EBPF -Codes nicht an KPROBE anhängen?
Posted: 05 Mar 2025, 09:11
Mein Linux-System ist WSL2 mit Kernel-5.15.133, und ich habe in Kernel mit KPROBE . ist montiert at/sys/kernel/debug , Tracefs ist montiert unter /sys/kernel/debug/tracing.
Ich bin ziemlich neu bei EBPF, ich konnte nicht herausfinden, warum Attach_KPROBE
Code: Select all
// kmalloc_counter.c
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "bpf_insn.h"
#ifndef __NR_bpf
# define __NR_bpf 321
#endif
#ifndef barrier
# define barrier() asm volatile("" ::: "memory")
#endif
static int sys_bpf(enum bpf_cmd cmd, union bpf_attr *attr, unsigned int size) {
return syscall(__NR_bpf, cmd, attr, size);
}
static int create_map() {
union bpf_attr attr = {
.map_type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(int),
.value_size = sizeof(long long),
.max_entries = 1,
};
return sys_bpf(BPF_MAP_CREATE, &attr, sizeof(attr));
}
static int load_prog(int map_fd) {
struct bpf_insn prog[] = {
BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), // *(u32 *)(r10 -4) = 0
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), // r2 = fp -4
BPF_LD_MAP_FD(BPF_REG_1, map_fd), // r1 = map_fd
BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), // if (r0 == 0) goto exit
BPF_MOV64_IMM(BPF_REG_1, 1), // r1 = 1
BPF_RAW_INSN(BPF_STX|BPF_XADD|BPF_DW, BPF_REG_0, BPF_REG_1, 0, 0), // xadd r0 += r1
BPF_MOV64_REG(BPF_REG_0, BPF_REG_6), // r0 = r6
BPF_EXIT_INSN(), // return
};
union bpf_attr attr = {
.prog_type = BPF_PROG_TYPE_KPROBE,
.insns = (__u64)prog,
.insn_cnt = sizeof(prog)/sizeof(prog[0]),
.license = (__u64)"GPL",
.kern_version = LINUX_VERSION_CODE,
};
return sys_bpf(BPF_PROG_LOAD, &attr, sizeof(attr));
}
static int attach_kprobe(int prog_fd, const char *func) {
int pfd;
struct perf_event_attr attr = {
.type = PERF_TYPE_TRACEPOINT,
.size = sizeof(attr),
.config = 0,
.sample_period = 1,
.sample_type = PERF_SAMPLE_RAW,
};
pfd = syscall(__NR_perf_event_open, &attr, -1, 0, -1, PERF_FLAG_FD_CLOEXEC);
if (pfd < 0) return -1;
if (ioctl(pfd, PERF_EVENT_IOC_SET_BPF, prog_fd) < 0) {
close(pfd);
return -1;
}
if (ioctl(pfd, PERF_EVENT_IOC_ENABLE, 0) < 0) {
close(pfd);
return -1;
}
int fd = open("/sys/kernel/debug/tracing/kprobe_events", O_WRONLY);
if (fd < 0) return -1;
dprintf(fd, "p:myprobe %s\n", func);
close(fd);
return pfd;
}
int main() {
int map_fd, prog_fd, pfd;
int key = 0;
long long value = 0;
if ((map_fd = create_map()) < 0) {
perror("map create failed");
return 1;
}
union bpf_attr update_attr = {
.map_fd = map_fd,
.key = (__u64)&key,
.value = (__u64)&value,
.flags = BPF_ANY,
};
sys_bpf(BPF_MAP_UPDATE_ELEM, &update_attr, sizeof(update_attr));
if ((prog_fd = load_prog(map_fd)) < 0) {
perror("prog load failed");
return 1;
}
if ((pfd = attach_kprobe(prog_fd, "kmalloc")) < 0) {
perror("kprobe attach failed");
return 1;
}
printf("Monitoring kmalloc calls...\n");
while (1) {
union bpf_attr lookup_attr = {
.map_fd = map_fd,
.key = (__u64)&key,
.value = (__u64)&value,
};
if (sys_bpf(BPF_MAP_LOOKUP_ELEM, &lookup_attr, sizeof(lookup_attr)) == 0) {
printf("kmalloc calls: %lld\n", value);
}
sleep(1);
}
close(pfd);
return 0;
}
< /code>
debufsIch bin ziemlich neu bei EBPF, ich konnte nicht herausfinden, warum Attach_KPROBE