2020-11-28

do_sys_open kprobe is always returning the same filename

I wrote a module which registers a kprobe on `do_sys_open`, and I am trying to print the filename argument from the pre-handler.

#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/kprobes.h>

MODULE_LICENSE("GPL");

/* Probe descriptor handed to register_kprobe(); populated in hello_init(). */
static struct kprobe kp;

/*
 * Symbol to probe.  Defaults to do_sys_open but can be overridden at insmod
 * time ("name=<symbol>"); permission 0 means no sysfs entry is created.
 * Note that pre_handler() below assumes do_sys_open's argument layout, so
 * overriding this with another symbol yields meaningless output.
 */
static char *name = "do_sys_open";
module_param(name, charp, 0);

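/*
 * Pre-handler run before every execution of the probed symbol.
 *
 * @p:    the registered probe (unused).
 * @regs: register state at the probe point.
 *
 * Copies the (user-space) filename argument of do_sys_open() into a local
 * buffer and logs it together with a register dump.  Always returns 0 so the
 * probed instruction executes normally.
 */
static int pre_handler(struct kprobe *p, struct pt_regs *regs)
{
    /*
     * do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode):
     * on x86-64 the second argument arrives in %rsi.  This is an
     * architecture-specific assumption; regs_get_kernel_argument(regs, 1) is
     * the portable accessor on kernels that provide it.  The pointer comes
     * straight from user space and is never dereferenced directly.
     */
    const char __user *filename = (const char __user *)regs->si;
    char user_filename[256] = {0};
    long copied;

    /*
     * Copy at most sizeof - 1 bytes so the buffer is always NUL-terminated:
     * strncpy_from_user() returns `count` when the user string is at least
     * `count` bytes long and does NOT terminate the buffer in that case, so
     * passing the full size would let the "%s" below read past the end of
     * this stack buffer for any path of 256+ bytes.  The zero-initialiser
     * keeps the final byte as the terminator.
     *
     * NOTE(review): a kprobe pre-handler runs with preemption disabled, and a
     * user page fault taken here may need to sleep.  Kernels that provide
     * strncpy_from_user_nofault() (strncpy_from_unsafe_user() on older ones)
     * should use it instead -- confirm against the running kernel.
     */
    copied = strncpy_from_user(user_filename, filename,
                               sizeof(user_filename) - 1);

    /* Raw register dump; the labels are the 32-bit names, values are full regs. */
    pr_info("eax: %08lx   ebx: %08lx   ecx: %08lx   edx: %08lx\n",
            regs->ax, regs->bx, regs->cx, regs->dx);
    pr_info("esi: %08lx   edi: %08lx   ebp: %08lx   esp: %08lx\n",
            regs->si, regs->di, regs->bp, regs->sp);

    if (copied < 0) {
        /* -EFAULT: the pointer was not a readable user address. */
        pr_info("%s: strncpy_from_user failed: %ld\n", __func__, copied);
    } else if (copied > 0) {
        /*
         * copied == sizeof - 1 means the buffer was filled; the real path may
         * be longer, so flag it rather than presenting a silently cut name.
         */
        pr_info("%s filename:%s%s\n", __func__, user_filename,
                copied == (long)(sizeof(user_filename) - 1) ? " (truncated?)" : "");
    }

    return 0;
}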

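/*
 * Module entry point: arm the kprobe on the symbol named by `name`.
 *
 * Returns 0 on success or the negative errno from register_kprobe(); the
 * failure is also logged so the insmod error is diagnosable from dmesg.
 */
static int __init hello_init(void)
{
    int ret;

    /* set the handler functions */
    kp.pre_handler = pre_handler;

    /*
     * `name` is a module parameter, so the probed symbol is chosen at insmod
     * time.  pre_handler() assumes do_sys_open's argument layout and will
     * treat an arbitrary register value as a user pointer for any other
     * symbol.
     *
     * NOTE(review): on kernels >= 5.6 openat(2) is served by do_sys_openat2()
     * directly and do_sys_open() is only reached from the legacy open(2)/
     * creat(2) entry points, so processes whose libc implements open() via
     * openat never hit this probe -- which would explain seeing one filename
     * repeatedly.  Confirm against the running kernel's fs/open.c; probing
     * do_sys_openat2 (or the syscall tracepoints) covers openat traffic.
     */
    kp.symbol_name = name;

    ret = register_kprobe(&kp);
    if (ret < 0)
        pr_err("%s: register_kprobe(%s) failed: %d\n", __func__, name, ret);
    return ret;
}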

/*
 * Module exit point: log the teardown, then remove the probe installed by
 * hello_init() so no handler runs after the module text is gone.
 */
static void __exit hello_exit(void)
{
    pr_info("%s\n", __func__);
    unregister_kprobe(&kp);
}

/* Hook the init/exit routines into insmod and rmmod. */
module_init(hello_init);
module_exit(hello_exit);

After loading this module, I continuously get the same filename logged: pre_handler filename:/run/log/journal/e5f9bd15e9f247dd888fba443a4d9599/system.journal

What's wrong with the above code?



from Recent Questions - Stack Overflow https://ift.tt/3mgzkKf
