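Hi @all :-) I wrote a return probe and put it into the running kernel, inspired by Sun's DTrace. I am trying to hunt processes that live only a short time (too short to see them with ps..). In task_struct I found most of the information that I need... but this is not ok :-(

Dec 29 16:49:17 fedorasys kernel: fc_pid = 3948 fc_command = bash parent_pid = 3868 parent_command = konsole
Dec 29 16:49:17 fedorasys kernel: child_pid = 3959 child_command = bash parent_pid = 3948 parent_command = bash
Dec 29 16:49:17 fedorasys kernel:

ps -ef | grep 3959
root 3959 3948 0 16:49 pts/4 00:00:00 xclock

I see xclock as bash...
--------------------------------------------------------------------------------------------------------------
This is ok :-) another output from the probe:

Dec 29 14:47:18 fedorasys kernel: fc_pid = 20153 fc_command = gcc parent_pid = 20152 parent_command = sh
Dec 29 14:47:18 fedorasys kernel: child_pid = 20154 child_command = cc1 parent_pid = 20153 parent_command = gcc

sh 20152 -> gcc 20153 -> cc1 20154
-------------------------------------------------------------------------------------------------------------------
In the appended code you see that I get the information from (child) task->comm. Where is the right command saved? The kernel writes the correct command to /proc/pid/cmdline:

cat /proc/5235/cmdline
xclock

Thanks for help !!!
Frank

MODULE_DESCRIPTION("");
MODULE_AUTHOR("xxxx");
MODULE_LICENSE("GPL");

/* Name of the probed function; used both for the kallsyms lookup and for log messages. */
static const char *probed_func = "do_fork";

/* proc_pid_cmdline is only run when a process reads /proc/<pid>/cmdline,
 * so it is not a place to observe short-lived processes from. */

/*
 * Return-probe handler: runs when do_fork() returns, in the context of the
 * forking task ("current").  Logs current and every task on current->children.
 *
 * Why the child can carry the parent's name: task->comm is the executable's
 * basename and is only updated by exec() (capped at TASK_COMM_LEN - 1 bytes).
 * Right after fork() the child is a copy of the parent, so until the child
 * calls exec() its comm is still "bash" -- which is exactly what the log above
 * shows for xclock.  gcc -> cc1 comes out right most likely because gcc spawns
 * cc1 with vfork(), which suspends the parent until the child has exec'd, so by
 * the time do_fork() returns the child's comm is already "cc1".  To see the
 * final name of a short-lived process, probe the exec path (or use process
 * accounting / the audit subsystem) instead of the fork return.
 *
 * Neither comm nor /proc/<pid>/cmdline is authoritative: both are under the
 * process's own control (prctl(PR_SET_NAME), rewriting argv), so do not rely
 * on them to identify a process.  Also, task->parent is the ptrace tracer when
 * the task is being traced; task->real_parent is the process that forked it.
 *
 * @ri:   kretprobe instance (unused)
 * @regs: registers at return; reading the do_fork() return value from them is
 *        architecture specific (the old regs->eax variant was i386-only)
 * Returns 0 (kretprobe handlers' return value is ignored).
 */
static int ret_handler(struct kretprobe_instance *ri, struct pt_regs *regs)
{
	struct task_struct *task = current;
	struct task_struct *child;
	struct list_head *list;

	/* The children list is protected by tasklist_lock. */
	read_lock(&tasklist_lock);

	printk(KERN_DEBUG "fc_pid = %d fc_command = %s parent_pid = %d parent_command = %s \n",
	       task->pid, task->comm, task->parent->pid, task->parent->comm);

	list_for_each(list, &current->children) {
		child = list_entry(list, struct task_struct, sibling);
		printk(KERN_DEBUG "child_pid = %d child_command = %s parent_pid = %d parent_command = %s \n",
		       child->pid, child->comm, child->parent->pid, child->parent->comm);
	}
	printk(KERN_DEBUG "----------------------------------------------------------------------------------\n\n");

	read_unlock(&tasklist_lock);
	return 0;
}

static struct kretprobe my_kretprobe = {
	.handler = ret_handler,
	/* Probe up to 20 instances concurrently. */
	.maxactive = 20
};

/*
 * Module entry: resolve do_fork via kallsyms and plant the return probe.
 * Returns 0 on success, -1 if the symbol cannot be found, or the negative
 * error code from register_kretprobe() (propagated, not collapsed to -1).
 */
int init_module(void)
{
	int ret;

	/* Look up the same name that is printed in the diagnostics. */
	my_kretprobe.kp.addr = (kprobe_opcode_t *) kallsyms_lookup_name(probed_func);
	if (!my_kretprobe.kp.addr) {
		printk(KERN_ERR "Couldn't find %s to plant return probe\n", probed_func);
		return -1;
	}

	ret = register_kretprobe(&my_kretprobe);
	if (ret < 0) {
		printk(KERN_ERR "register_kretprobe failed, returned %d\n", ret);
		return ret;
	}

	/* This writes a raw kernel text address to the log; newer kernels hash %p
	 * for that reason, so do not depend on the printed value. */
	printk(KERN_INFO "Planted return probe at %p\n", my_kretprobe.kp.addr);
	return 0;
}

/* Module exit: remove the probe and report how many returns were missed. */
void cleanup_module(void)
{
	unregister_kretprobe(&my_kretprobe);
	printk(KERN_INFO "kretprobe unregistered\n");
	/* nmissed > 0 suggests that maxactive was set too low. */
	printk(KERN_INFO "Missed probing %d instances of %s\n",
	       my_kretprobe.nmissed, probed_func);
}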