DEVHIDE
Login Or Sign up

The non-invasive way to Instrumentation

166 Views Asked by At

I'm trying to find a way to monitor Process by hooking it's function.

       [Process]                             [thirdparty]
       ...                  trigger callback
                            
pc --> myfunc(st *s, int b); ------------>   handle_myfunc_call(ctx) {
                                              st *s = (st*)ctx->rax;
                                              s->xxx //do some statistics
                                             }
                               return          
                              <--------
        ...
       [Process]                             [thirdparty]

I know the easiest way is using eBPF with uprobe. But I need another way which may work under old linux kernel like 3.10.

USTD

Programmer needs to add a hook in source code which is not I want.

uprobe

I'm familiar with writting kprobe with kernel mod. But after searching Google, I find most uprobe sample are like this

echo 'p:myfunc binaddr:offset %x0 %x1' > uprobe_events
cat /sys/kernel/tracing/trace_pipe

It seems that uprobe just print the log but not calling some callback

systemtap

As far as i know systemtap is using uprobe(fix me) to attach user function, but I don't know the detail about how it works. It seems using uprobe like systemtap works for me.

Utrace

deprecated

Like gdb attach

Thirdparty run as the parent of Process
ptrace Rewrite instructions (like gdb break command)
Capture singal
Access the register

I think it's not easy and singal may cost a lot CPU time...

debugging trace instrumentation systemtap
Original Q&A
1

There are 1 best solutions below

1
Eytan Naim On

uprobes is indeed what you are looking for but it is extremely poorly documented (To the point you might think it doesn't even exist).

The usage you mentioned is just a nice userspace wrapping to allow you use uprobes without using the actual interface directly. The thing is that you already know that because you know ebpf lets you more than just logging.

If you wish to use it directly, you will need to load your own kernel module.

The only reference I found online was this sample GitHub project that I never tried myself but from my past experience it looks it might be enough. If that doesn't help I would try to reverse-engineer the usage from the actual c & h source code.

Another, probably harder-to-use option, is Detours. It is a library that allows you to instrument functions in other processes. The problem is that it is for windows. So, you might want to search google for a Linux implementation.

Related Questions in DEBUGGING

Related Questions in TRACE

Related Questions in INSTRUMENTATION

Related Questions in SYSTEMTAP

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Popular Questions

.

Copyright © 2021 Jogjafile Inc.