Assignment

2: Monitoring Kernel Events

Digvijay Singh and William Kaiser
digvijay@ucla.edu ; kaiser@ee.ucla.edu

Introduction
In this assignment, you will learn:
1. To use a Linux kernel monitoring and debugging utility called kprobes.
2. To insert kprobes at different kernel routines.
3. To modify and monitor kernel routines using kprobes without recompilation.
Connect to your Linux machine via an SSH terminal session as was shown in assignment 1. Now, before
we proceed, it is recommended that you perform all your work for the assignment in a separate
directory on the Linux machine that can be created and navigated to using the following commands:
# cd /home/ucla
# mkdir assg2
# cd assg2
Now enter root mode using following the command with the password ascent:
# sudo su
Back at your laptop/machine you would now transfer the modules for the assignment using SCP to the
Linux system. Let us assume that you have unzipped the provided assg2.zip to your desktop and now
the folder assg2 on your desktop contains all the required assignment modules. In the command prompt
or terminal, you would navigate to the desktop and then transfer all files from the assg2 folder to your
destination Linux system using SCP. For example, on a Mac/Linux machine, you would use the following
command after navigating to the desktop:
> scp assg2/* ucla@192.168.200.2:/home/ucla/assg2/
Now that all modules have been transferred to the Linux system, we return to the SSH session terminal
and use the following command to list all the modules had been transferred using SCP:
# ls -l
The above command should list the files Makefile and kpro.c in the directory if everything was
successful.

Step 1: Building, Insertion and Removal of Kernel Modules

Build the module to allow compilation of the source code into a kernel object:
# make clean
# make
The above commands will cause the generation of kpro.ko. We can now insert the compiled kernel
modules object file into the kernel with the following commands:
# insmod kpro.ko
We now ping ourselves on the local network:
# ping 127.0.0.1
Press Ctrl + C to stop sending ping packets to the system. We can now observe the effect of the insertion
using the following command:
# dmesg
We can see our Received ping! message. This was printed to the kernel log buffer in response to any
ping packets received by the kpro.c module after it was compiled and inserted into the kernel. We can
now remove the module using:
# rmmod kpro.ko
We now ping ourselves on the local network:
# ping 127.0.0.1
Press Ctrl + C to stop sending ping packets to the system. We again observe the kernel message buffer:
# dmesg
No new Received ping! messages are observed in kernel message buffer. This is because of the
removal of kpro.ko.

Step 2: Studying Linux Kernel Module Code

Let us study the kpro.c file to make the operation of the module clearer. To read the file we can use the
following command:
# cat kpro.c
The module uses a powerful kernel monitoring utility called kprobes [0]. These allow the developer to
insert their own functions into kernel code at run-time (the source code does not need to be changed,

modified or recompiled). Thus, kprobes enable monitoring and modification of various kernel functions
to observe operation and debug the kernel without needing to recompile any source code.
A kprobe contains a pre-handler and post-handler (these are custom functions that can perform any
work required by the developer). The kprobe can be inserted at any address in the kernel. When the
instruction/code at an address with a kprobe is reached, the kprobes pre-handler is executed, then the
instruction itself executes and finally the post-handler is executed before resuming normal execution of
the rest of the kernel code. Hence, to monitor kernel functions, we need to determine the address of
the function and then insert a kprobe at that address while defining our own pre-handler and post-
handler [1].
The kernel maps important functions to the specific addresses. To take a look at the various functions
and the corresponding addresses we use the system map:
# cat /boot/System.map*
This prints a list of hexadecimal addresses and function names. For example, in the kpro.c module we
can see that the address 0xc160b020 is used as the address where our kprobe is inserted. This address
corresponds to the ping_rcv() function as can be seen using:
# cat /boot/System.map* | grep ping_rcv
Thus, the kpro.c module inserts a kprobe at the ping_rcv() function in the kernel. The pre and post
handlers are defined such that the pre-handler prints Received ping! while the post-handler does
nothing. The register_kprobe() function call in the module registers or inserts the kprobe with the pre
and post handlers at the ping_rcv() functions address.
The ping_rcv() function is called whenever a ping packet is received so this leads to execution of the
kprobe pre-handler and prints Received ping! to the kernel message buffer. On removal of the
module, the unregister_kprobe() function call removes the kprobe from the ping_rcv() function.

Step 3: Modifications to Kernel Module Code

Another way to detect incoming packets is to use a kprobe at the ip_rcv() function. This is a more
general function that is called whenever an IP packet is received (in contrast to ping_rcv() that is only
called when a ping packet is received). Thus, you will modify the module to register the kprobe at the
ip_rcv() functions address (this can be obtained from /boot/System.map* as shown in the previous
step). Now, instead of printing Received ping!, the kprobe pre-handler should be modified to print
Received packet!.

Step 4: Building, Insertion and Operation of Modified Kernel Module

After modifying the module, build, insert and remove it to ensure correct operation (as shown in Step
1). To demonstrate correct operation, please submit a screen capture of pings sent to the system and
then the messages Received packet! in the kernel message buffer along with your module code.

Step 5: Further Modifications to the Kernel Module Code

In this step, you will combine the functionality of the original module and the modified module from
step 3. Your module should now be modified to register and unregister two kprobes: one on the
ping_rcv() function that prints Ping received! and one on the ip_rcv() function that prints Packet
received! to the kernel message buffer.

Step 6: Building, Insertion and Operation of Modified Kernel Module

After modifying the module, build, insert and remove it to ensure correct operation. To demonstrate
correct operation, please submit a screen capture of pings to the system and then the message(s)
observed in the kernel message buffer along with your module code.

References
[0] http://lwn.net/Articles/132196/
[1] http://www.opensourceforu.com/2011/04/kernel-debugging-using-kprobe-and-jprobe/