Skip to content

Instantly share code, notes, and snippets.

@fntlnz
Last active September 17, 2018 18:59
Show Gist options
  • Save fntlnz/96a6d7bdd9881420c28e6454b8f7b91e to your computer and use it in GitHub Desktop.
Save fntlnz/96a6d7bdd9881420c28e6454b8f7b91e to your computer and use it in GitHub Desktop.
Playing with uprobes and influx
1. Calculate the offset
offset(fn) = virtual_address(fn) - virtual_address(.text) + offset(.text)
2. Virtual address:
readelf -S /home/fntlnz/go/bin/influx | grep -i text
[ 1] .text PROGBITS 0000000000401000 00001000
So, virtual address= 0x0000000000401000
And, offset= 0x00001000
3. Va of the function:
objdump -t /home/fntlnz/go/bin/influxd |grep ExecuteQuery
0000000000852da0 g F .text 00000000000000ea github.com/influxdata/influxdb/query.(*QueryExecutor).ExecuteQuery
so, the VA is: 0x0000000000852da0
4. final calculation:
0x0000000000852da0 - 0x0000000000401000 + 0x00001000 = 0x452DA0
5. Final uprobe:
echo "p:p_ExecuteQuery /home/fntlnz/go/bin/influxd:0x452DA0 %ip %ax" > /sys/kernel/debug/tracing/uprobe_events
6. Now enable
echo 1 > /sys/kernel/debug/tracing/events/uprobes/enable
7. Get the results
cat /sys/kernel/debug/tracing/trace
8. Get some statistics
cat /sys/kernel/debug/tracing/uprobe_profile
9. Play with format
/sys/kernel/debug/tracing/events/uprobes/p_ExecuteQuery/
10. Define an uretprobe for sprintf
objdump -t /home/fntlnz/go/bin/influxd | grep Sprintf
00000000004c35e0 g F .text 00000000000000e2 fmt.Sprintf
so, the VA is: 00000000004c35e0
calculation in this case using the same virtual address and offset.
0x00000000004c35e0 - 0x0000000000401000 + 0x00001000 = 0xc35e0
echo 'r:p_sprintf /home/fntlnz/go/bin/influxd:0xc35e0 +0($retval):string' > /sys/kernel/debug/tracing/uprobe_events
11. Record the uprobes and uretprobes with `kernelshark`
12. clear all events
echo > /sys/kernel/debug/tracing/uprobe_events
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment