Beruflich Dokumente
Kultur Dokumente
Introduction
In
this
assignment,
you
will
learn:
1. To
use
a
Linux
kernel
monitoring
and
debugging
utility
called
kprobes.
2. To
insert
kprobes
at
different
kernel
routines.
3. To
modify
and
monitor
kernel
routines
using
kprobes
without
recompilation.
Connect
to
your
Linux
machine
via
an
SSH
terminal
session
as
was
shown
in
assignment
1.
Now,
before
we
proceed,
it
is
recommended
that
you
perform
all
your
work
for
the
assignment
in
a
separate
directory
on
the
Linux
machine
that
can
be
created
and
navigated
to
using
the
following
commands:
# cd /home/ucla
# mkdir assg2
# cd assg2
Now
enter
root
mode
using
following
the
command
with
the
password
ascent:
# sudo su
Back
at
your
laptop/machine
you
would
now
transfer
the
modules
for
the
assignment
using
SCP
to
the
Linux
system.
Let
us
assume
that
you
have
unzipped
the
provided
assg2.zip
to
your
desktop
and
now
the
folder
assg2
on
your
desktop
contains
all
the
required
assignment
modules.
In
the
command
prompt
or
terminal,
you
would
navigate
to
the
desktop
and
then
transfer
all
files
from
the
assg2
folder
to
your
destination
Linux
system
using
SCP.
For
example,
on
a
Mac/Linux
machine,
you
would
use
the
following
command
after
navigating
to
the
desktop:
> scp assg2/* ucla@192.168.200.2:/home/ucla/assg2/
Now
that
all
modules
have
been
transferred
to
the
Linux
system,
we
return
to
the
SSH
session
terminal
and
use
the
following
command
to
list
all
the
modules
had
been
transferred
using
SCP:
# ls -l
The
above
command
should
list
the
files
Makefile
and
kpro.c
in
the
directory
if
everything
was
successful.
modified
or
recompiled).
Thus,
kprobes
enable
monitoring
and
modification
of
various
kernel
functions
to
observe
operation
and
debug
the
kernel
without
needing
to
recompile
any
source
code.
A
kprobe
contains
a
pre-handler
and
post-handler
(these
are
custom
functions
that
can
perform
any
work
required
by
the
developer).
The
kprobe
can
be
inserted
at
any
address
in
the
kernel.
When
the
instruction/code
at
an
address
with
a
kprobe
is
reached,
the
kprobes
pre-handler
is
executed,
then
the
instruction
itself
executes
and
finally
the
post-handler
is
executed
before
resuming
normal
execution
of
the
rest
of
the
kernel
code.
Hence,
to
monitor
kernel
functions,
we
need
to
determine
the
address
of
the
function
and
then
insert
a
kprobe
at
that
address
while
defining
our
own
pre-handler
and
post-
handler
[1].
The
kernel
maps
important
functions
to
the
specific
addresses.
To
take
a
look
at
the
various
functions
and
the
corresponding
addresses
we
use
the
system
map:
# cat /boot/System.map*
This
prints
a
list
of
hexadecimal
addresses
and
function
names.
For
example,
in
the
kpro.c
module
we
can
see
that
the
address
0xc160b020
is
used
as
the
address
where
our
kprobe
is
inserted.
This
address
corresponds
to
the
ping_rcv()
function
as
can
be
seen
using:
# cat /boot/System.map* | grep ping_rcv
Thus,
the
kpro.c
module
inserts
a
kprobe
at
the
ping_rcv()
function
in
the
kernel.
The
pre
and
post
handlers
are
defined
such
that
the
pre-handler
prints
Received
ping!
while
the
post-handler
does
nothing.
The
register_kprobe()
function
call
in
the
module
registers
or
inserts
the
kprobe
with
the
pre
and
post
handlers
at
the
ping_rcv()
functions
address.
The
ping_rcv()
function
is
called
whenever
a
ping
packet
is
received
so
this
leads
to
execution
of
the
kprobe
pre-handler
and
prints
Received
ping!
to
the
kernel
message
buffer.
On
removal
of
the
module,
the
unregister_kprobe()
function
call
removes
the
kprobe
from
the
ping_rcv()
function.
References
[0] http://lwn.net/Articles/132196/
[1] http://www.opensourceforu.com/2011/04/kernel-debugging-using-kprobe-and-jprobe/