Tobias Waldekranz wkz

## perror
#!/bin/sh

if [ $1 -eq 0 ]; then
    exit 0;
fi

msg=`cc -E -dM /usr/include/errno.h | egrep "^#define E\w+ $1$" | cut -d" " -f 2,3`

echo "$msg "

## gist:228a8069dcb89ac38bc3
sys_read {
  hit[pid] += 1
}

--

sys_read {
  hit[pid] += 1;
}

## gist:078304ec66d6ebbda7eb
kprobe:test {
	a = 1;
	return 2 * (a - 1) + 7
}

--

mov r9, 0x1
mov r8, r9
sub r8, 0x1

## gist:8ce75257d61ddb7b533c
TroglOS Linux 1.0-beta5 chaos /dev/ttyAMA0
chaos login: root

 (@-
 //\   TroglOS Linux  ::  Troglobit Software
 V_/_  Chaos Release  ::  http://troglobit.com

~ # echo 'kprobe:do_sys_open { trace("hello, world!\n") }' | /dtl
         syslogd-37    [000] d...     6.067101: : hello, world!
              sh-63    [000] d...     6.074971: : hello, world!

## gist:0bafae4d24aad363fdf5
open.fs:
--
kprobe:SyS_open {
	opens[comm()] += 1;
}
--

~ # dtl -f open.fs &
<DO RANDOM STUFF>
~ # fg

## gist:18ad94891b0f3aaa9c2c
#!/bin/ply -f

kprobe:SyS_* {
	syscall[reg("pc")] += 1
}

--

000:	mov	r9, r1
001:	mov	r0, #0x0

## gist:151f171c8ca733033677
wkz@wkz-box:~$ cat test.ply
kprobe:SyS_read {
	/* on x86_64, di contains first argument to read, the fd */
	fds[pid(), execname(), reg("di")] += 1
}
wkz@wkz-box:~$ sudo ply test.ply
[sudo] password for wkz:
^C
fds:
[     2315, xmobar          ,       11 ]	       3

## Makefile

flip:
	@echo '\\/' | sed -e 's:\\/://\\:'

flip-adv:
	@echo '\\/' | sed -e 's/\\\//\/\/\\/'

flip-evil:
	@echo "\\\\\/" | sed -e "s/\\\\\\\\\//\/\/\\\/"

## gist:fd858eb2286ad0abc625
wkz@wkz-box:~$ time cat /proc/kallsyms | awk '{ print $NF; exit 0 }'
irq_stack_union

real	0m0.003s
user	0m0.000s
sys	0m0.000s
wkz@wkz-box:~$ time cat /proc/kallsyms | awk 'END{ print $NF }'
[wmi]

real	0m0.064s

## gist:e439f6cc4a634455cf9a
#!/usr/bin/env ply
/* -*- mode: c -*- */

kprobe:SyS_read
{
	sizes[arg(2)].count();
	dist.quantize(arg(2));
	sum.count();
}
	#!/bin/sh

	if [ $1 -eq 0 ]; then
	exit 0;
	fi

	msg=`cc -E -dM /usr/include/errno.h \| egrep "^#define E\w+ $1$" \| cut -d" " -f 2,3`

	echo "$msg "
	kprobe:test {
	a = 1;
	return 2 * (a - 1) + 7
	}

	--

	mov r9, 0x1
	mov r8, r9
	sub r8, 0x1
	TroglOS Linux 1.0-beta5 chaos /dev/ttyAMA0
	chaos login: root

	(@-
	//\ TroglOS Linux :: Troglobit Software
	V_/_ Chaos Release :: http://troglobit.com

	~ # echo 'kprobe:do_sys_open { trace("hello, world!\n") }' \| /dtl
	syslogd-37 [000] d... 6.067101: : hello, world!
	sh-63 [000] d... 6.074971: : hello, world!
	open.fs:
	--
	kprobe:SyS_open {
	opens[comm()] += 1;
	}
	--

	~ # dtl -f open.fs &
	<DO RANDOM STUFF>
	~ # fg
	#!/bin/ply -f

	kprobe:SyS_* {
	syscall[reg("pc")] += 1
	}

	--

	000: mov r9, r1
	001: mov r0, #0x0
	wkz@wkz-box:~$ cat test.ply
	kprobe:SyS_read {
	/* on x86_64, di contains first argument to read, the fd */
	fds[pid(), execname(), reg("di")] += 1
	}
	wkz@wkz-box:~$ sudo ply test.ply
	[sudo] password for wkz:
	^C
	fds:
	[ 2315, xmobar , 11 ] 3

	flip:
	@echo '\\/' \| sed -e 's:\\/://\\:'

	flip-adv:
	@echo '\\/' \| sed -e 's/\\\//\/\/\\/'

	flip-evil:
	@echo "\\\\\/" \| sed -e "s/\\\\\\\\\//\/\/\\\/"
	wkz@wkz-box:~$ time cat /proc/kallsyms \| awk '{ print $NF; exit 0 }'
	irq_stack_union

	real 0m0.003s
	user 0m0.000s
	sys 0m0.000s
	wkz@wkz-box:~$ time cat /proc/kallsyms \| awk 'END{ print $NF }'
	[wmi]

	real 0m0.064s
	#!/usr/bin/env ply
	/* -- mode: c -- */

	kprobe:SyS_read
	{
	sizes[arg(2)].count();
	dist.quantize(arg(2));
	sum.count();
	}