作者:朱辉
开源网址:https://github.com/teawater
http://teawater.github.io/kgtp/ 有中文版说明
内核编绎:
General setup ---> [ * ] Prompt for development and/or incomplete code/drivers
[ * ] Kprobe
Kernel hacking ---> [ * ] Compile the kernel with debug info
[ * ] Compile the kernel with frame pointers
gdb版本:
KGTP_NEED_GDB_VERSION = 7.6
KGTP_INSTALL_GDB = "gdb-7.7"
1.编绎
tar -zxvf kgtp-20140510.tar.gz [root@localhost kgtp-]# ls
add-ons gtp_2..20_to_2.6.32.patch gtp_rb.c plugin_example.c
dkms.conf gtp_2..33_to_2.6.38.patch kgtpcn.odt putgtprsp.c
dkms_others_install.sh gtp_2.6.39.patch kgtpcn.pdf README.md
dkms_others_uninstall.sh gtp_3.0_to_3..patch kgtp.odt ring_buffer.c
getframe.c gtp_3.7_to_upstream.patch kgtp.pdf ring_buffer.h
getgtprsp.pl gtp.c kgtp.py UPDATE
getmod.c gtp.h Makefile
getmod.py gtp_older_to_2.6.19.patch perf_event.c
[root@localhost kgtp-]# make
make CROSS_COMPILE= -C /lib/modules/2.6./build/ M=/root/kgtp- modules
make[]: Entering directory `/usr/src/kernels/linux-2.6.'
CC [M] /root/kgtp-/gtp.o
/root/kgtp-/gtp.c::: warning: #warning "Current Kernel is too old. Function of performance counters is not available."
/root/kgtp-/gtp.c::: warning: #warning "Cannot trace user program because the Linux Kernel that older than 3.9 doesn't support UPROBES."
/root/kgtp-/gtp_rb.c: In function ‘gtp_rb_walk’:
/root/kgtp-/gtp_rb.c:: warning: ‘step’ may be used uninitialized in this function
/root/kgtp-/gtp.c::: warning: #warning "Current Kernel is too old. Function of performance counters is not available."
/root/kgtp-/gtp.c::: warning: #warning "Cannot trace user program because the Linux Kernel that older than 3.9 doesn't support UPROBES."
Building modules, stage .
MODPOST modules
CC /root/kgtp-/gtp.mod.o
LD [M] /root/kgtp-/gtp.ko
make[]: Leaving directory `/usr/src/kernels/linux-2.6.'
gcc -O2 -static -o getmod getmod.c
gcc -O2 -static -o getframe getframe.c
gcc -O2 -static -o putgtprsp putgtprsp.c
2.insmod gtp.ko
3. mount -t sysfs none /sys/
mount -t debugfs none /sys/kernel/debug/
4. cd /usr/src/kernels/linux-2.6.32 进入源代码目录
5.gdb vmlinux
6.(gdb) target remote /sys/kernel/debug/gtp
7. 调试内核
(gdb) trace vfs_readdir 跟踪涵数名
Tracepoint at 0xffffffff810d751f: file fs/readdir.c, line .
--------------------------------------------------------------------
(gdb) actions 设轩预到跟踪点进行收集信息
Enter actions for tracepoint , one per line.
End with a line saying just "end".
> collect jiffies_64
> collect file->f_path.dentry->d_iname
> end
-------------------------------------------------------------------------------------------
(gdb) tstart 开始跟踪
--------------------------------------------------------------------------------------------
(gdb) shell ls :跟踪ls
arch Documentation init MAINTAINERS net security virt
block drivers ipc Makefile README sound vmlinux
COPYING firmware Kbuild mm REPORTING-BUGS System.map vmlinux.o
CREDITS fs kernel modules.order samples tools
crypto include lib Module.symvers scripts usr
----------------------------------------------------------------------------------------------
(gdb) tstop 停止跟踪
-------------------------------------------------------------------------------------------------
(gdb) tfind
# vfs_readdir (file=0xffff88003c087480, filler=0xffffffff810d7468 <filldir>,
buf=0xffff88004884df38) at fs/readdir.c:
{
(gdb) p jiffies_64
$ =
(gdb) p file->f_path.dentry->d_iname
$ = "/\000r", '\000' <repeats times>
(gdb) list vfs_readdir
#include <linux/unistd.h> #include <asm/uaccess.h> int vfs_readdir(struct file *file, filldir_t filler, void *buf)
{
struct inode *inode = file->f_path.dentry->d_inode;
int res = -ENOTDIR;
if (!file->f_op || !file->f_op->readdir)
goto out;
(gdb) disassemble /m vfs_readdir
Dump of assembler code for function vfs_readdir:
{
0xffffffff810d751f <vfs_readdir+>: push %r15
0xffffffff810d7521 <vfs_readdir+>: mov %rdx,%r15
0xffffffff810d7524 <vfs_readdir+>: push %r14
0xffffffff810d7526 <vfs_readdir+>: mov %rsi,%r14
0xffffffff810d7529 <vfs_readdir+>: push %r13
0xffffffff810d752b <vfs_readdir+>: push %r12
0xffffffff810d752d <vfs_readdir+>: push %rbp
0xffffffff810d752e <vfs_readdir+>: mov %rdi,%rbp
0xffffffff810d7531 <vfs_readdir+>: push %rbx
0xffffffff810d7532 <vfs_readdir+>: sub $0x8,%rsp struct inode *inode = file->f_path.dentry->d_inode;
0xffffffff810d7536 <vfs_readdir+>: mov 0x18(%rdi),%rax
0xffffffff810d753a <vfs_readdir+>: mov 0x10(%rax),%r12 int res = -ENOTDIR;
if (!file->f_op || !file->f_op->readdir)
0xffffffff810d753e <vfs_readdir+>: mov 0x20(%rdi),%rax
---Type <return> to continue, or q <return> to quit---
0xffffffff810d7542 <vfs_readdir+>: test %rax,%rax
0xffffffff810d7545 <vfs_readdir+>: je 0xffffffff810d75b3 <vfs_readdir+>
0xffffffff810d7547 <vfs_readdir+>: cmpq $0x0,0x30(%rax)
0xffffffff810d754c <vfs_readdir+>: je 0xffffffff810d75b3 <vfs_readdir+> goto out; res = security_file_permission(file, MAY_READ);
0xffffffff810d754e <vfs_readdir+>: mov $0x4,%esi
0xffffffff810d7553 <vfs_readdir+>: callq 0xffffffff8113848d <security_file_permission>
0xffffffff810d755a <vfs_readdir+>: mov %eax,%ebx if (res)
0xffffffff810d7558 <vfs_readdir+>: test %eax,%eax
0xffffffff810d755c <vfs_readdir+>: jne 0xffffffff810d75b8 <vfs_readdir+> goto out; res = mutex_lock_killable(&inode->i_mutex);
0xffffffff810d755e <vfs_readdir+>: lea 0xb8(%r12),%r13
---Type <return> to continue, or q <return> to quit---
0xffffffff810d7566 <vfs_readdir+>: mov %r13,%rdi
0xffffffff810d7569 <vfs_readdir+>: callq 0xffffffff812f4bff <mutex_lock_killable>
0xffffffff810d7570 <vfs_readdir+>: mov %eax,%ebx if (res)
0xffffffff810d756e <vfs_readdir+>: test %eax,%eax
0xffffffff810d7572 <vfs_readdir+>: jne 0xffffffff810d75b8 <vfs_readdir+> goto out; res = -ENOENT;
if (!IS_DEADDIR(inode)) {
0xffffffff810d7574 <vfs_readdir+>: testb $0x10,0x220(%r12)
0xffffffff810d757d <vfs_readdir+>: mov $0xfffffffe,%ebx
0xffffffff810d7582 <vfs_readdir+>: jne 0xffffffff810d75a9 <vfs_readdir+> res = file->f_op->readdir(file, buf, filler);
0xffffffff810d7584 <vfs_readdir+>: mov 0x20(%rbp),%rax
0xffffffff810d7588 <vfs_readdir+>: mov %r14,%rdx
0xffffffff810d758b <vfs_readdir+>: mov %r15,%rsi
---Type <return> to continue, or q <return> to quit---
0xffffffff810d758e <vfs_readdir+>: mov %rbp,%rdi
0xffffffff810d7591 <vfs_readdir+>: callq *0x30(%rax)
0xffffffff810d7598 <vfs_readdir+>: mov %eax,%ebx file_accessed(file);
}
mutex_unlock(&inode->i_mutex);
0xffffffff810d75a9 <vfs_readdir+>: mov %r13,%rdi
0xffffffff810d75ac <vfs_readdir+>: callq 0xffffffff812f4a35 <mutex_unlock>
0xffffffff810d75b1 <vfs_readdir+>: jmp 0xffffffff810d75b8 <vfs_readdir+> out:
0xffffffff810d75b3 <vfs_readdir+>: mov $0xffffffec,%ebx return res;
}
0xffffffff810d75b8 <vfs_readdir+>: pop %rcx
0xffffffff810d75b9 <vfs_readdir+>: mov %ebx,%eax
0xffffffff810d75bb <vfs_readdir+>: pop %rbx
0xffffffff810d75bc <vfs_readdir+>: pop %rbp
---Type <return> to continue, or q <return> to quit---
0xffffffff810d75bd <vfs_readdir+>: pop %r12
0xffffffff810d75bf <vfs_readdir+>: pop %r13
0xffffffff810d75c1 <vfs_readdir+>: pop %r14
0xffffffff810d75c3 <vfs_readdir+>: pop %r15
0xffffffff810d75c5 <vfs_readdir+>: retq