原理
systemtap原理类似与Runtime Hook技术,先找到函数的入口地址,然后保存函数的入口代码,再动态修改这部分代码,当内核调用函数时,systemtap就会执行检测点的修改代码,从而打印出我们需要的信息。
X86环境
Linux CentOS 3.10.0-514.2.2.el7.x86_64
安装:sudo yum install systemtap (安装时间较长)
版本信息:
Systemtap translator/driver (version 3.3/0.172, rpm 3.3-3.el7)
Copyright (C) 2005-2018 Red Hat, Inc. and others
This is free software; see the source for copying conditions.
tested kernel versions: 2.6.18 ... 4.18-rc0实现
stap可以使用2种方式实现:
1、stap + 文本,文本中实现函数
2、./stap.sh,脚本中注明脚本解释器
分析
下面脚本实现功能是打印出内核调用do_timer函数的信息。
#!/usr/bin/stap -v
probe kernel.function("do_timer").return {
printf("call do_timer from 0x%x\n", caller_addr());
}超级用户运行此脚本,打印如下:
[systemtap]$ sudo ./stap.sh
语法检查
Pass 1: parsed user script and 470 library scripts using 239544virt/41312res/3408shr/37952data kb, in 240usr/170sys/671real ms.
分析统计
Pass 2: analyzed script: 1 probe, 7 functions, 5 embeds, 0 globals using 365180virt/168216res/4760shr/163588data kb, in 1900usr/1930sys/6704real ms.
转换为C代码
Pass 3: translated to C into "/tmp/stapeLJkFD/stap_16b421a9b64012d46f93109e9c4710e2_4427_src.c" using 365180virt/168496res/5040shr/163588data kb, in 180usr/70sys/345real ms.
编译为内核ko模块
Pass 4: compiled C into "stap_16b421a9b64012d46f93109e9c4710e2_4427.ko" in 3200usr/1160sys/5194real ms.
加载运行
Pass 5: starting run.
WARNING: Missing unwind data for a module, rerun with 'stap -d kernel'
打印调用信息
call do_timer from 0xffff88003c603f80
call do_timer from 0xffff88003c683ea8地址信息需要使用addr2line工具进行转换才能看出函数名称。
修改脚本实现dump_stack函数功能。
#!/usr/bin/stap -v
probe kernel.function("do_timer").return {
print_backtrace();
printf("\n");
} 0xffffffff810eb9a0 : do_timer+0x0/0x20 [kernel]
0xffffffff810f2d00 : tick_do_update_jiffies64+0x70/0xd0 [kernel]
0xffffffff819afed0 : __end_rodata+0x3ed0/0x4000 [kernel]
0xffffffff810f3c77 : tick_nohz_idle_exit+0x67/0x150 [kernel] (inexact)
0xffffffff810e7cf1 : cpu_startup_entry+0x171/0x290 [kernel] (inexact)
0xffffffff81674627 : rest_init+0x77/0x80 [kernel] (inexact)
0xffffffff81b0a05a : start_kernel+0x42c/0x44d [kernel] (inexact)
0xffffffff81b09a37 : unknown_bootoption+0x0/0x186 [kernel] (inexact)
0xffffffff81b09120 : early_idt_handler+0x0/0xb7 [kernel] (inexact)
0xffffffff81b095ee : x86_64_start_reservations+0x2a/0x2c [kernel] (inexact)
0xffffffff81b09742 : x86_64_start_kernel+0x152/0x175 [kernel] (inexact)好处是不用重新编译和重新烧写或者启动内核,方便调试。
实现捕获进行切换的动作信息脚本如下:
#!/usr/bin/stap -v
probe kernel.function("__switch_to") {
if (tast_execname($next_p) == "vim") {
printf("switch from [%s] \t to \t [%s]\n",
task_execname($prev_p),
task_execname($next_p));
}
}
probe end {
printf("\nDONE\n");
}运行打印错误如下:
Pass 1: parsed user script and 470 library scripts using 239548virt/41316res/3408shr/37956data kb, in 220usr/70sys/287real ms.
WARNING: function __switch_to is blacklisted: keyword at ./stap.sh:3:1
source: probe kernel.function("__switch_to") {
^
semantic error: while resolving probe point: identifier 'kernel' at :3:7
source: probe kernel.function("__switch_to") {
^
semantic error: no match (similar functions: __switch_to, switch_mm, switch_idt, __stop_tx, __switch_to_xtra)
Pass 2: analyzed script: 1 probe, 0 functions, 0 embeds, 0 globals using 276036virt/78768res/4332shr/74444data kb, in 650usr/120sys/778real ms.
Pass 2: analysis failed. [man error::pass2]难道是我内核版本太低导致没有这个函数吗?没道理啊
ARM环境
版本4.0
Systemtap下载地址,下载后解压编译:
cd systemtap-4.0;mkdir build;cd build
../configure --host=arm-linux --prefix=$PWD CC=/home/wangyubo/ifoton/logread-build-tools/OS2000-70/openwrt/staging_dir/toolchain-arm_gcc-imx6ul/bin/arm-linux-gnueabihf-gcc问题1
configure: error: missing elfutils development headers/libraries (install elfutils-devel, libebl-dev, libdw-dev and/or libebl-devel)sudo yum install libdw-dev提示没有可用软件包 libdw-dev,手动网上下载libdw-dev,下载i386平台包,但格式是deb,安装alien工具转换为rpm:
sudo yum install alien
alien -r libdw-dev_0.175-2_i386.deb 进行转换
安装rmp包:
[yubo.wang@localhost systemtap]$ sudo rpm -ivh libdw-dev-0.175-3.i386.rpm
准备中... ################################# [100%]
file / from install of libdw-dev-0.175-3.i386 conflicts with file from package filesystem-3.2-21.el7.x86_64
file /usr/lib from install of libdw-dev-0.175-3.i386 conflicts with file from package filesystem-3.2-21.el7.x86_64
file /usr/include/elfutils/libdw.h from install of libdw-dev-0.175-3.i386 conflicts with file from package elfutils-devel-0.172-2.el7.x86_64
file /usr/include/elfutils/libdwelf.h from install of libdw-dev-0.175-3.i386 conflicts with file from package elfutils-devel-0.172-2.el7.x86_64安装成功后还是提示错误:
configure: error: missing elfutils development headers/libraries (install elfutils-devel, libebl-dev, libdw-dev and/or libebl-devel)为何? 难道要用Ubuntu才行吗?
直接使用命令在x86平台配置也失败:./configure【这里可以make编译试下?在ubuntu 14.04 x86环境安装了libdw-dev后配置后也是下面的打印,make编译通过】
configure: For a private or temporary build of systemtap, we recommend
configure: configuring with a prefix. For example, try
configure: ./configure python='/usr/bin/python2' pyexecdir='${exec_prefix}/lib64/python2.7/site-packages' --prefix=/home/yubo.wang/systemtap-4.0-104354
configure: Running systemtap uninstalled, entirely out of the build tree,
configure: is not supported.编译出版本信息如下,arm平台待验证。。。
切换版本
还是提示一样的问题,无改善,后续使用ubuntu测试一下,再不行的话就只有手写C代码,自己编译ko文件进行插入监测测试,需要使用到的函数:kprobe, jprobe, jretprobe