Playing with uprobes and influx

uprobe-influx.txt

1. Calculate the offset

offset(fn) = virtual_address(fn) - virtual_address(.text) + offset(.text)


2. Virtual address: 
readelf -S /home/fntlnz/go/bin/influx | grep -i text
  [ 1] .text             PROGBITS         0000000000401000  00001000

So, virtual address= 0x0000000000401000
And, offset= 0x00001000


3. Va of the function:
 objdump -t /home/fntlnz/go/bin/influxd |grep ExecuteQuery
0000000000852da0 g     F .text  00000000000000ea              github.com/influxdata/influxdb/query.(*QueryExecutor).ExecuteQuery

so, the VA is: 0x0000000000852da0



4. final calculation:
0x0000000000852da0 - 0x0000000000401000 + 0x00001000 = 0x452DA0


5. Final uprobe:
echo "p:p_ExecuteQuery /home/fntlnz/go/bin/influxd:0x452DA0 %ip %ax" > /sys/kernel/debug/tracing/uprobe_events



6. Now enable

 echo 1 > /sys/kernel/debug/tracing/events/uprobes/enable


7. Get the results

cat /sys/kernel/debug/tracing/trace


8. Get some statistics

cat /sys/kernel/debug/tracing/uprobe_profile 


9. Play with format

/sys/kernel/debug/tracing/events/uprobes/p_ExecuteQuery/


10. Define an uretprobe for sprintf

objdump -t /home/fntlnz/go/bin/influxd | grep Sprintf
00000000004c35e0 g     F .text  00000000000000e2              fmt.Sprintf

so, the VA is: 00000000004c35e0

calculation in this case using the same virtual address and offset.

0x00000000004c35e0 - 0x0000000000401000 + 0x00001000 = 0xc35e0

echo 'r:p_sprintf /home/fntlnz/go/bin/influxd:0xc35e0 +0($retval):string' > /sys/kernel/debug/tracing/uprobe_events

11. Record the uprobes and uretprobes with `kernelshark`


12. clear all events

echo > /sys/kernel/debug/tracing/uprobe_events

Read more at: https://www.kernel.org/doc/html/latest/trace/uprobetracer.html?highlight=uprobe#synopsis-of-uprobe-tracer