ebpf c 学习
前段时间开始学习 eBPF，今晚上整理下来吧。马上 12 点了，整理完就睡觉；写下笔记，感觉整个人都平静下来了。做笔记参考的视频是 Linux 内核社区那群大学生的视频，真的不错：BPF C 编程入门_哔哩哔哩_bilibili。eBPF 的官网：eBPF - Introduction, Tutorials & Community Resources。eBPF 的 demo 其实在 Linux 内核源码里有很多例子，对我们学习内核知识是非常好的。
实验环境是 Ubuntu 20，注意内核版本是 Linux 5.11.0，所以运行程序时希望也在这个内核版本下实践。
做笔记的视频是linux内核社区的那群大学生的视频真的不错:
ebpf的官网:
eBPF - Introduction, Tutorials & Community Resources
eBPF 的 demo 其实在 Linux 内核源码里有很多例子，对我们学习内核知识是非常好的，遇到不会的知识点可以去看 Linux 内核的设计和实现^_^。
一、首先安装与当前 Ubuntu 内核版本一致的内核源码
uname -r 查看版本号:
zhanglei@ubuntu:/usr/src/linux-5.11.1$ uname -r
5.11.0-38-generic
从linux官网去下载你想要的版本^_^
https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/
安装 libcap（libcap-dev）
sudo apt-get install libcap-dev
我下载的是：
https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.11.tar.gz
进入 /usr/src/linux-5.11，按以下步骤生成：
sudo make defconfig
sudo make modules_prepare
sudo make headers_install
sudo make M=samples/bpf/
下面我们写一个例子程序:
BPF 程序由两部分组成：一部分是用户态程序，一部分是内核态程序；内核态程序要用 clang + LLVM 编译成 BPF 字节码，再由用户态程序加载进内核。
内核程序:
#include <linux/ptrace.h>
#include <linux/version.h>
#include <uapi/linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include "trace_common.h"
/*
 * Kernel-side program: a kprobe on the write() syscall entry. SYSCALL()
 * (presumably from trace_common.h) expands to the arch-specific symbol,
 * here __x64_sys_write, which is why the ELF section is named
 * "kprobe/__x64_sys_write". Every write() by any process on the system hits
 * this probe, so expect a high-volume, system-wide stream in trace_pipe.
 */
SEC("kprobe/" SYSCALL(sys_write))
int bpf_prog(struct pt_regs *ctx)
{
	/* The string lives on the BPF stack; sizeof includes the trailing
	 * NUL, which is the length bpf_trace_printk expects for its format. */
	const char fmt[] = "hello world!\n";

	bpf_trace_printk(fmt, sizeof fmt);
	return 0;
}
/* The loader reads the "license" section (see the readelf output below).
 * bpf_trace_printk is a GPL-only helper, so a GPL-compatible license string
 * is required here or the program is refused at load time. */
char _license[] SEC("license") = "GPL";
用户程序:
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/bpf.h>
#include <bpf/bpf.h>
#include <bpf/libbpf.h>
#define DEBUGFS "/sys/kernel/debug/tracing/"
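/*
 * Block on the ftrace trace_pipe and echo every chunk to stdout.
 *
 * trace_pipe is a single, system-wide pipe and reading it consumes the
 * records, so any other tracer running at the same time will miss them.
 * The loop returns when open() fails, on a persistent read() error, or when
 * read() reports nothing more; the previous version looped forever even
 * after an error, busy-spinning on a dead descriptor. Each chunk is printed
 * with puts(), which appends one extra newline.
 */
void read_trace_pipe(void)
{
	static char buf[4096];
	int trace_fd = open(DEBUGFS "trace_pipe", O_RDONLY, 0);

	if (trace_fd < 0)
		return;

	for (;;) {
		ssize_t sz = read(trace_fd, buf, sizeof(buf) - 1);

		if (sz < 0) {
			if (errno == EINTR)
				continue; /* interrupted by a signal: retry */
			break;            /* persistent error: stop instead of spinning */
		}
		/* NOTE(review): 0 is treated as end of stream — confirm trace_pipe
		 * never returns 0 transiently on this kernel. */
		if (sz == 0)
			break;
		buf[sz] = 0; /* sz <= sizeof(buf) - 1, so the terminator fits */
		puts(buf);
	}
	close(trace_fd);
}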
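/*
 * Open, load and attach the BPF object at object_name; the kernel-side
 * program inside it must be named "bpf_prog" (see hello_kern.c above).
 *
 * Returns 0 on success and -1 on any failure, after printing a message to
 * stderr. On success the bpf_object and bpf_link are deliberately not
 * released: destroying the link would detach the kprobe, and this program
 * keeps the probe attached for its whole lifetime (the kernel releases both
 * when the process exits). The unreachable "return -1" after each goto in
 * the previous version has been dropped.
 */
int load_bpf_file(const char *object_name)
{
	struct bpf_object *objs;
	struct bpf_program *prog;
	struct bpf_link *link;

	printf("%s\n", object_name);

	objs = bpf_object__open_file(object_name, NULL);
	if (libbpf_get_error(objs)) {
		/* Nothing was allocated: return directly instead of handing an
		 * error value to bpf_object__close(). */
		fprintf(stderr, "open object file error!\n");
		return -1;
	}

	prog = bpf_object__find_program_by_name(objs, "bpf_prog");
	if (!prog) {
		fprintf(stderr, "ERROR: finding a prog in obj file failed\n");
		goto cleanup;
	}

	/* Loading runs the in-kernel verifier and is privileged, hence the
	 * sudo in the write-up. */
	if (bpf_object__load(objs)) {
		fprintf(stderr, "load object file error!\n");
		goto cleanup;
	}

	link = bpf_program__attach(prog);
	if (libbpf_get_error(link)) {
		fprintf(stderr, "ERROR: bpf_program__attach failed\n");
		goto cleanup;
	}

	return 0;

cleanup:
	/* Only the object exists on these paths: the link was either never
	 * created or is an error value, so there is nothing to destroy. */
	bpf_object__close(objs);
	return -1;
}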
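/*
 * Entry point: load the kernel-side object (the one built in the 5.11
 * samples tree by default, or argv[1] if given) and then stream trace_pipe
 * until killed. Loading a BPF program is privileged (the write-up runs it
 * with sudo), and whatever object is loaded here executes in kernel
 * context, so the path should point at a file only root can write.
 */
int main(int argc, char **argv)
{
	const char *object_path = "/usr/src/linux-5.11/samples/bpf/hello_kern.o";

	if (argc > 1)
		object_path = argv[1];

	if (load_bpf_file(object_path))
		return -1;

	read_trace_pipe();
	return 0;
}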
Makefile
我们需要修改内核源码 samples/bpf/ 目录下的 Makefile，在对应位置增加下面几行：
# samples/bpf/Makefile additions for the hello example.
# User-space test program "hello", linked from hello_user.o.
tprogs-y += hello
hello-objs := hello_user.o
# Kernel-side BPF object, built with clang/LLVM into BPF bytecode.
always-y += hello_kern.o
然后再次编译:
sudo make M=samples/bpf/
运行我的程序:
sudo ./hello
运行后可以看到内核态程序已经挂在 sys_write 的 kprobe 上，系统里任何进程（gnome-terminal、hello 自己、InputThread）调用 write 都会触发一次输出：
gnome-terminal--4937 [001] d... 16561.655076: bpf_trace_printk: hello world!
hello-39560 [003] d... 16561.655114: bpf_trace_printk: hello world!
gnome-terminal--4937 [001] d... 16561.655122: bpf_trace_printk: hello world!
gnome-terminal--4937 [001] d... 16561.655133: bpf_trace_printk: hello world!
hello-39560 [003] d... 16561.655159: bpf_trace_printk: hello world!
gnome-terminal--4937 [001] d... 16561.655276: bpf_trace_printk: hello world!
gnome-terminal--4937 [001] d... 16561.655289: bpf_trace_printk: hello world!
hello-39560 [003] d... 16561.655303: bpf_trace_printk: hello world!
hello-39560 [003] d... 16561.655341: bpf_trace_printk: hello world!
hello-39560 [003] d... 16561.655420: bpf_trace_printk: hello world!
gnome-terminal--4937 [001] d... 16561.654612: bpf_trace_printk: hello world!
hello-39560 [003] d... 16561.654681: bpf_trace_printk: hello world!
InputThread-2749 [002] d... 16561.654756: bpf_trace_printk: hello world!
hello-39560 [003] d... 16561.654770: bpf_trace_printk: hello world!
hello-39560 [003] d... 16561.654803: bpf_trace_printk: hello world!
hello-39560 [003] d... 16561.654870: bpf_trace_printk: hello world!
hello-39560 [003] d... 16561.654898: bpf_trace_printk: hello world!
hello-39560 [003] d... 16561.654945: bpf_trace_printk: hello world!
hello-39560 [003] d... 16561.654972: bpf_trace_printk: hello world!
hello-39560 [003] d... 16561.655039: bpf_trace_printk: hello world!
hello-39560 [003] d... 16561.655069: bpf_trace_printk: hello world!
gnome-terminal--4937 [001] d... 16561.655076: bpf_trace_printk: hello world!
hello-39560 [003] d... 16561.655114: bpf_trace_printk: hello world!
gnome-terminal--4937 [001] d... 16561.655122: bpf_trace_printk: hello world!
gnome-terminal--4937 [001] d... 16561.655133: bpf_trace_printk: hello world!
hello-39560 [003] d... 16561.655159: bpf_trace_printk: hello world!
gnome-terminal--4937 [001] d... 16561.655276: bpf_trace_printk: hello world!
gnome-terminal--4937 [001] d... 16561.655289: bpf_trace_printk: hello world!
hello-39560 [003] d... 16561.655303: bpf_trace_printk: hello world!
hello-39560 [003] d... 16561.655341: bpf_trace_printk: hello world!
hello-39560 [003] d... 16561.655420: bpf_trace_printk: hello world!
内核是如何把我们的程序加载进去的?
我们首先看一下 ELF。ELF 是计算机科学中一种用于二进制文件、可执行文件、目标代码、共享库和核心转储的文件格式。
我们使用 readelf 查看
readelf -S hello_kern.o
查看结果:
There are 19 section headers, starting at offset 0xe08:
Section Headers:
[Nr] Name Type Address Offset
Size EntSize Flags Link Info Align
[ 0] NULL 0000000000000000 00000000
0000000000000000 0000000000000000 0 0 0
[ 1] .strtab STRTAB 0000000000000000 00000d48
00000000000000b9 0000000000000000 0 0 1
[ 2] .text PROGBITS 0000000000000000 00000040
0000000000000000 0000000000000000 AX 0 0 4
[ 3] kprobe/__x64_sys_ PROGBITS 0000000000000000 00000040
0000000000000068 0000000000000000 AX 0 0 8
[ 4] .rodata.str1.1 PROGBITS 0000000000000000 000000a8
000000000000000e 0000000000000001 AMS 0 0 1
[ 5] license PROGBITS 0000000000000000 000000b6
0000000000000004 0000000000000000 WA 0 0 1
[ 6] .debug_abbrev PROGBITS 0000000000000000 000000ba
00000000000000da 0000000000000000 0 0 1
[ 7] .debug_info PROGBITS 0000000000000000 00000194
00000000000001f5 0000000000000000 0 0 1
[ 8] .rel.debug_info REL 0000000000000000 00000a18
00000000000002a0 0000000000000010 18 7 8
[ 9] .debug_str PROGBITS 0000000000000000 00000389
000000000000010d 0000000000000001 MS 0 0 1
[10] .BTF PROGBITS 0000000000000000 00000496
000000000000032b 0000000000000000 0 0 1
[11] .rel.BTF REL 0000000000000000 00000cb8
0000000000000010 0000000000000010 18 10 8
[12] .BTF.ext PROGBITS 0000000000000000 000007c1
0000000000000090 0000000000000000 0 0 1
[13] .rel.BTF.ext REL 0000000000000000 00000cc8
0000000000000060 0000000000000010 18 12 8
[14] .eh_frame PROGBITS 0000000000000000 00000858
0000000000000030 0000000000000000 A 0 0 8
[15] .rel.eh_frame REL 0000000000000000 00000d28
0000000000000010 0000000000000010 18 14 8
[16] .debug_line PROGBITS 0000000000000000 00000888
00000000000000cd 0000000000000000 0 0 1
[17] .rel.debug_line REL 0000000000000000 00000d38
0000000000000010 0000000000000010 18 16 8
[18] .symtab SYMTAB 0000000000000000 00000958
00000000000000c0 0000000000000018 1 6 8
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
p (processor specific)
我们可以看到
节名 kprobe/__x64_sys_（readelf 的列宽把名字截断了，完整名字是 kprobe/__x64_sys_write，见下面 objdump 的输出）就是我们程序中 SEC("kprobe/" SYSCALL(sys_write)) 所指定的节
我们定义的许可证的节名字就是 license
[ 5] license PROGBITS 0000000000000000 000000b6
我们使用 objdump 查看 BPF 字节码
objdump -s hello_kern.o
显示结果:
hello_kern.o: file format elf64-little
Contents of section kprobe/__x64_sys_write:
0000 b7010000 0a000000 6b1afcff 00000000 ........k.......
0010 b7010000 726c6421 631af8ff 00000000 ....rld!c.......
0020 18010000 68656c6c 00000000 6f20776f ....hell....o wo
0030 7b1af0ff 00000000 bfa10000 00000000 {...............
0040 07010000 f0ffffff b7020000 0e000000 ................
0050 85000000 06000000 b7000000 00000000 ................
0060 95000000 00000000 ........
Contents of section .rodata.str1.1:
0000 68656c6c 6f20776f 726c6421 0a00 hello world!..
Contents of section license:
0000 47504c00 GPL.
Contents of section .debug_abbrev:
0000 01110125 0e130503 0e10171b 0e110112 ...%............
0010 06000002 3400030e 49133f19 3a0b3b0b ....4...I.?.:.;.
0020 02180000 03010149 13000004 21004913 .......I....!.I.
0030 370b0000 05240003 0e3e0b0b 0b000006 7....$...>......
0040 2400030e 0b0b3e0b 00000734 00030e49 $.....>....4...I
0050 133a0b3b 0b000008 0f004913 00000915 .:.;......I.....
0060 01491327 1900000a 05004913 00000b18 .I.'......I.....
0070 0000000c 26004913 00000d16 00491303 ....&.I......I..
0080 0e3a0b3b 0b00000e 2e011101 12064018 .:.;..........@.
0090 97421903 0e3a0b3b 0b271949 133f1900 .B...:.;.'.I.?..
00a0 000f0500 030e3a0b 3b0b4913 00001034 ......:.;.I....4
00b0 00021803 0e3a0b3b 0b491300 00111301 .....:.;.I......
00c0 030e0b0b 3a0b3b0b 0000120d 00030e49 ....:.;........I
00d0 133a0b3b 0b380b00 0000 .:.;.8....
Contents of section .debug_info:
0000 f1010000 04000000 00000801 00000000 ................
0010 0c001500 00000000 00002e00 00000000 ................
0020 00000000 00006800 00000242 0000003f ......h....B...?
0030 00000001 0f090300 00000000 00000003 ................
0040 4b000000 04520000 00040005 4b000000 K....R......K...
0050 06010650 00000008 07076400 00006400 ...P......d...d.
0060 000003aa 08690000 00097a00 00000a81 .....i....z.....
0070 0000000a 8b000000 0b000575 00000005 ...........u....
0080 08088600 00000c4b 0000000d 96000000 .......K........
0090 8b000000 021b057e 00000007 040e0000 .......~........
00a0 00000000 00006800 0000015a 91000000 ......h....Z....
00b0 0109d000 00000fa2 00000001 09e30000 ................
00c0 00100291 009e0000 00010ad7 00000000 ................
00d0 059a0000 00050403 4b000000 04520000 ........K....R..
00e0 000e0008 e8000000 11050100 00a80438 ...............8
00f0 12a60000 00ed0100 00043d00 12bc0000 ..........=.....
0100 00ed0100 00043e08 12c00000 00ed0100 ......>.........
0110 00043f10 12c40000 00ed0100 00044018 ..?...........@.
0120 12c80000 00ed0100 00044120 12cb0000 ..........A ....
0130 00ed0100 00044228 12ce0000 00ed0100 ......B(........
0140 00044430 12d20000 00ed0100 00044538 ..D0..........E8
0150 12d60000 00ed0100 00044640 12d90000 ..........F@....
0160 00ed0100 00044748 12dc0000 00ed0100 ......GH........
0170 00044850 12df0000 00ed0100 00044958 ..HP..........IX
0180 12e20000 00ed0100 00044a60 12e50000 ..........J`....
0190 00ed0100 00044b68 12e80000 00ed0100 ......Kh........
01a0 00044c70 12eb0000 00ed0100 00045178 ..Lp..........Qx
01b0 12f30000 00ed0100 00045380 12f60000 ..........S.....
01c0 00ed0100 00045488 12f90000 00ed0100 ......T.........
01d0 00045590 12ff0000 00ed0100 00045698 ..U...........V.
01e0 12020100 00ed0100 000457a0 0005aa00 ..........W.....
01f0 00000708 00 .....
Contents of section .debug_str:
0000 636c616e 67207665 7273696f 6e203133 clang version 13
0010 2e302e30 0073616d 706c6573 2f627066 .0.0.samples/bpf
0020 2f68656c 6c6f5f6b 65726e2e 63002f75 /hello_kern.c./u
0030 73722f73 72632f6c 696e7578 2d352e31 sr/src/linux-5.1
0040 31005f6c 6963656e 73650063 68617200 1._license.char.
0050 5f5f4152 5241595f 53495a45 5f545950 __ARRAY_SIZE_TYP
0060 455f5f00 6270665f 74726163 655f7072 E__.bpf_trace_pr
0070 696e746b 006c6f6e 6720696e 7400756e intk.long int.un
0080 7369676e 65642069 6e74005f 5f753332 signed int.__u32
0090 00627066 5f70726f 6700696e 74006d73 .bpf_prog.int.ms
00a0 67006374 78007231 35006c6f 6e672075 g.ctx.r15.long u
00b0 6e736967 6e656420 696e7400 72313400 nsigned int.r14.
00c0 72313300 72313200 62700062 78007231 r13.r12.bp.bx.r1
00d0 31007231 30007239 00723800 61780063 1.r10.r9.r8.ax.c
00e0 78006478 00736900 6469006f 7269675f x.dx.si.di.orig_
00f0 61780069 70006373 00666c61 67730073 ax.ip.cs.flags.s
0100 70007373 0070745f 72656773 00 p.ss.pt_regs.
Contents of section .BTF:
0000 9feb0100 18000000 00000000 b4010000 ................
0010 b4010000 5f010000 00000000 00000002 ...._...........
0020 02000000 01000000 15000004 a8000000 ................
0030 09000000 03000000 00000000 0d000000 ................
0040 03000000 40000000 11000000 03000000 ....@...........
0050 80000000 15000000 03000000 c0000000 ................
0060 19000000 03000000 00010000 1c000000 ................
0070 03000000 40010000 1f000000 03000000 ....@...........
0080 80010000 23000000 03000000 c0010000 ....#...........
0090 27000000 03000000 00020000 2a000000 '...........*...
00a0 03000000 40020000 2d000000 03000000 ....@...-.......
00b0 80020000 30000000 03000000 c0020000 ....0...........
00c0 33000000 03000000 00030000 36000000 3...........6...
00d0 03000000 40030000 39000000 03000000 ....@...9.......
00e0 80030000 3c000000 03000000 c0030000 ....<...........
00f0 44000000 03000000 00040000 47000000 D...........G...
0100 03000000 40040000 4a000000 03000000 ....@...J.......
0110 80040000 50000000 03000000 c0040000 ....P...........
0120 53000000 03000000 00050000 56000000 S...........V...
0130 00000001 08000000 40000000 00000000 ........@.......
0140 0100000d 05000000 68000000 01000000 ........h.......
0150 6c000000 00000001 04000000 20000001 l........... ...
0160 70000000 0100000c 04000000 35010000 p...........5...
0170 00000001 01000000 08000001 00000000 ................
0180 00000003 00000000 07000000 09000000 ................
0190 04000000 3a010000 00000001 04000000 ....:...........
01a0 20000000 4e010000 0000000e 08000000 ...N...........
01b0 01000000 57010000 0100000f 00000000 ....W...........
01c0 0a000000 00000000 04000000 0070745f .............pt_
01d0 72656773 00723135 00723134 00723133 regs.r15.r14.r13
01e0 00723132 00627000 62780072 31310072 .r12.bp.bx.r11.r
01f0 31300072 39007238 00617800 63780064 10.r9.r8.ax.cx.d
0200 78007369 00646900 6f726967 5f617800 x.si.di.orig_ax.
0210 69700063 7300666c 61677300 73700073 ip.cs.flags.sp.s
0220 73006c6f 6e672075 6e736967 6e656420 s.long unsigned
0230 696e7400 63747800 696e7400 6270665f int.ctx.int.bpf_
0240 70726f67 006b7072 6f62652f 5f5f7836 prog.kprobe/__x6
0250 345f7379 735f7772 69746500 2f757372 4_sys_write./usr
0260 2f737263 2f6c696e 75782d35 2e31312f /src/linux-5.11/
0270 73616d70 6c65732f 6270662f 2f68656c samples/bpf//hel
0280 6c6f5f6b 65726e2e 6300696e 74206270 lo_kern.c.int bp
0290 665f7072 6f672873 74727563 74207074 f_prog(struct pt
02a0 5f726567 73202a63 74782920 7b002020 _regs *ctx) {.
02b0 63686172 206d7367 5b5d203d 20226865 char msg[] = "he
02c0 6c6c6f20 776f726c 64215c6e 223b0020 llo world!\n";.
02d0 20627066 5f747261 63655f70 72696e74 bpf_trace_print
02e0 6b286d73 672c2073 697a656f 66286d73 k(msg, sizeof(ms
02f0 6729293b 00202072 65747572 6e20303b g));. return 0;
0300 00636861 72005f5f 41525241 595f5349 .char.__ARRAY_SI
0310 5a455f54 5950455f 5f005f6c 6963656e ZE_TYPE__._licen
0320 7365006c 6963656e 736500 se.license.
Contents of section .BTF.ext:
0000 9feb0100 20000000 00000000 14000000 .... ...........
0010 14000000 5c000000 70000000 00000000 ....\...p.......
0020 08000000 79000000 01000000 00000000 ....y...........
0030 06000000 10000000 79000000 05000000 ........y.......
0040 00000000 90000000 be000000 00240000 .............$..
0050 08000000 90000000 e2000000 08280000 .............(..
0060 40000000 90000000 00000000 00000000 @...............
0070 48000000 90000000 03010000 032c0000 H............,..
0080 58000000 90000000 29010000 03300000 X.......)....0..
Contents of section .eh_frame:
0000 10000000 00000000 017a5200 087c0b01 .........zR..|..
0010 0c000000 18000000 18000000 00000000 ................
0020 00000000 68000000 00000000 00000000 ....h...........
Contents of section .debug_line:
0000 c9000000 0400a100 00000801 01fb0e0d ................
0010 00010101 01000000 01000001 73616d70 ............samp
0020 6c65732f 62706600 2e2f696e 636c7564 les/bpf../includ
0030 652f7561 70692f61 736d2d67 656e6572 e/uapi/asm-gener
0040 6963002e 2f746f6f 6c732f6c 69622f62 ic../tools/lib/b
0050 7066002e 2f617263 682f7838 362f696e pf../arch/x86/in
0060 636c7564 652f6173 6d000068 656c6c6f clude/asm..hello
0070 5f6b6572 6e2e6300 01000069 6e742d6c _kern.c....int-l
0080 6c36342e 68000200 00627066 5f68656c l64.h....bpf_hel
0090 7065725f 64656673 2e680003 00007074 per_defs.h....pt
00a0 72616365 2e680004 00000000 09020000 race.h..........
00b0 00000000 00001a05 080a2105 00060376 ..........!....v
00c0 74050306 030b202f 02020001 01 t..... /.....
我们的主要程序体的节就是:
Contents of section kprobe/__x64_sys_write:
0000 b7010000 0a000000 6b1afcff 00000000 ........k.......
0010 b7010000 726c6421 631af8ff 00000000 ....rld!c.......
0020 18010000 68656c6c 00000000 6f20776f ....hell....o wo
0030 7b1af0ff 00000000 bfa10000 00000000 {...............
0040 07010000 f0ffffff b7020000 0e000000 ................
0050 85000000 06000000 b7000000 00000000 ................
0060 95000000 00000000 ........
查看bpf字节码的反汇编表示,输入指令
zhanglei@ubuntu:/usr/src/linux-5.11/samples/bpf$ llvm-objdump -d hello_kern.o
hello_kern.o: file format elf64-bpf
Disassembly of section kprobe/__x64_sys_write:
0000000000000000 <bpf_prog>:
0: b7 01 00 00 0a 00 00 00 r1 = 10
1: 6b 1a fc ff 00 00 00 00 *(u16 *)(r10 - 4) = r1
2: b7 01 00 00 72 6c 64 21 r1 = 560229490
3: 63 1a f8 ff 00 00 00 00 *(u32 *)(r10 - 8) = r1
4: 18 01 00 00 68 65 6c 6c 00 00 00 00 6f 20 77 6f r1 = 8031924123371070824 ll
6: 7b 1a f0 ff 00 00 00 00 *(u64 *)(r10 - 16) = r1
7: bf a1 00 00 00 00 00 00 r1 = r10
8: 07 01 00 00 f0 ff ff ff r1 += -16
9: b7 02 00 00 0e 00 00 00 r2 = 14
10: 85 00 00 00 06 00 00 00 call 6
11: b7 00 00 00 00 00 00 00 r0 = 0
12: 95 00 00 00 00 00 00 00 exit
看到关键位置call 6的汇编,call 6 代表什么?
在普通汇编里 call 表示调用一个地址，而在 BPF 里 call 后面的立即数是 helper 函数的编号。思考一下这个字节码是怎么出现的呢？
85 00 00 00 06 00 00 00
首先去看两个头文件
首先看 /usr/src/linux-5.11/usr/include/linux/bpf.h
/*
 * Excerpt of __BPF_FUNC_MAPPER from the 5.11 uapi bpf.h (the real list
 * continues past this point; the write-up cuts it off). Each FN(x) entry
 * becomes, in order, one BPF_FUNC_x value of the helper-id enum, numbered
 * from unspec = 0. Counting down: trace_printk is the 7th entry, i.e. id 6,
 * which is exactly the imm of the "call 6" in the disassembly above.
 */
#define __BPF_FUNC_MAPPER(FN) \
FN(unspec), \
FN(map_lookup_elem), \
FN(map_update_elem), \
FN(map_delete_elem), \
FN(probe_read), \
FN(ktime_get_ns), \
FN(trace_printk), \
FN(get_prandom_u32), \
FN(get_smp_processor_id), \
FN(skb_store_bytes), \
FN(l3_csum_replace), \
FN(l4_csum_replace), \
FN(tail_call), \
FN(clone_redirect), \
FN(get_current_pid_tgid), \
FN(get_current_uid_gid), \
FN(get_current_comm), \
FN(get_cgroup_classid), \
FN(skb_vlan_push), \
FN(skb_vlan_pop), \
FN(skb_get_tunnel_key), \
FN(skb_set_tunnel_key), \
FN(perf_event_read), \
FN(redirect), \
FN(get_route_realm), \
FN(perf_event_output), \
FN(skb_load_bytes), \
FN(get_stackid), \
FN(csum_diff), \
FN(skb_get_tunnel_opt), \
FN(skb_set_tunnel_opt), \
FN(skb_change_proto), \
FN(skb_change_type), \
FN(skb_under_cgroup), \
FN(get_hash_recalc), \
FN(get_current_task), \
FN(probe_write_user), \
FN(current_task_under_cgroup), \
FN(skb_change_tail), \
FN(skb_pull_data), \
FN(csum_update), \
FN(set_hash_invalid), \
FN(get_numa_node_id), \
FN(skb_change_head), \
FN(xdp_adjust_head), \
FN(probe_read_str), \
FN(get_socket_cookie), \
FN(get_socket_uid), \
FN(set_hash), \
FN(setsockopt), \
FN(skb_adjust_room), \
FN(redirect_map), \
FN(sk_redirect_map), \
FN(sock_map_update), \
FN(xdp_adjust_meta), \
FN(perf_event_read_value), \
FN(perf_prog_read_value), \
FN(getsockopt), \
FN(override_return), \
FN(sock_ops_cb_flags_set), \
FN(msg_redirect_map), \
FN(msg_apply_bytes), \
FN(msg_cork_bytes), \
FN(msg_pull_data), \
FN(bind), \
FN(xdp_adjust_tail), \
FN(skb_get_xfrm_state), \
FN(get_stack), \
FN(skb_load_bytes_relative), \
FN(fib_lookup), \
FN(sock_hash_update), \
FN(msg_redirect_hash), \
FN(sk_redirect_hash), \
FN(lwt_push_encap), \
FN(lwt_seg6_store_bytes), \
FN(lwt_seg6_adjust_srh), \
FN(lwt_seg6_action), \
FN(rc_repeat), \
FN(rc_keydown), \
FN(skb_cgroup_id), \
FN(get_current_cgroup_id), \
FN(get_local_storage), \
FN(sk_select_reuseport), \
FN(skb_ancestor_cgroup_id), \
FN(sk_lookup_tcp), \
FN(sk_lookup_udp), \
FN(sk_release), \
FN(map_push_elem), \
FN(map_pop_elem), \
FN(map_peek_elem), \
FN(msg_push_data), \
FN(msg_pop_data), \
FN(rc_pointer_rel), \
FN(spin_lock), \
FN(spin_unlock), \
FN(sk_fullsock), \
FN(tcp_sock), \
FN(skb_ecn_set_ce), \
FN(get_listener_sock), \
FN(skc_lookup_tcp), \
FN(tcp_check_syncookie), \
FN(sysctl_get_name), \
FN(sysctl_get_current_value), \
FN(sysctl_get_new_value), \
FN(sysctl_set_new_value), \
FN(strtol), \
FN(strtoul), \
FN(sk_storage_get), \
FN(sk_storage_delete), \
FN(send_signal), \
FN(tcp_gen_syncookie), \
FN(skb_output), \
FN(probe_read_user), \
FN(probe_read_kernel), \
FN(probe_read_user_str), \
FN(probe_read_kernel_str), \
FN(tcp_send_ack), \
FN(send_signal_thread), \
FN(jiffies64), \
FN(read_branch_records), \
FN(get_ns_current_pid_tgid), \
FN(xdp_output), \
FN(get_netns_cookie), \
FN(get_current_ancestor_cgroup_id), \
FN(sk_assign), \
FN(ktime_get_boot_ns), \
FN(seq_printf), \
FN(seq_write), \
FN(sk_cgroup_id), \
FN(sk_ancestor_cgroup_id), \
FN(ringbuf_output), \
FN(ringbuf_reserve), \
FN(ringbuf_submit), \
FN(ringbuf_discard), \
FN(ringbuf_query), \
FN(csum_level), \
FN(skc_to_tcp6_sock), \
FN(skc_to_tcp_sock), \
FN(skc_to_tcp_timewait_sock), \
FN(skc_to_tcp_request_sock), \
FN(skc_to_udp6_sock), \
FN(get_task_stack), \
FN(load_hdr_opt), \
FN(store_hdr_opt), \
FN(reserve_hdr_opt), \
FN(inode_storage_get), \
FN(inode_storage_delete), \
FN(d_path), \
FN(copy_from_user), \
FN(snprintf_btf), \
FN(seq_printf_btf), \
FN(skb_cgroup_classid), \
FN(redirect_neigh), \
FN(per_cpu_ptr), \
FN(this_cpu_ptr), \
FN(redirect_peer), \
FN(task_storage_get), \
FN(task_storage_delete), \
FN(get_current_task_btf), \
FN(bprm_opts_set), \
FN(ktime_get_coarse_ns), \
FN(ima_inode_hash), \
FN(sock_from_file), \
/* */
后面的直接截图视频中的部分吧,不去看了。
再次替换
可以看到 6 就是枚举值 BPF_FUNC_trace_printk，也就是 trace_printk 这个 helper 的编号
内核里使用BPF_EMIT_CALL去调用的
继续展开
code 是指令码
dst_reg是目的寄存器
src_reg 是源寄存器
imm 是立即数（枚举从 unspec = 0 开始数，trace_printk 对应的就是 6）
所以这条指令的第一个字节 code 存的是 0x85，imm 存的是 6，正好对应上面的字节 85 00 00 00 06 00 00 00