path: root/tapset/x86_64/syscalls.stp
# x86_64-specific system calls

# arch_prctl _________________________________________________
# long sys_arch_prctl(int code, unsigned long addr)
#
# NOTE: x86_64 only.
#
probe syscall.arch_prctl = kernel.function("sys_arch_prctl") {
	# Entry probe: export both raw arguments, then render them for argstr.
	code = $code
	addr = $addr
	# code is printed as a signed decimal and addr as a pointer. Whether addr
	# is a plain value or a user-space pointer depends on code; this probe does
	# not decode it (see arch_prctl(2) -- TODO confirm per-code meaning).
	argstr = sprintf("%d, %p", code, addr)
	name = "arch_prctl"
}
probe syscall.arch_prctl.return = kernel.function("sys_arch_prctl").return {
	# Return probe: retstr comes from returnstr(), a helper defined outside
	# this file; selector 1 is presumably the decimal/errno rendering -- confirm
	# against the helper's definition.
	retstr = returnstr(1)
	name = "arch_prctl"
}

# iopl _______________________________________________________
# long sys_iopl(unsigned int level, struct pt_regs *regs);
# NOTE. This function is only in i386 and x86_64 and its args vary
# between those two archs.
#
probe syscall.iopl = kernel.function("sys_iopl") {
	# Entry probe: only the requested I/O privilege level is exported; the
	# pt_regs argument shown in the prototype is not read here.
	#
	# Audit note: a non-zero level gives the calling process direct I/O port
	# access from user space (raising it requires CAP_SYS_RAWIO), so callers
	# outside a small set of expected programs are worth logging.
	level = $level
	argstr = sprint(level)
	name = "iopl"
}
probe syscall.iopl.return = kernel.function("sys_iopl").return {
	# Return probe: retstr is produced by returnstr(), defined outside this
	# file; selector 1 is presumably the decimal/errno rendering -- confirm.
	# Pairing this with the entry probe shows whether a privilege-level
	# request was actually granted or refused.
	retstr = returnstr(1)
	name = "iopl"
}

# sigaltstack ________________________________________________
# long sys_sigaltstack(const stack_t __user *uss, stack_t __user *uoss,
#		struct pt_regs *regs)
#
# NOTE: args vary between archs.
#
probe syscall.sigaltstack = kernel.function("sys_sigaltstack") {
	# Entry probe: export the new and old stack descriptors as raw addresses.
	# Neither stack_t is dereferenced here, so no user memory is read.
	uss_uaddr = $uss
	uoss_uaddr = $uoss
	# NOTE(review): despite the _uaddr suffix, the prototype declares regs
	# without __user, so this looks like a kernel pointer -- confirm before
	# treating it as a user address in scripts.
	regs_uaddr = $regs
	# argstr covers only the two user-visible arguments; regs is left out.
	argstr = sprintf("%p, %p", uss_uaddr, uoss_uaddr)
	name = "sigaltstack"
}
probe syscall.sigaltstack.return = kernel.function("sys_sigaltstack").return {
	# Return probe: retstr is produced by returnstr(), defined outside this
	# file; selector 1 is presumably the decimal/errno rendering -- confirm.
	retstr = returnstr(1)
	name = "sigaltstack"
}

# sysctl _____________________________________________________
#
# long sys32_sysctl(struct sysctl_ia32 __user *args32)
#
probe syscall.sysctl32 = kernel.function("sys32_sysctl") ? {
	# Entry probe for the 32-bit compat sysctl path. The trailing "?" makes
	# the probe point optional, so kernels without sys32_sysctl still load.
	# Only the address of the user-supplied argument block is shown; the
	# struct itself is not decoded, so the sysctl name and values being read
	# or written are not visible from this probe.
	argstr = sprintf("%p", $args32)
	name = "sysctl"
}
probe syscall.sysctl32.return = kernel.function("sys32_sysctl").return ? {
	# Return probe, optional ("?") like its entry counterpart. retstr is
	# produced by returnstr(), defined outside this file; selector 1 is
	# presumably the decimal/errno rendering -- confirm.
	retstr = returnstr(1)
	name = "sysctl"
}

# mmap
# long sys_mmap(unsigned long addr, unsigned long len,
#          unsigned long prot, unsigned long flags,
#          unsigned long fd, unsigned long off)
probe syscall.mmap = kernel.function("sys_mmap") ? {
	# Entry probe (optional via "?"): export every argument under the names
	# scripts expect. Note that $addr is exported as start and $off as offset.
	start = $addr
	len = $len
	prot = $prot
	flags = $flags
	fd = $fd
	offset = $off
	# prot and flags are rendered by helpers defined outside this file,
	# presumably as symbolic names -- confirm their output format. For
	# monitoring, the raw prot value is the reliable field to test when
	# looking for mappings requested as both writable and executable.
	argstr = sprintf("%p, %d, %s, %s, %d, %d", start, len,
		_mprotect_prot_str(prot), _mmap_flags(flags), fd, offset)
	name = "mmap"
}

probe syscall.mmap.return = kernel.function("sys_mmap").return ? {
	# Return probe, optional ("?") like its entry counterpart. Unlike the other
	# return probes in this file it passes selector 2 to returnstr(),
	# presumably so the mapped address is shown in hex rather than decimal --
	# confirm against the helper's definition.
	retstr = returnstr(2)
	name = "mmap"
}