Last active
February 5, 2020 20:12
-
-
Save florianl/d2155cb74fedc18b4e5d12e58562b32a to your computer and use it in GitHub Desktop.
Tracing potential dlopen() usage
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bpftrace | |
| /* | |
| * dlopen.bt reports potential usage of dlopen() usage which is a combination | |
| * of a open syscall followed by mmap syscall | |
| */ | |
| BEGIN | |
| { | |
| printf("Tracing potential dlopen() usage... Hit Ctrl-C to end.\n"); | |
| printf("%-5s %-24s\t%-5s\t%s\n", | |
| "PID", "COMM", "FD", "FILENAME"); | |
| } | |
| tracepoint:syscalls:sys_enter_open, | |
| tracepoint:syscalls:sys_enter_openat | |
| { | |
| @seen[tid] = args->filename; | |
| } | |
| tracepoint:syscalls:sys_exit_open, | |
| tracepoint:syscalls:sys_exit_openat | |
| /@seen[tid]/ | |
| { | |
| if (args->ret < 0) { | |
| /* | |
| * opening the file was not successfull | |
| */ | |
| delete(@seen[tid]); | |
| } else { | |
| @fd[tid] = args->ret; | |
| } | |
| } | |
| kprobe:do_mmap | |
| /@seen[tid] && @fd[tid]/ | |
| { | |
| /* | |
| * The prot argument describes the desired memory protection of the | |
| * mapping (and must not conflict with the open mode of the file). | |
| * http://man7.org/linux/man-pages/man2/mmap.2.html | |
| */ | |
| $prot = arg3; | |
| if ($prot & 0x4) { | |
| printf("%-5d %-24s\t%-5d\t%s\n", pid, comm, @fd[tid], str(@seen[tid])); | |
| } | |
| delete(@seen[tid]); | |
| delete(@fd[tid]); | |
| } | |
| END | |
| { | |
| clear(@seen); | |
| clear(@fd); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment