kprobe监控tcp_v4_connect

于 2021-06-13 17:03:38 发布
阅读量744 收藏 3
点赞数
CC 4.0 BY-SA版权
分类专栏: kprobe linux kernel 文章标签: linux 内核
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.youkuaiyun.com/yongjong/article/details/117881108
该博客介绍了如何使用Linux内核探针(Kprobe)来跟踪`tcp_v4_connect`函数的执行,记录TCP连接的源IP、源端口、目的IP和目的端口等信息,并在函数执行前、后及发生故障时打印相关信息。通过模块参数设置要跟踪的函数,展示了内核模块的加载和卸载过程。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/kprobes.h>
#include <linux/init.h>
#include <linux/uaccess.h>
#include <linux/inet.h>
#include <net/inet_sock.h>
#include <linux/limits.h>

static char func_name[NAME_MAX] = "tcp_v4_connect";
module_param_string(func, func_name, NAME_MAX, 0644);
MODULE_PARM_DESC(func, "Function to kretprobe; this module will report the"
		               " function's execution time");

static struct kprobe kp = {
	.symbol_name	= func_name
};

static int handler_pre(struct kprobe *p, struct pt_regs *regs)
{
	struct sockaddr_in *usin = (struct sockaddr_in *)(regs->si);
	struct inet_sock *inet = inet_sk((struct sock *)(regs->di));
	__be16 sport = inet->inet_sport;
	__be32 saddr = inet->inet_saddr;
	__be32 daddr = usin->sin_addr.s_addr;

	printk(KERN_INFO "command: %s, pid: %d, src ip: %u.%u.%u.%u, src port: %d, dest ip: %u.%u.%u.%u, dest port: %d\n",
		   current->comm,
		   current->pid,
           ((unsigned char *)&saddr)[0],
           ((unsigned char *)&saddr)[1],
           ((unsigned char *)&saddr)[2],
           ((unsigned char *)&saddr)[3],
	       be16_to_cpu(sport),
	       ((unsigned char *)&daddr)[0],
	       ((unsigned char *)&daddr)[1],
	       ((unsigned char *)&daddr)[2],
	       ((unsigned char *)&daddr)[3],
	       be16_to_cpu(usin->sin_port));

	return 0;
}

static void handler_post(struct kprobe *p, struct pt_regs *regs,
			             unsigned long flags)
{
	printk(KERN_INFO "post_handler: p->addr = 0x%p, flags = 0x%lx\n",
		   p->addr, regs->flags);
}

static int handler_fault(struct kprobe *p, struct pt_regs *regs, int trapnr)
{
	printk(KERN_INFO "fault_handler: p->addr = 0x%p, trap #%d\n",
		   p->addr, trapnr);
	return 0;
}

static int __init kprobe_init(void)
{
	int ret;
	kp.pre_handler = handler_pre;
	kp.post_handler = handler_post;
	kp.fault_handler = handler_fault;

	ret = register_kprobe(&kp);
	if (ret < 0) {
		printk(KERN_INFO "register_kprobe failed, returned %d\n", ret);
		return ret;
	}
	printk(KERN_INFO "Planted kprobe at %p\n", kp.addr);
	return 0;
}

static void __exit kprobe_exit(void)
{
	unregister_kprobe(&kp);
	printk(KERN_INFO "kprobe at %p unregistered\n", kp.addr);
}

module_init(kprobe_init)
module_exit(kprobe_exit)
MODULE_LICENSE("GPL");

obj-m+=kprobe_sample.o
CONFIG_MODULE_SIG=n
all:
        make -C /lib/modules/$(shell uname -r)/build/ M=$(PWD) modules
clean:
        make -C /lib/modules/$(shell uname -r)/build/ M=$(PWD) clean

X86架构64位内核函数调用传参数使用的寄存器(calling.h)

 

评论 2
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值