 12 bytes to /dev/llkd_miscdrv_rdwr
    # read
    root@ubuntu# ./rdwr_test_secret r /dev/llkd_miscdrv_rdwr
    Device file /dev/llkd_miscdrv_rdwr opened (in read-only mode): fd=3
    ./rdwr_test_secret: read 11 bytes from /dev/llkd_miscdrv_rdwr
    The 'secret' is:
    "hello world"

    The first terminal then shows the hits on the probed module functions:

    root@ubuntu:/sys/kernel/tracing# cat trace_pipe
    rdwr_test_secre-8530 [000] .... 77924.632520: mymiscdrv_wr: (open_miscdrv_rdwr+0x0/0x1f0 [miscdrv_rdwr])
    rdwr_test_secre-8530 [000] .... 77924.632824: mymiscdrv_wr: (write_miscdrv_rdwr+0x0/0x290 [miscdrv_rdwr])
    rdwr_test_secre-8533 [003] .... 77943.415055: mymiscdrv_wr: (open_miscdrv_rdwr+0x0/0x1f0 [miscdrv_rdwr])
    rdwr_test_secre-8533 [003] .... 77943.415123: mymiscdrv_wr: (read_miscdrv_rdwr+0x0/0x270 [miscdrv_rdwr])
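    An added helper, not part of the original post, that summarizes the trace output shown in both sections: it reads trace or trace_pipe lines and counts hits per task, event and probed symbol, keeping the file="..." fetch argument of section I and the [module] suffix of section II while skipping the header lines of the trace file. summarize_trace and SAMPLE_TRACE are names chosen here; the sample lines are constructed from the captures above.

```shell
# summarize_trace: read trace / trace_pipe lines on stdin and count hits per
# (task, event, probed symbol, fetched arguments). Header lines are skipped; the
# file="..." fetch arg of section I and the [module] suffix of section II are kept.
summarize_trace() {
    awk '
    /^#/ || NF < 6 { next }
    {
        event = $5; sub(/:$/, "", event)                      # "my_sys_open3:" -> my_sys_open3
        sym = $6; sub(/^\(/, "", sym); sub(/\+.*/, "", sym)   # "(do_sys_openat2+0x0/0x160)" -> do_sys_openat2
        i = 7
        if ($7 ~ /^\[/) { sym = sym " " $7; sub(/\)$/, "", sym); i = 8 }   # "[miscdrv_rdwr])" -> [miscdrv_rdwr]
        args = ""
        while (i <= NF) { args = args " " $i; i++ }
        hits[$1 " " event " " sym args]++
    }
    END { for (k in hits) print hits[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample in the format of the two captures above (not a real trace).
SAMPLE_TRACE='# tracer: nop
#
 a.out-5386 [002] ..... 1628.450621: my_sys_open3: (do_sys_openat2+0x0/0x160) file="/home/kprobe.c"
 a.out-5386 [002] ..... 1628.461429: my_sys_open3: (do_sys_openat2+0x0/0x160) file="/home/kprobe.c"
 systemd-oomd-656 [003] ..... 1628.449020: my_sys_open3: (do_sys_openat2+0x0/0x160) file="/proc/meminfo"
 rdwr_test_secre-8530 [000] .... 77924.632520: mymiscdrv_wr: (open_miscdrv_rdwr+0x0/0x1f0 [miscdrv_rdwr])
 rdwr_test_secre-8530 [000] .... 77924.632824: mymiscdrv_wr: (write_miscdrv_rdwr+0x0/0x290 [miscdrv_rdwr])'

printf '%s\n' "$SAMPLE_TRACE" | summarize_trace   # on a live system: summarize_trace < trace
```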

    References

    Kprobe-based Event Tracing — The Linux Kernel documentation

    perf-tools/kprobe at master · brendangregg/perf-tools · GitHub

    ABI references

    Overview of ARM64 ABI conventions | Microsoft Learn

    https://cs.brown.edu/courses/cs033/docs/guides/x64_cheatsheet.pdf

    Overview of ARM ABI Conventions | Microsoft Learn

    Original article: https://blog.csdn.net/WANGYONGZIXUE/article/details/127525367