Juhasz Balint
2009-Dec-08 16:27 UTC
[dtrace-discuss] syscall::open:entry predicate problem
Hi! I have a problem with my script:

# cat process_ps.d
#!/usr/sbin/dtrace -qs
#pragma D option quiet

syscall::open:entry
/ (arg0 != NULL) && ( execname == "ps" ) && ( copyinstr(arg0) == "/proc/1305/psinfo" ) /
{
        printf("%s:%s:%s:%s\t->\t%s (%d)\n", probeprov, probemod,
            probefunc, probename, copyinstr(arg0), strlen(copyinstr(arg0)));
}

The output of this script:

# ./process_ps.d
syscall::open:entry -> /proc/1305/psinfo (17)
syscall::open:entry -> /proc/1305/psinfo (17)
dtrace: error on enabled probe ID 1 (ID 4538: syscall::open:entry): invalid address (0xff358000) in predicate at DIF offset 120
dtrace: error on enabled probe ID 1 (ID 4538: syscall::open:entry): invalid address (0xff358000) in predicate at DIF offset 120
syscall::open:entry -> /proc/1305/psinfo (17)
syscall::open:entry -> /proc/1305/psinfo (17)
syscall::open:entry -> /proc/1305/psinfo (17)
dtrace: error on enabled probe ID 1 (ID 4538: syscall::open:entry): invalid address (0xff358000) in predicate at DIF offset 120
syscall::open:entry -> /proc/1305/psinfo (17)
dtrace: error on enabled probe ID 1 (ID 4538: syscall::open:entry): invalid address (0xff358000) in predicate at DIF offset 120
syscall::open:entry -> /proc/1305/psinfo (17)
dtrace: error on enabled probe ID 1 (ID 4538: syscall::open:entry): invalid address (0xff358000) in predicate at DIF offset 120
syscall::open:entry -> /proc/1305/psinfo (17)
dtrace: error on enabled probe ID 1 (ID 4538: syscall::open:entry): invalid address (0xff358000) in predicate at DIF offset 120
syscall::open:entry -> /proc/1305/psinfo (17)
syscall::open:entry -> /proc/1305/psinfo (17)
dtrace: error on enabled probe ID 1 (ID 4538: syscall::open:entry): invalid address (0xff358000) in predicate at DIF offset 120
syscall::open:entry -> /proc/1305/psinfo (17)
...

1. Question: I don't understand why there are these "invalid address (0xff358000) in predicate at DIF offset 120" errors.

If I modify my script:

# cat process_ps.d
#!/usr/sbin/dtrace -qs
#pragma D option quiet

BEGIN {
        printf("Your parameter(s):\t%s\n", $$1);
        self->pida = strjoin(strjoin("/proc/",$$1),"/psinfo");
        printf("New variable(s):\t%s (%d)\n", self->pida, strlen(self->pida));
}

syscall::open:entry
/ (arg0 != NULL) && ( execname == "ps" ) && ( copyinstr(arg0) == self->pida ) /
{
        printf("%s:%s:%s:%s\t->\t%s (%d)\n", probeprov, probemod,
            probefunc, probename, copyinstr(arg0), strlen(copyinstr(arg0)));
}

# ./process_ps.d 1305
Your parameter(s): 1305
New variable(s): /proc/1305/psinfo (17)
dtrace: error on enabled probe ID 2 (ID 4538: syscall::open:entry): invalid address (0xff358000) in predicate at DIF offset 120
dtrace: error on enabled probe ID 2 (ID 4538: syscall::open:entry): invalid address (0xff358000) in predicate at DIF offset 120
...

and it writes nothing.

2. Question: I don't understand why it happens. I think the error is in "( copyinstr(arg0) == self->pida )", but I think the syntax is OK.

Thanks a lot.

Br.:
Cni
Jonathan Adams
2009-Dec-08 18:08 UTC
[dtrace-discuss] syscall::open:entry predicate problem
On Tue, Dec 08, 2009 at 05:27:58PM +0100, Juhasz Balint wrote:
> Hy!
>
> I have a problem with my script:
> # cat process_ps.d
> #!/usr/sbin/dtrace -qs
> #pragma D option quiet
>
> syscall::open:entry
> / (arg0 != NULL) && ( execname == "ps" ) && ( copyinstr(arg0) ==
> "/proc/1305/psinfo" ) /
> {
> printf("%s:%s:%s:%s\t->\t%s (%d)\n", probeprov, probemod,
> probefunc, probename, copyinstr(arg0), strlen(copyinstr(arg0)));
> }
>
> The output of this script:
>
> # ./process_ps.d
> syscall::open:entry -> /proc/1305/psinfo (17)
> syscall::open:entry -> /proc/1305/psinfo (17)
> dtrace: error on enabled probe ID 1 (ID 4538: syscall::open:entry):
> invalid address (0xff358000) in predicate at DIF offset 120
> dtrace: error on enabled probe ID 1 (ID 4538: syscall::open:entry):
> invalid address (0xff358000) in predicate at DIF offset 120
> syscall::open:entry -> /proc/1305/psinfo (17)
> syscall::open:entry -> /proc/1305/psinfo (17)
> syscall::open:entry -> /proc/1305/psinfo (17)
> dtrace: error on enabled probe ID 1 (ID 4538: syscall::open:entry):
> invalid address (0xff358000) in predicate at DIF offset 120
> syscall::open:entry -> /proc/1305/psinfo (17)
> dtrace: error on enabled probe ID 1 (ID 4538: syscall::open:entry):
> invalid address (0xff358000) in predicate at DIF offset 120
> syscall::open:entry -> /proc/1305/psinfo (17)
> dtrace: error on enabled probe ID 1 (ID 4538: syscall::open:entry):
> invalid address (0xff358000) in predicate at DIF offset 120
> syscall::open:entry -> /proc/1305/psinfo (17)
> dtrace: error on enabled probe ID 1 (ID 4538: syscall::open:entry):
> invalid address (0xff358000) in predicate at DIF offset 120
> syscall::open:entry -> /proc/1305/psinfo (17)
> syscall::open:entry -> /proc/1305/psinfo (17)
> dtrace: error on enabled probe ID 1 (ID 4538: syscall::open:entry):
> invalid address (0xff358000) in predicate at DIF offset 120
> syscall::open:entry -> /proc/1305/psinfo (17)
> ...

This is a classic userland data access issue; if the memory holding the string has not been touched by either the program or the kernel, it's not possible to map it in from a dtrace probe. The usual workaround is to delay doing the copyin until after the kernel has read the string, typically by using the return probe. Your script would look like:

--- cut here ---
#!/usr/sbin/dtrace -s

dtrace:::BEGIN
{
        printf("Parameter(s):\t%s\n", $$1);
}

syscall::open:entry
/ arg0 != NULL && execname == "ps" /
{
        self->file = arg0;
}

syscall::open:return
/ self->file && copyinstr(self->file) == ("/proc/" + $$1 + "/psinfo") /
{
        printf("%s:%s:%s:%s\t->\t%s (%d)\n", probeprov, probemod,
            probefunc, probename, copyinstr(self->file),
            strlen(copyinstr(self->file)));
}

/* free the thread-local variable after we're done, or if the thread exits */
syscall::open:return, proc:::lwp-exit
/self->file/
{
        self->file = 0;
}
--- cut here ---

Make sense?

Cheers,
- jonathan

> 1. question:
> I doesn't understand why are there these "invalid address (0xff358000)
> in predicate at DIF offset 120" errors.
>
> If i modify my script:
> # cat process_ps.d
> #!/usr/sbin/dtrace -qs
> #pragma D option quiet
>
> BEGIN {
> printf("Your parameter(s):\t%s\n", $$1);
> self->pida = strjoin(strjoin("/proc/",$$1),"/psinfo");
> printf("New variable(s):\t%s (%d)\n", self->pida, strlen(self->pida));
> }
>
> syscall::open:entry
> / (arg0 != NULL) && ( execname == "ps" ) && ( copyinstr(arg0) == self->pida ) /
> {
> printf("%s:%s:%s:%s\t->\t%s (%d)\n", probeprov, probemod,
> probefunc, probename, copyinstr(arg0), strlen(copyinstr(arg0)));
> }
>
> # ./process_ps.d 1305
> Your parameter(s): 1305
> New variable(s): /proc/1305/psinfo (17)
> dtrace: error on enabled probe ID 2 (ID 4538: syscall::open:entry):
> invalid address (0xff358000) in predicate at DIF offset 120
> dtrace: error on enabled probe ID 2 (ID 4538: syscall::open:entry):
> invalid address (0xff358000) in predicate at DIF offset 120
> ... and write nothing ...
>
> 2. question
> I don't understand why it is happen, i think the error is in "(
> copyinstr(arg0) == self->pida )" but i think the syntax is ok.
>
> Thanks a lot.
>
> Br.:
> Cni
Juhasz Balint
2009-Dec-08 21:10 UTC
[dtrace-discuss] syscall::open:entry predicate problem
Hello!

Thanks a lot for the answer. What you use in your script doesn't work in my script:

...
/ (arg0 != NULL) && (execname == "ps") && (copyinstr(arg0) == ("/proc/"+$$1+"/psinfo")) /
...

This was the error:

$ ./process_ps.d 905
dtrace: failed to compile script ./process_ps.d: line 11: operands have incompatible types: "string" + "string"

but with this

/ (arg0 != NULL) && (execname == "ps") && (copyinstr(arg0) == strjoin(strjoin("/proc/",$$1),"/psinfo")) /

it is working fine.

To understand what my goal is:

$ ./process_ps.d 905
Your parameter(s): 905
Current pid: 990
Current pid: 990
dtrace: error on enabled probe ID 2 (ID 46032: syscall::open:entry): invalid address (0xd2786f9f) in predicate at DIF offset 120
syscall::open:entry -> /proc/905/psinfo (16)
syscall::open:entry -> xxxxxyyyyypsinfo (Modified)
syscall::open:entry -> /proc/990/psinfo (16)
syscall::open:entry -> xxxxxyyyyypsinfo (Modified)
^C

The script:

$ cat process_ps.d
#!/usr/sbin/dtrace -qs
#pragma D option quiet
#pragma D option destructive

BEGIN {
        printf("Your parameter(s):\t%s\n", $$1);
        printf("Current pid: %d\n", $pid);
        printf("Current pid: %s\n", lltostr($pid));
}

syscall::open:entry
/ (arg0 != NULL) && (execname == "ps") &&
  ((copyinstr(arg0) == strjoin(strjoin("/proc/",$$1),"/psinfo")) ||
   (copyinstr(arg0) == strjoin(strjoin("/proc/",lltostr($pid)),"/psinfo"))) /
{
        printf("%s:%s:%s:%s\t->\t%s (%d)\n", probeprov, probemod,
            probefunc, probename, copyinstr(arg0), strlen(copyinstr(arg0)));
        copyoutstr("xxxxxyyyyy", arg0, 10);
        printf("%s:%s:%s:%s\t->\t%s (Modified)\n", probeprov, probemod,
            probefunc, probename, copyinstr(arg0));
}

The result (output) on another terminal:

When the script is not running:

$ ps -ef | egrep -i "dtrace|fsf|terminal" | grep -iv grep
root 3 0 0 20:25:14 ? 0:04 fsflush
root 905 1 2 20:37:17 ? 0:55 /usr/bin/gnome-terminal

After I start running the script:

$ ps -ef | egrep -i "dtrace|fsf|terminal" | grep -iv grep
root 3 0 0 20:25:14 ? 0:04 fsflush

After I cancel the script:

$ ps -ef | egrep -i "dtrace|fsf|terminal" | grep -iv grep
root 3 0 0 20:25:14 ? 0:04 fsflush
root 905 1 2 20:37:17 ? 0:55 /usr/bin/gnome-terminal

My problem was how I can modify ps output. After I checked ps's syscalls (I didn't check kernel-space calls, just syscalls), I found that syscall::open:entry asks for info about the process, and syscall::write:return writes the data to the terminal/console etc. If you modify the syscall::open:entry call into a wrong call, the result will be an error and the syscall::write:return doesn't contain the error string.

Cni

2009/12/8 Jonathan Adams <jonathan.adams at sun.com>:
>
> This is a classic userland data access issue; if the memory holding the
> string has not been touched by either the program or the kernel, it's not
> possible to map it in from a dtrace probe. The usual workaround is to delay
> doing the copyin until after the kernel has read the string, typically by
> using the return probe. Your script would look like:
>
> --- cut here ---
> #!/usr/sbin/dtrace -s
>
> dtrace:::BEGIN
> {
>         printf("Parameter(s):\t%s\n", $$1);
> }
>
> syscall::open:entry
> / arg0 != NULL && execname == "ps" /
> {
>         self->file = arg0;
> }
>
> syscall::open:return
> / self->file && copyinstr(self->file) == ("/proc/" + $$1 + "/psinfo") /
> {
>         printf("%s:%s:%s:%s\t->\t%s (%d)\n", probeprov, probemod,
>             probefunc, probename, copyinstr(self->file),
>             strlen(copyinstr(self->file)));
> }
>
> /* free the thread-local variable after we're done, or if the thread exits */
> syscall::open:return, proc:::lwp-exit
> /self->file/
> {
>         self->file = 0;
> }
> --- cut here ---
>
> Make sense?
>
> Cheers,
> - jonathan
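The two findings of the thread combined into one observe-only script, written here as an added example and not taken from either poster: the path is built with strjoin (the compile error above shows D has no string "+"), only the user pointer is saved at open:entry, and copyinstr runs in open:return after the kernel has already faulted the string in. The global `target` is my own addition; a `self->` variable set in BEGIN, as in the second script of the first post, lives on the dtrace consumer's thread and is never visible in probes firing in ps's threads.

```d
#!/usr/sbin/dtrace -s
#pragma D option quiet

/*
 * Build the path once, in a global (not self->), so every thread's
 * probes can compare against it. D strings do not support "+".
 */
dtrace:::BEGIN
{
        target = strjoin(strjoin("/proc/", $$1), "/psinfo");
        printf("Watching for ps opening %s\n", target);
}

/* Only remember the user pointer here; do not dereference it yet. */
syscall::open:entry
/ arg0 != NULL && execname == "ps" /
{
        self->file = arg0;
}

/*
 * By the return probe the kernel has read the path, so copyinstr in the
 * predicate no longer faults with "invalid address". arg0 here is the
 * syscall's return value (the fd, or -1 on failure).
 */
syscall::open:return
/ self->file && copyinstr(self->file) == target /
{
        printf("%s:%s:%s:%s\t->\t%s (%d) fd=%d\n", probeprov, probemod,
            probefunc, probename, copyinstr(self->file),
            strlen(copyinstr(self->file)), arg0);
}

/* Release the thread-local on every return and when the thread exits. */
syscall::open:return, proc:::lwp-exit
/ self->file /
{
        self->file = 0;
}
```

Run it as `./process_ps.d <pid>`; it only reports the opens, it does not use destructive actions.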
Hi,

What exactly are you trying to achieve here?

-- This message posted from opensolaris.org

Hi,

Sorry, but why do you want to modify the output of ps?

Thanks
Al

Sorry to be a pain here, but

> My problem was how can i modify ps output, after i check ps's syscalls
> (i don't check kernel space calls, just syscalls), i find
> syscall::open:entry ask info about the process, and
> syscall::write:return write the data to the terminal/console etc.....

Does this not seem to be a way of asking how to hide the output when looking for a particular string, i.e. in a ps, more of a rootkit type idea? I may be way wrong here....
Juhasz Balint
2009-Dec-08 23:23 UTC
[dtrace-discuss] syscall::open:entry predicate problem
Hi!

When I started thinking about this (ps or process handling) problem (it was a sidetrack of one of my previous projects), I was thinking about a technical problem, not about rootkits or anything else. Now that we see this problem we can think about how we can correct process checking, for example comparing ps output lines with the /proc pid directories (it is a simple script), or we can build some similar checks into ps. This is a technical forum for dtrace; I always think about the technical problems, and I think if the admins don't want to see my letter on the mailing list/forum, or it conflicts with any mailing list policy, they will remove it. It is like a proof of concept script.

Cni

(At my workplace I am currently working on some dtrace scripts for Oracle and for Solaris 10 performance tuning.)

(Sorry for the non-technical letter; if somebody has a non-technical comment on this post, please write it directly to me, not to the list.)

2009/12/8 Allan <Allan.McAleavy at gmail.com>:
> Sorry to be a pain here but
>
> My problem was how can i modify ps output, after i check ps's syscalls
> (i don't check kernel space calls, just syscalls), i find
> syscall::open:entry ask info about the process, and
> syscall::write:return write the data to the terminal/console etc.....
>
> Does this not seem to be a way of asking how to hide the output when looking for a particular string i.e in a ps , more of a rootkit type idea. I may be way wrong here....
> --
> This message posted from opensolaris.org