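#![no_std]
#![no_main]

use aya_ebpf::{macros::kprobe, programs::ProbeContext};
use aya_ebpf::macros::map;
use aya_ebpf::maps::HashMap;
use aya_log_ebpf::info;

/// Kprobe entry point: counts syscall invocations per syscall number.
///
/// Returns 0 on success, or a non-zero code if a map update failed. The
/// kernel ignores a kprobe's return value, but keeping the error path
/// explicit is what lets the body avoid panicking inside BPF (see `panic`).
#[kprobe]
pub fn syscall_ebpf(ctx: ProbeContext) -> u32 {
    try_syscall_ebpf(ctx).unwrap_or_else(|ret| ret)
}

/// Reads the syscall number out of the probed function's register state,
/// bumps its counter in `SYSCALL_LIST`, and logs the invocation.
///
/// Returns `Err(1)` if a new counter could not be inserted into the map
/// (for example because the map is full).
fn try_syscall_ebpf(ctx: ProbeContext) -> Result<u32, u32> {
    // SAFETY: `ctx.regs` is the `pt_regs` pointer the kernel hands to the
    // kprobe handler; it is valid for the duration of this probe.
    let pt_regs = unsafe { &*ctx.regs };
    // x86_64 kernel C calling convention of the probed function:
    //   first arg  -> rdi
    //   second arg -> rsi
    //   third arg  -> rdx
    //   fourth arg -> rcx
    // NOTE(review): the syscall number is read from the *second* argument.
    // That matches e.g. `do_syscall_64(struct pt_regs *regs, int nr)`, but
    // the attach point is chosen in userspace and is not visible here —
    // attaching to a different symbol silently yields wrong numbers. Confirm.
    let syscall_num = pt_regs.rsi as usize;
    // Syscall 1 (write on x86_64) is skipped — presumably so the userspace
    // log consumer's own writes are not counted/logged in a feedback loop.
    // TODO confirm the intent.
    if syscall_num != 1 {
        // Map keys are u32; real syscall numbers are small, so the
        // truncating cast cannot lose information for valid input.
        let key = syscall_num as u32;
        // SAFETY: BPF map access is only exposed through unsafe; the pointer
        // returned by `get_ptr_mut` points into the map value and is valid
        // for the duration of this probe.
        unsafe {
            match SYSCALL_LIST.get_ptr_mut(&key) {
                Some(count) => {
                    // One lookup instead of get + insert. This is still a
                    // plain read-modify-write, not an atomic add, so
                    // concurrent probes on other CPUs can lose increments:
                    // the counts are approximate. Use a per-CPU map or an
                    // atomic add if exact telemetry matters.
                    // wrapping_add: an overflow-checked `+` could panic, and
                    // a panic here is undefined behavior (see `panic`).
                    *count = (*count).wrapping_add(1);
                }
                // First sighting: insert with flags 0 (BPF_ANY). Propagate
                // the failure instead of `unwrap()`ing — a panic in BPF
                // reaches `unreachable_unchecked`.
                None => SYSCALL_LIST.insert(&key, &1, 0).map_err(|_| 1u32)?,
            }
        }
        info!(&ctx, "invoke syscall {}", syscall_num);
    }
    Ok(0)
}

/// Invocation counters keyed by syscall number.
/// 1024 entries comfortably covers the x86_64 syscall table.
#[map]
static SYSCALL_LIST: HashMap<u32, u32> =
    HashMap::<u32, u32>::with_max_entries(1024, 0);

/// BPF programs cannot unwind, so panics are declared unreachable. Any
/// actual panic is therefore undefined behavior; the code above must not
/// `unwrap()` or use overflow-checked arithmetic that could panic.
#[panic_handler]
fn panic(_info: &core::panic::PanicInfo) -> ! {
    unsafe { core::hint::unreachable_unchecked() }
}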