from bcc import BPF
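code = """
#include <linux/elf.h>

/* One record per perf event. The entry probe sends the ELF identification
 * bytes (magic[0] != 0); the return probe sends one program header per
 * record with magic left all-zero. */
struct data_t {
    unsigned char magic[EI_NIDENT];
    u64 type;
    u64 offset;
    u64 addr;
};

BPF_PERF_OUTPUT(events);
/* tid -> e_phnum, handed from the entry probe to the return probe. */
BPF_HASH(phdrlen, u32);

int kprobe__load_elf_phdrs
(struct pt_regs *ctx, struct elfhdr *elf_ex, struct file *elf_file)
{
    u32 tid = bpf_get_current_pid_tgid();
    struct data_t data = {0};
    // e.g. can trace other members.
    // (a '#'-style comment here is an invalid preprocessing directive in C)
    bpf_probe_read_kernel(data.magic, EI_NIDENT, (void *)elf_ex->e_ident);
    u64 num = elf_ex->e_phnum;
    phdrlen.update(&tid, &num);
    events.perf_submit(ctx, &data, sizeof(data));
    return 0;
}

/* Hard cap on program headers walked per exec so the loop stays bounded. */
#define LOOP_LIMIT 64

int kretprobe__load_elf_phdrs
(struct pt_regs *ctx)
{
    u32 tid = bpf_get_current_pid_tgid();
    u64 *phnum = phdrlen.lookup(&tid);
    if (phnum == 0)
        return 0;
    phdrlen.delete(&tid);
    u64 num = *phnum;
    struct elf_phdr *ret = (struct elf_phdr *)PT_REGS_RC(ctx);
    /* A NULL return means no header table was loaded: nothing to walk. */
    if (ret == 0)
        return 0;
    for (int i = 0; i < LOOP_LIMIT; i++) {
        /* `i > num` walked num + 1 entries, i.e. one header past the
         * table (seen as a trailing all-zero record in the output). */
        if (i >= num)
            break;
        struct data_t data = {0};
        data.type = (u64)ret->p_type;
        data.offset = (u64)ret->p_offset;
        data.addr = (u64)ret->p_vaddr;
        events.perf_submit(ctx, &data, sizeof(data));
        ret++;
    }
    return 0;
}
"""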
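b = BPF(text=code)
# print() call form: the file already uses print(...) below, and this form
# runs unchanged under both Python 2 and Python 3.
print("Start tracing...")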
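def print_event(cpu, data, size):
    """Perf-buffer callback: decode one data_t record and print it.

    A record whose first magic byte is non-zero carries the ELF
    identification bytes captured at function entry; any other record
    carries one program header (type, offset, vaddr) captured at return.
    """
    event = b["events"].event(data)
    if event.magic[0] != 0:
        # Raw identification bytes as integers. (Previously bound to a
        # local named `bin`, which shadowed the builtin, via a redundant
        # comprehension over list(...).)
        magic = list(event.magic)
        print("Magic: {}".format(magic))
    else:
        print("Type: %d(0x%08x), Offset: %d, Addr: 0x%08x" %
              (event.type, event.type, event.offset, event.addr))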
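b["events"].open_perf_buffer(print_event)
# Poll until interrupted; Ctrl-C ends the trace cleanly instead of
# dumping a KeyboardInterrupt traceback.
try:
    while True:
        b.perf_buffer_poll()
except KeyboardInterrupt:
    pass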
udzura commented Sep 9, 2020

参考

動作例

$ sudo python elfdump.py 
Start tracing...
Magic: [127, 69, 76, 70, 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0]
Type: 6(0x00000006), Offset: 64, Addr: 0x00000040 
Type: 3(0x00000003), Offset: 792, Addr: 0x00000318
Type: 1(0x00000001), Offset: 0, Addr: 0x00000000 
Type: 1(0x00000001), Offset: 12288, Addr: 0x00003000
Type: 1(0x00000001), Offset: 53248, Addr: 0x0000d000
Type: 1(0x00000001), Offset: 68224, Addr: 0x00011a80 
Type: 2(0x00000002), Offset: 68240, Addr: 0x00011a90 
Type: 4(0x00000004), Offset: 824, Addr: 0x00000338   
Type: 4(0x00000004), Offset: 856, Addr: 0x00000358
Type: 1685382483(0x6474e553), Offset: 824, Addr: 0x00000338
Type: 1685382480(0x6474e550), Offset: 61876, Addr: 0x0000f1b4
Type: 1685382481(0x6474e551), Offset: 0, Addr: 0x00000000     
Type: 1685382482(0x6474e552), Offset: 68224, Addr: 0x00011a80
Type: 0(0x00000000), Offset: 0, Addr: 0x00000000 
