Without a doubt the most crazy and insane spying mechanism in the Linux kernel is kprobes:
- It's expensive. Each time an int3 fires, the typical call stack looks like:
    xen_asm_exc_int3
    asm_exc_int3
    irq_entries_start
    exc_int3
    do_int3
    kprobe_int3_handler
- It makes working with kgdb (which itself is far behind windbg) a nightmare: do_int3 first calls kgdb_ll_trap
- There is no mechanism to predict which functions cannot be kprobed. Let's assume that your handler uses a simple printk: then you can't set a kprobe on the whole graph of functions called from printk (vprintk_func, vprintk_default, vprintk_emit, __msecs_to_jiffies, arch_touch_nmi_watchdog, touch_softlockup_watchdog, __printk_safe_enter, _raw_spin_lock, vprintk_store, vscnprintf, cont_flush etc. etc.), and as far as I know there is no way to even find them all
- Sure, you have the /sys/kernel/debug/kprobes/list file, so you can see which functions have been hooked. But there is no way to know by whom
So I wrote a dumper of installed kprobes. Sample output:
sudo ./lkmem -k -c ~/krnl/curr ~/krnl/System.map-5.11.0-34-generic
kprobes[47]: 1 kprobe at 0xffffffffc0605080 flags 8 addr: 0xffffffffa4a9f040 - kernel!__do_sys_fork pre_handler: 0xffffffffc0603548 - lkcd post_handler: 0xffffffffc0603526 - lkcd
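As an added example (not code from the post or from the lkmem/lkcd tool), here is a small Python audit that covers the two complaints above: it parses the text of /sys/kernel/debug/kprobes/list into records, compares them against a baseline of probes you expect on the box, and attributes any address (for instance a pre_handler address printed by a dumper like the one above) to a loaded module using the base/size pairs from /proc/modules. The line layouts of both files are assumed from the kernel sources (kernel/kprobes.c report_probe() and the /proc/modules format); all sample input is constructed, and the kernel text window used for the "kernel" label is an x86-64 assumption.

```python
"""Audit kprobes from /sys/kernel/debug/kprobes/list and attribute addresses
to modules via /proc/modules. Added example, not part of the original post
or of lkmem/lkcd. File formats are assumed from kernel sources."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Assumed line shape of /sys/kernel/debug/kprobes/list (kernel/kprobes.c):
#   <addr>  <k|r>  <symbol>+0x<off>  [<module>]  [GONE][DISABLED][OPTIMIZED][FTRACE]
KPROBE_LINE = re.compile(
    r"^([0-9a-f]+)\s+([kr])\s+(\S+?)\+0x([0-9a-f]+)\s*([^\s\[]+)?\s*((?:\[[A-Z]+\])*)\s*$"
)
# Assumed line shape of /proc/modules: name size refcount deps state 0xbase [taints]
PROC_MODULES_LINE = re.compile(r"^(\S+)\s+(\d+)\s+\d+\s+\S+\s+\S+\s+0x([0-9a-f]+)")
# Assumed x86-64 kernel text window (modules live above 0xffffffffc0000000)
KERNEL_TEXT = (0xffffffff80000000, 0xffffffffc0000000)


@dataclass
class KprobeEntry:
    addr: int
    kind: str            # 'k' = kprobe, 'r' = kretprobe
    symbol: str
    offset: int
    module: Optional[str]  # module owning the probed symbol, None for core kernel
    flags: Tuple[str, ...]


def parse_kprobe_list(text: str) -> List[KprobeEntry]:
    """Turn the kprobes/list text into structured entries; reject unknown lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KPROBE_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised kprobes/list line: {line!r}")
        addr, kind, sym, off, mod, flags = m.groups()
        entries.append(KprobeEntry(int(addr, 16), kind, sym, int(off, 16), mod,
                                   tuple(re.findall(r"\[([A-Z]+)\]", flags))))
    return entries


def parse_proc_modules(text: str) -> List[Tuple[int, int, str]]:
    """Return (base, end, name) ranges; size is the total module size as reported."""
    ranges = []
    for line in text.splitlines():
        m = PROC_MODULES_LINE.match(line.strip())
        if m:
            name, size, base = m.group(1), int(m.group(2)), int(m.group(3), 16)
            ranges.append((base, base + size, name))
    return ranges


def owner_of(addr: int, ranges: List[Tuple[int, int, str]]) -> str:
    """Name the module whose range holds addr, 'kernel' for core text, else 'unknown'."""
    for lo, hi, name in ranges:
        if lo <= addr < hi:
            return name
    if KERNEL_TEXT[0] <= addr < KERNEL_TEXT[1]:
        return "kernel"
    return "unknown"


def unexpected_probes(entries: List[KprobeEntry],
                      expected: Set[Tuple[str, str, int]]) -> List[KprobeEntry]:
    """Entries whose (kind, symbol, offset) is not on the baseline."""
    return [e for e in entries if (e.kind, e.symbol, e.offset) not in expected]


# Constructed sample input (not captured from a real machine)
SAMPLE_KPROBE_LIST = """\
ffffffffa4a9f040  k  __do_sys_fork+0x0    [OPTIMIZED]
ffffffffa4b12340  r  do_sys_openat2+0x0    [FTRACE]
ffffffffc0601120  k  lkcd_dump+0x10  lkcd  [DISABLED]
"""
SAMPLE_PROC_MODULES = """\
lkcd 16384 0 - Live 0xffffffffc0600000 (OE)
xfs 1520640 2 - Live 0xffffffffc0400000
"""
# Constructed baseline: the probes an operator expects to find on this host
EXPECTED_PROBES = {("k", "__do_sys_fork", 0), ("r", "do_sys_openat2", 0)}

if __name__ == "__main__":
    entries = parse_kprobe_list(SAMPLE_KPROBE_LIST)
    ranges = parse_proc_modules(SAMPLE_PROC_MODULES)
    for e in entries:
        status = "ok" if e not in unexpected_probes([e], EXPECTED_PROBES) else "UNEXPECTED"
        print(f"{e.addr:#x} {e.kind} {e.symbol}+{e.offset:#x} "
              f"[{owner_of(e.addr, ranges)}] {','.join(e.flags) or '-'} {status}")
    # The pre_handler address from the dumper output above resolves to the lkcd module
    print("pre_handler 0xffffffffc0603548 ->", owner_of(0xffffffffc0603548, ranges))
```

On a live system, replace the sample strings with the contents of the two files; both need root, and /proc/modules prints zero addresses when kptr_restrict hides them. The module ranges from /proc/modules are coarse (one base plus a total size), so this attributes an address to a module rather than to a specific handler symbol, which is exactly the gap the dumper above closes by reading the handler pointers out of the kprobe structs.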