관리-도구

편집 파일: sysc_write.stp

# write ______________________________________________________
#
# ssize_t sys_write(unsigned int fd,
#	     const char __user * buf,
#	     size_t count)
#

@define _SYSCALL_WRITE_NAME
%(
	name = "write"
%)

@define _SYSCALL_WRITE_ARGSTR
%(
	argstr = sprintf("%d, %s, %u", fd, buf_str, count)
%)

@define _SYSCALL_WRITE_REGARGS
%(
	fd = int_arg(1)
	buf_uaddr = pointer_arg(2)
	count = ulong_arg(3)
	buf_str = user_buffer_quoted(buf_uaddr, count, syscall_string_trunc)
%)

probe syscall.write = dw_syscall.write !, nd_syscall.write ? {}
probe syscall.write.return = dw_syscall.write.return !, nd_syscall.write.return ? {}

# dw_write _____________________________________________________

probe dw_syscall.write =
%( arch == "s390" %?
	__syscall.write, kernel.function("sys32_write").call ?,
	kernel.function("compat_sys_s390_write").call ?
%:
	__syscall.write
%)
{
	@_SYSCALL_WRITE_NAME
	fd = __int32($fd)
	buf_uaddr = $buf
	count = @__compat_ulong($count)
	buf_str = user_buffer_quoted(buf_uaddr, count, syscall_string_trunc)
	@_SYSCALL_WRITE_ARGSTR
}
probe __syscall.write = kernel.function("sys_write").call
{
%( arch == "s390" %?
	@__syscall_gate(@const("__NR_write"))
%)
}
probe dw_syscall.write.return =
%( arch == "s390" %?
	__syscall.write.return, kernel.function("sys32_write").return ?,
	kernel.function("compat_sys_s390_write").return ?
%:
	__syscall.write.return
%)
{
	@_SYSCALL_WRITE_NAME
	@SYSC_RETVALSTR($return)
}
probe __syscall.write.return = kernel.function("sys_write").return
{
%( arch == "s390" %?
	@__syscall_gate(@const("__NR_write"))
%)
}

# nd_write _____________________________________________________

probe nd_syscall.write = nd1_syscall.write!, nd2_syscall.write!, tp_syscall.write
  { }

probe nd1_syscall.write =
%( arch == "s390" %?
	__nd1_syscall.write, kprobe.function("sys32_write") ?,
	kprobe.function("compat_sys_s390_write") ?
%:
	__nd1_syscall.write
%)
{
	@_SYSCALL_WRITE_NAME
	asmlinkage()
	@_SYSCALL_WRITE_REGARGS
	@_SYSCALL_WRITE_ARGSTR
}
probe __nd1_syscall.write = kprobe.function("sys_write")
{
%( arch == "s390" %?
	@__syscall_gate(@const("__NR_write"))
%)
}

/* kernel 4.17+ */
probe nd2_syscall.write = kprobe.function(@arch_syscall_prefix "sys_write")
{
	__set_syscall_pt_regs(pointer_arg(1))
	@_SYSCALL_WRITE_NAME
	@_SYSCALL_WRITE_REGARGS
	@_SYSCALL_WRITE_ARGSTR
}

/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.write = kernel.trace("sys_enter")
{
	__set_syscall_pt_regs($regs)
	@__syscall_compat_gate(@const("__NR_write"), @const("__NR_compat_write"))
	@_SYSCALL_WRITE_NAME
	@_SYSCALL_WRITE_REGARGS
	@_SYSCALL_WRITE_ARGSTR
}

probe nd_syscall.write.return = nd1_syscall.write.return!, nd2_syscall.write.return!, tp_syscall.write.return
  { }

probe nd1_syscall.write.return =
%( arch == "s390" %?
	__nd1_syscall.write.return, kprobe.function("sys32_write").return ?,
	kprobe.function("compat_sys_s390_write").return ?
%:
	__nd1_syscall.write.return
%)
{
	@_SYSCALL_WRITE_NAME
	@SYSC_RETVALSTR(returnval())
}
probe __nd1_syscall.write.return = kprobe.function("sys_write").return
{
%( arch == "s390" %?
	@__syscall_gate(@const("__NR_write"))
%)
}

/* kernel 4.17+ */
probe nd2_syscall.write.return = kprobe.function(@arch_syscall_prefix "sys_write").return
{
	@_SYSCALL_WRITE_NAME
	@SYSC_RETVALSTR(returnval())
}

/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.write.return = kernel.trace("sys_exit")
{
	__set_syscall_pt_regs($regs)
	@__syscall_compat_gate(@const("__NR_write"), @const("__NR_compat_write"))
	@_SYSCALL_WRITE_NAME
	@SYSC_RETVALSTR($ret)
}