[Lguest] probing the guest os kernel code ?

dylan weijunliu at yahoo.cn
Wed Nov 25 18:31:04 EST 2009


I want to collect information about the guest OS, so I am probing the guest OS
kernel code using kprobes.
First, I run a guest OS (linux-2.6.31) under lguest and insmod the
following module -- the code is as follows.

@%@%> insmod /home/lguest_kprobe_example.ko
[ 11.592410] Planted kprobe at c0163430

The result above looks right, but when I run the "dmesg" command to view the printed
output, the results are as follows:

@%@%> dmesg
[ 85.056197] pre_handler1: p->addr = 0xc0163430, ip = c0163431, flags = 
0x286
[ 85.056249] pre_handler2: p->symbol_name=do_fork, p->opcode=85
lguest: Bad address 0xc3a37c34

I think something goes wrong when the probe is hit, especially when trapping into the
kernel, but I don't know the details.
Please give me some advice and solutions.



#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/kprobes.h>

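/*
 * For each probe you need to allocate a kprobe structure.  Only the
 * symbol name is given statically; register_kprobe() resolves it to
 * an address (kp.addr) and the handlers are attached in kprobe_init().
 *
 * The designated initializer is spelled ".symbol_name" (a single dot);
 * the doubled dot in the posted listing does not compile.
 */
static struct kprobe kp = {
	.symbol_name = "do_fork",
};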

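/*
 * kprobe pre_handler: called just before the probed instruction is
 * executed.  Probe handlers run with preemption disabled, so nothing in
 * here may sleep; printk is fine.
 *
 * @p:    the kprobe that fired (address, symbol name and the instruction
 *        byte kprobes saved when it planted the breakpoint)
 * @regs: register state at the probe point
 *
 * Returns 0 so that kprobes continues normally and single-steps the
 * original instruction.
 */
static int handler_pre(struct kprobe *p, struct pt_regs *regs)
{
#ifdef CONFIG_X86
	printk(KERN_INFO "pre_handler1: p->addr = 0x%p, ip = %lx,"
	       " flags = 0x%lx\n", p->addr, regs->ip, regs->flags);

	/* Format string kept on one line: a literal broken across lines
	 * (as in the posted listing) is a compile error. */
	printk(KERN_INFO "pre_handler2: p->symbol_name=%s, p->opcode=%d\n",
	       p->symbol_name, p->opcode);
#endif
#ifdef CONFIG_PPC
	printk(KERN_INFO "pre_handler: p->addr = 0x%p, nip = 0x%lx,"
	       " msr = 0x%lx\n",
	       p->addr, regs->nip, regs->msr);
#endif

	/* A dump_stack() here will give a stack backtrace */
	return 0;
}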

/*
 * kprobe post_handler: called after the probed instruction has been
 * executed (single-stepped).  Runs with preemption disabled like the
 * pre_handler; it only logs the probe address and the architecture's
 * status register.
 *
 * @p:     the kprobe that fired
 * @regs:  register state after the probed instruction
 * @flags: not used by this handler
 */
static void handler_post(struct kprobe *p, struct pt_regs *regs,
			 unsigned long flags)
{
	(void)flags;

#if defined(CONFIG_X86)
	unsigned long eflags = regs->flags;

	printk(KERN_INFO "post_handler: p->addr = 0x%p, flags = 0x%lx\n",
	       p->addr, eflags);
#endif
#if defined(CONFIG_PPC)
	unsigned long msr = regs->msr;

	printk(KERN_INFO "post_handler: p->addr = 0x%p, msr = 0x%lx\n",
	       p->addr, msr);
#endif
}

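/*
 * fault_handler: this is called if an exception is generated for any
 * instruction within the pre- or post-handler, or when Kprobes
 * single-steps the probed instruction.
 *
 * @p:      the kprobe whose handler (or single-step) faulted
 * @regs:   register state at the fault
 * @trapnr: architecture trap number of the exception
 *
 * Returns 0: the fault is not handled here, so kprobes hands it to the
 * kernel's normal fault handling.
 */
static int handler_fault(struct kprobe *p, struct pt_regs *regs, int trapnr)
{
	/* The posted listing ended the format with "n" instead of "\n",
	 * which ran this message into the next log line. */
	printk(KERN_INFO "fault_handler: p->addr = 0x%p, trap #%d\n",
	       p->addr, trapnr);
	/* Return 0 because we don't handle the fault. */
	return 0;
}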

/*
 * Module entry point: attach the three handlers to @kp and register the
 * probe on the symbol named in @kp.  On success kp.addr holds the
 * resolved address, which is logged raw via %p (it ends up in dmesg).
 *
 * Returns 0 on success, or the negative error code from
 * register_kprobe() on failure.
 */
static int __init kprobe_init(void)
{
	int err;

	kp.pre_handler   = handler_pre;
	kp.post_handler  = handler_post;
	kp.fault_handler = handler_fault;

	err = register_kprobe(&kp);
	if (err >= 0) {
		printk(KERN_INFO "Planted kprobe at %p\n", kp.addr);
		return 0;
	}

	printk(KERN_INFO "register_kprobe failed, returned %d\n", err);
	return err;
}

/*
 * Module exit: remove the probe, then report the address it was planted
 * at.  @kp is a static object, so reading kp.addr after unregistering is
 * still valid memory.
 */
static void __exit kprobe_exit(void)
{
	void *where;

	unregister_kprobe(&kp);
	where = kp.addr;
	printk(KERN_INFO "kprobe at %p unregistered\n", where);
}

/* Entry/exit hooks; no trailing semicolon is needed after these macros. */
module_init(kprobe_init)
module_exit(kprobe_exit)
/* register_kprobe() is a GPL-only export, so the module must declare GPL. */
MODULE_LICENSE("GPL");





