demo

2023-05-09 01:03:55 +08:00
parent 7f1d3e37d3
commit 49904f5cb5
6 changed files with 233 additions and 2 deletions
--- a/ebpf/core.ebpf.c
+++ b/ebpf/core.ebpf.c
@@ -0,0 +1,35 @@
+#include <uapi/linux/ptrace.h>
+#include <linux/sched.h>
+
+struct event_data_t {
+    int type;
+    u32 pid;
+    u32 ppid;
+} __attribute__((packed));
+
+BPF_PERF_OUTPUT(events);
+
+int trace_process_start(struct pt_regs *ctx, struct filename *filename) {
+    struct event_data_t event_data;
+
+    u32 pid = bpf_get_current_pid_tgid();
+    u32 ppid = bpf_get_current_pid_tgid() >> 32;
+    event_data.type = 0;
+    event_data.pid = pid;
+    event_data.ppid = ppid;
+    events.perf_submit(ctx, &event_data, sizeof(event_data));
+    return 0;
+}
+
+int trace_process_exit(struct pt_regs *ctx) {
+    struct event_data_t event_data;
+
+    u32 pid = bpf_get_current_pid_tgid();
+    u32 ppid = bpf_get_current_pid_tgid() >> 32;
+    event_data.type = 1;
+    event_data.pid = pid;
+    event_data.ppid = ppid;
+    events.perf_submit(ctx, &event_data, sizeof(event_data));
+
+    return 0;
+}