how to change kprobe.c(sys_execve) to know which binary is executed? #1446

Songchunbo · 2024-04-24T07:19:10Z

Songchunbo
Apr 24, 2024

I change the kprobe.c as belows. It seems not working.

change code

//go:build ignore

#include "common.h"

char __license[] SEC("license") = "Dual MIT/GPL";

struct bpf_map_def SEC("maps") kprobe_map = {
	.type        = BPF_MAP_TYPE_ARRAY,
	.key_size    = sizeof(u32),
	.value_size  = sizeof(u64),
	.max_entries = 1,
};

SEC("kprobe/sys_execve")
int kprobe_execve(struct pt_regs *ctx) {
	u32 key     = 0;
	u64 initval = 1, *valp;

	valp = bpf_map_lookup_elem(&kprobe_map, &key);
	if (!valp) {
		bpf_map_update_elem(&kprobe_map, &key, &initval, BPF_ANY);
		return 0;
	}
	__sync_fetch_and_add(valp, 1);

       char filename[256];
       bpf_probe_read_user_str(filename, sizeof(filename), (const char *)PT_REGS_PARM1(ctx));
       bpf_printk("Executed filename: %s\n", filename);

	return 0;
}

go generate

$ go generate
/xxx/ebpf/examples/kprobe/kprobe.c:28:71: warning: implicit declaration of function 'PT_REGS_PARM1' is invalid in C99 [-Wimplicit-function-declaration]
    bpf_probe_read_user_str(filename, sizeof(filename), (const char *)PT_REGS_PARM1(ctx));
                                                                      ^
/home/chunbo/Workspace/myebpf/ebpf/examples/kprobe/kprobe.c:28:57: warning: cast to 'const char *' from smaller integer type 'int' [-Wint-to-pointer-cast]
    bpf_probe_read_user_str(filename, sizeof(filename), (const char *)PT_REGS_PARM1(ctx));
                                                        ^
2 warnings generated.
Compiled /xxx/ebpf/examples/kprobe/bpf_bpfel.o
Stripped /xxx/ebpf/examples/kprobe/bpf_bpfel.o
Wrote /xxx/ebpf/examples/kprobe/bpf_bpfel.go
/xxx/ebpf/examples/kprobe/kprobe.c:28:71: warning: implicit declaration of function 'PT_REGS_PARM1' is invalid in C99 [-Wimplicit-function-declaration]
    bpf_probe_read_user_str(filename, sizeof(filename), (const char *)PT_REGS_PARM1(ctx));
                                                                      ^
/xxx/ebpf/examples/kprobe/kprobe.c:28:57: warning: cast to 'const char *' from smaller integer type 'int' [-Wint-to-pointer-cast]
    bpf_probe_read_user_str(filename, sizeof(filename), (const char *)PT_REGS_PARM1(ctx));
                                                        ^
2 warnings generated.
Compiled /xxx/ebpf/examples/kprobe/bpf_bpfeb.o
Stripped /xxx/ebpf/examples/kprobe/bpf_bpfeb.o
Wrote /xxx/ebpf/examples/kprobe/bpf_bpfeb.go

go build and execute

$ go build
/xxx/ebpf/examples/kprobe$ sudo ./execve_hook 
2024/04/24 15:18:04 loading objects: field KprobeExecve: program kprobe_execve: Call at insn 20: symbol "PT_REGS_PARM1": unsatisfied program reference

windy-purple · 2024-04-25T02:35:57Z

windy-purple
Apr 25, 2024

Maybe you can consider replacing (const char *)PT_REGS_PARM1(ctx) with ctx->rdi. Of course, this is under the x86-64 system, and your header file should define the corresponding pt_regs structure under the x86-64 system.

0 replies

Songchunbo · 2024-04-25T08:47:02Z

Songchunbo
Apr 25, 2024
Author

Thanks for the reply. I tried , go generate complains as below

kprobe.c:29:75: error: incomplete definition of type 'struct pt_regs'
    bpf_probe_read_user_str(filename, sizeof(filename), (const char *)(ctx->rdi));
                                                                       ~~~^
../headers/bpf_helper_defs.h:20:8: note: forward declaration of 'struct pt_regs'
struct pt_regs;
       ^
1 error generated.
Error: can't execute clang: exit status 1
exit status 1
main.go:15: running "go": exit status 1

I found the 'pt_regs' 's definition in '/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h' and try to include it and its dependencies into 'main.go' to build 'kprobe.c'. So it still complains, I think the dependency of 'pt_regs', 'PT_REGS_PARM1' is not correct , and need fix the dependency.

main.go
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go bpf kprobe.c -- -I../headers -I/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include -I/usr/src/linux-hwe-5.15-headers-5.15.0-102/arch/xtensa/include/uapi -I/usr/src/linux-hwe-5.15-headers-5.15.0-102/arch/ia64/include/uapi -I/usr/src/linux-hwe-5.15-headers-5.15.0-102/arch/x86/include/uapi -I/usr/src/linux-hwe-5.15-headers-5.15.0-102/include -I/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/generated

complains

$ go generate
In file included from /home/chunbo/Workspace/myebpf/ebpf/examples/kprobe/kprobe.c:4:
In file included from /usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:7:
In file included from /usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/uapi/asm/ptrace.h:5:
In file included from /usr/src/linux-hwe-5.15-headers-5.15.0-102/include/linux/compiler.h:255:
In file included from /usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/generated/asm/rwonce.h:1:
In file included from /usr/src/linux-hwe-5.15-headers-5.15.0-102/include/asm-generic/rwonce.h:27:
In file included from /usr/src/linux-hwe-5.15-headers-5.15.0-102/include/linux/kcsan-checks.h:13:
/usr/src/linux-hwe-5.15-headers-5.15.0-102/include/linux/compiler_attributes.h:54:9: warning: '__always_inline' macro redefined [-Wmacro-redefined]
#define __always_inline                 inline __attribute__((__always_inline__))
        ^
../headers/bpf_helpers.h:33:9: note: previous definition is here
#define __always_inline inline __attribute__((always_inline))
        ^
In file included from /home/chunbo/Workspace/myebpf/ebpf/examples/kprobe/kprobe.c:4:
In file included from /usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:7:
In file included from /usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/uapi/asm/ptrace.h:5:
In file included from /usr/src/linux-hwe-5.15-headers-5.15.0-102/include/linux/compiler.h:255:
In file included from /usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/generated/asm/rwonce.h:1:
In file included from /usr/src/linux-hwe-5.15-headers-5.15.0-102/include/asm-generic/rwonce.h:27:
In file included from /usr/src/linux-hwe-5.15-headers-5.15.0-102/include/linux/kcsan-checks.h:13:
/usr/src/linux-hwe-5.15-headers-5.15.0-102/include/linux/compiler_attributes.h:316:9: warning: '__weak' macro redefined [-Wmacro-redefined]
#define __weak                          __attribute__((__weak__))
        ^
../headers/bpf_helpers.h:39:9: note: previous definition is here
#define __weak __attribute__((weak))
        ^
In file included from /home/chunbo/Workspace/myebpf/ebpf/examples/kprobe/kprobe.c:4:
In file included from /usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:7:
In file included from /usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/uapi/asm/ptrace.h:5:
In file included from /usr/src/linux-hwe-5.15-headers-5.15.0-102/include/linux/compiler.h:255:
In file included from /usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/generated/asm/rwonce.h:1:
/usr/src/linux-hwe-5.15-headers-5.15.0-102/include/asm-generic/rwonce.h:64:8: error: unknown type name '__no_sanitize_or_inline'
static __no_sanitize_or_inline
       ^
/usr/src/linux-hwe-5.15-headers-5.15.0-102/include/asm-generic/rwonce.h:82:8: error: unknown type name '__no_kasan_or_inline'
static __no_kasan_or_inline
       ^
In file included from /home/chunbo/Workspace/myebpf/ebpf/examples/kprobe/kprobe.c:4:
/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:59:8: error: redefinition of 'pt_regs'
struct pt_regs {
       ^
/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/uapi/asm/ptrace.h:44:8: note: previous definition is here
struct pt_regs {
       ^
In file included from /home/chunbo/Workspace/myebpf/ebpf/examples/kprobe/kprobe.c:4:
/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:114:15: error: no member named 'ax' in 'struct pt_regs'
        return regs->ax;
               ~~~~  ^
/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:119:8: error: no member named 'ax' in 'struct pt_regs'
        regs->ax = rc;
        ~~~~  ^
/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:200:15: error: no member named 'sp' in 'struct pt_regs'
        return regs->sp;
               ~~~~  ^
/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:205:15: error: no member named 'ip' in 'struct pt_regs'
        return regs->ip;
               ~~~~  ^
/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:211:8: error: no member named 'ip' in 'struct pt_regs'
        regs->ip = val;
        ~~~~  ^
/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:216:15: error: no member named 'bp' in 'struct pt_regs'
        return regs->bp;
               ~~~~  ^
/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:221:15: error: no member named 'sp' in 'struct pt_regs'
        return regs->sp;
               ~~~~  ^
/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:227:8: error: no member named 'sp' in 'struct pt_regs'
        regs->sp = val;
        ~~~~  ^
/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:232:17: error: no member named 'flags' in 'struct pt_regs'; did you mean 'eflags'?
        return !(regs->flags & X86_EFLAGS_IF);
                       ^~~~~
                       eflags
/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/uapi/asm/ptrace.h:73:16: note: 'eflags' declared here
        unsigned long eflags;
                      ^
In file included from /home/chunbo/Workspace/myebpf/ebpf/examples/kprobe/kprobe.c:4:
/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:252:6: warning: implicit declaration of function 'unlikely' is invalid in C99 [-Wimplicit-function-declaration]
        if (unlikely(offset > MAX_REG_OFFSET))
            ^
/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:280:48: error: no member named 'sp' in 'struct pt_regs'
        return ((addr & ~(THREAD_SIZE - 1)) == (regs->sp & ~(THREAD_SIZE - 1)));
                                                ~~~~  ^
/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:294:47: error: no member named 'sp' in 'struct pt_regs'
        unsigned long *addr = (unsigned long *)regs->sp;
                                               ~~~~  ^
/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:352:28: error: no member named 'di' in 'struct pt_regs'
                offsetof(struct pt_regs, di),
                ~~~~~~~~~~~~~~~~~~~~~~~~~^~~
/usr/src/linux-hwe-5.15-headers-5.15.0-102/include/linux/stddef.h:19:55: note: expanded from macro 'offsetof'
#define offsetof(TYPE, MEMBER)  ((size_t)&((TYPE *)0)->MEMBER)
                                          ~~~~~~~~~~~  ^
In file included from /home/chunbo/Workspace/myebpf/ebpf/examples/kprobe/kprobe.c:4:
/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:353:28: error: no member named 'si' in 'struct pt_regs'
                offsetof(struct pt_regs, si),
                ~~~~~~~~~~~~~~~~~~~~~~~~~^~~
/usr/src/linux-hwe-5.15-headers-5.15.0-102/include/linux/stddef.h:19:55: note: expanded from macro 'offsetof'
#define offsetof(TYPE, MEMBER)  ((size_t)&((TYPE *)0)->MEMBER)
                                          ~~~~~~~~~~~  ^
In file included from /home/chunbo/Workspace/myebpf/ebpf/examples/kprobe/kprobe.c:4:
/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:354:28: error: no member named 'dx' in 'struct pt_regs'
                offsetof(struct pt_regs, dx),
                ~~~~~~~~~~~~~~~~~~~~~~~~~^~~
/usr/src/linux-hwe-5.15-headers-5.15.0-102/include/linux/stddef.h:19:55: note: expanded from macro 'offsetof'
#define offsetof(TYPE, MEMBER)  ((size_t)&((TYPE *)0)->MEMBER)
                                          ~~~~~~~~~~~  ^
In file included from /home/chunbo/Workspace/myebpf/ebpf/examples/kprobe/kprobe.c:4:
/usr/src/linux-headers-5.15.0-102-generic/arch/x86/include/asm/ptrace.h:355:28: error: no member named 'cx' in 'struct pt_regs'
                offsetof(struct pt_regs, cx),
                ~~~~~~~~~~~~~~~~~~~~~~~~~^~~
/usr/src/linux-hwe-5.15-headers-5.15.0-102/include/linux/stddef.h:19:55: note: expanded from macro 'offsetof'
#define offsetof(TYPE, MEMBER)  ((size_t)&((TYPE *)0)->MEMBER)
                                          ~~~~~~~~~~~  ^
3 warnings and 18 errors generated.
Error: can't execute clang: exit status 1
exit status 1
main.go:16: running "go": exit status 1

1 reply

windy-purple Apr 25, 2024

Use bpftool to generate vmlinux.h. All the structures you need can be found in this header file.

Songchunbo · 2024-04-25T11:32:21Z

Songchunbo
Apr 25, 2024
Author

Hi, I tested with 'vmlinux.h' before, it didn't work.

$ sudo bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
$ head -5 kprobe.c
//go:build ignore

#include "common.h"
#include "vmlinux.h"

$ go generate
In file included from /.../ebpf/examples/kprobe/kprobe.c:4:
/.../ebpf/examples/kprobe/vmlinux.h:5:15: error: attribute 'preserve_access_index' is not supported by '#pragma clang attribute'
#pragma clang attribute push (__attribute__((preserve_access_index)), apply_to = record)
              ^
/.../ebpf/examples/kprobe/vmlinux.h:10604:6: error: redefinition of 'bpf_map_type'
enum bpf_map_type {
     ^
../headers/common.h:27:6: note: previous definition is here
enum bpf_map_type {
     ^
In file included from /.../ebpf/examples/kprobe/kprobe.c:4:
/.../ebpf/examples/kprobe/vmlinux.h:10605:2: error: redefinition of enumerator 'BPF_MAP_TYPE_UNSPEC'
        BPF_MAP_TYPE_UNSPEC = 0,
        ^
../headers/common.h:28:2: note: previous definition is here
        BPF_MAP_TYPE_UNSPEC                = 0,
        ^
In file included from /.../ebpf/examples/kprobe/kprobe.c:4:
/.../ebpf/examples/kprobe/vmlinux.h:10606:2: error: redefinition of enumerator 'BPF_MAP_TYPE_HASH'
        BPF_MAP_TYPE_HASH = 1,
        ^
../headers/common.h:29:2: note: previous definition is here
        BPF_MAP_TYPE_HASH                  = 1,
        ^
In file included from /.../ebpf/examples/kprobe/kprobe.c:4:
/.../ebpf/examples/kprobe/vmlinux.h:10607:2: error: redefinition of enumerator 'BPF_MAP_TYPE_ARRAY'
        BPF_MAP_TYPE_ARRAY = 2,
        ^
../headers/common.h:30:2: note: previous definition is here
        BPF_MAP_TYPE_ARRAY                 = 2,
        ^
In file included from /.../ebpf/examples/kprobe/kprobe.c:4:
/.../ebpf/examples/kprobe/vmlinux.h:10608:2: error: redefinition of enumerator 'BPF_MAP_TYPE_PROG_ARRAY'
        BPF_MAP_TYPE_PROG_ARRAY = 3,
        ^
../headers/common.h:31:2: note: previous definition is here
        BPF_MAP_TYPE_PROG_ARRAY            = 3,
        ^
In file included from /.../ebpf/examples/kprobe/kprobe.c:4:
/.../ebpf/examples/kprobe/vmlinux.h:10609:2: error: redefinition of enumerator 'BPF_MAP_TYPE_PERF_EVENT_ARRAY'
        BPF_MAP_TYPE_PERF_EVENT_ARRAY = 4,
        ^
../headers/common.h:32:2: note: previous definition is here
        BPF_MAP_TYPE_PERF_EVENT_ARRAY      = 4,
        ^
In file included from /.../ebpf/examples/kprobe/kprobe.c:4:
/.../ebpf/examples/kprobe/vmlinux.h:10610:2: error: redefinition of enumerator 'BPF_MAP_TYPE_PERCPU_HASH'
        BPF_MAP_TYPE_PERCPU_HASH = 5,
        ^
../headers/common.h:33:2: note: previous definition is here
        BPF_MAP_TYPE_PERCPU_HASH           = 5,
        ^
In file included from /.../ebpf/examples/kprobe/kprobe.c:4:
/.../ebpf/examples/kprobe/vmlinux.h:10611:2: error: redefinition of enumerator 'BPF_MAP_TYPE_PERCPU_ARRAY'
        BPF_MAP_TYPE_PERCPU_ARRAY = 6,
        ^
../headers/common.h:34:2: note: previous definition is here
        BPF_MAP_TYPE_PERCPU_ARRAY          = 6,
        ^
In file included from /.../ebpf/examples/kprobe/kprobe.c:4:
/.../ebpf/examples/kprobe/vmlinux.h:10612:2: error: redefinition of enumerator 'BPF_MAP_TYPE_STACK_TRACE'
        BPF_MAP_TYPE_STACK_TRACE = 7,
        ^
../headers/common.h:35:2: note: previous definition is here
        BPF_MAP_TYPE_STACK_TRACE           = 7,
        ^
In file included from /.../ebpf/examples/kprobe/kprobe.c:4:
/.../ebpf/examples/kprobe/vmlinux.h:10613:2: error: redefinition of enumerator 'BPF_MAP_TYPE_CGROUP_ARRAY'
        BPF_MAP_TYPE_CGROUP_ARRAY = 8,
        ^
../headers/common.h:36:2: note: previous definition is here
        BPF_MAP_TYPE_CGROUP_ARRAY          = 8,
        ^
In file included from /.../ebpf/examples/kprobe/kprobe.c:4:
/.../ebpf/examples/kprobe/vmlinux.h:10614:2: error: redefinition of enumerator 'BPF_MAP_TYPE_LRU_HASH'
        BPF_MAP_TYPE_LRU_HASH = 9,
        ^
../headers/common.h:37:2: note: previous definition is here
        BPF_MAP_TYPE_LRU_HASH              = 9,
        ^
In file included from /.../ebpf/examples/kprobe/kprobe.c:4:
/.../ebpf/examples/kprobe/vmlinux.h:10615:2: error: redefinition of enumerator 'BPF_MAP_TYPE_LRU_PERCPU_HASH'
        BPF_MAP_TYPE_LRU_PERCPU_HASH = 10,
        ^
../headers/common.h:38:2: note: previous definition is here
        BPF_MAP_TYPE_LRU_PERCPU_HASH       = 10,
        ^
In file included from /.../ebpf/examples/kprobe/kprobe.c:4:
/.../ebpf/examples/kprobe/vmlinux.h:10616:2: error: redefinition of enumerator 'BPF_MAP_TYPE_LPM_TRIE'
        BPF_MAP_TYPE_LPM_TRIE = 11,
        ^
../headers/common.h:39:2: note: previous definition is here
        BPF_MAP_TYPE_LPM_TRIE              = 11,
        ^
In file included from /.../ebpf/examples/kprobe/kprobe.c:4:
/.../ebpf/examples/kprobe/vmlinux.h:10617:2: error: redefinition of enumerator 'BPF_MAP_TYPE_ARRAY_OF_MAPS'
        BPF_MAP_TYPE_ARRAY_OF_MAPS = 12,
        ^
../headers/common.h:40:2: note: previous definition is here
        BPF_MAP_TYPE_ARRAY_OF_MAPS         = 12,
        ^
In file included from /.../ebpf/examples/kprobe/kprobe.c:4:
/.../ebpf/examples/kprobe/vmlinux.h:10618:2: error: redefinition of enumerator 'BPF_MAP_TYPE_HASH_OF_MAPS'
        BPF_MAP_TYPE_HASH_OF_MAPS = 13,
        ^
../headers/common.h:41:2: note: previous definition is here
        BPF_MAP_TYPE_HASH_OF_MAPS          = 13,
        ^
In file included from /.../ebpf/examples/kprobe/kprobe.c:4:
/.../ebpf/examples/kprobe/vmlinux.h:10619:2: error: redefinition of enumerator 'BPF_MAP_TYPE_DEVMAP'
//go:build ignore
        BPF_MAP_TYPE_DEVMAP = 14,
        ^
../headers/common.h:42:2: note: previous definition is here
        BPF_MAP_TYPE_DEVMAP                = 14,
        ^
In file included from /.../ebpf/examples/kprobe/kprobe.c:4:
/.../ebpf/examples/kprobe/vmlinux.h:10620:2: error: redefinition of enumerator 'BPF_MAP_TYPE_SOCKMAP'
        BPF_MAP_TYPE_SOCKMAP = 15,
        ^
../headers/common.h:43:2: note: previous definition is here
        BPF_MAP_TYPE_SOCKMAP               = 15,
        ^
In file included from /.../ebpf/examples/kprobe/kprobe.c:4:
/.../ebpf/examples/kprobe/vmlinux.h:10621:2: error: redefinition of enumerator 'BPF_MAP_TYPE_CPUMAP'
        BPF_MAP_TYPE_CPUMAP = 16,
        ^
../headers/common.h:44:2: note: previous definition is here
        BPF_MAP_TYPE_CPUMAP                = 16,
        ^
fatal error: too many errors emitted, stopping now [-ferror-limit=]
20 errors generated.
Error: can't execute clang: exit status 1
exit status 1
main.go:16: running "go": exit status 1

uncomment "common.h"

$ vim kprobe.c
$ head -5 kprobe.c
//go:build ignore

//#include "common.h"
#include "vmlinux.h"

$ go generate
In file included from /.../ebpf/examples/kprobe/kprobe.c:4:
/.../ebpf/examples/kprobe/vmlinux.h:5:15: error: attribute 'preserve_access_index' is not supported by '#pragma clang attribute'
#pragma clang attribute push (__attribute__((preserve_access_index)), apply_to = record)
              ^
/.../ebpf/examples/kprobe/vmlinux.h:132120:15: error: '#pragma clang attribute pop' with no matching '#pragma clang attribute push'
#pragma clang attribute pop
              ^
/.../ebpf/examples/kprobe/kprobe.c:6:17: error: expected ';' after top level declarator
char __license[] SEC("license") = "Dual MIT/GPL";
                ^
                ;
/.../ebpf/examples/kprobe/kprobe.c:8:24: error: expected parameter declarator
struct bpf_map_def SEC("maps") kprobe_map = {
                       ^
/.../ebpf/examples/kprobe/kprobe.c:8:24: error: expected ')'
/.../ebpf/examples/kprobe/kprobe.c:8:23: note: to match this '('
struct bpf_map_def SEC("maps") kprobe_map = {
                      ^
/.../ebpf/examples/kprobe/kprobe.c:8:32: error: expected function body after function declarator
struct bpf_map_def SEC("maps") kprobe_map = {
                               ^
/.../ebpf/examples/kprobe/kprobe.c:15:5: error: expected parameter declarator
SEC("kprobe/sys_execve")
    ^
/.../ebpf/examples/kprobe/kprobe.c:15:5: error: expected ')'
/.../ebpf/examples/kprobe/kprobe.c:15:4: note: to match this '('
SEC("kprobe/sys_execve")
   ^
/.../ebpf/examples/kprobe/kprobe.c:15:1: warning: type specifier missing, defaults to 'int' [-Wimplicit-int]
SEC("kprobe/sys_execve")
^
/.../ebpf/examples/kprobe/kprobe.c:15:25: error: expected ';' after top level declarator
SEC("kprobe/sys_execve")
                        ^
                        ;
/.../ebpf/examples/kprobe/kprobe.c:20:9: warning: implicit declaration of function 'bpf_map_lookup_elem' is invalid in C99 [-Wimplicit-function-declaration]
        valp = bpf_map_lookup_elem(&kprobe_map, &key);
               ^
/.../ebpf/examples/kprobe/kprobe.c:20:30: error: use of undeclared identifier 'kprobe_map'
        valp = bpf_map_lookup_elem(&kprobe_map, &key);
                                    ^
/.../ebpf/examples/kprobe/kprobe.c:22:3: warning: implicit declaration of function 'bpf_map_update_elem' is invalid in C99 [-Wimplicit-function-declaration]
                bpf_map_update_elem(&kprobe_map, &key, &initval, BPF_ANY);
                ^
/.../ebpf/examples/kprobe/kprobe.c:22:24: error: use of undeclared identifier 'kprobe_map'
                bpf_map_update_elem(&kprobe_map, &key, &initval, BPF_ANY);
                                     ^
/.../ebpf/examples/kprobe/kprobe.c:29:5: warning: implicit declaration of function 'bpf_probe_read_user_str' is invalid in C99 [-Wimplicit-function-declaration]
    bpf_probe_read_user_str(filename, sizeof(filename), (const char *)(ctx->rdi));
    ^
/.../ebpf/examples/kprobe/kprobe.c:29:77: error: no member named 'rdi' in 'struct pt_regs'; did you mean 'di'?
    bpf_probe_read_user_str(filename, sizeof(filename), (const char *)(ctx->rdi));
                                                                            ^~~
                                                                            di
/.../ebpf/examples/kprobe/vmlinux.h:1605:20: note: 'di' declared here
        long unsigned int di;
                          ^
/.../ebpf/examples/kprobe/kprobe.c:30:5: warning: implicit declaration of function 'bpf_printk' is invalid in C99 [-Wimplicit-function-declaration]
    bpf_printk("Executed filename: %s\n", filename);
    ^
/.../ebpf/examples/kprobe/kprobe.c:6:6: warning: tentative array definition assumed to have one element
char __license[] SEC("license") = "Dual MIT/GPL";
     ^
6 warnings and 12 errors generated.
Error: can't execute clang: exit status 1
exit status 1
main.go:16: running "go": exit status 1

1 reply

lmb Apr 26, 2024
Maintainer

attribute 'preserve_access_index' is not supported by '#pragma clang attribute'

Your clang might be too old.

LLeavesG · 2024-07-23T08:12:32Z

LLeavesG
Jul 23, 2024

you can include vmlinux.h and add some defs in c file,
i build arm64 target , so i add defs behind
then you can run it successfully

struct pt_regs;
#define PT_REGS_ARM64 const volatile struct user_pt_regs
#define PT_REGS_PARM1(x) (((PT_REGS_ARM64 *)(x))->regs[0])
#define PT_REGS_PARM2(x) (((PT_REGS_ARM64 *)(x))->regs[1])
#define PT_REGS_PARM3(x) (((PT_REGS_ARM64 *)(x))->regs[2])
#define PT_REGS_PARM4(x) (((PT_REGS_ARM64 *)(x))->regs[3])
#define PT_REGS_PARM5(x) (((PT_REGS_ARM64 *)(x))->regs[4])
#define PT_REGS_RET(x) (((PT_REGS_ARM64 *)(x))->regs[30])
/* Works only with CONFIG_FRAME_POINTER */
#define PT_REGS_FP(x) (((PT_REGS_ARM64 *)(x))->regs[29])
#define PT_REGS_RC(x) (((PT_REGS_ARM64 *)(x))->regs[0])
#define PT_REGS_SP(x) (((PT_REGS_ARM64 *)(x))->sp)
#define PT_REGS_IP(x) (((PT_REGS_ARM64 *)(x))->pc)

#define PT_REGS_PARM1_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[0])
#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[1])
#define PT_REGS_PARM3_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[2])
#define PT_REGS_PARM4_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[3])
#define PT_REGS_PARM5_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[4])
#define PT_REGS_RET_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[30])
#define PT_REGS_FP_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[29])
#define PT_REGS_RC_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), regs[0])
#define PT_REGS_SP_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), sp)
#define PT_REGS_IP_CORE(x) BPF_CORE_READ((PT_REGS_ARM64 *)(x), pc)

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

how to change kprobe.c(sys_execve) to know which binary is executed? #1446

{{title}}

Replies: 4 comments 2 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

how to change kprobe.c(sys_execve) to know which binary is executed? #1446

Songchunbo Apr 24, 2024

Replies: 4 comments · 2 replies

windy-purple Apr 25, 2024

Songchunbo Apr 25, 2024 Author

windy-purple Apr 25, 2024

Songchunbo Apr 25, 2024 Author

uncomment "common.h"

lmb Apr 26, 2024 Maintainer

LLeavesG Jul 23, 2024

Songchunbo
Apr 24, 2024

Replies: 4 comments 2 replies

windy-purple
Apr 25, 2024

Songchunbo
Apr 25, 2024
Author

Songchunbo
Apr 25, 2024
Author

lmb Apr 26, 2024
Maintainer

LLeavesG
Jul 23, 2024