内核调试方法:Jprobe与硬件断点
Jprobe在之前经常使用用来对内核流程中的函数挂钩子,劫持相关参数,进行debug调试分析。
但在内核调试中经常碰到需要监视的模块数据,而这些数据往往在很多函数中修改,需要程序员人工从大量的内核代码中过滤出这些函数,使用jprobe就需要监控每个函数的入口,涉及的内容比较复杂,而且很多时候的函数符号并没有导出,无法进行监控。而hw-breakpoint则解决了这个问题,它针对于具体的数据模块进行监控,如果发生变化后则触发硬件断点,执行指定函数。
所以jprobe方法称为进程断点,hw-breakpoint则称为数据断点。
Jprobe劫持函数示例如下:
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/kprobes.h>
/*
* Jumper probe for do_fork.
* Mirror principle enables access to arguments of the probed routine
* from the probe handler.
*/
/* Proxy routine having the same arguments as actual do_fork() routine */
static long jdo_fork(unsigned long clone_flags, unsigned long stack_start,
struct pt_regs *regs, unsigned long stack_size,
int __user *parent_tidptr, int __user *child_tidptr)
{
printk(KERN_INFO "jprobe: clone_flags = 0x%lx, stack_size = 0x%lx,"
" regs = 0x%pn",
clone_flags, stack_size, regs);
/* Always end with a call to jprobe_return(). */
jprobe_return();
return 0;
}
static struct jprobe my_jprobe = {
.entry = jdo_fork,
.kp = {
.symbol_name = "do_fork",
},
};
static int __init jprobe_init(void)
{
int ret;
ret = register_jprobe(&my_jprobe);
if (ret < 0) {
printk(KERN_INFO "register_jprobe failed, returned %dn", ret);
return -1;
}
printk(KERN_INFO "Planted jprobe at %p, handler addr %pn",
my_jprobe.kp.addr, my_jprobe.entry);
return 0;
}
static void __exit jprobe_exit(void)
{
unregister_jprobe(&my_jprobe);
printk(KERN_INFO "jprobe at %p unregisteredn", my_jprobe.kp.addr);
}
module_init(jprobe_init)
module_exit(jprobe_exit)
MODULE_LICENSE("GPL");
jprobe主要在于劫持函数的处理,往往在于劫持入口很多,需要对应的信息过滤规则,留下自己想要的信息。
补充用法:部分函数没有export,只能通过kallsyms_lookup_name函数获取函数地址,在kp上可以如下使用:
my_jprobe.kp.addr=kallsyms_lookup_name("do_fork");
硬件断点(hw-breakpoint)示例:
#include <linux/module.h> /* Needed by all modules */
#include <linux/kernel.h> /* Needed for KERN_INFO */
#include <linux/init.h> /* Needed for the macros */
#include <linux/kallsyms.h>
#include <linux/perf_event.h>
#include <linux/hw_breakpoint.h>
struct perf_event * __percpu *sample_hbp;
static char ksym_name[KSYM_NAME_LEN] = "pid_max";
module_param_string(ksym, ksym_name, KSYM_NAME_LEN, S_IRUGO);
MODULE_PARM_DESC(ksym, "Kernel symbol to monitor; this module will report any"
" write operations on the kernel symbol");
static void sample_hbp_handler(struct perf_event *bp, int nmi,
struct perf_sample_data *data,
struct pt_regs *regs)
{
printk(KERN_INFO "%s value is changedn", ksym_name);
dump_stack();
printk(KERN_INFO "Dump stack from sample_hbp_handlern");
}
static int __init hw_break_module_init(void)
{
int ret;
struct perf_event_attr attr;
hw_breakpoint_init(&attr);
attr.bp_addr = kallsyms_lookup_name(ksym_name);
attr.bp_len = HW_BREAKPOINT_LEN_4;
attr.bp_type = HW_BREAKPOINT_W | HW_BREAKPOINT_R;
sample_hbp = register_wide_hw_breakpoint(&attr, sample_hbp_handler);
if (IS_ERR((void __force *)sample_hbp)) {
ret = PTR_ERR((void __force *)sample_hbp);
goto fail;
}
printk(KERN_INFO "HW Breakpoint for %s write installedn", ksym_name);
return 0;
fail:
printk(KERN_INFO "Breakpoint registration failedn");
return ret;
}
static void __exit hw_break_module_exit(void)
{
unregister_wide_hw_breakpoint(sample_hbp);
printk(KERN_INFO "HW Breakpoint for %s write uninstalledn", ksym_name);
}
module_init(hw_break_module_init);
module_exit(hw_break_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("K.Prasad");
MODULE_DESCRIPTION("ksym breakpoint");
以上示例代码来源自内核linux-3.0.13-0.27/samples/kprobes/jprobe_example.c和linux-3.0.13-0.27/samples/hw_breakpoint/data_breakpoint.c
待续,后续写一下具体实现机制
内核调试方法:Jprobe与硬件断点来自于OENHAN
链接为:https://oenhan.com/jprobe-hw-breakpoint/
