• Linux kernel debugging tools: kprobe (Part 2)


    Contents

    I. Probing kernel functions

    II. Using dynamic kprobe tracing on a kernel module


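    The previous chapter used the kprobe programming interface, which requires writing code and compiling it by hand.

    This chapter uses the kernel's tracing infrastructure to set a dynamic kprobe on any function (through kprobe events).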

    I. Probing kernel functions

    1. Change to the tracing directory

    # cd /sys/kernel/debug/tracing

    2. List the functions that can be probed dynamically

    # grep do_sys_open available_filter_functions
    do_sys_openat2
    do_sys_open

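    3. Set up the dynamic probe

    General form:

    # echo "p:EVENT SYMBOL [...]" >> kprobe_events

    # echo "p:my_sys_open3 do_sys_openat2 file=+0(%si):string" > /sys/kernel/debug/tracing/kprobe_events

    The example above runs on x86, where function arguments are passed in the registers RDI, [R]SI, RDX, RCX, R8, R9, so %si is the second argument of do_sys_openat2 (the file name).

    On 32-bit ARM the registers used are r0, r1, r2, r3.

    On ARM64 the registers used are X0-X7.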

    4. View the configured probe point

    /sys/kernel/debug/tracing# ls -lR events/kprobes/
    events/kprobes/:
    total 0
    -rw-r----- 1 root root 0 10月 26 07:42 enable
    -rw-r----- 1 root root 0 10月 26 07:42 filter
    drwxr-x--- 2 root root 0 10月 26 07:42 my_sys_open3
    events/kprobes/my_sys_open3:
    total 0
    -rw-r----- 1 root root 0 10月 26 07:43 enable
    -rw-r----- 1 root root 0 10月 26 07:42 filter
    -r--r----- 1 root root 0 10月 26 07:42 format
    -r--r----- 1 root root 0 10月 26 07:42 hist
    -r--r----- 1 root root 0 10月 26 07:42 id
    --w------- 1 root root 0 10月 26 07:42 inject
    -rw-r----- 1 root root 0 10月 26 07:42 trigger

    5. Enable the probe

    # echo 1 > events/kprobes/my_sys_open3/enable

    6. Read the output

    # cat trace
    systemd-oomd-656 [003] ..... 1628.449020: my_sys_open3: (do_sys_openat2+0x0/0x160) file="/proc/meminfo"
    a.out-5386 [002] ..... 1628.450621: my_sys_open3: (do_sys_openat2+0x0/0x160) file="/home/kprobe.c"
    a.out-5386 [002] ..... 1628.461429: my_sys_open3: (do_sys_openat2+0x0/0x160) file="/home/kprobe.c"
    a.out-5386 [002] ..... 1628.472403: my_sys_open3: (do_sys_openat2+0x0/0x160) file="/home/kprobe.c"
    a.out-5386 [002] ..... 1628.483314: my_sys_open3: (do_sys_openat2+0x0/0x160) file="/home/kprobe.c"
    a.out-5386 [002] ..... 1628.494283: my_sys_open3: (do_sys_openat2+0x0/0x160) file="/home/kprobe.c"

    7. Disable and remove the probe

    # Disable it first
    echo 0 > events/kprobes/my_sys_open3/enable
    # Remove a single probe
    echo "-:EVENT" >> kprobe_events
    # Remove all probe points
    echo > /sys/kernel/tracing/kprobe_events

    Or, to remove just the single probe point set above:

    echo 0 > events/kprobes/my_sys_open3/enable
    echo "-:my_sys_open3" >> kprobe_events
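
The steps above wrapped into shell functions, as an added example that is not part of the original post: the register is chosen per architecture from the lists above, event and field names are validated, and the definition is appended with `>>` so existing probes survive. The helper names and the `TRACEFS` variable are assumptions.

```shell
#!/bin/sh
# Added example; helper names and the TRACEFS override are assumptions.

# arg_reg ARCH N: print the %register carrying integer/pointer argument N
# (1-based) at function entry, per the calling conventions listed above.
arg_reg() {
    case "$1" in
        x86_64)        set -- "$2" di si dx cx r8 r9 ;;
        aarch64|arm64) set -- "$2" x0 x1 x2 x3 x4 x5 x6 x7 ;;
        arm*)          set -- "$2" r0 r1 r2 r3 ;;
        *)             return 1 ;;
    esac
    n=$1; shift
    case "$n" in ''|0*|*[!0-9]*) return 1 ;; esac   # positive decimal only
    [ "$n" -le "$#" ] || return 1                   # later arguments live on the stack
    shift $((n - 1))
    printf '%%%s\n' "$1"
}

# probe_spec ARCH EVENT FUNC FIELD N TYPE: print one kprobe_events definition.
probe_spec() {
    for id in "$2" "$4"; do                         # these become tracefs names
        case "$id" in ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;; esac
    done
    reg=$(arg_reg "$1" "$5") || return 1
    printf 'p:%s %s %s=+0(%s):%s\n' "$2" "$3" "$4" "$reg" "$6"
}

# add_probe SPEC: refuse symbols not listed as traceable, then append.
# ">>" keeps probes that already exist; a plain ">" replaces the whole list.
add_probe() {
    t=${TRACEFS:-/sys/kernel/tracing}
    sym=$(printf '%s\n' "$1" | awk '{ print $2 }')
    awk -v f="$sym" '$1 == f { ok = 1 } END { exit !ok }' \
        "$t/available_filter_functions" || return 1
    printf '%s\n' "$1" >> "$t/kprobe_events"
}

# remove_probe EVENT: disable first (an enabled probe cannot be deleted).
remove_probe() {
    t=${TRACEFS:-/sys/kernel/tracing}
    echo 0 > "$t/events/kprobes/$1/enable" &&
        printf '%s\n' "-:$1" >> "$t/kprobe_events"
}

# Prints the x86_64 definition used above. The file name is a user-space
# pointer; kernels that provide the ustring type document it for such strings.
probe_spec x86_64 my_sys_open3 do_sys_openat2 file 2 string
```

On a live system, run as root: `add_probe "$(probe_spec "$(uname -m)" my_sys_open3 do_sys_openat2 file 2 string)"`, and `remove_probe my_sys_open3` when finished.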

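    II. Using dynamic kprobe tracing on a kernel module

    1. The kernel module under test, miscdrv_rdwr.ko, reads and writes a device file

    Load the kernel module:

    insmod miscdrv_rdwr.ko

    Look up the module's symbols in the kernel's global symbol table: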

    root@ubuntu:~# grep miscdrv /proc/kallsyms
    ffffffffc0687000 t write_miscdrv_rdwr [miscdrv_rdwr]
    ffffffffc0687922 t write_miscdrv_rdwr.cold [miscdrv_rdwr]
    ffffffffc0687290 t open_miscdrv_rdwr [miscdrv_rdwr]
    ffffffffc0687480 t close_miscdrv_rdwr [miscdrv_rdwr]

    The kernel module is now loaded.

    2. Set the probes

    root@ubuntu:/sys/kernel/tracing# echo "p:mymiscdrv_wr read_miscdrv_rdwr" >> kprobe_events
    root@ubuntu:/sys/kernel/tracing# echo "p:mymiscdrv_wr write_miscdrv_rdwr" >> kprobe_events
    root@ubuntu:/sys/kernel/tracing# echo "p:mymiscdrv_wr open_miscdrv_rdwr" >> kprobe_events

    View the configured events:

    root@ubuntu:/sys/kernel/tracing# cat kprobe_events
    p:kprobes/mymiscdrv_wr read_miscdrv_rdwr
    p:kprobes/mymiscdrv_wr write_miscdrv_rdwr
    p:kprobes/mymiscdrv_wr open_miscdrv_rdwr

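    Enable the event:

    root@ubuntu:/sys/kernel/tracing# echo 1 > events/kprobes/mymiscdrv_wr/enable

    Read the trace (this blocks):

    root@ubuntu:/sys/kernel/tracing# cat trace_pipe

    In a second terminal, exercise the module's read and write functions from user space: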

    # Write
    root@ubuntu# ./rdwr_test_secret w /dev/llkd_miscdrv_rdwr "hello world"
    Device file /dev/llkd_miscdrv_rdwr opened (in write-only mode): fd=3
    ./rdwr_test_secret: wrote 12 bytes to /dev/llkd_miscdrv_rdwr
    # Read
    root@ubuntu# ./rdwr_test_secret r /dev/llkd_miscdrv_rdwr
    Device file /dev/llkd_miscdrv_rdwr opened (in read-only mode): fd=3
    ./rdwr_test_secret: read 11 bytes from /dev/llkd_miscdrv_rdwr
    The 'secret' is:
    "hello world"

    The first terminal then shows the following: the probed kernel module functions have been hit.

    root@ubuntu:/sys/kernel/tracing# cat trace_pipe
    rdwr_test_secre-8530 [000] .... 77924.632520: mymiscdrv_wr: (open_miscdrv_rdwr+0x0/0x1f0 [miscdrv_rdwr])
    rdwr_test_secre-8530 [000] .... 77924.632824: mymiscdrv_wr: (write_miscdrv_rdwr+0x0/0x290 [miscdrv_rdwr])
    rdwr_test_secre-8533 [003] .... 77943.415055: mymiscdrv_wr: (open_miscdrv_rdwr+0x0/0x1f0 [miscdrv_rdwr])
    rdwr_test_secre-8533 [003] .... 77943.415123: mymiscdrv_wr: (read_miscdrv_rdwr+0x0/0x270 [miscdrv_rdwr])
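
Turning the `trace` / `trace_pipe` text above into per-process hit counts for each probed function, as an added example that is not part of the original post. `summarize_hits` and `sample_trace` are hypothetical names, and the sample input is taken from the trace lines shown on this page.

```shell
#!/bin/sh
# Added example: count kprobe hits per process and probed function from
# trace / trace_pipe text. Output columns: PID COMM FUNCTION HITS.
summarize_hits() {
    awk '
    # The task field is "comm-pid [cpu]". comm may itself contain "-"
    # (systemd-oomd-656), so anchor on the "-digits [cpu]" that ends it.
    match($0, /-[0-9]+ +\[[0-9]+\]/) {
        comm = substr($0, 1, RSTART - 1); sub(/^[ \t]+/, "", comm)
        pid = substr($0, RSTART + 1);     sub(/ .*/, "", pid)
        # The probe location is printed as "(symbol+offset/size [module])".
        if (!match($0, /\([^ +)]+\+0x/)) next
        fn = substr($0, RSTART + 1, RLENGTH - 4)
        hits[pid " " comm " " fn]++
    }
    END { for (k in hits) print k, hits[k] }' | sort -n
}

# Sample input: trace lines copied from the two listings on this page.
sample_trace() {
    cat <<'EOF'
    systemd-oomd-656 [003] ..... 1628.449020: my_sys_open3: (do_sys_openat2+0x0/0x160) file="/proc/meminfo"
           a.out-5386 [002] ..... 1628.450621: my_sys_open3: (do_sys_openat2+0x0/0x160) file="/home/kprobe.c"
           a.out-5386 [002] ..... 1628.461429: my_sys_open3: (do_sys_openat2+0x0/0x160) file="/home/kprobe.c"
rdwr_test_secre-8530 [000] .... 77924.632520: mymiscdrv_wr: (open_miscdrv_rdwr+0x0/0x1f0 [miscdrv_rdwr])
rdwr_test_secre-8530 [000] .... 77924.632824: mymiscdrv_wr: (write_miscdrv_rdwr+0x0/0x290 [miscdrv_rdwr])
rdwr_test_secre-8533 [003] .... 77943.415055: mymiscdrv_wr: (open_miscdrv_rdwr+0x0/0x1f0 [miscdrv_rdwr])
rdwr_test_secre-8533 [003] .... 77943.415123: mymiscdrv_wr: (read_miscdrv_rdwr+0x0/0x270 [miscdrv_rdwr])
EOF
}

sample_trace | summarize_hits
```

For live data, feed it the real file instead: `summarize_hits < /sys/kernel/tracing/trace`.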

    References

    Kprobe-based Event Tracing — The Linux Kernel documentation

    perf-tools/kprobe at master · brendangregg/perf-tools · GitHub

    ABI references

    Overview of ARM64 ABI conventions | Microsoft Learn

    https://cs.brown.edu/courses/cs033/docs/guides/x64_cheatsheet.pdf

    Overview of ARM ABI Conventions | Microsoft Learn

  • Original article: https://blog.csdn.net/WANGYONGZIXUE/article/details/127525367