systemtap script #2
Comments
Getting back to this, I noticed that the systemtap script at the end of the page won't work as it generates this error:
This works for me:

```
# Run with guru mode, which embedded C and the write to nlk->state require:
#     stap -g dump_netlink_sock.stp
%{
#include <net/sock.h>
#include <linux/netlink.h>   /* struct netlink_callback */
%}

/*
 * struct netlink_sock lives in net/netlink/af_netlink.h, a private header
 * inside the kernel source tree that the linux-headers package does not
 * ship, so its definition is copied here. The layout must match the running
 * kernel exactly; this one is from a kernel that still has CONFIG_NETLINK_MMAP.
 */
function dump_netlink_sock:long (arg_sock:long)
%{
  struct netlink_ring {
    void **pg_vec;
    unsigned int head;
    unsigned int frames_per_block;
    unsigned int frame_size;
    unsigned int frame_max;
    unsigned int pg_vec_order;
    unsigned int pg_vec_pages;
    unsigned int pg_vec_len;
    atomic_t pending;
  };

  struct netlink_sock {
    /* struct sock has to be the first member of netlink_sock */
    struct sock sk;
    u32 portid;
    u32 dst_portid;
    u32 dst_group;
    u32 flags;
    u32 subscriptions;
    u32 ngroups;
    unsigned long *groups;
    unsigned long state;
    size_t max_recvmsg_len;
    wait_queue_head_t wait;
    bool cb_running;
    struct netlink_callback cb;
    struct mutex *cb_mutex;
    struct mutex cb_def_mutex;
    void (*netlink_rcv)(struct sk_buff *skb);
    int (*netlink_bind)(int group);
    void (*netlink_unbind)(int group);
    struct module *module;
#ifdef CONFIG_NETLINK_MMAP
    struct mutex pg_vec_lock;
    struct netlink_ring rx_ring;
    struct netlink_ring tx_ring;
    atomic_t mapped;
#endif /* CONFIG_NETLINK_MMAP */
  };

  struct sock *sk = (void *)STAP_ARG_arg_sock;
  struct netlink_sock *nlk = (void *)sk;

  _stp_printf("\n\n-----------------dump netlink_sock start-------------------\n");
  _stp_printf(" sk = %p\n", sk);
  /* sk_rmem_alloc and sk_refcnt are atomic_t on this kernel: read them with
   * atomic_read() instead of handing the struct itself to %d (use
   * refcount_read() for sk_refcnt on kernels where it is a refcount_t). */
  _stp_printf(" sk->sk_rmem_alloc = %d\n", atomic_read(&sk->sk_rmem_alloc));
  _stp_printf(" sk->sk_rcvbuf = %d\n", sk->sk_rcvbuf);
  _stp_printf(" sk->sk_refcnt = %d\n", atomic_read(&sk->sk_refcnt));
  _stp_printf(" nlk->state (before) = %x\n", (nlk->state & 0x1));
  /* Set bit 0 (NETLINK_S_CONGESTED) so netlink_attachskb() treats this
   * socket as congested on the way back from the probe. */
  nlk->state |= 1;
  _stp_printf(" nlk->state (after) = %x\n", (nlk->state & 0x1));
  _stp_printf("-----------------dump netlink_sock end---------------------\n\n\n");
%}

probe kernel.function("netlink_attachskb")
{
  if (execname() == "exploit")
  {
    printf("[%d: %d] > netlink_attachskb(%s)\n", pid(), tid(), $$parms);
    dump_netlink_sock($sk);
  }
}
```
Hello and thank you for your awesome post.
I am getting stuck at how the systemtap file builds up throughout the first part of your guide. Specifically, at the first part you mention:
and then you get the output you show in the table. I really don't know anything about systemtap and I can't modify the one that you show above so as to "probe every function invoked in mq_notify()", and therefore I can't actually trace all the I/O flow between the functions called in there. Can you please provide the full systemtap script for this?
Also, in the other systemtap script you include `net/netlink_sock.h`. What package should I install for this? Should I do it from apt or find an older one that matches my vuln kernel more closely?
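The "probe every function invoked in mq_notify()" request above, as an added example that is not part of this thread or of the original post: a read-only SystemTap script that switches tracing on when the watched process enters the mq_notify syscall and prints every matching kernel function call and return beneath it, indented by depth. The process name "exploit", the file name trace_mq_notify.stp and the set of function patterns are assumptions to adjust; the struct-dumping script from the first comment can be loaded alongside it (that one needs `-g`, this one does not). On the header question: `struct netlink_sock` is defined in `net/netlink/af_netlink.h`, a private header inside the kernel source tree, which is why the script above copies the struct definition instead of including anything.

```systemtap
#!/usr/bin/stap
# trace_mq_notify.stp -- added example, not from the original post or this thread.
# Prints the kernel call flow beneath mq_notify() for one process.
# Assumptions: the target binary is named "exploit" (change TARGET), kernel
# debuginfo is installed, and the script runs as root:
#     stap -v trace_mq_notify.stp

global TARGET = "exploit"   # assumed process name, as in the post's probes
global inside               # tid -> 1 while that thread is inside mq_notify()

# Syscall entry: start tracing this thread.
probe syscall.mq_notify
{
  if (execname() != TARGET) next
  inside[tid()] = 1
  printf("%s => %s(%s)\n", thread_indent(1), name, argstr)
}

# Syscall exit: stop tracing this thread.
probe syscall.mq_notify.return
{
  if (!(tid() in inside)) next
  printf("%s <= %s = %s\n", thread_indent(-1), name, retstr)
  delete inside[tid()]
}

# Everything in ipc/mqueue.c plus the file and netlink helpers mq_notify()
# reaches (fget/fdget variants, netlink_getsockbyfilp, netlink_attachskb,
# netlink_detachskb, ...). The trailing '?' marks a pattern optional so a
# name missing from this kernel does not abort the whole script.
probe kernel.function("*@ipc/mqueue.c").call ?,
      kernel.function("*fget*").call ?,
      kernel.function("sock_from_file").call ?,
      kernel.function("netlink_*").call ?
{
  if (!(tid() in inside)) next
  printf("%s -> %s(%s)\n", thread_indent(1), ppfunc(), $$parms)
}

probe kernel.function("*@ipc/mqueue.c").return ?,
      kernel.function("*fget*").return ?,
      kernel.function("sock_from_file").return ?,
      kernel.function("netlink_*").return ?
{
  if (!(tid() in inside)) next
  printf("%s <- %s %s\n", thread_indent(-1), ppfunc(), $$return)
}
```

Each thread gets its own indented `->`/`<-` tree, so the values passed into netlink_attachskb() and what it returns are visible in one place. If the `*@ipc/mqueue.c` pattern resolves to nothing, the debuginfo records a different source path; `stap -l 'kernel.function("*@*mqueue.c")'` lists what the kernel actually exposes so the pattern can be fixed before tracing.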