Sindbad~EG File Manager
# readahead __________________________________________________
#
# asmlinkage ssize_t
# sys_readahead(int fd,
# loff_t offset,
# size_t count)
#
@define _SYSCALL_READAHEAD_NAME
%(
name = "readahead"
%)
@define _SYSCALL_READAHEAD_ARGSTR
%(
argstr = sprintf("%d, %d, %u", fd, offset, count)
%)
@define _SYSCALL_READAHEAD_REGARGS_STORE
%(
if (@probewrite(fd))
set_int_arg(1, fd)
%( CONFIG_64BIT == "y" %?
if (@probewrite(offset))
set_longlong_arg(2, offset)
if (@probewrite(count))
set_ulong_arg(3, count)
%:
if (@probewrite(offset))
set_longlong_arg(2, offset)
if (@probewrite(count))
set_ulong_arg(4, count)
%)
%)
probe syscall.readahead = dw_syscall.readahead !, nd_syscall.readahead ? {}
probe syscall.readahead.return = dw_syscall.readahead.return !,
nd_syscall.readahead.return ? {}
# dw_readahead _____________________________________________________
probe dw_syscall.readahead = kernel.function("sys_readahead").call
{
@__syscall_gate_compat_simple
@_SYSCALL_READAHEAD_NAME
fd = __int32($fd)
offset = $offset
%( CONFIG_64BIT == "y" %?
count = $count
%:
count = __uint32($count)
%)
@_SYSCALL_READAHEAD_ARGSTR
}
probe dw_syscall.readahead.return = kernel.function("sys_readahead").return
{
@__syscall_gate_compat_simple
@_SYSCALL_READAHEAD_NAME
@SYSC_RETVALSTR($return)
}
# nd_readahead _____________________________________________________
probe nd_syscall.readahead = nd1_syscall.readahead!, nd2_syscall.readahead!, tp_syscall.readahead
{ }
probe nd1_syscall.readahead = kprobe.function("sys_readahead") ?
{
@__syscall_gate_compat_simple
@_SYSCALL_READAHEAD_NAME
asmlinkage()
fd = int_arg(1)
%( CONFIG_64BIT == "y" %?
offset = longlong_arg(2)
count = ulong_arg(3)
%:
%( arch == "arm" %?
# arm has some odd rules regarding long long arguments.
offset = longlong_arg(3)
count = ulong_arg(5)
%:
# On a 32-bit kernel, 'long long' arguments take the space of
# 2 arguments, so we have to adjust the following argument
# numbers.
offset = longlong_arg(2)
count = ulong_arg(4)
%)
%)
@_SYSCALL_READAHEAD_ARGSTR
}
/* kernel 4.17+ */
probe nd2_syscall.readahead = kprobe.function(@arch_syscall_prefix "sys_readahead") ?
{
__set_syscall_pt_regs(pointer_arg(1))
@_SYSCALL_READAHEAD_NAME
fd = int_arg(1)
offset = longlong_arg(2)
count = ulong_arg(3)
@_SYSCALL_READAHEAD_ARGSTR
},
{
%( @_IS_SREG_KERNEL %? @_SYSCALL_READAHEAD_REGARGS_STORE %)
}
/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.readahead = kernel.trace("sys_enter")
{
__set_syscall_pt_regs($regs)
@__syscall_gate(@const("__NR_readahead"))
@_SYSCALL_READAHEAD_NAME
fd = int_arg(1)
offset = longlong_arg(2)
count = ulong_arg(3)
@_SYSCALL_READAHEAD_ARGSTR
},
{
%( @_IS_SREG_KERNEL %? @_SYSCALL_READAHEAD_REGARGS_STORE %)
}
probe nd_syscall.readahead.return = nd1_syscall.readahead.return!, nd2_syscall.readahead.return!, tp_syscall.readahead.return
{ }
probe nd1_syscall.readahead.return = kprobe.function("sys_readahead").return ?
{
@__syscall_gate_compat_simple
@_SYSCALL_READAHEAD_NAME
@SYSC_RETVALSTR(returnval())
}
/* kernel 4.17+ */
probe nd2_syscall.readahead.return = kprobe.function(@arch_syscall_prefix "sys_readahead").return ?
{
@_SYSCALL_READAHEAD_NAME
@SYSC_RETVALSTR(returnval())
}
/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.readahead.return = kernel.trace("sys_exit")
{
__set_syscall_pt_regs($regs)
@__syscall_gate(@const("__NR_readahead"))
@_SYSCALL_READAHEAD_NAME
@SYSC_RETVALSTR($ret)
}
Sindbad File Manager Version 1.0, Coded By Sindbad EG ~ The Terrorists