StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POGetting function arguments using kprobes
text
Body
copied!<p>I have put a kprobe on a function and now I need to get values of its arguments in kprobe's prehandler function.</p> <p>Here is my function:</p> <pre><code>void foobar(int arg, int arg2, int arg3, int arg4, int arg5, int arg6, int arg7, int arg8) { printk("foobar called\n"); } </code></pre> <p>Putting kprobe on it and calling the function:</p> <pre><code>... kp.addr = (kprobe_opcode_t *) foobar; register_kprobe(&kp); foobar(0xdead1, 0xdead2, 0xdead3, 0xdead4, 0xdead5, 0xdead6, 0xdead7, 0xdead8); </code></pre> <p>And finally prehandler function (taken from <a href="http://www-users.cs.umn.edu/~boutcher/kprobes/" rel="noreferrer">here</a>):</p> <pre><code>static int inst_generic_make_request(struct kprobe *p, struct pt_regs *regs) { printk(KERN_INFO "eax: %08lx ebx: %08lx ecx: %08lx edx: %08lx\n", regs->ax, regs->bx, regs->cx, regs->dx); printk(KERN_INFO "esi: %08lx edi: %08lx ebp: %08lx esp: %08lx\n", regs->si, regs->di, regs->bp, regs->sp); regs++; //... } </code></pre> <p>The output from the prehandler function looks like this (I incremented <code>regs</code> pointer 3 times)</p> <pre><code>May 10 22:58:07 kernel: [ 402.640994] eax: 000dead1 ebx: f7d80086 ecx: 000dead3 edx: 000dead2 May 10 22:58:07 kernel: [ 402.640996] esi: 00000000 edi: b77c8040 ebp: 00000000 esp: f7d8006c May 10 22:58:07 kernel: [ 402.641006] eax: f7d8032c ebx: 000dead5 ecx: 000dead6 edx: 000dead7 May 10 22:58:07 kernel: [ 402.641007] esi: 000dead8 edi: f7d800e0 ebp: f7d80330 esp: 08049674 May 10 22:58:07 kernel: [ 402.641014] eax: 00000080 ebx: 0992b018 ecx: 0000108e edx: 0992b008 May 10 22:58:07 kernel: [ 402.641015] esi: 08049674 edi: b77c8040 ebp: bfe23fb8 esp: bfe23f50 </code></pre> <p>Now I can see arguments of <code>foobar</code> function in various registers (but where's <code>0xdead4</code>?), shouldn't they be in a stack? How can I access the stack from prehandler function? Or how can I get arguments of any function without knowing their types and count? I know that this might not be an easy task (and not even possible to get all values), but only approximately values should be enough. I'm calculating correlation between arguments of two functions and I really don't need exact values. Would it help if I had assembly code of caller function where the arguments are pushed onto the stack)?</p>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload