Jprobe在之前经常使用用来对内核流程中的函数挂钩子,劫持相关参数,进行debug调试分析

但在内核调试中经常碰到需要监视的模块数据,而这些数据往往在很多函数中修改,需要程序员人工从大量的内核代码中过滤出这些函数,使用jprobe就需要监控每个函数的入口,涉及的内容比较复杂,而且很多时候的函数符号并没有导出,无法进行监控。而hw-breakpoint则解决了这个问题,它针对于具体的数据模块进行监控,如果发生变化后则触发硬件断点,执行指定函数。

所以jprobe方法称为进程断点,hw-breakpoint则称为数据断点。

Jprobe劫持函数示例如下:

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/kprobes.h>

/*
 * Jumper probe for do_fork.
 * Mirror principle enables access to arguments of the probed routine
 * from the probe handler.
 */
/* Proxy routine having the same arguments as actual do_fork() routine */static long jdo_fork(unsigned long clone_flags, unsigned long stack_start,
      struct pt_regs *regs, unsigned long stack_size,
      int __user *parent_tidptr, int __user *child_tidptr)
{
printk(KERN_INFO "jprobe: clone_flags = 0x%lx, stack_size = 0x%lx,"
" regs = 0x%pn",
       clone_flags, stack_size, regs);

/* Always end with a call to jprobe_return(). */jprobe_return();
return 0;
}

static struct jprobe my_jprobe = {
.entry= jdo_fork,
.kp = {
.symbol_name= "do_fork",
},
};

static int __init jprobe_init(void)
{
int ret;

ret = register_jprobe(&my_jprobe);
if (ret < 0) {
printk(KERN_INFO "register_jprobe failed, returned %dn", ret);
return -1;
}
printk(KERN_INFO "Planted jprobe at %p, handler addr %pn",
       my_jprobe.kp.addr, my_jprobe.entry);
return 0;
}

static void __exit jprobe_exit(void)
{
unregister_jprobe(&my_jprobe);
printk(KERN_INFO "jprobe at %p unregisteredn", my_jprobe.kp.addr);
}

module_init(jprobe_init)
module_exit(jprobe_exit)
MODULE_LICENSE("GPL");

jprobe主要在于劫持函数的处理,往往在于劫持入口很多,需要对应的信息过滤规则,留下自己想要的信息。

补充用法:部分函数没有export,只能通过kallsyms_lookup_name函数获取函数地址,在kp上可以如下使用:

my_jprobe.kp.addr=kallsyms_lookup_name("do_fork");

硬件断点(hw-breakpoint)示例:

#include <linux/module.h>/* Needed by all modules */#include <linux/kernel.h>/* Needed for KERN_INFO */#include <linux/init.h>/* Needed for the macros */#include <linux/kallsyms.h>

#include <linux/perf_event.h>
#include <linux/hw_breakpoint.h>

struct perf_event * __percpu *sample_hbp;

static char ksym_name[KSYM_NAME_LEN] = "pid_max";
module_param_string(ksym, ksym_name, KSYM_NAME_LEN, S_IRUGO);
MODULE_PARM_DESC(ksym, "Kernel symbol to monitor; this module will report any"
" write operations on the kernel symbol");

static void sample_hbp_handler(struct perf_event *bp, int nmi,
       struct perf_sample_data *data,
       struct pt_regs *regs)
{
printk(KERN_INFO "%s value is changedn", ksym_name);
dump_stack();
printk(KERN_INFO "Dump stack from sample_hbp_handlern");
}

static int __init hw_break_module_init(void)
{
int ret;
struct perf_event_attr attr;

hw_breakpoint_init(&attr);
attr.bp_addr = kallsyms_lookup_name(ksym_name);
attr.bp_len = HW_BREAKPOINT_LEN_4;
attr.bp_type = HW_BREAKPOINT_W | HW_BREAKPOINT_R;

sample_hbp = register_wide_hw_breakpoint(&attr, sample_hbp_handler);
if (IS_ERR((void __force *)sample_hbp)) {
ret = PTR_ERR((void __force *)sample_hbp);
goto fail;
}

printk(KERN_INFO "HW Breakpoint for %s write installedn", ksym_name);

return 0;

fail:
printk(KERN_INFO "Breakpoint registration failedn");

return ret;
}

static void __exit hw_break_module_exit(void)
{
unregister_wide_hw_breakpoint(sample_hbp);
printk(KERN_INFO "HW Breakpoint for %s write uninstalledn", ksym_name);
}

module_init(hw_break_module_init);
module_exit(hw_break_module_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("K.Prasad");
MODULE_DESCRIPTION("ksym breakpoint");

以上示例代码来源自内核linux-3.0.13-0.27/samples/kprobes/jprobe_example.c和linux-3.0.13-0.27/samples/hw_breakpoint/data_breakpoint.c

待续,后续写一下具体实现机制


内核调试方法:Jprobe与硬件断点来自于OenHan

链接为:https://oenhan.com/jprobe-hw-breakpoint

发表评论