Kprobes 是 Linux 中的轻量级装置,可以将断点插入到正在运行的内核之中。Kprobes 可以地收集处理器寄存器和全局数据结构等调试信息。甚至可以使用 Kprobes 来修改
寄存器值和全局数据结构的值。
Kprobes 向运行的内核中给定地址写入断点指令,插入一个探测器。 执行被探测的指令会导致断点错误。Kprobes 钩住(hook in)断点处理器并收集调试信息。Kprobes 甚至可以单步执行被探测的指令。
内核编译中开启CONFIG_KPROBE_EVENTS=y.即可动态添加kprobe。
1. 工作原理
用户指定一个探测点,并把一个用户定义的处理函数关联到该探测点,当内核执行到该探测点时,相应的关联函数被执行,然后继续执行正常的代码路径。
kprobe实现了三种类型的探测点: kprobes, jprobes和kretprobes (也叫返回探测点)。 kprobes是可以被插入到内核的任何指令位置的探测点,jprobes则只能被插入到一个内核函数的入口,而kretprobes则是在指定的内核函数返回时才被执行。
l  安装一个kprobes探测点,kprobe先备份被探测的指令,然后使用断点指令来取代被探测指令的头一个或几个字节。
l  当执行到探测点时,将因运行断点指令而执行trap操作,保存CPU的寄存器,调用相应的trap处理函数。
l  trap处理函数将调用相应的notifier_call_chain中注册的所有notifier函数,kprobe正是通过向trap对应的notifier_call_chain注册关联到探测点的处理函数来实现探测处理的。
l  首先执行关联到探测点的pre_handler函数,并把相应的kprobe struct和保存的寄存器作为该函数的参数,最后kprobe执行post_handler。等所有这些运行完毕后,最后紧跟在被探测指令后的指令流。
如下图:
2. kprobe初始化
kprobes作为一个模块,其初始化函数为init_kprobes,代码路径kernel/kprobes.c
3. 通过ftrace接口使用
可以通过
/sys/kernel/debug/tracing/kprobe_events,
并使能
/sys/kernel/debug/tracing/events/kprobes/<EVENT>/enabled.
语法
事件的语法如下:
p[:[GRP/]EVENT] [MOD:]SYM[+offs]|MEMADDR [FETCHARGS] : Set a probe
r[MAXACTIVE][:[GRP/]EVENT] [MOD:]SYM[+0] [FETCHARGS] : Set a return probe
-:[GRP/]EVENT : Clear a probe
GRP : Group name. If omitted, use "kprobes" for it.
EVENT : Event name. If omitted, the event name is generated
based on SYM+offs or MEMADDR.
MOD : Module name which has given SYM.
SYM[+offs] : Symbol+offset where the probe is inserted.
MEMADDR : Address where the probe is inserted.
MAXACTIVE : Maximum number of instances of the specified function that
can be probed simultaneously, or 0 for the default value
as defined in Documentation/kprobes.txt section 1.3.1.
FETCHARGS : Arguments. Each probe can have up to 128 args.
%REG : Fetch register REG
@ADDR : Fetch memory at ADDR (ADDR should be in kernel)
@SYM[+|-offs] : Fetch memory at SYM +|- offs (SYM should be a data symbol)
$stackN : Fetch Nth entry of stack (N >= 0)
$stack : Fetch stack address.
$retval : Fetch return value.(*)
$comm : Fetch current task comm.
+|-offs(FETCHARG) : Fetch memory at FETCHARG +|- offs address.(**)
NAME=FETCHARG : Set NAME as the argument name of FETCHARG.
FETCHARG:TYPE : Set TYPE as the type of FETCHARG. Currently, basic types
(u8/u16/u32/u64/s8/s16/s32/s64), hexadecimal types
(x8/x16/x32/x64), "string" and bitfield are supported.
(*) only for return probe.
(**) this is useful for fetching a field of data structures.
增加kprobe事件
例如,增加一个新的事件do_sys_open。
echo 'p:myprobe do_sys_open dfd=%ax filename=%dx flags=%cx mode=+4($stack)' > /sys/kernel/debug/tracing/kprobe_events
可以查看文件:
# cat /sys/kernel/debug/tracing/kprobe_events
p:kprobes/myprobe do_sys_open dfd=%ax filename=%dx flags=%cx mode=+4($stack)
查看内核源码发现do_sys_open定义如下:
long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode)
所以说,dfd=%ax filename=%dx flags=%cx mode=+4($stack)是do_sys_open的参数,因为kprobe是在函数入口处,
增加kretprobe事件
定义一个返回出的事件如下:
echo 'r:myretprobe do_sys_open $retval' >> /sys/kernel/debug/tracing/kprobe_events
继续查看,发现有两个事件:
# cat /sys/kernel/debug/tracing/kprobe_events
p:kprobes/myprobe do_sys_open dfd=%ax filename=%dx flags=%cx mode=+4($stack)
r:kprobes/myretprobe do_sys_open arg1=$retval
查看格式
关于所定义事件的格式,可以通过如下查看
# cat /sys/kernel/debug/tracing/events/kprobes/myprobe/format
name: myprobe
ID: 1844
format:
field:unsigned short common_type; offset:0; size:2; signed:0;
field:unsigned char common_flags; offset:2; size:1; signed:0;
field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
field:int common_pid; offset:4; size:4; signed:1;
field:unsigned long __probe_ip; offset:8; size:8; signed:0;
field:u64 dfd; offset:16; size:8; signed:0;
field:u64 filename; offset:24; size:8; signed:0;
field:u64 flags; offset:32; size:8; signed:0;
field:u64 mode; offset:40; size:8; signed:0;
print fmt: "(%lx) dfd=0x%Lx filename=0x%Lx flags=0x%Lx mode=0x%Lx", REC->__probe_ip, REC->dfd, REC->filename, REC->flags, REC->mode
可以看到有四个参数。
使能事件跟踪
定义事件后,默认是关闭的。如果要使能,命令如下:
echo 1 > /sys/kernel/debug/tracing/events/kprobes/myprobe/enable
echo 1 > /sys/kernel/debug/tracing/events/kprobes/myretprobe/enable
使能之后,就可以查看事件
#cat /sys/kernel/debug/tracing/trace
# _-----=> irqs-off
# / _----=> need-resched
# | / _---=> hardirq/softirq
# || / _--=> preempt-depth
# ||| / delay
# TASK-PID CPU# |||| TIMESTAMP FUNCTION
# | | | |||| | |
bash-4024 [001] .... 7507.712770: myprobe: (do_sys_open+0x0/0x210) dfd=0x2 filename=0x8241 flags=0x1b6 mode=0xffffffff
awk-5016 [000] .... 7508.140821: myprobe: (do_sys_open+0x0/0x210) dfd=0x2 filename=0x88000 flags=0x1 mode=0xffffffff
awk-5016 [000] d... 7508.140829: myretprobe: (do_syscall_64+0x6e/0x1a0 <- do_sys_open) arg1=0x3
awk-5016 [000] .... 7508.140851: myprobe: (do_sys_open+0x0/0x210) dfd=0x2 filename=0x88000 flags=0xe148 mode=0xffffffff
awk-5016 [000] d... 7508.140856: myretprobe: (do_syscall_64+0x6e/0x1a0 <- do_sys_open) arg1=0x3
awk-5016 [000] .... 7508.140908: myprobe: (do_sys_open+0x0/0x210) dfd=0x2 filename=0x88000 flags=0xe148 mode=0xffffffff
awk-5016 [000] d... 7508.140913: myretprobe: (do_syscall_64+0x6e/0x1a0 <- do_sys_open) arg1=0x3
awk-5016 [000] .... 7508.140962: myprobe: (do_sys_open+0x0/0x210) dfd=0x2 filename=0x88000 flags=0xe148 mode=0xffffffff
awk-5016 [000] d... 7508.140966: myretprobe: (do_syscall_64+0x6e/0x1a0 <- do_sys_open) arg1=0x3
awk-5016 [000] .... 7508.141351: myprobe: (do_sys_open+0x0/0x210) dfd=0x2 filename=0x88000 flags=0x768 mode=0xffffffff
awk-5016 [000] d... 7508.141357: myretprobe: (do_syscall_64+0x6e/0x1a0 <- do_sys_open) arg1=0x3
awk-5016 [000] .... 7508.141451: myprobe: (do_sys_open+0x0/0x210) dfd=0x2 filename=0x8000 flags=0x0 mode=0xffffffff
每一行表示事件发生,其中<-符号表示从哪里返回。
清空kprobe事件
echo 0 > /sys/kernel/debug/tracing/events/kprobes/myprobe/enable
echo 0 > /sys/kernel/debug/tracing/events/kprobes/myretprobe/enable
命令如下:
echo -:myprobe >> kprobe_events
4. 内核模块方式
使用代码如下:
/*
* NOTE: This example is works on x86.
* Here's a sample kernel module showing the use of kprobes to dump a
* stack trace and selected registers when do_fork() is called.
*
* For more information on theory of operation of kprobes, see
* Documentation/kprobes.txt
*
* You will see the trace data in /var/log/messages and on the console
* whenever do_fork() is invoked to create a new process.
*/
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/kprobes.h>
/* For each probe you need to allocate a kprobe structure */
static struct kprobe kp = {
.symbol_name = "do_fork",
};
/* kprobe pre_handler: called just before the probed instruction is executed */
static int handler_pre(struct kprobe *p, struct pt_regs *regs)
{
#ifdef CONFIG_X86
printk(KERN_INFO "pre_handler: p->addr = 0x%p, ip = %lx,"
" flags = 0x%lx\n",
p->addr, regs->ip, regs->flags);
#endif
#ifdef CONFIG_PPC
printk(KERN_INFO "pre_handler: p->addr = 0x%p, nip = 0x%lx,"
" msr = 0x%lx\n",
p->addr, regs->nip, regs->msr);
#endif
#ifdef CONFIG_MIPS
printk(KERN_INFO "pre_handler: p->addr = 0x%p, epc = 0x%lx,"
" status = 0x%lx\n",
p->addr, regs->cp0_epc, regs->cp0_status);
#endif
/* A dump_stack() here will give a stack backtrace */
return 0;
}
/* kprobe post_handler: called after the probed instruction is executed */
static void handler_post(struct kprobe *p, struct pt_regs *regs,
unsigned long flags)
{
#ifdef CONFIG_X86
printk(KERN_INFO "post_handler: p->addr = 0x%p, flags = 0x%lx\n",
p->addr, regs->flags);
#endif
#ifdef CONFIG_PPC
printk(KERN_INFO "post_handler: p->addr = 0x%p, msr = 0x%lx\n",
p->addr, regs->msr);
#endif
#ifdef CONFIG_MIPS
printk(KERN_INFO "post_handler: p->addr = 0x%p, status = 0x%lx\n",
p->addr, regs->cp0_status);
#endif
}
/*
* fault_handler: this is called if an exception is generated for any
* instruction within the pre- or post-handler, or when Kprobes
* single-steps the probed instruction.
*/
static int handler_fault(struct kprobe *p, struct pt_regs *regs, int trapnr)
{
printk(KERN_INFO "fault_handler: p->addr = 0x%p, trap #%dn",
p->addr, trapnr);
/* Return 0 because we don't handle the fault. */
return 0;
}
static int __init kprobe_init(void)
{
int ret;
kp.pre_handler = handler_pre;
kp.post_handler = handler_post;
kp.fault_handler = handler_fault;
ret = register_kprobe(&kp);
if (ret < 0) {
printk(KERN_INFO "register_kprobe failed, returned %d\n", ret);
return ret;
}
printk(KERN_INFO "Planted kprobe at %p\n", kp.addr);
return 0;
}
static void __exit kprobe_exit(void)
{
unregister_kprobe(&kp);
printk(KERN_INFO "kprobe at %p unregistered\n", kp.addr);
}
module_init(kprobe_init)
module_exit(kprobe_exit)
MODULE_LICENSE("GPL");
添加Makefile如下:
obj-m := pr.o
CROSS_COMPILE=''
KDIR := /lib/modules/`uname -r`/build
PWD := $(shell pwd)
default:
make -C $(KDIR) M=$(PWD) modules
clean:
rm -rf *.o .* .cmd *.ko *.mod.c .tmp_versions
然后加载pr.ko文件后,可以通过dmesg命令查看相关输出。
5. 参考
https://blog.csdn.net/luckyapple1028/article/details/52972315
Documentation/kprobes.txt
Documentation/trace/ftrace.txt