bbpfuser
Reputation: 1
How to get syscall table address with eBPF (BCC)
I want to use Kprobe in eBPF to fetch the syscall addresses from the syscall table. How can I perform this task?
I wrote, but I do not know how to find the symbol table corresponding to the kernel.
Upvotes: 0
Views: 188
Answers (1)
ANISH SAJI KUMAR
Reputation: 130
There are a few ways to do this:
Use the bpf_probe_read() function to read the syscall table from memory.
Use the bpf_kprobe__read() function to read the syscall table from the kernel's kprobes.
Use the bpf_usdt_read() function to read the syscall table from the kernel's USDT probes.
Upvotes: 0
Related Questions
- How to get cgroup path of task in an eBPF program?
- cannot read arguements properly from ebpf kprobe
- how to access to bpf map which was made by user program in the kernel program (kernel context)?
- BPF_KPROBE macro provides unexpected value of the syscall argument
- Is there a function to get process via bpf_trace?
- bpf how to inspect syscall arguments
- Can eBPF modify the return value or parameters of a syscall?
- Read eBPF tracepoint argument
- attaching bpf to sys_enter (tracepoint available through /proc/kallsyms)
- bpftrace and sys_read syscall