1*fae6e9adSlinfeng #![no_std]
2*fae6e9adSlinfeng #![no_main]
3*fae6e9adSlinfeng
4*fae6e9adSlinfeng use aya_ebpf::{macros::kprobe, programs::ProbeContext};
5*fae6e9adSlinfeng use aya_ebpf::macros::map;
6*fae6e9adSlinfeng use aya_ebpf::maps::HashMap;
7*fae6e9adSlinfeng use aya_log_ebpf::info;
8*fae6e9adSlinfeng
/// Kprobe entry point: runs `try_syscall_ebpf` and hands its code back to the kernel.
///
/// The `Ok` and `Err` payloads are both plain `u32` codes, so whichever one comes
/// back is returned unchanged.
#[kprobe]
pub fn syscall_ebpf(ctx: ProbeContext) -> u32 {
    match try_syscall_ebpf(ctx) {
        Ok(code) | Err(code) => code,
    }
}
13*fae6e9adSlinfeng
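/// Counts one probe hit per value found in the probed function's second argument.
///
/// Reads `rsi` from the saved registers, treats it as a syscall number and, unless it
/// is `1`, bumps the matching counter in `SYSCALL_LIST` and logs the number.
/// Always returns `Ok(0)`.
///
/// NOTE(review): the `rsi` field ties this to the x86_64 `pt_regs` layout. Which kernel
/// function is probed (and so what `rsi` really holds) is chosen by the loader and is
/// not visible in this file.
fn try_syscall_ebpf(ctx: ProbeContext) -> Result<u32, u32> {
    // SAFETY: `ctx.regs` is dereferenced as handed in; assumes the pointer is valid for
    // the duration of this probe invocation — TODO confirm against the aya version used.
    let pt_regs = unsafe { &*ctx.regs };
    // x86_64 argument registers:
    // first arg  -> rdi
    // second arg -> rsi
    // third arg  -> rdx
    // fourth arg -> rcx
    let syscall_num = pt_regs.rsi as usize;
    if syscall_num != 1 {
        // The map key is u32, so a register value above u32::MAX aliases onto a lower key.
        // Nothing bounds the number of distinct keys: they come straight from the register,
        // and once the map holds its 1024 entries an insert for a new key fails.
        let key = syscall_num as u32;
        // SAFETY: the reference returned by `get` is read once, before the map is written.
        // NOTE(review): this is a non-atomic read-modify-write; hits racing on several
        // CPUs can lose increments, so treat the counters as approximate.
        let updated = unsafe {
            let next = match SYSCALL_LIST.get(&key) {
                // Saturate instead of overflowing, so a hot key pins at u32::MAX.
                Some(seen) => seen.saturating_add(1),
                None => 1,
            };
            SYSCALL_LIST.insert(&key, &next, 0)
        };
        // A failed insert must not reach `unwrap()`: the panic handler in this file is
        // `unreachable_unchecked`, which would make that failure undefined behaviour.
        if updated.is_err() {
            info!(&ctx, "syscall counter update failed for {}", syscall_num);
        }
        info!(&ctx, "invoke syscall {}", syscall_num);
    }
    Ok(0)
}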
36*fae6e9adSlinfeng
/// Hit counters shared with user space: key is the `u32`-truncated register value read
/// by the probe, value is the number of hits recorded for it.
///
/// Sized for at most 1024 distinct keys and created with flags `0`.
#[map]
static SYSCALL_LIST: HashMap<u32, u32> = HashMap::with_max_entries(1024, 0);
40*fae6e9adSlinfeng
/// Panic handler required by `#![no_std]`; it declares the panic path unreachable.
///
/// NOTE(review): this only holds while no panic can actually occur. Any panic that is
/// reachable at run time (a failed `unwrap()`, an overflow check) becomes undefined
/// behaviour instead of a clean abort, so fallible calls in this program must be
/// handled without panicking.
#[panic_handler]
fn panic(_info: &core::panic::PanicInfo) -> ! {
    use core::hint::unreachable_unchecked;

    // SAFETY: relies on the program containing no reachable panic — see the note above.
    unsafe { unreachable_unchecked() }
}