PAL.C.T MINI SHELL
# IA64 system calls
# In kernels < 2.6.33, mmap()/mmap2() was handled by arch-specific
# code. In kernels >= 2.6.33, the arch-specific code just calls
# generic sys_mmap_pgoff().
%( kernel_v < "2.6.33" %?
# mmap
# sys_mmap (unsigned long addr, unsigned long len, int prot, int flags, int fd, long off)
#
probe nd_syscall.mmap = kprobe.function("sys_mmap") ?
{
name = "mmap"
asmlinkage()
start = ulong_arg(1)
len = ulong_arg(2)
prot = int_arg(3)
flags = int_arg(4)
fd = int_arg(5)
offset = long_arg(6)
argstr = sprintf("%p, %u, %s, %s, %d, %d", start, len,
_mprotect_prot_str(prot), _mmap_flags(flags), fd, offset)
}
probe nd_syscall.mmap.return = kprobe.function("sys_mmap").return ?
{
name = "mmap"
retstr = returnstr(2)
}
# mmap2
# sys_mmap2 (unsigned long addr, unsigned long len, int prot, int flags, int fd, long pgoff)
probe nd_syscall.mmap2 = kprobe.function("sys_mmap2") ?
{
name = "mmap2"
asmlinkage()
start = ulong_arg(1)
length = ulong_arg(2)
prot = int_arg(3)
flags = int_arg(4)
fd = int_arg(5)
pgoffset = long_arg(6)
argstr = sprintf("%p, %u, %s, %s, %d, %d", start, length,
_mprotect_prot_str(prot), _mmap_flags(flags), fd, pgoffset)
}
probe nd_syscall.mmap2.return = kprobe.function("sys_mmap2").return ?
{
name = "mmap2"
retstr = returnstr(2)
}
%)
%( CONFIG_GENERIC_SIGALTSTACK == "n" || kernel_v < "3.8" %?
# sigaltstack _______________________________________________
# asmlinkage long
# sys_sigaltstack (const stack_t __user *uss, stack_t __user *uoss, long arg2,
# long arg3, long arg4, long arg5, long arg6, long arg7,
# struct pt_regs regs)
#
probe nd_syscall.sigaltstack = kprobe.function("sys_sigaltstack")
{
name = "sigaltstack";
asmlinkage()
uss_uaddr = pointer_arg(1)
uoss_uaddr = pointer_arg(2)
%(systemtap_v <= "2.8" %?
ss_uaddr = uss_uaddr
oss_uaddr = uoss_uaddr
%)
argstr = sprintf("%s, %p", _stp_sigaltstack_u(uss_uaddr), uoss_uaddr)
}
probe nd_syscall.sigaltstack.return = kprobe.function("sys_sigaltstack").return
{
name = "sigaltstack";
retstr = returnstr(1)
}
%)
# sysctl _____________________________________________________
#
# long sys32_sysctl (struct sysctl32 __user *args)
#
probe nd_syscall.sysctl32 = kprobe.function("sys32_sysctl") ?
{
name = "sysctl"
// argstr = sprintf("%p", $args)
asmlinkage()
argstr = sprintf("%p", pointer_arg(1))
}
probe nd_syscall.sysctl32.return = kprobe.function("sys32_sysctl").return ?
{
name = "sysctl"
retstr = returnstr(1)
}
%( kernel_v < "3.7" %?
# execve _____________________________________________________
#
# In kernels < 3.7, sys_execve() was in arch-specific code (and had
# varying arguments). It was just a wrapper around generic
# do_execve(), but the wrapper could error out before calling
# do_execve(). So, we'll have to handle it in arch-specific tapset
# code to catch all calls.
#
# long sys_execve (char __user *filename, char __user * __user *argv,
# char __user * __user *envp, struct pt_regs *regs)
probe nd_syscall.execve = kprobe.function("sys_execve")
{
name = "execve"
filename = user_string_quoted(pointer_arg(1))
args = __get_argv(pointer_arg(2), 0)
env_str = __count_envp(pointer_arg(3))
argstr = sprintf("%s, %s, %s", filename, args, env_str)
}
probe nd_syscall.execve.return = kprobe.function("sys_execve").return
{
name = "execve"
retstr = returnstr(1)
}
%)
y~or�5J�={Ee�u磝Qk���ᯘG{?+]ן?�wM3X�^歌>{7پK>on\jy�R�g/=fOr�oNVv~Y+�NGuÝHWyw[eQʨSb>�>}Gmx[o[<�{Ϯ_qF�vM����IENDB`