the same code as bash_kern.c in <a href="https://github.com/iovisor/bcc/blob/master/to

the code <div class="highlight highlight-source-python notranslate position-relati

A question about ecapture HOT 4 CLOSED

gojue commented on May 18, 2024

A question

from ecapture.

Comments (4)

cfc4n commented on May 18, 2024 1

the same code as bash_kern.c in https://github.com/iovisor/bcc/blob/master/tools/bashreadline.py

from ecapture.

huzai9527 commented on May 18, 2024

when i use BCC to impliment bash-kern, I always get such as the picture show

the code just as same as the kern/bash_kern.c, can you tell me what's wrong?
THANK YOU!

from ecapture.

huzai9527 commented on May 18, 2024

the code

from bcc import BPF
from time import sleep
text = """
#include <uapi/linux/ptrace.h>
struct event_data_t {
	u32 pid;
	u8 line[80];
	char comm[16];
};
BPF_PERF_OUTPUT(listen_evt);
int uretprobe_bash_readline(struct pt_regs *ctx) {
    s64 pid_tgid = bpf_get_current_pid_tgid();
    int pid = pid_tgid >> 32;
    struct event_data_t event = {};
    event.pid = pid;
    bpf_get_current_comm(&event.comm, sizeof(event.comm));
    bpf_probe_read(&event.line, sizeof(event.line), (void *)PT_REGS_RC(ctx));
    listen_evt.perf_submit(ctx, &event, sizeof(event));
    return 0;
}

"""
from  ctypes import *
b = BPF(text=text)
b.attach_uprobe(name="/bin/bash",sym="readline",fn_name="uretprobe_bash_readline")


def print_event(cpu, data, size):
  event = b["listen_evt"].event(data)
  #line = bytearray(event.line).decode()
  print("Rcv Event %d, %s,%s"%(event.pid, event.comm,bytes(event.line)))
b["listen_evt"].open_perf_buffer(print_event)

while True:
    try:
        b.perf_buffer_poll()
    except:
        exit()