md.jamal


Can we trace all the Linux kernel functions using kprobes

I read the following about kprobes:

Kprobes allows you to install pre-handlers and post-handlers for any kernel instruction as well as for function-entry and function-return handlers

I am trying to register a kprobe for the '_do_sys_open' function.

$ sudo cat /proc/kallsyms | grep 'do_sys_open'
ffffffff96ac0130 T do_sys_open

I wrote a basic module that registers the kprobe:

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/kprobes.h>

/* License string for the module loader. NOTE(review): register_kprobe() is a
 * GPL-only export in mainline (EXPORT_SYMBOL_GPL), so a non-GPL string here
 * would leave it unresolved at load time — verify against the running kernel. */
MODULE_LICENSE("GPL");

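/* Probe descriptor; handlers and symbol are filled in by hello_init(). */
static struct kprobe kp;
/* Symbol to probe. NOTE(review): the /proc/kallsyms output above lists
 * `do_sys_open` with no leading underscore; if `_do_sys_open` resolves to
 * nothing, register_kprobe() has no address to attach to and fails — confirm
 * the exact name on the running kernel before registering. */
static const char *name = "_do_sys_open";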

/*
 * Entry handler: runs before the probed instruction. Does nothing and
 * returns 0 so the kernel continues with normal execution of the probe site.
 */
static int pre_handler(struct kprobe *p, struct pt_regs *regs)
{
    (void)p;
    (void)regs;

    return 0;
}

/*
 * Exit handler: runs after the probed instruction has executed. Intentionally
 * empty — it exists only so that registration installs a post-handler.
 */
static void post_handler(struct kprobe *p, struct pt_regs *regs,
             unsigned long flags)
{
    (void)p;
    (void)regs;
    (void)flags;
}

/*
 * Module entry point: wires the handlers and target symbol into the probe
 * descriptor, then registers it.
 *
 * Returns the result of register_kprobe(): 0 on success, a negative errno
 * otherwise (a negative value aborts module loading).
 */
static int __init hello_init(void)
{
    int rc;

    /* Fill the descriptor before handing it to register_kprobe(). */
    kp.symbol_name = name;
    kp.pre_handler = pre_handler;
    kp.post_handler = post_handler;

    rc = register_kprobe(&kp);
    return rc;
}

/* Module exit point: removes the probe registered in hello_init(). */
static void __exit hello_exit(void)
{
    unregister_kprobe(&kp);
}

/* Register hello_init()/hello_exit() as the module's load and unload hooks. */
module_init(hello_init);
module_exit(hello_exit);

Loading this module fails with:

Unknown symbol in module

Does this mean this function cannot be used with kprobes?

It is also not listed in the kprobes blacklist:

# cat /sys/kernel/debug/kprobes/blacklist | grep '_do_sys_open'


Answers (1)

Qasim Ahmed


#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/kprobes.h>

/*
 * Entry handler invoked before the probed instruction. Performs no work;
 * returning 0 lets the kernel resume normal execution at the probe site.
 */
static int pre_handler(struct kprobe *p, struct pt_regs *regs)
{
    (void)p;
    (void)regs;

    return 0;
}

// static void post_handler(struct kprobe *p, struct pt_regs *regs,
//              unsigned long flags)
// {
//     return 0;
// }

/*
 * Probe descriptor, initialized statically. Only the entry handler is set;
 * post_handler is left zero-initialized (unset) since none is needed here.
 */
static struct kprobe kp = {
    .pre_handler = pre_handler,
    .symbol_name = "do_sys_open",
};

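/*
 * Module entry point: registers the statically initialized probe.
 *
 * Returns 0 on success, or the negative errno from register_kprobe(), which
 * aborts module loading. The failure path now logs the code so the cause
 * shows up in dmesg instead of only as a generic insmod error.
 */
static int __init hello_init(void)
{
    int ret;

    ret = register_kprobe(&kp);
    if (ret < 0) {
        /* NOTE(review): an unresolvable symbol_name and a blacklisted target
         * are the common causes here — check the code against the running
         * kernel's kprobes implementation. */
        pr_err("register_kprobe failed for %s: %d\n", kp.symbol_name, ret);
        return ret;
    }
    /* The trailing '\n' terminates the log record; without it printk may
     * hold the line and splice the next message onto it. */
    pr_info("Kprobe registered for %s\n", kp.symbol_name);
    return 0;
}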

/* Module exit point: removes the probe registered in hello_init(). */
static void __exit hello_exit(void)
{
    unregister_kprobe(&kp);
}

/* Register hello_init()/hello_exit() as the module's load and unload hooks. */
module_init(hello_init);
module_exit(hello_exit);

/* Module metadata. The GPL string matters: NOTE(review) register_kprobe() is a
 * GPL-only export in mainline, so a non-GPL module would not resolve it. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Your Name");          /* placeholder — fill in before shipping */
MODULE_DESCRIPTION("Kprobe module");

This code should work if you load it into the kernel with the following command:

sudo insmod system_protection.ko

