asda?‰PNG  IHDR ? f ??C1 sRGB ??é gAMA ±? üa pHYs ? ??o¨d GIDATx^íüL”÷e÷Y?a?("Bh?_ò???¢§?q5k?*:t0A-o??¥]VkJ¢M??f?±8\k2íll£1]q?ù???T # llseek _____________________________________________________ # long sys_llseek(unsigned int fd, # unsigned long offset_high, # unsigned long offset_low, # loff_t __user * result, # unsigned int whence) @define _SYSCALL_LLSEEK_NAME %( name = "llseek" %) @define _SYSCALL_LLSEEK_ARGSTR %( argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", fd, offset_high, offset_low, result_uaddr, whence_str) %) @define _SYSCALL_LLSEEK_REGARGS %( fd = int_arg(1) offset_high = ulong_arg(2) offset_low = ulong_arg(3) result_uaddr = pointer_arg(4) whence = uint_arg(5) whence_str = _seek_whence_str(whence) %) @define _SYSCALL_LLSEEK_REGARGS_STORE %( if (@probewrite(fd)) set_int_arg(1, fd) if (@probewrite(offset_high)) set_ulong_arg(2, offset_high) if (@probewrite(offset_low)) set_ulong_arg(3, offset_low) if (@probewrite(result_uaddr)) set_pointer_arg(4, result_uaddr) if (@probewrite(whence)) set_uint_arg(5, whence) %) probe syscall.llseek = dw_syscall.llseek !, nd_syscall.llseek ? {} probe syscall.llseek.return = dw_syscall.llseek.return !, nd_syscall.llseek.return ? {} # dw_llseek _____________________________________________________ probe dw_syscall.llseek = kernel.function("sys_llseek").call ? { @_SYSCALL_LLSEEK_NAME fd = __int32($fd) offset_high = $offset_high offset_low = $offset_low result_uaddr = $result whence = @choose_defined($whence, $origin) whence_str = _seek_whence_str(@choose_defined($whence, $origin)) @_SYSCALL_LLSEEK_ARGSTR } probe dw_syscall.llseek.return = kernel.function("sys_llseek").return ? { @_SYSCALL_LLSEEK_NAME @SYSC_RETVALSTR($return) } # nd_llseek _____________________________________________________ probe nd_syscall.llseek = nd1_syscall.llseek!, nd2_syscall.llseek!, tp_syscall.llseek { } probe nd1_syscall.llseek = kprobe.function("sys_llseek") ? { @_SYSCALL_LLSEEK_NAME asmlinkage() @_SYSCALL_LLSEEK_REGARGS @_SYSCALL_LLSEEK_ARGSTR } /* kernel 4.17+ */ probe nd2_syscall.llseek = kprobe.function(@arch_syscall_prefix "sys_llseek") ? { __set_syscall_pt_regs(pointer_arg(1)) @_SYSCALL_LLSEEK_NAME @_SYSCALL_LLSEEK_REGARGS @_SYSCALL_LLSEEK_ARGSTR }, { %( @_IS_SREG_KERNEL %? @_SYSCALL_LLSEEK_REGARGS_STORE %) } /* kernel 3.5+, but undesirable because it affects all syscalls */ probe tp_syscall.llseek = kernel.trace("sys_enter") { __set_syscall_pt_regs($regs) @__syscall_compat_gate(@const("__NR__llseek"), @const("__NR_compat__llseek")) @_SYSCALL_LLSEEK_NAME @_SYSCALL_LLSEEK_REGARGS @_SYSCALL_LLSEEK_ARGSTR }, { %( @_IS_SREG_KERNEL %? @_SYSCALL_LLSEEK_REGARGS_STORE %) } probe nd_syscall.llseek.return = nd1_syscall.llseek.return!, nd2_syscall.llseek.return!, tp_syscall.llseek.return { } probe nd1_syscall.llseek.return = kprobe.function("sys_llseek").return ? { @_SYSCALL_LLSEEK_NAME @SYSC_RETVALSTR(returnval()) } /* kernel 4.17+ */ probe nd2_syscall.llseek.return = kprobe.function(@arch_syscall_prefix "sys_llseek").return ? { @_SYSCALL_LLSEEK_NAME @SYSC_RETVALSTR(returnval()) } /* kernel 3.5+, but undesirable because it affects all syscalls */ probe tp_syscall.llseek.return = kernel.trace("sys_exit") { __set_syscall_pt_regs($regs) @__syscall_compat_gate(@const("__NR__llseek"), @const("__NR_compat__llseek")) @_SYSCALL_LLSEEK_NAME @SYSC_RETVALSTR($ret) }