1 #![no_std]
2 #![no_main]
3
4 use aya_ebpf::{macros::kprobe, programs::ProbeContext};
5 use aya_ebpf::macros::map;
6 use aya_ebpf::maps::HashMap;
7 use aya_log_ebpf::info;
8
/// Kprobe entry point: runs the fallible handler and returns its code.
///
/// Both the `Ok` and the `Err` payload of [`try_syscall_ebpf`] are plain
/// `u32` values, and either one is returned to the kernel unchanged.
#[kprobe]
pub fn syscall_ebpf(ctx: ProbeContext) -> u32 {
    match try_syscall_ebpf(ctx) {
        Ok(code) => code,
        Err(code) => code,
    }
}
13
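/// Counts one probe hit per syscall number in `SYSCALL_LIST` and logs it.
///
/// The syscall number is taken from the probed function's second argument
/// register (`rsi`). Number 1 is skipped entirely: it is neither counted nor
/// logged.
///
/// Returns `Ok(0)` when the counter was stored (or the call was skipped) and
/// `Err(1)` when the map update failed, for example because the map is full.
/// A failed update used to go through `unwrap()`, i.e. into the panic handler;
/// it is now reported as an error code so the probe never panics here.
///
/// The counter update is a read followed by a write, not an atomic add, so
/// probes running concurrently on several CPUs can lose increments. Treat the
/// stored counts as a lower bound when using them as telemetry.
fn try_syscall_ebpf(ctx: ProbeContext) -> Result<u32, u32> {
    // SAFETY: relies on `ctx.regs` being the valid `pt_regs` pointer the
    // kernel hands to a kprobe program for the duration of this call.
    let pt_regs = unsafe { &*ctx.regs };

    // x86-64 argument registers of the probed function:
    //   first arg  -> rdi
    //   second arg -> rsi
    //   third arg  -> rdx
    //   fourth arg -> rcx
    // NOTE(review): which kernel function this probe is attached to is not
    // visible here; confirm that its second argument is the syscall number.
    let syscall_num = pt_regs.rsi as usize;
    if syscall_num == 1 {
        return Ok(0);
    }

    // The map key is 32 bits wide; the register value is truncated to fit.
    let key = syscall_num as u32;

    // SAFETY: the reference returned by `get` is only read once, immediately,
    // and is not kept past the following `insert`.
    let stored = unsafe {
        let next = match SYSCALL_LIST.get(&key) {
            // Saturate instead of overflowing once a counter reaches u32::MAX.
            Some(count) => count.saturating_add(1),
            None => 1,
        };
        SYSCALL_LIST.insert(&key, &next, 0)
    };

    // One log record is emitted per counted call, even if the update failed.
    info!(&ctx, "invoke syscall {}", syscall_num);

    stored.map(|()| 0).map_err(|_| 1)
}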
36
/// Per-syscall hit counters shared with user space: key is the syscall
/// number, value is the number of times the probe has seen it.
///
/// Capacity is 1024 entries (flags 0). Once that many distinct keys are
/// present, inserting a new key is expected to fail, so callers must handle
/// the error from `insert` rather than assume the count was recorded.
#[map]
static SYSCALL_LIST: HashMap<u32, u32> = HashMap::with_max_entries(1024, 0);
40
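/// Panic handler required by `#![no_std]`; never returns.
///
/// Spins instead of calling `core::hint::unreachable_unchecked()`: that call
/// is undefined behaviour if a panic path (an `unwrap()`, an overflow check,
/// an out-of-bounds index) survives compilation and is actually reached.
/// An explicit loop keeps the behaviour defined.
// NOTE(review): a reachable infinite loop is presumably rejected by the
// kernel verifier at load time, which is the preferable failure mode — confirm.
#[panic_handler]
fn panic(_info: &core::panic::PanicInfo) -> ! {
    loop {}
}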
45