
execmon is unable to run on kernels >= 4.6

Open u-riaz opened this issue 7 years ago • 1 comments

Hi Kfir, thanks for this awesome utility. It helped me a lot.

Your utility, execmon, works well on kernels up to 4.5. I tested it on Ubuntu 16.04 with kernel 4.4. Up to kernel 4.5, assembly stubs were used to call sys_execve, and patching the call to sys_execve in stub_execve did the job. Awesome! But starting from 4.6 these stubs have been changed, and now ptregs_sys_execve is a replacement for stub_execve. But it's very different from the older stubs. Now registers are used to store the real syscall address, and there are two ways of calling, 'slow_path' and 'fast_path'. I tried hard but failed to work out the logic for patching execve calls in this new scheme. Could you please spare some time to have a look and find some clues for upgrading execmon to work on kernels greater than 4.5?

Thanks

u-riaz, Nov 01 '17 15:11
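The approach described in the post above depends on the stub containing a direct `call` whose 32-bit displacement can be resolved. As an added example (not execmon's code and not part of the original issue), this C program resolves that displacement to verify where a stub's call lands, and shows that the same scan finds nothing once the address is loaded into a register instead. All addresses, byte strings and function names are constructed for illustration, and the newer-style stub is modelled only on the post's description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All addresses and byte strings are constructed samples, not a real kernel. */
#define STUB_ADDR  0xffffffff81800100ULL  /* where the stub is mapped */
#define SYS_EXECVE 0xffffffff81200000ULL  /* expected call target */

enum stub_status { STUB_INTACT, STUB_REDIRECTED, STUB_NO_DIRECT_CALL };

/* <=4.5 style: 3-byte prologue, then `call rel32` (0xE8) to sys_execve. */
static const uint8_t old_stub[]    = {0x48,0x89,0xe7, 0xe8,0xf8,0xfe,0x9f,0xff, 0xc3};
/* Same stub with the displacement rewritten to 0xffffffffc0001000. */
static const uint8_t hooked_stub[] = {0x48,0x89,0xe7, 0xe8,0xf8,0x0e,0x80,0x3e, 0xc3};
/* >=4.6 style per the post: address goes into a register (lea), then jmp. */
static const uint8_t new_stub[]    = {0x48,0x8d,0x05,0xf9,0xfe,0x9f,0xff,
                                      0xe9,0x10,0x00,0x00,0x00};

/* Destination of the `call rel32` whose opcode byte is at insn_addr. */
static uint64_t call_rel32_target(uint64_t insn_addr, const uint8_t *insn)
{
    uint32_t u = (uint32_t)insn[1] | (uint32_t)insn[2] << 8 |
                 (uint32_t)insn[3] << 16 | (uint32_t)insn[4] << 24;
    /* displacement is signed and relative to the next instruction (+5) */
    return insn_addr + 5 + (uint64_t)(int64_t)(int32_t)u;
}

/* Byte-scan heuristic (not a disassembler): the first 0xE8 decides. */
static enum stub_status check_stub(const uint8_t *code, size_t len,
                                   uint64_t base, uint64_t expected,
                                   uint64_t *target)
{
    for (size_t i = 0; i + 5 <= len; i++) {
        if (code[i] != 0xe8)
            continue;
        *target = call_rel32_target(base + i, code + i);
        return *target == expected ? STUB_INTACT : STUB_REDIRECTED;
    }
    return STUB_NO_DIRECT_CALL;
}

int main(void)
{
    uint64_t t = 0;
    printf("old=%d ", check_stub(old_stub, sizeof old_stub, STUB_ADDR, SYS_EXECVE, &t));
    printf("hooked=%d ", check_stub(hooked_stub, sizeof hooked_stub, STUB_ADDR, SYS_EXECVE, &t));
    printf("new=%d\n", check_stub(new_stub, sizeof new_stub, STUB_ADDR, SYS_EXECVE, &t));
    return 0;
}
```

A `STUB_NO_DIRECT_CALL` result means there is no relative displacement to compare, so an integrity check for that layout has to follow the register-loaded address instead.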

Any update for now, @u-riaz @kfiros @fizwit?

How about https://github.com/ColinIanKing/forkstat

QGB, Dec 17 '22 08:12