Linux module: task creation and destruction notification

Kprobes, . , , . , do_fork() fork.c . do_exit. retprobe, kprobe, , . , , - , , . , 0.

, kretprobe:

static struct kretprobe do_fork_probe = {
    .entry_handler = (kprobe_opcode_t *) my_do_fork_entry,
    .handler = (kprobe_opcode_t *) my_do_fork_ret,
    .maxactive = 20,
    .data_size = sizeof(struct do_fork_ctx)
};

my_do_fork_entry , hooked, my_do_fork_ret ​​ . :

do_fork_probe.kp.addr =
    (kprobe_opcode_t *) kallsyms_lookup_name("do_fork");

if ((ret = register_kretprobe(&do_fork_probe)) <0) {
    // handle error
}

, . pt_regs. , x86 regs- > ax.

static int my_do_fork_ret(struct kretprobe_instance *ri, struct pt_regs *regs)
{
    struct do_fork_ctx *ctx = (struct do_fork_ctx *) ri->data;
    int ret = regs->ax; // This is on x86
    if (ret > 0) {
        // It not an error, probably a valid process
    }
}

. x86, regs- > di , regs- > si .. google . , , , , .

, , , , .