Created
September 9, 2020 13:24
from bcc import BPF
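# BPF program (C source) handed to bcc.  The entry probe on load_elf_phdrs()
# reports the ELF identification bytes and remembers e_phnum for the calling
# thread; the return probe walks the returned program-header array and emits
# one event per entry (p_type, p_offset, p_vaddr).
# NOTE(review): load_elf_phdrs() is an internal kernel function; attaching
# presumably fails on kernels where it is inlined or renamed -- confirm on the
# target kernel.
code = """
#include <linux/elf.h>

struct data_t {
    unsigned char magic[EI_NIDENT];  // e_ident, filled only by the entry probe
    u64 type;                        // p_type
    u64 offset;                      // p_offset
    u64 addr;                        // p_vaddr
};

BPF_PERF_OUTPUT(events);
BPF_HASH(phdrlen, u32);  // thread id -> e_phnum seen at function entry

int kprobe__load_elf_phdrs
(struct pt_regs *ctx, struct elfhdr *elf_ex, struct file *elf_file)
{
    u32 tid = bpf_get_current_pid_tgid();
    struct data_t data = {0};

    // e.g. can trace other members.
    // (This must be a C comment: a line starting with '#' inside the program
    // text is parsed as a preprocessor directive.)
    bpf_probe_read_kernel(data.magic, EI_NIDENT, (void *)elf_ex->e_ident);

    // Stash the header count so the return probe knows how far to walk.
    u64 num = elf_ex->e_phnum;
    phdrlen.update(&tid, &num);

    events.perf_submit(ctx, &data, sizeof(data));
    return 0;
}

// Constant upper bound for the walk below; headers past this count are not
// reported.
#define LOOP_LIMIT 64

int kretprobe__load_elf_phdrs
(struct pt_regs *ctx)
{
    u32 tid = bpf_get_current_pid_tgid();
    u64 *phnum = phdrlen.lookup(&tid);
    if (phnum == 0)
        return 0;

    // Copy the count out before deleting the entry: phnum points into the
    // map slot and must not be read once the slot has been released.
    u64 num = *phnum;
    phdrlen.delete(&tid);

    struct elf_phdr *ret = (struct elf_phdr *)PT_REGS_RC(ctx);
    // Nothing to walk when the traced function returned NULL.
    if (ret == 0)
        return 0;

    for (int i = 0; i < LOOP_LIMIT; i++) {
        // Stop after exactly num entries so the walk never steps past the
        // end of the returned array.
        if (i >= num) break;

        struct data_t data = {0};
        data.type = (u64)ret->p_type;
        data.offset = (u64)ret->p_offset;
        data.addr = (u64)ret->p_vaddr;
        events.perf_submit(ctx, &data, sizeof(data));
        ret++;
    }
    return 0;
}
"""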
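# Compile the program and load it; bcc attaches functions named
# kprobe__<fn> / kretprobe__<fn> to <fn> automatically.  Loading kernel
# probes normally requires root (or equivalent BPF capabilities).
b = BPF(text=code)
# Function-call form so the script also parses under Python 3.
print("Start tracing...")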
def print_event(cpu, data, size):
    """Decode one perf-buffer record and print it.

    Records carry either the ELF identification bytes (``magic``) or one
    program-header entry (``type``/``offset``/``addr``).  A non-zero first
    ``magic`` byte selects the first form; anything else is printed as a
    program-header entry.
    """
    record = b["events"].event(data)

    if event_is_header(record) if False else record.magic[0] == 0:
        # Program-header entry: type in decimal and hex, then offset/address.
        print("Type: %d(0x%08x), Offset: %d, Addr: 0x%08x" %
              (record.type, record.type, record.offset, record.addr))
        return

    # Identification record: show the raw e_ident bytes as a list.
    ident_bytes = list(record.magic)
    print("Magic: {}".format(ident_bytes))
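# Route every perf-buffer record to print_event, then poll until interrupted.
b["events"].open_perf_buffer(print_event)
while True:
    try:
        b.perf_buffer_poll()
    except KeyboardInterrupt:
        # Ctrl-C ends the trace cleanly instead of dumping a traceback.
        break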
参考
動作例