Breakout Session 2, Zhang Yinkui, "Digging Deep into eBPF Instrumentation and Callbacks", presentation slides (PDF, 42 pages).
Digging Deep into eBPF Instrumentation and Callbacks

The 3rd eBPF Developer Conference, www.ebpftravel.com, Xi'an, China
Zhang Yinkui (张银奎), author of "Software Debugging" (《软件调试》)
2025-4-19

System calls
Patching the kernel
Triggering the callback
Emitting events
Debugging methods

    SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, size)

    geduerulan:$ cat HelloYourLand.py
    #!/usr/bin/python
    from bcc import BPF

    # eBPF program in C; BCC compiles it and loads it through the bpf() system call
    prog = """
    int hello(void *ctx) {
        bpf_trace_printk("Here is YourLand!\\n");
        return 0;
    }
    """

    b = BPF(text=prog)
    # Attach hello() as a kprobe on the entry of the clone system call
    b.attach_kprobe(event=b.get_syscall_fnname("clone"), fn_name="hello")

    # header
    print("%-18s %-16s %-6s %s" % ("TIME(s)", "COMM", "PID", "MESSAGE"))

    # Read the kernel trace pipe and print one line per event
    while 1:
        try:
            (task, pid, cpu, flags, ts, msg) = b.trace_fields()
        except ValueError:
            continue
        print("%-18.9f %-16s %-d %s" % (ts, task, pid, msg))

    geduerulan:$ sudo ./HelloYourLand.py
    sudo password for geduer:
    TIME(s) COMM PID MESSAGE
    359.216558000 b 2759 bHere is YourLand!
    365.169917000 b 2588 bHere is YourLand!
    365.182842000 b 2812 bHere is YourLand!
    366.049768000 b 1 bHere is YourLand!
    366.328557000 bsshd 2588 bHere is YourLand!
    366.349306000 bsshd 2816 bHere is YourLand!
    366.355594000 b 2817 bHere is YourLand!
    366.367741000 b 2819 bHere is YourLand!
    366.375037000 b 2820 bHere is YourLand!
    366.391117000 b00-header 2820 bHere is YourLand!
    366.399792000 b00-header 2820 bHere is YourLand!
    366.407825000 b00-header 2820 bHere is YourLand!
    366.418288000 brun-parts 2819 bHere is YourLand!
    366.427935000 brun-parts 2819 bHere is YourLand!
    366.433061000 brun-parts 2819 bHere is YourLand!
    366.437419000 b85-fwupd 2827 bHere is YourLand!
    366.445348000 brun-parts 2819 bHere is YourLand!
    366.452698000 b90-updates-avai 2829 bHere is YourLand!
    366.459509000 b90-updates-avai 2829 bHere is YourLand!
    366.461085000 b90-updates-avai 2829 bHere is YourLand!
    366.473640000 brun-parts 2819 bHere is YourLand!

    bpf(BPF_PROG_LOAD,prog_type=BPF_PROG_TYPE_SOCKET_FILTER,insn_cnt=2,insns=0x7fffca1100,license=GPL,log_level=0,log_size=0,log_buf=NULL,kern_ver