
`do_sys_open` vs `__x86_sys_open` when attaching kprobe

I have tried running opensnoop.py but using

fnname_open='do_sys_open'

(which I have seen in other scripts) instead of

fnname_open = b.get_syscall_prefix().decode() + 'open'
# = '__x86_sys_open' on Ubuntu 18.04

but the script then stops printing file names. What is causing the difference?

When using attach_kprobe(event=fn), is fn a system call or an event?

Do you get the list of possible syscalls from /proc/kallsyms as described here?

A BPF program attached to __x86_sys_open won't have the same result if you attach it to do_sys_open instead, because those two functions don't have the same prototype:

long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode);
long sys_open(const char __user *filename, int flags, umode_t mode);

So the filename argument, for example, won't be stored in the same register depending on which function you trace. You will need to edit the BPF program as well to fix this.
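The script below is an added example, not code from the original post or from bcc's own opensnoop.py. It shows the edit the answer refers to: one BPF handler per probe target, each pulling `filename` out of the register that the target's prototype puts it in (argument 2 for `do_sys_open`, argument 1 for `sys_open`). It assumes bcc is installed and that the `PT_REGS_PARMn` and `PT_REGS_PARMn_SYSCALL` macros from bcc's `helpers.h` are available; `handler_for` and `run` are helper names chosen here. One caveat the thread does not spell out: on x86-64 kernels from 4.17 onward the symbol that bcc's syscall prefix resolves to is a wrapper that receives a single `struct pt_regs *` holding the user registers, which is why the syscall handler uses the `_SYSCALL` variant of the macro rather than `PT_REGS_PARM1` directly.

```python
"""Trace open() and print file names, reading `filename` from the register
that the probed function's prototype puts it in.

Added example (not the original post's code).  Assumes bcc
(https://github.com/iovisor/bcc) with the PT_REGS_PARMn and
PT_REGS_PARMn_SYSCALL macros from its helpers.h.
"""
import sys

BPF_TEXT = r"""
#include <uapi/linux/ptrace.h>
#include <linux/sched.h>

struct data_t {
    u32 pid;
    char comm[TASK_COMM_LEN];
    char fname[256];
};
BPF_PERF_OUTPUT(events);

// Shared tail: copy the user-space path and emit one event.
static int submit(struct pt_regs *ctx, const char __user *filename) {
    struct data_t data = {};
    data.pid = bpf_get_current_pid_tgid() >> 32;
    bpf_get_current_comm(&data.comm, sizeof(data.comm));
    // bpf_probe_read_str exists on 4.15 (Ubuntu 18.04) and later kernels.
    bpf_probe_read_str(&data.fname, sizeof(data.fname), filename);
    events.perf_submit(ctx, &data, sizeof(data));
    return 0;
}

// long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode)
// filename is argument 2 (rsi on x86-64).
int trace_do_sys_open(struct pt_regs *ctx) {
    return submit(ctx, (const char __user *)PT_REGS_PARM2(ctx));
}

// long sys_open(const char __user *filename, int flags, umode_t mode)
// filename is argument 1.  On x86-64 >= 4.17 the probed symbol is the
// __x64_sys_open wrapper, whose only argument is a struct pt_regs * with the
// user registers; PT_REGS_PARM1_SYSCALL follows that pointer for us.
int trace_sys_open(struct pt_regs *ctx) {
    return submit(ctx, (const char __user *)PT_REGS_PARM1_SYSCALL(ctx));
}
"""


def handler_for(target):
    """Pick the BPF function whose argument decoding matches the probed symbol.

    `do_sys_open` keeps filename in argument 2; `sys_open` and the
    arch-prefixed wrappers (`__x64_sys_open`, ...) keep it in argument 1.
    """
    if target == "do_sys_open":
        return "trace_do_sys_open"
    if target == "sys_open" or target.endswith("_sys_open"):
        return "trace_sys_open"
    raise ValueError("no handler knows where %s keeps its filename argument" % target)


def run(target):
    # Imported here so the module loads (and the tests run) without bcc.
    from bcc import BPF

    b = BPF(text=BPF_TEXT)
    # "syscall" asks bcc for the per-kernel symbol, exactly as opensnoop.py does.
    event = b.get_syscall_prefix().decode() + "open" if target == "syscall" else target
    b.attach_kprobe(event=event, fn_name=handler_for(event))

    def print_event(cpu, data, size):
        ev = b["events"].event(data)
        print("%-6d %-16s %s" % (ev.pid, ev.comm.decode(errors="replace"),
                                 ev.fname.decode(errors="replace")))

    b["events"].open_perf_buffer(print_event)
    print("Tracing %s, attached %s ... Ctrl-C to end" % (event, handler_for(event)))
    while True:
        try:
            b.perf_buffer_poll()
        except KeyboardInterrupt:
            return


if __name__ == "__main__":
    run(sys.argv[1] if len(sys.argv) > 1 else "do_sys_open")
```

Run it as root with either `do_sys_open` or `syscall` as the argument; both variants print the same file names because each handler reads the argument slot its own target uses. Attaching `trace_sys_open` to `do_sys_open` (or the reverse) reproduces the symptom in the question: the probe fires, but the string read from the wrong register is empty or garbage.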
