stackplz
An eBPF-based stack tracing tool
Error
```
panic: unexpected EOF

goroutine 13 [running]:
stackplz/user/argtype.parse_STRING_ARRAY({0x77a6caca68?, 0x20?}, 0x4000316d08?, 0x598df06478?, 0x0?)
	/home/runner/work/stackplz/stackplz/user/argtype/argtype_complex.go:91 +0x3a0
stackplz/user/argtype.(*ARG_STRUCT).Parse(0x598e02a2e0?, 0x40000aab10?, 0x590000003a?, 0x70?)
	/home/runner/work/stackplz/stackplz/user/argtype/argtype_base.go:631 +0x70
stackplz/user/config.(*PointArg).Parse(0x598e097940?, 0x4001cec9f0?, 0x598e09bb00?, 0x8e47c238?)
	/home/runner/work/stackplz/stackplz/user/config/config_point_arg.go:116 +0x88
stackplz/user/config.(*SyscallPoint).ParseEnterPoint(0x40010136c0?, 0x598e005c00?)
	/home/runner/work/stackplz/stackplz/user/config/config_syscall.go:55 +0xd8
stackplz/user/event.(*SyscallEvent).ParseContext(0x40010136c0)...
```
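Output the detailed results as JSON, in particular including timing information, so that users can process the data they need themselves; this would be especially convenient for things like calculating offsets.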
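stackplz currently passes data through a regular PerfMap, which is fairly resource-intensive, and when certain calls are extremely frequent a large amount of data is lost (switching to tracee's way of passing data improved this a lot, but...).

Upstream ebpfmanager has already added support for ringbuf maps, and ringbuf is more efficient: https://github.com/gojue/ebpfmanager/pull/35

However, in order to pass other FLAGs to obtain more parameters, both ebpfmanager and the ebpf library have been modified, so they need to be merged and adapted:

- https://github.com/SeeFlowerX/ebpfmanager
- https://github.com/SeeFlowerX/ebpf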
```
echo 1 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms | grep "T sys_"
./stackplz --brk 0xffffff93c5beb634:x --pid `pidof com.sfx.ebpf` --stack
./stackplz --brk 0xffffffc0003654dc:x --pid `pidof com.sfx.ebpf` --regs
```
```
# ps -ef | grep setting
system 19849 16944 0 19:06:38 ? 00:00:51 com.android.settings
# ./stackplz-v3 -p 19849 -s all --nocheck
findBTFAssets btf_file=a12-5.10-arm64_min.btf
[*] save maps to maps_19849.txt
hook syscall...
```
Environment: Redmi Note 11T Pro, Android 13, MIUI 14. Kernel: 5.10.101-android12-9-00027-g1292f517889e-ab8602202

Command executed:

```
./stackplz -n ???.???.???,iso -w popen[str.f0.f1] -f r:mount:::mounx -f "r:which su:::which zz" --stack
```

Error output:

```
findBTFAssets btf_file=a12-5.10-arm64_min.btf
hook uprobe, count:1
StackMod module...
```
CheckKernelConfig failed, error:Config disabled, item :CONFIG_UPROBES.
```
BrkMod readEvents error:creating PerfEventArray(brk_events)#3 reader dns: failed to create perf ring for CPU 0: can't create perf event: no space left on device
```

In this case, is the monitored app setting breakpoints on itself to occupy the slots and prevent being monitored?

I am using the package from the Google store. Its so is loaded via split.apk and has no separate so map. Setting a hardware breakpoint:

```
oriole:/data/local/tmp # ./stackplz --pid `pidof com.xxx.yyy` --brk 0x77be764e38:w --stack
[*] save maps to maps_13251.txt
set breakpoint at kernel:false, addr:0x77be764e38, type:2
start 1 modules
[13251|13524] event_addr:0x77be764e38 hit_count:1,...
```