A question #45
Comments
|
when i use BCC to impliment bash-kern, I always get such as the picture show |
|
the code from bcc import BPF
from time import sleep
text = """
#include <uapi/linux/ptrace.h>
struct event_data_t {
u32 pid;
u8 line[80];
char comm[16];
};
BPF_PERF_OUTPUT(listen_evt);
int uretprobe_bash_readline(struct pt_regs *ctx) {
s64 pid_tgid = bpf_get_current_pid_tgid();
int pid = pid_tgid >> 32;
struct event_data_t event = {};
event.pid = pid;
bpf_get_current_comm(&event.comm, sizeof(event.comm));
bpf_probe_read(&event.line, sizeof(event.line), (void *)PT_REGS_RC(ctx));
listen_evt.perf_submit(ctx, &event, sizeof(event));
return 0;
}
"""
from ctypes import *
b = BPF(text=text)
b.attach_uprobe(name="/bin/bash",sym="readline",fn_name="uretprobe_bash_readline")
def print_event(cpu, data, size):
event = b["listen_evt"].event(data)
#line = bytearray(event.line).decode()
print("Rcv Event %d, %s,%s"%(event.pid, event.comm,bytes(event.line)))
b["listen_evt"].open_perf_buffer(print_event)
while True:
try:
b.perf_buffer_poll()
except:
exit() |
|
the same code as bash_kern.c in https://github.com/iovisor/bcc/blob/master/tools/bashreadline.py |
|
THANK YOU |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
No description provided.
The text was updated successfully, but these errors were encountered: