An analysis of the original understanding of Kprobe (II.)

The previous article and everyone briefly explained how the next kprobe should be used, then we will uncover kprobe mysterious veil, inquisitive, a glimpse of the kprobe.

The working process of Kprobe is as follows:

1) Register Kprobe. Each kprobe that is registered corresponds to a kprobe structure, which records the insertion point (position) and the instruction Original_opcode corresponding to the insertion point;

2) Replace the original instruction. When the Kprobe is enabled, the instruction of the insertion point position is replaced with an exception (BRK) instruction, which causes the CPU to fall into an abnormal state when it executes to the insertion point position;

3) Execute pre_handler. After entering the abnormal state, the Pre_handler is executed first, then the corresponding registers are set up by using the Single Step Debugging (Single-step) function provided by the CPU, and the

The next instruction is set to the original instruction at the insertion point, returning from the abnormal state;

4) fall into an abnormal state again. The Single-step related registers are set in the previous step, so originnal_opcode just one execution, it will returned: Again into the abnormal state, this time will Single-step

Clears, and executes the Post_handler, and then returns safely from the abnormal state.

Step 2), 3), 4) is the process of kprobe work, and one of the basic ideas is to extend an instruction to execute kprobe->pre_handler---> Instructions---> kprobe-- >post_hander such three processes. Each procedure is explained in detail below:

Instruction substitution Process:

The blue area indicates memory, red indicates the address, the green part represents an instruction, meaning that memory 0xfffffc000162914 place an instruction is 0XA9BD7BFD. Well, now I have registered a kprobe, the detection point is the Sys_write function, the starting position of the function is 0xffffffc000162914, now I want to enable Kprobe, So what I'm going to do is to replace the original instruction 0XA9BD7BFD in 0xffffffc000162914 with a BRK instruction, which is a counter switch process represented. You might wonder where the original instruction 0XA9BD7BFD existed? There are opcode domains for kprobe structures! So that when it is no longer possible to kprobe, I return back.

Trigger BRK Command:

The above to change their instructions, then the CPU execution to BRK will inevitably cause the kernel to fall into BRK abnormal state:

The blue part is still the memory, the green part indicates the instruction, the red indicates the CPU, the CPU executes to 0xffffffc000162914 (sys_write), the instruction is BRK, and the kernel falls into an abnormal state. In an abnormal state, the kernel uses the BRK instruction error code to determine that this is a Kprobe exception, and then enters the kprobe processing function. The Kprobe exception handler will find the corresponding kprobe based on the address of the exception (Kprobe's addr domain records the address), execute Kprobe pre_handler function, and then set Single-step related registers for next execution The original instruction occurs when the Single-step exception is prepared. Then we set the address of the original instruction, we know that the 0xffffffc000162914 place has been replaced with the BRK instruction, the original instruction is stored in the kprobe structure, how to ensure the next implementation to the original command? The simplest way is to request a piece of memory, and then copy the original instruction to the beginning of the memory, set the PC register as the first address of the memory, so that when the code from the abnormal state return, the execution of the first command is the original command!

The original instructions were executed, returned

After the above step, Pre_handler has been executed, from the abnormal state returned, the original instruction was also executed, but because the Single-step mode is set, so executed the original instruction, immediately fell into an abnormal state, returned:

This time after entering the abnormal state, first clear the Single-step related registers, to ensure that the next return from the exception of the instruction will not be due to single-step occur three, and then execute Post_handler, Finally write the address 0xfffffc000162918 to the PC register, why is this value? It is immediately following the 0xffffffc000162914 of the next instruction address, there is no discovery, so far we have completed the pre_handler-> original instruction->post_handler such three stages, That is to say kprobe to do all finished, at this time the work is to clean up the mess, return to the normal flow of instruction, our detection point in 0xffffffc000162914, the next command should be 0xffffffc000162918, So write this value to the PC register and get everything back on track!

Kprobe work is over and on track

The PC is set to the 0xffffffc000162918, so from the abnormal state return, the CPU is on the right track and then executed, a BRK instruction triggered by the reaction here, but each time when the CPU execution to 0xffffffc000162914 place, Will trigger the sequence of actions above, and the kprobe mechanism starts with a BRK command.

Note:

--------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------

Since kprobe involves the modification of program directives, this part is related to architecture, and the architecture I choose ARM64, such as BRK directives in this article, are ARM64 concepts.

x86 in the INT3 of the corresponding.

--------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------

An analysis of the original understanding of Kprobe (II.)