On Thu, 16 Jul 2020 02:09:50 +0430
ahmadkhorrami <ahmadkhorrami@xxxxxxxx> wrote:

> Hi Steven and Mathieu,
> Firstly, many thanks! This method seems to be the most efficient method.
> But, IIUC, what you suggest requires source code compilation. I need an
> efficient dynamic method that, given the function address, captures its
> occurrence and stores some information from the execution context. Is
> there anything better than Uprobes perhaps with no trap into the kernel?
> Why do we need traps?
> Regards.

Without recompiling, how would that be implemented? You would need to
insert a jump on top of code, and still be able to preserve that code.

What a trap does is to insert an int3, that will trap into the kernel; it
would then emulate the code that the int3 was on, and also call some code
that can trace the current state.

To do it in user land, you would need to find a way to replace the code at
the location you want to trace with a jump to the tracing infrastructure,
that will also be able to emulate the code that the jump was inserted on
top of. As on x86, that jump will need to be 5 bytes long (covering 5 bytes
of text to emulate), whereas an int3 is a single byte.

Thus, you either recompile and insert nops where you want to place your
jumps, or you trap using int3 that can do the work from within the kernel.

-- Steve
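The two mechanisms Steve contrasts, as an added example that is not part of the thread and not kernel or uprobes code: one function encodes the 5-byte `jmp rel32` a user-space patcher would have to write over existing text (and reports when the target is out of the +/-2 GiB reach of that encoding), and a second function installs a SIGTRAP handler and executes a single-byte `int3` so the trap path can be observed from user space, with the kernel handing the register file (here, RIP) to the handler. The trap part assumes x86-64 Linux with glibc; the `REG_RIP` fallback value and the function names are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* needed for REG_RIP in <ucontext.h> on glibc */
#endif
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

/* The two patch sizes discussed in the thread: int3 is the single byte 0xCC,
 * a near jmp rel32 is opcode 0xE9 followed by a 32-bit displacement. */
enum { INT3_LEN = 1, JMP_REL32_LEN = 5 };

/* Encode "jmp rel32" placed at address `from` and targeting `to` into out[5].
 * The displacement is relative to the end of the 5-byte instruction.
 * Returns 0 on success, -1 when the target is not within +/-2 GiB. */
int encode_jmp_rel32(uint64_t from, uint64_t to, uint8_t out[JMP_REL32_LEN])
{
    int64_t disp = (int64_t)to - (int64_t)(from + JMP_REL32_LEN);
    if (disp < INT32_MIN || disp > INT32_MAX)
        return -1;
    uint32_t u = (uint32_t)(int32_t)disp;     /* two's complement, little-endian */
    out[0] = 0xE9;
    out[1] = (uint8_t)(u & 0xFF);
    out[2] = (uint8_t)((u >> 8) & 0xFF);
    out[3] = (uint8_t)((u >> 16) & 0xFF);
    out[4] = (uint8_t)((u >> 24) & 0xFF);
    return 0;
}

#ifndef REG_RIP
#define REG_RIP 16   /* assumption: glibc's gregs[] index for RIP on x86-64 */
#endif

static volatile sig_atomic_t trap_hits;
static volatile uintptr_t trap_rip;

/* The "code that can trace the current state": the kernel took the #BP
 * exception raised by int3 and delivered SIGTRAP with the saved registers.
 * RIP in the context already points past the one-byte int3. */
static void on_sigtrap(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si;
    ucontext_t *uc = ctx;
    trap_hits++;
#if defined(__x86_64__)
    trap_rip = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
#else
    (void)uc;
#endif
}

int arch_supports_int3(void)
{
#if defined(__x86_64__) && defined(__linux__)
    return 1;
#else
    return 0;
#endif
}

/* Install the handler, execute one int3, restore the old disposition and
 * return how many traps were observed (1 on success); -1 if unsupported. */
int trap_demo(void)
{
    if (!arch_supports_int3())
        return -1;
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigtrap;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTRAP, &sa, &old) != 0)
        return -1;
    trap_hits = 0;
#if defined(__x86_64__)
    __asm__ volatile("int3");   /* the single-byte probe; no text patching needed */
#endif
    sigaction(SIGTRAP, &old, NULL);
    return (int)trap_hits;
}

int main(void)
{
    uint8_t jmp[JMP_REL32_LEN];
    /* constructed addresses: a patch site at 0x1000 jumping to a trampoline at 0x2000 */
    if (encode_jmp_rel32(0x1000, 0x2000, jmp) == 0)
        printf("jmp rel32 (%d bytes): %02X %02X %02X %02X %02X\n", JMP_REL32_LEN,
               jmp[0], jmp[1], jmp[2], jmp[3], jmp[4]);
    printf("int3 is %d byte\n", INT3_LEN);
    int hits = trap_demo();
    printf("traps observed: %d, RIP after int3: 0x%lx\n", hits, (unsigned long)trap_rip);
    return 0;
}
```

The jump encoder makes the 5-versus-1 byte point concrete: overwriting a 1-byte int3 never straddles an instruction boundary, while a 5-byte jmp covers whatever instructions happened to occupy those bytes, which is exactly the text that must then be emulated or relocated. The trap demo shows the other half: with int3 the kernel, not the patcher, is the one preserving and resuming the original instruction stream.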