Getting function arguments with kprobes

I put a kprobe on a function, and now I need to get the values of the arguments in the kprobe pre-handler function.

Here is my function:

void foobar(int arg, int arg2, int arg3, int arg4, int arg5, int arg6, int arg7, int arg8)
{
    printk("foobar called\n");
}

I install a kprobe on it and call the function:

...
kp.addr = (kprobe_opcode_t *) foobar;
register_kprobe(&kp);

foobar(0xdead1, 0xdead2, 0xdead3, 0xdead4, 0xdead5, 0xdead6, 0xdead7, 0xdead8);

And finally, the pre-handler function (taken from here):

static int inst_generic_make_request(struct kprobe *p, struct pt_regs *regs)
{
    printk(KERN_INFO "eax: %08lx   ebx: %08lx   ecx: %08lx   edx: %08lx\n",
           regs->ax, regs->bx, regs->cx, regs->dx);
    printk(KERN_INFO "esi: %08lx   edi: %08lx   ebp: %08lx   esp: %08lx\n",
           regs->si, regs->di, regs->bp, regs->sp);
    regs++;   /* step one struct pt_regs further up memory and dump again */
    //...
    return 0; /* a pre-handler returns 0 to let the probed instruction run */
}

The output of the pre-handler function is as follows (I incremented the regs pointer 3 times):

May 10 22:58:07 kernel: [  402.640994] eax: 000dead1   ebx: f7d80086   ecx: 000dead3   edx: 000dead2
May 10 22:58:07 kernel: [  402.640996] esi: 00000000   edi: b77c8040   ebp: 00000000   esp: f7d8006c

May 10 22:58:07 kernel: [  402.641006] eax: f7d8032c   ebx: 000dead5   ecx: 000dead6   edx: 000dead7
May 10 22:58:07 kernel: [  402.641007] esi: 000dead8   edi: f7d800e0   ebp: f7d80330   esp: 08049674

May 10 22:58:07 kernel: [  402.641014] eax: 00000080   ebx: 0992b018   ecx: 0000108e   edx: 0992b008
May 10 22:58:07 kernel: [  402.641015] esi: 08049674   edi: b77c8040   ebp: bfe23fb8   esp: bfe23f50

foobar ( 0xdead4?), ? prehandler? , ? , ( ), . , . , , )?


1: Jprobes

, : Jprobes , . kprobes (. ).

Jprobes , , . .

2:

, , , . , 32- x86.

x86, 32

, Linux x86 ( Agner Fog). , (. ), , "" , .

1

, asmlinkage, , . , . ..

esp, , . *(esp+4) , *(esp+8) - .., .

2

, , , .

-mregparm=3, 3 eax, edx ecx , - . *(esp+4) 4- , *(esp+8) - ..

x86, 64bit

, x86-64 . ( ) 6 rdi, rsi, rdx, rcx, r8, r9 , . *(esp+8) 7- , *(esp+16) - ..

EDIT:

, x86-32 esp pt_regs ( , KProbes). <asm/ptrace.h> kernel_stack_pointer() esp, x86-32, x86-64. . kernel_stack_pointer() .

, regs_get_kernel_stack_nth() ( ) .

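A userspace C model of the argument recovery that the register dump in the question and the calling-convention notes in this answer describe. This is an added example, not code from the question or the answer: it mirrors only a subset of the kernel's struct pt_regs fields (with a host-width sp so it compiles and runs outside the kernel), and the stack contents and the return-address placeholder are constructed. In a real pre-handler the register fields come from the struct pt_regs *regs argument, the stack words from regs_get_kernel_stack_nth(regs, n), and on x86-32 the stack pointer from kernel_stack_pointer(regs) rather than regs->sp. The 32-bit mapping (eax, edx, ecx for the first three arguments under -mregparm=3) is the one the question's first dump shows: eax = 0xdead1, edx = 0xdead2, ecx = 0xdead3.

```c
#include <stdint.h>
#include <stdio.h>

#define NARGS 8

/* Constructed stack of the probed function at its entry point: slot 0 is the
 * return address pushed by CALL, slots 1.. hold the arguments that did not fit
 * in registers. Static so the regs structs below can point into it. */
static unsigned long stack64[4];
static uint32_t      stack32[8];

/* Subset of the x86-64 struct pt_regs fields, same names as asm/ptrace.h. */
struct pt_regs64 {
    unsigned long di, si, dx, cx, r8, r9;
    uintptr_t sp;   /* host-width here so the model runs on any host */
};

/* Subset of the x86-32 struct pt_regs fields (kernel built with -mregparm=3). */
struct pt_regs32 {
    uint32_t ax, dx, cx;
    uintptr_t sp;
};

/* x86-64: args 1-6 in rdi, rsi, rdx, rcx, r8, r9; arg 7 at *(rsp+8),
 * arg 8 at *(rsp+16). sp[0] is the return address, hence the 1 + offset.
 * In a kernel pre-handler the stack read is regs_get_kernel_stack_nth(). */
unsigned long kprobe_arg64(const struct pt_regs64 *regs, unsigned n)
{
    const unsigned long *sp = (const unsigned long *)regs->sp;
    switch (n) {
    case 0: return regs->di;
    case 1: return regs->si;
    case 2: return regs->dx;
    case 3: return regs->cx;
    case 4: return regs->r8;
    case 5: return regs->r9;
    default: return sp[1 + (n - 6)];
    }
}

/* x86-32 with -mregparm=3: args 1-3 in eax, edx, ecx; arg 4 at *(esp+4),
 * arg 5 at *(esp+8), and so on. */
uint32_t kprobe_arg32(const struct pt_regs32 *regs, unsigned n)
{
    const uint32_t *sp = (const uint32_t *)regs->sp;
    switch (n) {
    case 0: return regs->ax;
    case 1: return regs->dx;
    case 2: return regs->cx;
    default: return sp[1 + (n - 3)];
    }
}

/* Register/stack state that foobar(0xdead1, ..., 0xdead8) would present to a
 * pre-handler on x86-64. Constructed values; the return address is a dummy. */
struct pt_regs64 example_regs64(void)
{
    struct pt_regs64 r = { 0xdead1, 0xdead2, 0xdead3, 0xdead4, 0xdead5, 0xdead6, 0 };
    stack64[0] = 0x1000;    /* placeholder return address */
    stack64[1] = 0xdead7;
    stack64[2] = 0xdead8;
    r.sp = (uintptr_t)stack64;
    return r;
}

/* Same call as seen by a pre-handler on x86-32 with -mregparm=3. */
struct pt_regs32 example_regs32(void)
{
    struct pt_regs32 r = { 0xdead1, 0xdead2, 0xdead3, 0 };
    stack32[0] = 0x1000;    /* placeholder return address */
    for (unsigned i = 3; i < NARGS; i++)
        stack32[1 + (i - 3)] = 0xdead1 + i;   /* 0xdead4 .. 0xdead8 */
    r.sp = (uintptr_t)stack32;
    return r;
}

/* Convenience accessors over the constructed examples (argument index n is 0-based). */
unsigned long example_arg64(unsigned n) { struct pt_regs64 r = example_regs64(); return kprobe_arg64(&r, n); }
uint32_t      example_arg32(unsigned n) { struct pt_regs32 r = example_regs32(); return kprobe_arg32(&r, n); }

/* Returns 1 if every argument is recovered as 0xdead(n+1) on both models, else 0. */
int check_recovery(void)
{
    for (unsigned n = 0; n < NARGS; n++) {
        unsigned long want = 0xdead1 + n;
        if (example_arg64(n) != want || example_arg32(n) != want)
            return 0;
    }
    return 1;
}

int main(void)
{
    for (unsigned n = 0; n < NARGS; n++)
        printf("arg%u: x86-64 0x%lx  x86-32 0x%x\n", n + 1,
               example_arg64(n), (unsigned)example_arg32(n));
    return check_recovery() ? 0 : 1;
}
```

The point to take from the model is the off-by-one: at the probed entry address the stack pointer still points at the return address, so the first stack-passed argument is one word above it, which is why the answer gives *(esp+4) and *(esp+8) on x86-32 and *(rsp+8) and *(rsp+16) on x86-64, not *(esp+0).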

, , Linux. . .

1) ( -g), , , test.ko .

2) readelf . :

   $ readelf --debug-dump=info test.ko > log.info

readelf log.info.

3) log.info , , 'foobar()'. foobar() TAG DW_TAG_subprogram. TAG . . , , "arg" ebx, esp + 8, ecx ..

4) , , kprobe . , , esp prehandler.

5) , , .
