首页 > Tools > 内核调试方法:Jprobe与硬件断点

内核调试方法:Jprobe与硬件断点

Tools 2013-12-19

Jprobe在之前经常使用用来对内核流程中的函数挂钩子,劫持相关参数,进行debug调试分析

但在内核调试中经常碰到需要监视的模块数据,而这些数据往往在很多函数中修改,需要程序员人工从大量的内核代码中过滤出这些函数,使用jprobe就需要监控每个函数的入口,涉及的内容比较复杂,而且很多时候的函数符号并没有导出,无法进行监控。而hw-breakpoint则解决了这个问题,它针对于具体的数据模块进行监控,如果发生变化后则触发硬件断点,执行指定函数。

所以jprobe方法称为进程断点,hw-breakpoint则称为数据断点。

Jprobe劫持函数示例如下:

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/kprobes.h>

/*
 * Jumper probe for do_fork.
 * Mirror principle enables access to arguments of the probed routine
 * from the probe handler.
 */

/* Proxy routine having the same arguments as actual do_fork() routine */
static long jdo_fork(unsigned long clone_flags, unsigned long stack_start,
	      struct pt_regs *regs, unsigned long stack_size,
	      int __user *parent_tidptr, int __user *child_tidptr)
{
	printk(KERN_INFO "jprobe: clone_flags = 0x%lx, stack_size = 0x%lx,"
			" regs = 0x%pn",
	       clone_flags, stack_size, regs);

	/* Always end with a call to jprobe_return(). */
	jprobe_return();
	return 0;
}

static struct jprobe my_jprobe = {
	.entry			= jdo_fork,
	.kp = {
		.symbol_name	= "do_fork",
	},
};

static int __init jprobe_init(void)
{
	int ret;

	ret = register_jprobe(&my_jprobe);
	if (ret < 0) {
		printk(KERN_INFO "register_jprobe failed, returned %dn", ret);
		return -1;
	}
	printk(KERN_INFO "Planted jprobe at %p, handler addr %pn",
	       my_jprobe.kp.addr, my_jprobe.entry);
	return 0;
}

static void __exit jprobe_exit(void)
{
	unregister_jprobe(&my_jprobe);
	printk(KERN_INFO "jprobe at %p unregisteredn", my_jprobe.kp.addr);
}

module_init(jprobe_init)
module_exit(jprobe_exit)
MODULE_LICENSE("GPL");

jprobe主要在于劫持函数的处理,往往在于劫持入口很多,需要对应的信息过滤规则,留下自己想要的信息。

补充用法:部分函数没有export,只能通过kallsyms_lookup_name函数获取函数地址,在kp上可以如下使用:

my_jprobe.kp.addr=kallsyms_lookup_name("do_fork");

硬件断点(hw-breakpoint)示例:

#include <linux/module.h>	/* Needed by all modules */
#include <linux/kernel.h>	/* Needed for KERN_INFO */
#include <linux/init.h>		/* Needed for the macros */
#include <linux/kallsyms.h>

#include <linux/perf_event.h>
#include <linux/hw_breakpoint.h>

struct perf_event * __percpu *sample_hbp;

static char ksym_name[KSYM_NAME_LEN] = "pid_max";
module_param_string(ksym, ksym_name, KSYM_NAME_LEN, S_IRUGO);
MODULE_PARM_DESC(ksym, "Kernel symbol to monitor; this module will report any"
			" write operations on the kernel symbol");

static void sample_hbp_handler(struct perf_event *bp, int nmi,
			       struct perf_sample_data *data,
			       struct pt_regs *regs)
{
	printk(KERN_INFO "%s value is changedn", ksym_name);
	dump_stack();
	printk(KERN_INFO "Dump stack from sample_hbp_handlern");
}

static int __init hw_break_module_init(void)
{
	int ret;
	struct perf_event_attr attr;

	hw_breakpoint_init(&attr);
	attr.bp_addr = kallsyms_lookup_name(ksym_name);
	attr.bp_len = HW_BREAKPOINT_LEN_4;
	attr.bp_type = HW_BREAKPOINT_W | HW_BREAKPOINT_R;

	sample_hbp = register_wide_hw_breakpoint(&attr, sample_hbp_handler);
	if (IS_ERR((void __force *)sample_hbp)) {
		ret = PTR_ERR((void __force *)sample_hbp);
		goto fail;
	}

	printk(KERN_INFO "HW Breakpoint for %s write installedn", ksym_name);

	return 0;

fail:
	printk(KERN_INFO "Breakpoint registration failedn");

	return ret;
}

static void __exit hw_break_module_exit(void)
{
	unregister_wide_hw_breakpoint(sample_hbp);
	printk(KERN_INFO "HW Breakpoint for %s write uninstalledn", ksym_name);
}

module_init(hw_break_module_init);
module_exit(hw_break_module_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("K.Prasad");
MODULE_DESCRIPTION("ksym breakpoint");

以上示例代码来源自内核linux-3.0.13-0.27/samples/kprobes/jprobe_example.c和linux-3.0.13-0.27/samples/hw_breakpoint/data_breakpoint.c

待续,后续写一下具体实现机制


内核调试方法:Jprobe与硬件断点来自于OenHan,链接为:http://oenhan.com/jprobe-hw-breakpoint
更多阅读