From d20da010608cd945ee2737220546d320e2ee1e69 Mon Sep 17 00:00:00 2001
From: see
Date: Mon, 5 Dec 2022 10:19:37 +0800
Subject: [PATCH] =?UTF-8?q?=E6=94=AF=E6=8C=81=E8=BE=93=E5=87=BA=E6=89=A7?= =?UTF-8?q?=E8=A1=8C=E5=90=8E=E6=9C=89=E5=86=85=E5=AE=B9=E7=9A=84=E5=8F=82?= =?UTF-8?q?=E6=95=B0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app/config/config_sys.go | 7 +-
 app/config/table32.json | 808 +++++++++++++++++++--------------------
 app/config/table64.json | 558 +++++++++++++--------------
 app/module/module.go | 38 +-
 cli/cmd/root.go | 2 +-
 src/raw_syscalls.c | 84 ++--
 6 files changed, 775 insertions(+), 722 deletions(-)
diff --git a/app/config/config_sys.go b/app/config/config_sys.go
index 478c8b5..cf3ef30 100644
--- a/app/config/config_sys.go
+++ b/app/config/config_sys.go
@@ -6,9 +6,10 @@ import (
 )
 type TableConfig struct {
- Count uint32
- Name string
- Mask uint32
+ Count uint32
+ Name string
+ Mask uint32
+ RetMask uint32
 }
 type SysTableConfig map[string]TableConfig
diff --git a/app/config/table32.json b/app/config/table32.json
index b2f770e..ed676ca 100644
--- a/app/config/table32.json
+++ b/app/config/table32.json
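Review bot: The new `RetMask` field in `TableConfig` (app/config/config_sys.go) is added without a comment, so its meaning can only be guessed from the table data later in this patch, where `readlink` gets 2 and `readlinkat` gets 4, which looks like one bit per argument index for buffers the kernel fills before the call returns. A field comment would make that contract explicit, for example `// RetMask: bit i set => argument i is read on syscall exit (output buffer)`, with a matching line on `Mask` for the entry-time reads. The code that decodes the four-element JSON arrays into this struct is not part of this hunk, so it is worth confirming there that an entry still carrying three elements is rejected or defaults `RetMask` to 0, and that a mask with a bit at or above `Count` is refused rather than passed to the probe in src/raw_syscalls.c.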
@@ -1,406 +1,406 @@ { - "0": [0, "restart_syscall", 0], - "1": [1, "exit", 0], - "2": [0, "fork", 0], - "3": [3, "read", 0], - "4": [3, "write", 0], - "5": [3, "open", 1], - "6": [1, "close", 0], - "7": [3, "waitpid", 0], - "8": [2, "creat", 1], - "9": [2, "link", 3], - "10": [1, "unlink", 1], - "11": [3, "execve", 1], - "12": [1, "chdir", 1], - "13": [1, "time", 0], - "14": [3, "mknod", 1], - "15": [2, "chmod", 1], - "16": [3, "lchown", 1], - "17": [0, "break", 0], - "18": [2, "oldstat", 0], - "19": [3, "lseek", 0], - "20": [0, "getpid", 0], - "21": [5, "mount", 11], - "22": [1, "umount", 1], - "23": [1, "setuid", 0], - "24": [0, "getuid", 0], - "25": [1, "stime", 0], - "26": [4, "ptrace", 0], - "27": [1, "alarm", 0], - "28": [2, "oldfstat", 0], - "29": [0, "pause", 0], - "30": [2, "utime", 0], - "31": [2, "stty", 0], - "32": [2, "gtty", 0], - "33": [2, "access", 1], - "34": [1, "nice", 0], - "35": [0, "ftime", 0], - "36": [0, "sync", 0], - "37": [2, "kill", 0], - "38": [2, "rename", 3], - "39": [2, "mkdir", 1], - "40": [1, "rmdir", 1], - "41": [1, "dup", 0], - "42": [1, "pipe", 0], - "43": [1, "times", 0], - "44": [0, "prof", 0], - "45": [1, "brk", 0], - "46": [1, "setgid", 0], - "47": [0, "getgid", 0], - "48": [2, "signal", 0], - "49": [0, "geteuid", 0], - "50": [0, "getegid", 0], - "51": [1, "acct", 0], - "52": [2, "umount2", 0], - "53": [0, "lock", 0], - "54": [3, "ioctl", 0], - "55": [3, "fcntl", 0], - "56": [0, "mpx", 0], - "57": [2, "setpgid", 0], - "58": [2, "ulimit", 0], - "59": [1, "oldolduname", 0], - "60": [1, "umask", 0], - "61": [1, "chroot", 1], - "62": [2, "ustat", 0], - "63": [2, "dup2", 0], - "64": [0, "getppid", 0], - "65": [0, "getpgrp", 0], - "66": [0, "setsid", 0], - "67": [3, "sigaction", 0], - "68": [0, "sgetmask", 0], - "69": [1, "ssetmask", 0], - "70": [2, "setreuid", 0], - "71": [2, "setregid", 0], - "72": [3, "sigsuspend", 0], - "73": [1, "sigpending", 0], - "74": [2, "sethostname", 0], - "75": [2, "setrlimit", 0], - "76": [2, 
"getrlimit", 0], - "77": [2, "getrusage", 0], - "78": [2, "gettimeofday", 0], - "79": [2, "settimeofday", 0], - "80": [2, "getgroups", 0], - "81": [2, "setgroups", 0], - "82": [1, "select", 0], - "83": [2, "symlink", 0], - "84": [2, "oldlstat", 0], - "85": [3, "readlink", 1], - "86": [1, "uselib", 0], - "87": [2, "swapon", 0], - "88": [4, "reboot", 0], - "89": [3, "readdir", 0], - "90": [1, "mmap", 0], - "91": [2, "munmap", 0], - "92": [2, "truncate", 1], - "93": [2, "ftruncate", 0], - "94": [2, "fchmod", 0], - "95": [3, "fchown", 0], - "96": [2, "getpriority", 0], - "97": [3, "setpriority", 0], - "98": [4, "profil", 0], - "99": [2, "statfs", 1], - "100": [2, "fstatfs", 0], - "101": [3, "ioperm", 0], - "102": [2, "socketcall", 0], - "103": [3, "syslog", 0], - "104": [3, "setitimer", 0], - "105": [2, "getitimer", 0], - "106": [2, "stat", 1], - "107": [2, "lstat", 1], - "108": [2, "fstat", 0], - "109": [1, "olduname", 0], - "110": [1, "iopl", 0], - "111": [0, "vhangup", 0], - "112": [0, "idle", 0], - "113": [5, "syscall", 0], - "114": [4, "wait4", 0], - "115": [1, "swapoff", 0], - "116": [1, "sysinfo", 0], - "117": [6, "ipc", 0], - "118": [1, "fsync", 0], - "119": [0, "sigreturn", 0], - "120": [5, "clone", 0], - "121": [2, "setdomainname", 0], - "122": [1, "uname", 0], - "123": [3, "modify_ldt", 0], - "124": [1, "adjtimex", 0], - "125": [3, "mprotect", 0], - "126": [3, "sigprocmask", 0], - "127": [2, "create_module", 0], - "128": [3, "init_module", 0], - "129": [2, "delete_module", 0], - "130": [1, "get_kernel_syms", 0], - "131": [4, "quotactl", 0], - "132": [1, "getpgid", 0], - "133": [1, "fchdir", 0], - "134": [2, "bdflush", 0], - "135": [3, "sysfs", 0], - "136": [1, "personality", 0], - "137": [5, "afs_syscall", 0], - "138": [1, "setfsuid", 0], - "139": [1, "setfsgid", 0], - "140": [5, "_llseek", 0], - "141": [3, "getdents", 0], - "142": [5, "_newselect", 0], - "143": [2, "flock", 0], - "144": [3, "msync", 0], - "145": [3, "readv", 0], - "146": [3, "writev", 0], - 
"147": [1, "getsid", 0], - "148": [1, "fdatasync", 0], - "149": [1, "_sysctl", 0], - "150": [2, "mlock", 0], - "151": [2, "munlock", 0], - "152": [1, "mlockall", 0], - "153": [0, "munlockall", 0], - "154": [2, "sched_setparam", 0], - "155": [2, "sched_getparam", 0], - "156": [3, "sched_setscheduler", 0], - "157": [1, "sched_getscheduler", 0], - "158": [0, "sched_yield", 0], - "159": [1, "sched_get_priority_max", 0], - "160": [1, "sched_get_priority_min", 0], - "161": [2, "sched_rr_get_interval", 0], - "162": [2, "nanosleep", 0], - "163": [5, "mremap", 0], - "164": [3, "setresuid", 0], - "165": [3, "getresuid", 0], - "166": [5, "vm86", 0], - "167": [5, "query_module", 0], - "168": [3, "poll", 0], - "169": [3, "nfsservctl", 0], - "170": [3, "setresgid", 0], - "171": [3, "getresgid", 0], - "172": [5, "prctl", 0], - "173": [0, "rt_sigreturn", 0], - "174": [4, "rt_sigaction", 0], - "175": [4, "rt_sigprocmask", 0], - "176": [2, "rt_sigpending", 0], - "177": [4, "rt_sigtimedwait", 0], - "178": [3, "rt_sigqueueinfo", 0], - "179": [2, "rt_sigsuspend", 0], - "180": [6, "pread64", 0], - "181": [6, "pwrite64", 0], - "182": [3, "chown", 0], - "183": [2, "getcwd", 0], - "184": [2, "capget", 0], - "185": [2, "capset", 0], - "186": [2, "sigaltstack", 0], - "187": [4, "sendfile", 0], - "188": [5, "getpmsg", 0], - "189": [5, "putpmsg", 0], - "190": [0, "vfork", 0], - "191": [2, "ugetrlimit", 0], - "192": [6, "mmap2", 0], - "193": [4, "truncate64", 0], - "194": [4, "ftruncate64", 0], - "195": [2, "stat64", 0], - "196": [2, "lstat64", 0], - "197": [2, "fstat64", 0], - "198": [3, "lchown32", 0], - "199": [0, "getuid32", 0], - "200": [0, "getgid32", 0], - "201": [0, "geteuid32", 0], - "202": [0, "getegid32", 0], - "203": [2, "setreuid32", 0], - "204": [2, "setregid32", 0], - "205": [2, "getgroups32", 0], - "206": [2, "setgroups32", 0], - "207": [3, "fchown32", 0], - "208": [3, "setresuid32", 0], - "209": [3, "getresuid32", 0], - "210": [3, "setresgid32", 0], - "211": [3, "getresgid32", 
0], - "212": [3, "chown32", 0], - "213": [1, "setuid32", 0], - "214": [1, "setgid32", 0], - "215": [1, "setfsuid32", 0], - "216": [1, "setfsgid32", 0], - "217": [3, "getdents64", 0], - "218": [2, "pivot_root", 0], - "219": [3, "mincore", 0], - "220": [3, "madvise", 0], - "221": [3, "fcntl64", 0], - "224": [0, "gettid", 0], - "225": [5, "readahead", 0], - "226": [5, "setxattr", 0], - "227": [5, "lsetxattr", 0], - "228": [5, "fsetxattr", 0], - "229": [4, "getxattr", 0], - "230": [4, "lgetxattr", 0], - "231": [4, "fgetxattr", 0], - "232": [3, "listxattr", 0], - "233": [3, "llistxattr", 0], - "234": [3, "flistxattr", 0], - "235": [2, "removexattr", 0], - "236": [2, "lremovexattr", 0], - "237": [2, "fremovexattr", 0], - "238": [2, "tkill", 0], - "239": [4, "sendfile64", 0], - "240": [6, "futex", 0], - "241": [3, "sched_setaffinity", 0], - "242": [3, "sched_getaffinity", 0], - "243": [2, "io_setup", 0], - "244": [1, "io_destroy", 0], - "245": [5, "io_getevents", 0], - "246": [3, "io_submit", 0], - "247": [3, "io_cancel", 0], - "248": [1, "exit_group", 0], - "249": [4, "lookup_dcookie", 0], - "250": [1, "epoll_create", 0], - "251": [4, "epoll_ctl", 0], - "252": [4, "epoll_wait", 0], - "253": [5, "remap_file_pages", 0], - "256": [1, "set_tid_address", 0], - "257": [3, "timer_create", 0], - "258": [4, "timer_settime", 0], - "259": [2, "timer_gettime", 0], - "260": [1, "timer_getoverrun", 0], - "261": [1, "timer_delete", 0], - "262": [2, "clock_settime", 0], - "263": [2, "clock_gettime", 0], - "264": [2, "clock_getres", 0], - "265": [4, "clock_nanosleep", 0], - "266": [3, "statfs64", 0], - "267": [3, "fstatfs64", 0], - "268": [3, "tgkill", 0], - "269": [2, "utimes", 0], - "270": [6, "fadvise64_64", 0], - "271": [3, "pciconfig_iobase", 0], - "272": [5, "pciconfig_read", 0], - "273": [5, "pciconfig_write", 0], - "274": [4, "mq_open", 0], - "275": [1, "mq_unlink", 0], - "276": [5, "mq_timedsend", 0], - "277": [5, "mq_timedreceive", 0], - "278": [2, "mq_notify", 0], - "279": [3, 
"mq_getsetattr", 0], - "280": [5, "waitid", 0], - "281": [3, "socket", 0], - "282": [3, "bind", 0], - "283": [3, "connect", 0], - "284": [2, "listen", 0], - "285": [3, "accept", 0], - "286": [3, "getsockname", 0], - "287": [3, "getpeername", 0], - "288": [4, "socketpair", 0], - "289": [4, "send", 0], - "290": [6, "sendto", 0], - "291": [4, "recv", 0], - "292": [6, "recvfrom", 0], - "293": [2, "shutdown", 0], - "294": [5, "setsockopt", 0], - "295": [5, "getsockopt", 0], - "296": [3, "sendmsg", 0], - "297": [3, "recvmsg", 0], - "298": [3, "semop", 0], - "299": [3, "semget", 0], - "300": [4, "semctl", 0], - "301": [4, "msgsnd", 0], - "302": [5, "msgrcv", 0], - "303": [2, "msgget", 0], - "304": [3, "msgctl", 0], - "305": [3, "shmat", 0], - "306": [1, "shmdt", 0], - "307": [3, "shmget", 0], - "308": [3, "shmctl", 0], - "309": [5, "add_key", 0], - "310": [4, "request_key", 0], - "311": [5, "keyctl", 0], - "312": [4, "semtimedop", 0], - "313": [5, "vserver", 0], - "314": [3, "ioprio_set", 0], - "315": [2, "ioprio_get", 0], - "316": [0, "inotify_init", 0], - "317": [3, "inotify_add_watch", 0], - "318": [2, "inotify_rm_watch", 0], - "319": [6, "mbind", 0], - "320": [5, "get_mempolicy", 0], - "321": [3, "set_mempolicy", 0], - "322": [4, "openat", 2], - "323": [3, "mkdirat", 2], - "324": [4, "mknodat", 2], - "325": [5, "fchownat", 2], - "326": [3, "futimesat", 2], - "327": [4, "fstatat64", 2], - "328": [3, "unlinkat", 2], - "329": [4, "renameat", 10], - "330": [5, "linkat", 10], - "331": [3, "symlinkat", 5], - "332": [4, "readlinkat", 2], - "333": [3, "fchmodat", 2], - "334": [3, "faccessat", 2], - "335": [6, "pselect6", 0], - "336": [5, "ppoll", 0], - "337": [1, "unshare", 0], - "338": [2, "set_robust_list", 0], - "339": [3, "get_robust_list", 0], - "340": [6, "splice", 0], - "341": [6, "sync_file_range2", 0], - "342": [4, "tee", 0], - "343": [4, "vmsplice", 0], - "344": [6, "move_pages", 0], - "345": [3, "getcpu", 0], - "346": [6, "epoll_pwait", 0], - "347": [4, 
"kexec_load", 0], - "348": [4, "utimensat", 0], - "349": [3, "signalfd", 0], - "350": [2, "timerfd_create", 0], - "351": [1, "eventfd", 0], - "352": [6, "fallocate", 0], - "353": [4, "timerfd_settime", 0], - "354": [2, "timerfd_gettime", 0], - "355": [4, "signalfd4", 0], - "356": [2, "eventfd2", 0], - "357": [1, "epoll_create1", 0], - "358": [3, "dup3", 0], - "359": [2, "pipe2", 0], - "360": [1, "inotify_init1", 0], - "361": [5, "preadv", 0], - "362": [5, "pwritev", 0], - "363": [4, "rt_tgsigqueueinfo", 0], - "364": [5, "perf_event_open", 0], - "365": [5, "recvmmsg", 0], - "366": [4, "accept4", 0], - "367": [2, "fanotify_init", 0], - "368": [6, "fanotify_mark", 0], - "369": [4, "prlimit64", 0], - "370": [5, "name_to_handle_at", 0], - "371": [3, "open_by_handle_at", 0], - "372": [2, "clock_adjtime", 0], - "373": [1, "syncfs", 0], - "374": [4, "sendmmsg", 0], - "375": [2, "setns", 0], - "376": [6, "process_vm_readv", 0], - "377": [6, "process_vm_writev", 0], - "378": [5, "kcmp", 0], - "379": [3, "finit_module", 0], - "380": [3, "sched_setattr", 0], - "381": [4, "sched_getattr", 0], - "382": [5, "renameat2", 10], - "383": [3, "seccomp", 0], - "384": [3, "getrandom", 0], - "385": [2, "memfd_create", 1], - "386": [3, "bpf", 0], - "387": [5, "execveat", 14], - "388": [1, "userfaultfd", 0], - "389": [3, "membarrier", 0], - "390": [3, "mlock2", 0], - "391": [6, "copy_file_range", 0], - "392": [6, "preadv2", 0], - "393": [6, "pwritev2", 0], - "394": [4, "pkey_mprotect", 0], - "395": [2, "pkey_alloc", 0], - "396": [1, "pkey_free", 0], - "397": [5, "statx", 0], - "398": [4, "rseq", 0], - "399": [6, "io_pgetevents", 0], - "400": [4, "migrate_pages", 0], - "401": [5, "kexec_file_load", 0], - "983041": [0, "breakpoint", 0], - "983042": [3, "cacheflush", 0], - "983043": [0, "usr26", 0], - "983044": [0, "usr32", 0], - "983045": [1, "set_tls", 0], - "983046": [0, "get_tls", 0] + "0": [0, "restart_syscall", 0, 0], + "1": [1, "exit", 0, 0], + "2": [0, "fork", 0, 0], + "3": [3, 
"read", 0, 0], + "4": [3, "write", 0, 0], + "5": [3, "open", 1, 0], + "6": [1, "close", 0, 0], + "7": [3, "waitpid", 0, 0], + "8": [2, "creat", 1, 0], + "9": [2, "link", 3, 0], + "10": [1, "unlink", 1, 0], + "11": [3, "execve", 1, 0], + "12": [1, "chdir", 1, 0], + "13": [1, "time", 0, 0], + "14": [3, "mknod", 1, 0], + "15": [2, "chmod", 1, 0], + "16": [3, "lchown", 1, 0], + "17": [0, "break", 0, 0], + "18": [2, "oldstat", 0, 0], + "19": [3, "lseek", 0, 0], + "20": [0, "getpid", 0, 0], + "21": [5, "mount", 11, 0], + "22": [1, "umount", 1, 0], + "23": [1, "setuid", 0, 0], + "24": [0, "getuid", 0, 0], + "25": [1, "stime", 0, 0], + "26": [4, "ptrace", 0, 0], + "27": [1, "alarm", 0, 0], + "28": [2, "oldfstat", 0, 0], + "29": [0, "pause", 0, 0], + "30": [2, "utime", 0, 0], + "31": [2, "stty", 0, 0], + "32": [2, "gtty", 0, 0], + "33": [2, "access", 1, 0], + "34": [1, "nice", 0, 0], + "35": [0, "ftime", 0, 0], + "36": [0, "sync", 0, 0], + "37": [2, "kill", 0, 0], + "38": [2, "rename", 3, 0], + "39": [2, "mkdir", 1, 0], + "40": [1, "rmdir", 1, 0], + "41": [1, "dup", 0, 0], + "42": [1, "pipe", 0, 0], + "43": [1, "times", 0, 0], + "44": [0, "prof", 0, 0], + "45": [1, "brk", 0, 0], + "46": [1, "setgid", 0, 0], + "47": [0, "getgid", 0, 0], + "48": [2, "signal", 0, 0], + "49": [0, "geteuid", 0, 0], + "50": [0, "getegid", 0, 0], + "51": [1, "acct", 0, 0], + "52": [2, "umount2", 0, 0], + "53": [0, "lock", 0, 0], + "54": [3, "ioctl", 0, 0], + "55": [3, "fcntl", 0, 0], + "56": [0, "mpx", 0, 0], + "57": [2, "setpgid", 0, 0], + "58": [2, "ulimit", 0, 0], + "59": [1, "oldolduname", 0, 0], + "60": [1, "umask", 0, 0], + "61": [1, "chroot", 1, 0], + "62": [2, "ustat", 0, 0], + "63": [2, "dup2", 0, 0], + "64": [0, "getppid", 0, 0], + "65": [0, "getpgrp", 0, 0], + "66": [0, "setsid", 0, 0], + "67": [3, "sigaction", 0, 0], + "68": [0, "sgetmask", 0, 0], + "69": [1, "ssetmask", 0, 0], + "70": [2, "setreuid", 0, 0], + "71": [2, "setregid", 0, 0], + "72": [3, "sigsuspend", 0, 0], + "73": [1, 
"sigpending", 0, 0], + "74": [2, "sethostname", 0, 0], + "75": [2, "setrlimit", 0, 0], + "76": [2, "getrlimit", 0, 0], + "77": [2, "getrusage", 0, 0], + "78": [2, "gettimeofday", 0, 0], + "79": [2, "settimeofday", 0, 0], + "80": [2, "getgroups", 0, 0], + "81": [2, "setgroups", 0, 0], + "82": [1, "select", 0, 0], + "83": [2, "symlink", 0, 0], + "84": [2, "oldlstat", 0, 0], + "85": [3, "readlink", 1, 2], + "86": [1, "uselib", 0, 0], + "87": [2, "swapon", 0, 0], + "88": [4, "reboot", 0, 0], + "89": [3, "readdir", 0, 0], + "90": [1, "mmap", 0, 0], + "91": [2, "munmap", 0, 0], + "92": [2, "truncate", 1, 0], + "93": [2, "ftruncate", 0, 0], + "94": [2, "fchmod", 0, 0], + "95": [3, "fchown", 0, 0], + "96": [2, "getpriority", 0, 0], + "97": [3, "setpriority", 0, 0], + "98": [4, "profil", 0, 0], + "99": [2, "statfs", 1, 0], + "100": [2, "fstatfs", 0, 0], + "101": [3, "ioperm", 0, 0], + "102": [2, "socketcall", 0, 0], + "103": [3, "syslog", 0, 0], + "104": [3, "setitimer", 0, 0], + "105": [2, "getitimer", 0, 0], + "106": [2, "stat", 1, 0], + "107": [2, "lstat", 1, 0], + "108": [2, "fstat", 0, 0], + "109": [1, "olduname", 0, 0], + "110": [1, "iopl", 0, 0], + "111": [0, "vhangup", 0, 0], + "112": [0, "idle", 0, 0], + "113": [5, "syscall", 0, 0], + "114": [4, "wait4", 0, 0], + "115": [1, "swapoff", 0, 0], + "116": [1, "sysinfo", 0, 0], + "117": [6, "ipc", 0, 0], + "118": [1, "fsync", 0, 0], + "119": [0, "sigreturn", 0, 0], + "120": [5, "clone", 0, 0], + "121": [2, "setdomainname", 0, 0], + "122": [1, "uname", 0, 0], + "123": [3, "modify_ldt", 0, 0], + "124": [1, "adjtimex", 0, 0], + "125": [3, "mprotect", 0, 0], + "126": [3, "sigprocmask", 0, 0], + "127": [2, "create_module", 0, 0], + "128": [3, "init_module", 0, 0], + "129": [2, "delete_module", 0, 0], + "130": [1, "get_kernel_syms", 0, 0], + "131": [4, "quotactl", 0, 0], + "132": [1, "getpgid", 0, 0], + "133": [1, "fchdir", 0, 0], + "134": [2, "bdflush", 0, 0], + "135": [3, "sysfs", 0, 0], + "136": [1, "personality", 0, 0], + 
"137": [5, "afs_syscall", 0, 0], + "138": [1, "setfsuid", 0, 0], + "139": [1, "setfsgid", 0, 0], + "140": [5, "_llseek", 0, 0], + "141": [3, "getdents", 0, 0], + "142": [5, "_newselect", 0, 0], + "143": [2, "flock", 0, 0], + "144": [3, "msync", 0, 0], + "145": [3, "readv", 0, 0], + "146": [3, "writev", 0, 0], + "147": [1, "getsid", 0, 0], + "148": [1, "fdatasync", 0, 0], + "149": [1, "_sysctl", 0, 0], + "150": [2, "mlock", 0, 0], + "151": [2, "munlock", 0, 0], + "152": [1, "mlockall", 0, 0], + "153": [0, "munlockall", 0, 0], + "154": [2, "sched_setparam", 0, 0], + "155": [2, "sched_getparam", 0, 0], + "156": [3, "sched_setscheduler", 0, 0], + "157": [1, "sched_getscheduler", 0, 0], + "158": [0, "sched_yield", 0, 0], + "159": [1, "sched_get_priority_max", 0, 0], + "160": [1, "sched_get_priority_min", 0, 0], + "161": [2, "sched_rr_get_interval", 0, 0], + "162": [2, "nanosleep", 0, 0], + "163": [5, "mremap", 0, 0], + "164": [3, "setresuid", 0, 0], + "165": [3, "getresuid", 0, 0], + "166": [5, "vm86", 0, 0], + "167": [5, "query_module", 0, 0], + "168": [3, "poll", 0, 0], + "169": [3, "nfsservctl", 0, 0], + "170": [3, "setresgid", 0, 0], + "171": [3, "getresgid", 0, 0], + "172": [5, "prctl", 0, 0], + "173": [0, "rt_sigreturn", 0, 0], + "174": [4, "rt_sigaction", 0, 0], + "175": [4, "rt_sigprocmask", 0, 0], + "176": [2, "rt_sigpending", 0, 0], + "177": [4, "rt_sigtimedwait", 0, 0], + "178": [3, "rt_sigqueueinfo", 0, 0], + "179": [2, "rt_sigsuspend", 0, 0], + "180": [6, "pread64", 0, 0], + "181": [6, "pwrite64", 0, 0], + "182": [3, "chown", 0, 0], + "183": [2, "getcwd", 0, 0], + "184": [2, "capget", 0, 0], + "185": [2, "capset", 0, 0], + "186": [2, "sigaltstack", 0, 0], + "187": [4, "sendfile", 0, 0], + "188": [5, "getpmsg", 0, 0], + "189": [5, "putpmsg", 0, 0], + "190": [0, "vfork", 0, 0], + "191": [2, "ugetrlimit", 0, 0], + "192": [6, "mmap2", 0, 0], + "193": [4, "truncate64", 0, 0], + "194": [4, "ftruncate64", 0, 0], + "195": [2, "stat64", 0, 0], + "196": [2, 
"lstat64", 0, 0], + "197": [2, "fstat64", 0, 0], + "198": [3, "lchown32", 0, 0], + "199": [0, "getuid32", 0, 0], + "200": [0, "getgid32", 0, 0], + "201": [0, "geteuid32", 0, 0], + "202": [0, "getegid32", 0, 0], + "203": [2, "setreuid32", 0, 0], + "204": [2, "setregid32", 0, 0], + "205": [2, "getgroups32", 0, 0], + "206": [2, "setgroups32", 0, 0], + "207": [3, "fchown32", 0, 0], + "208": [3, "setresuid32", 0, 0], + "209": [3, "getresuid32", 0, 0], + "210": [3, "setresgid32", 0, 0], + "211": [3, "getresgid32", 0, 0], + "212": [3, "chown32", 0, 0], + "213": [1, "setuid32", 0, 0], + "214": [1, "setgid32", 0, 0], + "215": [1, "setfsuid32", 0, 0], + "216": [1, "setfsgid32", 0, 0], + "217": [3, "getdents64", 0, 0], + "218": [2, "pivot_root", 0, 0], + "219": [3, "mincore", 0, 0], + "220": [3, "madvise", 0, 0], + "221": [3, "fcntl64", 0, 0], + "224": [0, "gettid", 0, 0], + "225": [5, "readahead", 0, 0], + "226": [5, "setxattr", 0, 0], + "227": [5, "lsetxattr", 0, 0], + "228": [5, "fsetxattr", 0, 0], + "229": [4, "getxattr", 0, 0], + "230": [4, "lgetxattr", 0, 0], + "231": [4, "fgetxattr", 0, 0], + "232": [3, "listxattr", 0, 0], + "233": [3, "llistxattr", 0, 0], + "234": [3, "flistxattr", 0, 0], + "235": [2, "removexattr", 0, 0], + "236": [2, "lremovexattr", 0, 0], + "237": [2, "fremovexattr", 0, 0], + "238": [2, "tkill", 0, 0], + "239": [4, "sendfile64", 0, 0], + "240": [6, "futex", 0, 0], + "241": [3, "sched_setaffinity", 0, 0], + "242": [3, "sched_getaffinity", 0, 0], + "243": [2, "io_setup", 0, 0], + "244": [1, "io_destroy", 0, 0], + "245": [5, "io_getevents", 0, 0], + "246": [3, "io_submit", 0, 0], + "247": [3, "io_cancel", 0, 0], + "248": [1, "exit_group", 0, 0], + "249": [4, "lookup_dcookie", 0, 0], + "250": [1, "epoll_create", 0, 0], + "251": [4, "epoll_ctl", 0, 0], + "252": [4, "epoll_wait", 0, 0], + "253": [5, "remap_file_pages", 0, 0], + "256": [1, "set_tid_address", 0, 0], + "257": [3, "timer_create", 0, 0], + "258": [4, "timer_settime", 0, 0], + "259": [2, 
"timer_gettime", 0, 0], + "260": [1, "timer_getoverrun", 0, 0], + "261": [1, "timer_delete", 0, 0], + "262": [2, "clock_settime", 0, 0], + "263": [2, "clock_gettime", 0, 0], + "264": [2, "clock_getres", 0, 0], + "265": [4, "clock_nanosleep", 0, 0], + "266": [3, "statfs64", 0, 0], + "267": [3, "fstatfs64", 0, 0], + "268": [3, "tgkill", 0, 0], + "269": [2, "utimes", 0, 0], + "270": [6, "fadvise64_64", 0, 0], + "271": [3, "pciconfig_iobase", 0, 0], + "272": [5, "pciconfig_read", 0, 0], + "273": [5, "pciconfig_write", 0, 0], + "274": [4, "mq_open", 0, 0], + "275": [1, "mq_unlink", 0, 0], + "276": [5, "mq_timedsend", 0, 0], + "277": [5, "mq_timedreceive", 0, 0], + "278": [2, "mq_notify", 0, 0], + "279": [3, "mq_getsetattr", 0, 0], + "280": [5, "waitid", 0, 0], + "281": [3, "socket", 0, 0], + "282": [3, "bind", 0, 0], + "283": [3, "connect", 0, 0], + "284": [2, "listen", 0, 0], + "285": [3, "accept", 0, 0], + "286": [3, "getsockname", 0, 0], + "287": [3, "getpeername", 0, 0], + "288": [4, "socketpair", 0, 0], + "289": [4, "send", 0, 0], + "290": [6, "sendto", 0, 0], + "291": [4, "recv", 0, 0], + "292": [6, "recvfrom", 0, 0], + "293": [2, "shutdown", 0, 0], + "294": [5, "setsockopt", 0, 0], + "295": [5, "getsockopt", 0, 0], + "296": [3, "sendmsg", 0, 0], + "297": [3, "recvmsg", 0, 0], + "298": [3, "semop", 0, 0], + "299": [3, "semget", 0, 0], + "300": [4, "semctl", 0, 0], + "301": [4, "msgsnd", 0, 0], + "302": [5, "msgrcv", 0, 0], + "303": [2, "msgget", 0, 0], + "304": [3, "msgctl", 0, 0], + "305": [3, "shmat", 0, 0], + "306": [1, "shmdt", 0, 0], + "307": [3, "shmget", 0, 0], + "308": [3, "shmctl", 0, 0], + "309": [5, "add_key", 0, 0], + "310": [4, "request_key", 0, 0], + "311": [5, "keyctl", 0, 0], + "312": [4, "semtimedop", 0, 0], + "313": [5, "vserver", 0, 0], + "314": [3, "ioprio_set", 0, 0], + "315": [2, "ioprio_get", 0, 0], + "316": [0, "inotify_init", 0, 0], + "317": [3, "inotify_add_watch", 0, 0], + "318": [2, "inotify_rm_watch", 0, 0], + "319": [6, "mbind", 0, 
0], + "320": [5, "get_mempolicy", 0, 0], + "321": [3, "set_mempolicy", 0, 0], + "322": [4, "openat", 2, 0], + "323": [3, "mkdirat", 2, 0], + "324": [4, "mknodat", 2, 0], + "325": [5, "fchownat", 2, 0], + "326": [3, "futimesat", 2, 0], + "327": [4, "fstatat64", 2, 0], + "328": [3, "unlinkat", 2, 0], + "329": [4, "renameat", 10, 0], + "330": [5, "linkat", 10, 0], + "331": [3, "symlinkat", 5, 0], + "332": [4, "readlinkat", 2, 4], + "333": [3, "fchmodat", 2, 0], + "334": [3, "faccessat", 2, 0], + "335": [6, "pselect6", 0, 0], + "336": [5, "ppoll", 0, 0], + "337": [1, "unshare", 0, 0], + "338": [2, "set_robust_list", 0, 0], + "339": [3, "get_robust_list", 0, 0], + "340": [6, "splice", 0, 0], + "341": [6, "sync_file_range2", 0, 0], + "342": [4, "tee", 0, 0], + "343": [4, "vmsplice", 0, 0], + "344": [6, "move_pages", 0, 0], + "345": [3, "getcpu", 0, 0], + "346": [6, "epoll_pwait", 0, 0], + "347": [4, "kexec_load", 0, 0], + "348": [4, "utimensat", 0, 0], + "349": [3, "signalfd", 0, 0], + "350": [2, "timerfd_create", 0, 0], + "351": [1, "eventfd", 0, 0], + "352": [6, "fallocate", 0, 0], + "353": [4, "timerfd_settime", 0, 0], + "354": [2, "timerfd_gettime", 0, 0], + "355": [4, "signalfd4", 0, 0], + "356": [2, "eventfd2", 0, 0], + "357": [1, "epoll_create1", 0, 0], + "358": [3, "dup3", 0, 0], + "359": [2, "pipe2", 0, 0], + "360": [1, "inotify_init1", 0, 0], + "361": [5, "preadv", 0, 0], + "362": [5, "pwritev", 0, 0], + "363": [4, "rt_tgsigqueueinfo", 0, 0], + "364": [5, "perf_event_open", 0, 0], + "365": [5, "recvmmsg", 0, 0], + "366": [4, "accept4", 0, 0], + "367": [2, "fanotify_init", 0, 0], + "368": [6, "fanotify_mark", 0, 0], + "369": [4, "prlimit64", 0, 0], + "370": [5, "name_to_handle_at", 0, 0], + "371": [3, "open_by_handle_at", 0, 0], + "372": [2, "clock_adjtime", 0, 0], + "373": [1, "syncfs", 0, 0], + "374": [4, "sendmmsg", 0, 0], + "375": [2, "setns", 0, 0], + "376": [6, "process_vm_readv", 0, 0], + "377": [6, "process_vm_writev", 0, 0], + "378": [5, "kcmp", 0, 0], 
+ "379": [3, "finit_module", 0, 0], + "380": [3, "sched_setattr", 0, 0], + "381": [4, "sched_getattr", 0, 0], + "382": [5, "renameat2", 10, 0], + "383": [3, "seccomp", 0, 0], + "384": [3, "getrandom", 0, 0], + "385": [2, "memfd_create", 1, 0], + "386": [3, "bpf", 0, 0], + "387": [5, "execveat", 14, 0], + "388": [1, "userfaultfd", 0, 0], + "389": [3, "membarrier", 0, 0], + "390": [3, "mlock2", 0, 0], + "391": [6, "copy_file_range", 0, 0], + "392": [6, "preadv2", 0, 0], + "393": [6, "pwritev2", 0, 0], + "394": [4, "pkey_mprotect", 0, 0], + "395": [2, "pkey_alloc", 0, 0], + "396": [1, "pkey_free", 0, 0], + "397": [5, "statx", 0, 0], + "398": [4, "rseq", 0, 0], + "399": [6, "io_pgetevents", 0, 0], + "400": [4, "migrate_pages", 0, 0], + "401": [5, "kexec_file_load", 0, 0], + "983041": [0, "breakpoint", 0, 0], + "983042": [3, "cacheflush", 0, 0], + "983043": [0, "usr26", 0, 0], + "983044": [0, "usr32", 0, 0], + "983045": [1, "set_tls", 0, 0], + "983046": [0, "get_tls", 0, 0] } \ No newline at end of file diff --git a/app/config/table64.json b/app/config/table64.json index 28a77ca..e2d49e7 100644 --- a/app/config/table64.json +++ b/app/config/table64.json 
@@ -1,281 +1,281 @@ { - "0": [2, "io_setup", 0], - "1": [1, "io_destroy", 0], - "2": [3, "io_submit", 0], - "3": [3, "io_cancel", 0], - "4": [5, "io_getevents", 0], - "5": [5, "setxattr", 0], - "6": [5, "lsetxattr", 0], - "7": [5, "fsetxattr", 0], - "8": [4, "getxattr", 0], - "9": [4, "lgetxattr", 0], - "10": [4, "fgetxattr", 0], - "11": [3, "listxattr", 0], - "12": [3, "llistxattr", 0], - "13": [3, "flistxattr", 0], - "14": [2, "removexattr", 0], - "15": [2, "lremovexattr", 0], - "16": [2, "fremovexattr", 0], - "17": [2, "getcwd", 0], - "18": [3, "lookup_dcookie", 0], - "19": [2, "eventfd2", 0], - "20": [1, "epoll_create1", 0], - "21": [4, "epoll_ctl", 0], - "22": [6, "epoll_pwait", 0], - "23": [1, "dup", 0], - "24": [3, "dup3", 0], - "25": [3, "fcntl", 0], - "26": [1, "inotify_init1", 0], - "27": [3, "inotify_add_watch", 0], - "28": [2, "inotify_rm_watch", 0], - "29": [3, "ioctl", 0], - "30": [3, "ioprio_set", 0], - "31": [2, "ioprio_get", 0], - "32": [2, "flock", 0], - "33": [4, "mknodat", 2], - "34": [3, "mkdirat", 2], - "35": [3, "unlinkat", 2], - "36": [3, "symlinkat", 10], - "37": [5, "linkat", 10], - "38": [4, "renameat", 10], - "39": [2, "umount2", 1], - "40": [5, "mount", 11], - "41": [2, "pivot_root", 0], - "42": [3, "nfsservctl", 0], - "43": [2, "statfs", 1], - "44": [2, "fstatfs", 0], - "45": [2, "truncate", 1], - "46": [2, "ftruncate", 0], - "47": [4, "fallocate", 0], - "48": [3, "faccessat", 2], - "49": [1, "chdir", 1], - "50": [1, "fchdir", 0], - "51": [1, "chroot", 1], - "52": [2, "fchmod", 0], - "53": [3, "fchmodat", 2], - "54": [5, "fchownat", 2], - "55": [3, "fchown", 0], - "56": [4, "openat", 2], - "57": [1, "close", 0], - "58": [0, "vhangup", 0], - "59": [2, "pipe2", 0], - "60": [4, "quotactl", 0], - "61": [3, "getdents64", 0], - "62": [3, "lseek", 0], - "63": [3, "read", 0], - "64": [3, "write", 0], - "65": [3, "readv", 0], - "66": [3, "writev", 0], - "67": [4, "pread64", 0], - "68": [4, "pwrite64", 0], - "69": [4, "preadv", 0], - "70": [4, 
"pwritev", 0], - "71": [4, "sendfile", 0], - "72": [6, "pselect6", 0], - "73": [5, "ppoll", 0], - "74": [4, "signalfd4", 0], - "75": [4, "vmsplice", 0], - "76": [6, "splice", 0], - "77": [4, "tee", 0], - "78": [4, "readlinkat", 2], - "79": [4, "newfstatat", 2], - "80": [2, "fstat", 0], - "81": [0, "sync", 0], - "82": [1, "fsync", 0], - "83": [1, "fdatasync", 0], - "84": [4, "sync_file_range", 0], - "85": [2, "timerfd_create", 0], - "86": [4, "timerfd_settime", 0], - "87": [2, "timerfd_gettime", 0], - "88": [4, "utimensat", 0], - "89": [1, "acct", 0], - "90": [2, "capget", 0], - "91": [2, "capset", 0], - "92": [1, "personality", 0], - "93": [1, "exit", 0], - "94": [1, "exit_group", 0], - "95": [5, "waitid", 0], - "96": [1, "set_tid_address", 0], - "97": [1, "unshare", 0], - "98": [6, "futex", 0], - "99": [2, "set_robust_list", 0], - "100": [3, "get_robust_list", 0], - "101": [2, "nanosleep", 0], - "102": [2, "getitimer", 0], - "103": [3, "setitimer", 0], - "104": [4, "kexec_load", 0], - "105": [3, "init_module", 0], - "106": [2, "delete_module", 0], - "107": [3, "timer_create", 0], - "108": [2, "timer_gettime", 0], - "109": [1, "timer_getoverrun", 0], - "110": [4, "timer_settime", 0], - "111": [1, "timer_delete", 0], - "112": [2, "clock_settime", 0], - "113": [2, "clock_gettime", 0], - "114": [2, "clock_getres", 0], - "115": [4, "clock_nanosleep", 0], - "116": [3, "syslog", 0], - "117": [4, "ptrace", 0], - "118": [2, "sched_setparam", 0], - "119": [3, "sched_setscheduler", 0], - "120": [1, "sched_getscheduler", 0], - "121": [2, "sched_getparam", 0], - "122": [3, "sched_setaffinity", 0], - "123": [3, "sched_getaffinity", 0], - "124": [0, "sched_yield", 0], - "125": [1, "sched_get_priority_max", 0], - "126": [1, "sched_get_priority_min", 0], - "127": [2, "sched_rr_get_interval", 0], - "128": [0, "restart_syscall", 0], - "129": [2, "kill", 0], - "130": [2, "tkill", 0], - "131": [3, "tgkill", 0], - "132": [2, "sigaltstack", 0], - "133": [2, "rt_sigsuspend", 0], - "134": 
[4, "rt_sigaction", 0], - "135": [4, "rt_sigprocmask", 0], - "136": [2, "rt_sigpending", 0], - "137": [4, "rt_sigtimedwait", 0], - "138": [3, "rt_sigqueueinfo", 0], - "139": [0, "rt_sigreturn", 0], - "140": [3, "setpriority", 0], - "141": [2, "getpriority", 0], - "142": [4, "reboot", 0], - "143": [2, "setregid", 0], - "144": [1, "setgid", 0], - "145": [2, "setreuid", 0], - "146": [1, "setuid", 0], - "147": [3, "setresuid", 0], - "148": [3, "getresuid", 0], - "149": [3, "setresgid", 0], - "150": [3, "getresgid", 0], - "151": [1, "setfsuid", 0], - "152": [1, "setfsgid", 0], - "153": [1, "times", 0], - "154": [2, "setpgid", 0], - "155": [1, "getpgid", 0], - "156": [1, "getsid", 0], - "157": [0, "setsid", 0], - "158": [2, "getgroups", 0], - "159": [2, "setgroups", 0], - "160": [1, "uname", 0], - "161": [2, "sethostname", 0], - "162": [2, "setdomainname", 0], - "163": [2, "getrlimit", 0], - "164": [2, "setrlimit", 0], - "165": [2, "getrusage", 0], - "166": [1, "umask", 0], - "167": [5, "prctl", 0], - "168": [3, "getcpu", 0], - "169": [2, "gettimeofday", 0], - "170": [2, "settimeofday", 0], - "171": [1, "adjtimex", 0], - "172": [0, "getpid", 0], - "173": [0, "getppid", 0], - "174": [0, "getuid", 0], - "175": [0, "geteuid", 0], - "176": [0, "getgid", 0], - "177": [0, "getegid", 0], - "178": [0, "gettid", 0], - "179": [1, "sysinfo", 0], - "180": [4, "mq_open", 1], - "181": [1, "mq_unlink", 0], - "182": [5, "mq_timedsend", 0], - "183": [5, "mq_timedreceive", 0], - "184": [2, "mq_notify", 0], - "185": [3, "mq_getsetattr", 0], - "186": [2, "msgget", 0], - "187": [3, "msgctl", 0], - "188": [5, "msgrcv", 0], - "189": [4, "msgsnd", 0], - "190": [3, "semget", 0], - "191": [4, "semctl", 0], - "192": [4, "semtimedop", 0], - "193": [3, "semop", 0], - "194": [3, "shmget", 0], - "195": [3, "shmctl", 0], - "196": [3, "shmat", 0], - "197": [1, "shmdt", 0], - "198": [3, "socket", 0], - "199": [4, "socketpair", 0], - "200": [3, "bind", 0], - "201": [2, "listen", 0], - "202": [3, "accept", 
0], - "203": [3, "connect", 0], - "204": [3, "getsockname", 0], - "205": [3, "getpeername", 0], - "206": [6, "sendto", 0], - "207": [6, "recvfrom", 0], - "208": [5, "setsockopt", 0], - "209": [5, "getsockopt", 0], - "210": [2, "shutdown", 0], - "211": [3, "sendmsg", 0], - "212": [3, "recvmsg", 0], - "213": [3, "readahead", 0], - "214": [1, "brk", 0], - "215": [2, "munmap", 0], - "216": [5, "mremap", 0], - "217": [5, "add_key", 0], - "218": [4, "request_key", 0], - "219": [5, "keyctl", 0], - "220": [5, "clone", 0], - "221": [3, "execve", 1], - "222": [6, "mmap", 0], - "223": [4, "fadvise64", 0], - "224": [2, "swapon", 0], - "225": [1, "swapoff", 0], - "226": [3, "mprotect", 0], - "227": [3, "msync", 0], - "228": [2, "mlock", 0], - "229": [2, "munlock", 0], - "230": [1, "mlockall", 0], - "231": [0, "munlockall", 0], - "232": [3, "mincore", 0], - "233": [3, "madvise", 0], - "234": [5, "remap_file_pages", 0], - "235": [6, "mbind", 0], - "236": [5, "get_mempolicy", 0], - "237": [3, "set_mempolicy", 0], - "238": [4, "migrate_pages", 0], - "239": [6, "move_pages", 0], - "240": [4, "rt_tgsigqueueinfo", 0], - "241": [5, "perf_event_open", 0], - "242": [4, "accept4", 0], - "243": [5, "recvmmsg", 0], - "260": [4, "wait4", 0], - "261": [4, "prlimit64", 0], - "262": [2, "fanotify_init", 0], - "263": [5, "fanotify_mark", 0], - "264": [5, "name_to_handle_at", 0], - "265": [3, "open_by_handle_at", 0], - "266": [2, "clock_adjtime", 0], - "267": [1, "syncfs", 0], - "268": [2, "setns", 0], - "269": [4, "sendmmsg", 0], - "270": [6, "process_vm_readv", 0], - "271": [6, "process_vm_writev", 0], - "272": [5, "kcmp", 0], - "273": [3, "finit_module", 0], - "274": [3, "sched_setattr", 0], - "275": [4, "sched_getattr", 0], - "276": [5, "renameat2", 10], - "277": [3, "seccomp", 0], - "278": [3, "getrandom", 0], - "279": [2, "memfd_create", 1], - "280": [3, "bpf", 0], - "281": [5, "execveat", 14], - "282": [1, "userfaultfd", 0], - "283": [3, "membarrier", 0], - "284": [3, "mlock2", 0], - 
"285": [6, "copy_file_range", 0], - "286": [6, "preadv2", 0], - "287": [6, "pwritev2", 0], - "288": [4, "pkey_mprotect", 0], - "289": [2, "pkey_alloc", 0], - "290": [1, "pkey_free", 0], - "291": [5, "statx", 0], - "292": [6, "io_pgetevents", 0], - "293": [4, "rseq", 0], - "294": [5, "kexec_file_load", 0] + "0": [2, "io_setup", 0, 0], + "1": [1, "io_destroy", 0, 0], + "2": [3, "io_submit", 0, 0], + "3": [3, "io_cancel", 0, 0], + "4": [5, "io_getevents", 0, 0], + "5": [5, "setxattr", 0, 0], + "6": [5, "lsetxattr", 0, 0], + "7": [5, "fsetxattr", 0, 0], + "8": [4, "getxattr", 0, 0], + "9": [4, "lgetxattr", 0, 0], + "10": [4, "fgetxattr", 0, 0], + "11": [3, "listxattr", 0, 0], + "12": [3, "llistxattr", 0, 0], + "13": [3, "flistxattr", 0, 0], + "14": [2, "removexattr", 0, 0], + "15": [2, "lremovexattr", 0, 0], + "16": [2, "fremovexattr", 0, 0], + "17": [2, "getcwd", 0, 0], + "18": [3, "lookup_dcookie", 0, 0], + "19": [2, "eventfd2", 0, 0], + "20": [1, "epoll_create1", 0, 0], + "21": [4, "epoll_ctl", 0, 0], + "22": [6, "epoll_pwait", 0, 0], + "23": [1, "dup", 0, 0], + "24": [3, "dup3", 0, 0], + "25": [3, "fcntl", 0, 0], + "26": [1, "inotify_init1", 0, 0], + "27": [3, "inotify_add_watch", 0, 0], + "28": [2, "inotify_rm_watch", 0, 0], + "29": [3, "ioctl", 0, 0], + "30": [3, "ioprio_set", 0, 0], + "31": [2, "ioprio_get", 0, 0], + "32": [2, "flock", 0, 0], + "33": [4, "mknodat", 2, 0], + "34": [3, "mkdirat", 2, 0], + "35": [3, "unlinkat", 2, 0], + "36": [3, "symlinkat", 10, 0], + "37": [5, "linkat", 10, 0], + "38": [4, "renameat", 10, 0], + "39": [2, "umount2", 1, 0], + "40": [5, "mount", 11, 0], + "41": [2, "pivot_root", 0, 0], + "42": [3, "nfsservctl", 0, 0], + "43": [2, "statfs", 1, 0], + "44": [2, "fstatfs", 0, 0], + "45": [2, "truncate", 1, 0], + "46": [2, "ftruncate", 0, 0], + "47": [4, "fallocate", 0, 0], + "48": [3, "faccessat", 2, 0], + "49": [1, "chdir", 1, 0], + "50": [1, "fchdir", 0, 0], + "51": [1, "chroot", 1, 0], + "52": [2, "fchmod", 0, 0], + "53": [3, 
"fchmodat", 2, 0], + "54": [5, "fchownat", 2, 0], + "55": [3, "fchown", 0, 0], + "56": [4, "openat", 2, 0], + "57": [1, "close", 0, 0], + "58": [0, "vhangup", 0, 0], + "59": [2, "pipe2", 0, 0], + "60": [4, "quotactl", 0, 0], + "61": [3, "getdents64", 0, 0], + "62": [3, "lseek", 0, 0], + "63": [3, "read", 0, 0], + "64": [3, "write", 0, 0], + "65": [3, "readv", 0, 0], + "66": [3, "writev", 0, 0], + "67": [4, "pread64", 0, 0], + "68": [4, "pwrite64", 0, 0], + "69": [4, "preadv", 0, 0], + "70": [4, "pwritev", 0, 0], + "71": [4, "sendfile", 0, 0], + "72": [6, "pselect6", 0, 0], + "73": [5, "ppoll", 0, 0], + "74": [4, "signalfd4", 0, 0], + "75": [4, "vmsplice", 0, 0], + "76": [6, "splice", 0, 0], + "77": [4, "tee", 0, 0], + "78": [4, "readlinkat", 2, 4], + "79": [4, "newfstatat", 2, 0], + "80": [2, "fstat", 0, 0], + "81": [0, "sync", 0, 0], + "82": [1, "fsync", 0, 0], + "83": [1, "fdatasync", 0, 0], + "84": [4, "sync_file_range", 0, 0], + "85": [2, "timerfd_create", 0, 0], + "86": [4, "timerfd_settime", 0, 0], + "87": [2, "timerfd_gettime", 0, 0], + "88": [4, "utimensat", 0, 0], + "89": [1, "acct", 0, 0], + "90": [2, "capget", 0, 0], + "91": [2, "capset", 0, 0], + "92": [1, "personality", 0, 0], + "93": [1, "exit", 0, 0], + "94": [1, "exit_group", 0, 0], + "95": [5, "waitid", 0, 0], + "96": [1, "set_tid_address", 0, 0], + "97": [1, "unshare", 0, 0], + "98": [6, "futex", 0, 0], + "99": [2, "set_robust_list", 0, 0], + "100": [3, "get_robust_list", 0, 0], + "101": [2, "nanosleep", 0, 0], + "102": [2, "getitimer", 0, 0], + "103": [3, "setitimer", 0, 0], + "104": [4, "kexec_load", 0, 0], + "105": [3, "init_module", 0, 0], + "106": [2, "delete_module", 0, 0], + "107": [3, "timer_create", 0, 0], + "108": [2, "timer_gettime", 0, 0], + "109": [1, "timer_getoverrun", 0, 0], + "110": [4, "timer_settime", 0, 0], + "111": [1, "timer_delete", 0, 0], + "112": [2, "clock_settime", 0, 0], + "113": [2, "clock_gettime", 0, 0], + "114": [2, "clock_getres", 0, 0], + "115": [4, 
"clock_nanosleep", 0, 0], + "116": [3, "syslog", 0, 0], + "117": [4, "ptrace", 0, 0], + "118": [2, "sched_setparam", 0, 0], + "119": [3, "sched_setscheduler", 0, 0], + "120": [1, "sched_getscheduler", 0, 0], + "121": [2, "sched_getparam", 0, 0], + "122": [3, "sched_setaffinity", 0, 0], + "123": [3, "sched_getaffinity", 0, 0], + "124": [0, "sched_yield", 0, 0], + "125": [1, "sched_get_priority_max", 0, 0], + "126": [1, "sched_get_priority_min", 0, 0], + "127": [2, "sched_rr_get_interval", 0, 0], + "128": [0, "restart_syscall", 0, 0], + "129": [2, "kill", 0, 0], + "130": [2, "tkill", 0, 0], + "131": [3, "tgkill", 0, 0], + "132": [2, "sigaltstack", 0, 0], + "133": [2, "rt_sigsuspend", 0, 0], + "134": [4, "rt_sigaction", 0, 0], + "135": [4, "rt_sigprocmask", 0, 0], + "136": [2, "rt_sigpending", 0, 0], + "137": [4, "rt_sigtimedwait", 0, 0], + "138": [3, "rt_sigqueueinfo", 0, 0], + "139": [0, "rt_sigreturn", 0, 0], + "140": [3, "setpriority", 0, 0], + "141": [2, "getpriority", 0, 0], + "142": [4, "reboot", 0, 0], + "143": [2, "setregid", 0, 0], + "144": [1, "setgid", 0, 0], + "145": [2, "setreuid", 0, 0], + "146": [1, "setuid", 0, 0], + "147": [3, "setresuid", 0, 0], + "148": [3, "getresuid", 0, 0], + "149": [3, "setresgid", 0, 0], + "150": [3, "getresgid", 0, 0], + "151": [1, "setfsuid", 0, 0], + "152": [1, "setfsgid", 0, 0], + "153": [1, "times", 0, 0], + "154": [2, "setpgid", 0, 0], + "155": [1, "getpgid", 0, 0], + "156": [1, "getsid", 0, 0], + "157": [0, "setsid", 0, 0], + "158": [2, "getgroups", 0, 0], + "159": [2, "setgroups", 0, 0], + "160": [1, "uname", 0, 0], + "161": [2, "sethostname", 0, 0], + "162": [2, "setdomainname", 0, 0], + "163": [2, "getrlimit", 0, 0], + "164": [2, "setrlimit", 0, 0], + "165": [2, "getrusage", 0, 0], + "166": [1, "umask", 0, 0], + "167": [5, "prctl", 0, 0], + "168": [3, "getcpu", 0, 0], + "169": [2, "gettimeofday", 0, 0], + "170": [2, "settimeofday", 0, 0], + "171": [1, "adjtimex", 0, 0], + "172": [0, "getpid", 0, 0], + "173": [0, 
"getppid", 0, 0], + "174": [0, "getuid", 0, 0], + "175": [0, "geteuid", 0, 0], + "176": [0, "getgid", 0, 0], + "177": [0, "getegid", 0, 0], + "178": [0, "gettid", 0, 0], + "179": [1, "sysinfo", 0, 0], + "180": [4, "mq_open", 1, 0], + "181": [1, "mq_unlink", 0, 0], + "182": [5, "mq_timedsend", 0, 0], + "183": [5, "mq_timedreceive", 0, 0], + "184": [2, "mq_notify", 0, 0], + "185": [3, "mq_getsetattr", 0, 0], + "186": [2, "msgget", 0, 0], + "187": [3, "msgctl", 0, 0], + "188": [5, "msgrcv", 0, 0], + "189": [4, "msgsnd", 0, 0], + "190": [3, "semget", 0, 0], + "191": [4, "semctl", 0, 0], + "192": [4, "semtimedop", 0, 0], + "193": [3, "semop", 0, 0], + "194": [3, "shmget", 0, 0], + "195": [3, "shmctl", 0, 0], + "196": [3, "shmat", 0, 0], + "197": [1, "shmdt", 0, 0], + "198": [3, "socket", 0, 0], + "199": [4, "socketpair", 0, 0], + "200": [3, "bind", 0, 0], + "201": [2, "listen", 0, 0], + "202": [3, "accept", 0, 0], + "203": [3, "connect", 0, 0], + "204": [3, "getsockname", 0, 0], + "205": [3, "getpeername", 0, 0], + "206": [6, "sendto", 0, 0], + "207": [6, "recvfrom", 0, 0], + "208": [5, "setsockopt", 0, 0], + "209": [5, "getsockopt", 0, 0], + "210": [2, "shutdown", 0, 0], + "211": [3, "sendmsg", 0, 0], + "212": [3, "recvmsg", 0, 0], + "213": [3, "readahead", 0, 0], + "214": [1, "brk", 0, 0], + "215": [2, "munmap", 0, 0], + "216": [5, "mremap", 0, 0], + "217": [5, "add_key", 0, 0], + "218": [4, "request_key", 0, 0], + "219": [5, "keyctl", 0, 0], + "220": [5, "clone", 0, 0], + "221": [3, "execve", 1, 0], + "222": [6, "mmap", 0, 0], + "223": [4, "fadvise64", 0, 0], + "224": [2, "swapon", 0, 0], + "225": [1, "swapoff", 0, 0], + "226": [3, "mprotect", 0, 0], + "227": [3, "msync", 0, 0], + "228": [2, "mlock", 0, 0], + "229": [2, "munlock", 0, 0], + "230": [1, "mlockall", 0, 0], + "231": [0, "munlockall", 0, 0], + "232": [3, "mincore", 0, 0], + "233": [3, "madvise", 0, 0], + "234": [5, "remap_file_pages", 0, 0], + "235": [6, "mbind", 0, 0], + "236": [5, "get_mempolicy", 0, 0], 
+ "237": [3, "set_mempolicy", 0, 0], + "238": [4, "migrate_pages", 0, 0], + "239": [6, "move_pages", 0, 0], + "240": [4, "rt_tgsigqueueinfo", 0, 0], + "241": [5, "perf_event_open", 0, 0], + "242": [4, "accept4", 0, 0], + "243": [5, "recvmmsg", 0, 0], + "260": [4, "wait4", 0, 0], + "261": [4, "prlimit64", 0, 0], + "262": [2, "fanotify_init", 0, 0], + "263": [5, "fanotify_mark", 0, 0], + "264": [5, "name_to_handle_at", 0, 0], + "265": [3, "open_by_handle_at", 0, 0], + "266": [2, "clock_adjtime", 0, 0], + "267": [1, "syncfs", 0, 0], + "268": [2, "setns", 0, 0], + "269": [4, "sendmmsg", 0, 0], + "270": [6, "process_vm_readv", 0, 0], + "271": [6, "process_vm_writev", 0, 0], + "272": [5, "kcmp", 0, 0], + "273": [3, "finit_module", 0, 0], + "274": [3, "sched_setattr", 0, 0], + "275": [4, "sched_getattr", 0, 0], + "276": [5, "renameat2", 10, 0], + "277": [3, "seccomp", 0, 0], + "278": [3, "getrandom", 0, 0], + "279": [2, "memfd_create", 1, 0], + "280": [3, "bpf", 0, 0], + "281": [5, "execveat", 14, 0], + "282": [1, "userfaultfd", 0, 0], + "283": [3, "membarrier", 0, 0], + "284": [3, "mlock2", 0, 0], + "285": [6, "copy_file_range", 0, 0], + "286": [6, "preadv2", 0, 0], + "287": [6, "pwritev2", 0, 0], + "288": [4, "pkey_mprotect", 0, 0], + "289": [2, "pkey_alloc", 0, 0], + "290": [1, "pkey_free", 0, 0], + "291": [5, "statx", 0, 0], + "292": [6, "io_pgetevents", 0, 0], + "293": [4, "rseq", 0, 0], + "294": [5, "kexec_file_load", 0, 0] } \ No newline at end of file diff --git a/app/module/module.go b/app/module/module.go index fb90264..6804dde 100644 --- a/app/module/module.go +++ b/app/module/module.go 
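Review bot: The `symlinkat` row, `"36": [3, "symlinkat", 10, 0]`, carries an argument mask that does not fit a three-argument call: 10 sets bits 1 and 3, while table32.json in this same commit uses 5 (bits 0 and 2) for `symlinkat`. If the mask marks string arguments, as the `arg_mask->mask & (1 << i)` test in raw_syscalls.c suggests, the 64-bit tracer would try to read a string from the directory fd and from a fourth argument that does not exist, and both path strings would be missing from the output. I would change the row to `"36": [3, "symlinkat", 5, 0]`. The only non-zero return mask added here, `readlinkat` with 4 (argument 2, the output buffer), looks right.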
@@ -82,9 +82,10 @@ func (this *Module) Run() error { json.Unmarshal(table_buffer, &tmp_config) for nr, config_arr := range tmp_config { table_config := config.TableConfig{ - Count: uint32(config_arr[0].(float64)), - Name: config_arr[1].(string), - Mask: uint32(config_arr[2].(float64)), + Count: uint32(config_arr[0].(float64)), + Name: config_arr[1].(string), + Mask: uint32(config_arr[2].(float64)), + RetMask: uint32(config_arr[3].(float64)), } this.systable_config[nr] = table_config } @@ -146,6 +147,14 @@ func (this *Module) Run() error { nr_key, _ := strconv.ParseUint(nr, 10, 32) argMaskMap.Update(unsafe.Pointer(&nr_key), unsafe.Pointer(&table_config.Mask), ebpf.UpdateAny) } + argRetMaskMap, found, err := this.bpfManager.GetMap("arg_ret_mask_map") + if !found { + return errors.New("cannot find arg_ret_mask_map") + } + for nr, table_config := range this.systable_config { + nr_key, _ := strconv.ParseUint(nr, 10, 32) + argRetMaskMap.Update(unsafe.Pointer(&nr_key), unsafe.Pointer(&table_config.RetMask), ebpf.UpdateAny) + } filterMap, found, err := this.bpfManager.GetMap("filter_map") if !found { 
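Review bot: The added `RetMask: uint32(config_arr[3].(float64))` indexes a fourth element and type-asserts it with no check, so a table entry still in the old three-element form, or one holding a non-number, panics at startup instead of giving a usable message. The error from `json.Unmarshal` on the context line above is also dropped, so a malformed table reaches this loop unreported. I would validate before building the struct, e.g. `if len(config_arr) < 4 { return fmt.Errorf("syscall table entry %s: want 4 fields, got %d", nr, len(config_arr)) }`, and use the two-value form `v, ok := config_arr[3].(float64)`. Run() starts and ends outside this hunk.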
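Review bot: In the added `arg_ret_mask_map` block, `err` from `GetMap` is assigned but never checked, and the results of `strconv.ParseUint` and `argRetMaskMap.Update` are discarded, so a failed update leaves the kernel side without return masks and nothing is reported. I would return the error, e.g. `if err := argRetMaskMap.Update(unsafe.Pointer(&nr_key), unsafe.Pointer(&table_config.RetMask), ebpf.UpdateAny); err != nil { return err }`. `nr_key` is also a `uint64` while raw_syscalls.c declares the map key as `u32`, so passing its address only yields the intended key on a little-endian host; converting to `uint32` first would make that explicit. The `arg_mask_map` loop on the context lines above has the same pattern, and Run() starts and ends outside this hunk.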
@@ -275,28 +284,39 @@ func (this *Module) Decode(em *ebpf.Map, payload []byte) (event event.SyscallDat if err = binary.Read(buf, binary.LittleEndian, &data.arg_str); err != nil { return } - base_str := fmt.Sprintf("[%s] type:%d pid:%d tid:%d nr:%s", bytes.TrimSpace(bytes.Trim(data.comm[:], "\x00")), data.mtype, data.pid, data.tid, this.ReadNR(*data)) + var base_str string + if this.conf.Debug { + base_str = fmt.Sprintf("[%s] type:%d pid:%d tid:%d nr:%s", bytes.TrimSpace(bytes.Trim(data.comm[:], "\x00")), data.mtype, data.pid, data.tid, this.ReadNR(*data)) + } else { + base_str = fmt.Sprintf("[%s] pid:%d tid:%d nr:%s", bytes.TrimSpace(bytes.Trim(data.comm[:], "\x00")), data.pid, data.tid, this.ReadNR(*data)) + } + // type 和数据发送的顺序相关 switch data.mtype { case 1: + // --getlr 和 --getpc 建议只使用其中一个 if this.conf.GetLR { info, err := this.ParseLR(*data) if err != nil { this.logger.Printf("ParseLR err:%v\n", err) } - this.logger.Printf("%s %s LR:%s\n", base_str, this.ReadArgs(*data), info) - } else if this.conf.GetPC { + this.logger.Printf("%s LR:0x%x Info:\n%s\n", base_str, data.lr, info) + } + if this.conf.GetPC { info, err := this.ParsePC(*data) if err != nil { this.logger.Printf("ParsePC err:%v\n", err) } - this.logger.Printf("%s %s PC:%s\n", base_str, this.ReadArgs(*data), info) - } else { - this.logger.Printf("%s %s\n", base_str, this.ReadArgs(*data)) + this.logger.Printf("%s PC:0x%x Info:\n%s\n", base_str, data.pc, info) } case 2: arg_str := strings.SplitN(string(bytes.Trim(data.arg_str[:], "\x00")), "\x00", 2)[0] this.logger.Printf("%s arg_index:%d arg_str:%s\n", base_str, data.arg_index, strings.TrimSpace(arg_str)) case 3: + this.logger.Printf("%s %s\n", base_str, this.ReadArgs(*data)) + case 4: + arg_str := strings.SplitN(string(bytes.Trim(data.arg_str[:], "\x00")), "\x00", 2)[0] + this.logger.Printf("%s arg_index:%d arg_ret_str:%s\n", base_str, data.arg_index, strings.TrimSpace(arg_str)) + case 5: this.logger.Printf("%s ret:0x%x\n", base_str, data.ret) } 
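Review bot: The new `case 4` branch prints `arg_ret_str` with `%s`, and that string is copied from the traced process's memory, so a traced program can put newlines or terminal escape sequences in it and forge or garble log lines; the same holds for `case 2` and for `data.comm` in `base_str`. Quoting the value keeps one event on one line: `this.logger.Printf("%s arg_index:%d arg_ret_str:%q\n", base_str, data.arg_index, strings.TrimSpace(arg_str))`. A comment on the `switch` listing the type numbers (1 LR/PC info, 2 string argument at entry, 3 full arguments, 4 string argument at exit, 5 return value) would also help, since this commit renumbers them and they must match raw_syscalls.c. Decode starts and ends outside this hunk.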
diff --git a/cli/cmd/root.go b/cli/cmd/root.go index 86eb545..d7c2fa3 100644 --- a/cli/cmd/root.go +++ b/cli/cmd/root.go @@ -44,7 +44,7 @@ func runFunc(command *cobra.Command, args []string) { ctx, cancelFun := context.WithCancel(context.TODO()) // 首先根据全局设定设置日志输出 - logger := log.New(os.Stdout, "syscall_", log.Ltime) + logger := log.New(os.Stdout, "", log.Lmicroseconds) if global_config.LogFile != "" { log_path := global_config.ExecPath + "/" + global_config.LogFile _, err := os.Stat(log_path) diff --git a/src/raw_syscalls.c b/src/raw_syscalls.c index 8aeb122..eba115b 100644 --- a/src/raw_syscalls.c +++ b/src/raw_syscalls.c @@ -39,6 +39,17 @@ struct { __uint(max_entries, 512); } arg_mask_map SEC(".maps"); +struct arg_ret_mask_t { + u32 ret_mask; +}; + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __type(key, u32); + __type(value, struct arg_ret_mask_t); + __uint(max_entries, 512); +} arg_ret_mask_map SEC(".maps"); + // 用于设置过滤配置 struct filter_t { u32 uid; @@ -60,7 +71,7 @@ struct { __uint(max_entries, 1); } filter_map SEC(".maps"); -static long inline send_data(struct bpf_raw_tracepoint_args* ctx, struct syscall_data_t* data, u64 addr) { +static int inline send_data_arg_str(struct bpf_raw_tracepoint_args* ctx, struct syscall_data_t* data, u64 addr) { u32 filter_key = 0; struct filter_t* filter = bpf_map_lookup_elem(&filter_map, &filter_key); if (filter == NULL) { @@ -91,9 +102,8 @@ static long inline send_data(struct bpf_raw_tracepoint_args* ctx, struct syscall } } } - - long status = bpf_perf_event_output(ctx, &syscall_events, BPF_F_CURRENT_CPU, data, sizeof(struct syscall_data_t)); - return status; + bpf_perf_event_output(ctx, &syscall_events, BPF_F_CURRENT_CPU, data, sizeof(struct syscall_data_t)); + return 0; } SEC("raw_tracepoint/sys_enter") 
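Review bot: The value type introduced in the `@@ -39,6 +39,17 @@` hunk, `struct arg_ret_mask_t` with the field `ret_mask`, is not the type the exit handler uses: the later hunk in raw_syscalls_sys_exit declares `struct arg_mask_t* arg_ret_mask` for the lookup on `arg_ret_mask_map` and tests `arg_ret_mask->mask`. That only works while both structs have the same layout (`arg_mask_t` is defined outside the visible hunks), and it would break silently if either one gains a field. I would use the new type at the lookup, `struct arg_ret_mask_t* arg_ret_mask = bpf_map_lookup_elem(&arg_ret_mask_map, &data->syscall_id);`, and test `arg_ret_mask->ret_mask & (1 << i)`.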
@@ -178,6 +188,11 @@ int raw_syscalls_sys_enter(struct bpf_raw_tracepoint_args* ctx) { if (data == NULL) { return 0; } + // 获取字符串参数类型配置 + struct arg_mask_t* arg_mask = bpf_map_lookup_elem(&arg_mask_map, &data->syscall_id); + if (arg_mask == NULL) { + return 0; + } // 获取线程名 __builtin_memset(&data->comm, 0, sizeof(data->comm)); @@ -201,12 +216,10 @@ int raw_syscalls_sys_enter(struct bpf_raw_tracepoint_args* ctx) { bpf_probe_read_kernel(&data->sp, sizeof(data->sp), ®s->sp); __builtin_memset(&data->arg_str, 0, sizeof(data->arg_str)); data->type = 1; - long status = bpf_perf_event_output(ctx, &syscall_events, BPF_F_CURRENT_CPU, data, sizeof(struct syscall_data_t)); + bpf_perf_event_output(ctx, &syscall_events, BPF_F_CURRENT_CPU, data, sizeof(struct syscall_data_t)); // 获取参数 data->type = 2; - // 获取字符串参数类型配置 - struct arg_mask_t* arg_mask = bpf_map_lookup_elem(&arg_mask_map, &data->syscall_id); if ((filter->is_32bit && data->syscall_id == 11) || (!filter->is_32bit && data->syscall_id == 221)) { // execve 3个参数 // const char *filename char *const argv[] char *const envp[] @@ -219,8 +232,7 @@ int raw_syscalls_sys_enter(struct bpf_raw_tracepoint_args* ctx) { if (j == 0) { __builtin_memset(&data->arg_str, 0, sizeof(data->arg_str)); bpf_probe_read_user(data->arg_str, sizeof(data->arg_str), (void*)data->args[j]); - // bpf_perf_event_output(ctx, &syscall_events, BPF_F_CURRENT_CPU, data, sizeof(struct syscall_data_t)); - send_data(ctx, data, data->args[j]); + send_data_arg_str(ctx, data, data->args[j]); } else { // 最多遍历得到6个子参数 for (int i = 0; i < 6; i++) { @@ -231,8 +243,7 @@ int raw_syscalls_sys_enter(struct bpf_raw_tracepoint_args* ctx) { bpf_probe_read_user(&addr, sizeof(u64), ptr); if (addr != 0) { bpf_probe_read_user(data->arg_str, sizeof(data->arg_str), (void*)addr); - // bpf_perf_event_output(ctx, &syscall_events, BPF_F_CURRENT_CPU, data, sizeof(struct syscall_data_t)); - send_data(ctx, data, addr); + send_data_arg_str(ctx, data, addr); } else { // 遇到为NULL的 直接结束内部遍历 break; 
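Review bot: The added `if (arg_mask == NULL) { return 0; }` means a syscall whose number has no table entry now produces no event at all, whereas the removed `if (arg_mask && ...)` tests treated a missing entry as "no string arguments". table64.json in this commit stops at 294 and skips 244–259, so any number outside it would go untraced, which is a blind spot for a tracer unless a filter outside this hunk already limits the syscall numbers. I would keep the early lookup but fall back to an empty mask, e.g. `u32 mask = arg_mask ? arg_mask->mask : 0;`, and test `mask & (1 << i)` in the loops. The same early return is added for `arg_ret_mask` in raw_syscalls_sys_exit, where it also suppresses the return-value event; raw_syscalls_sys_enter starts and ends outside this hunk.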
@@ -247,12 +258,11 @@ int raw_syscalls_sys_enter(struct bpf_raw_tracepoint_args* ctx) { data->arg_index = j; bpf_probe_read_kernel(&data->args[j], sizeof(u64), ®s->regs[j]); if (data->args[j] == 0) continue; - if (arg_mask && !(arg_mask->mask & (1 << j))) continue; + if (!(arg_mask->mask & (1 << j))) continue; if (j == 1) { __builtin_memset(&data->arg_str, 0, sizeof(data->arg_str)); bpf_probe_read_user(data->arg_str, sizeof(data->arg_str), (void*)data->args[j]); - // bpf_perf_event_output(ctx, &syscall_events, BPF_F_CURRENT_CPU, data, sizeof(struct syscall_data_t)); - send_data(ctx, data, data->args[j]); + send_data_arg_str(ctx, data, data->args[j]); } else { for (int i = 0; i < 6; i++) { __builtin_memset(&data->arg_str, 0, sizeof(data->arg_str)); @@ -261,8 +271,7 @@ int raw_syscalls_sys_enter(struct bpf_raw_tracepoint_args* ctx) { bpf_probe_read_user(&addr, sizeof(u64), ptr); if (addr != 0) { bpf_probe_read_user(data->arg_str, sizeof(data->arg_str), (void*)addr); - // bpf_perf_event_output(ctx, &syscall_events, BPF_F_CURRENT_CPU, data, sizeof(struct syscall_data_t)); - send_data(ctx, data, addr); + send_data_arg_str(ctx, data, addr); } else { break; } @@ -274,7 +283,7 @@ int raw_syscalls_sys_enter(struct bpf_raw_tracepoint_args* ctx) { #pragma unroll for (int i = 0; i < 6; i++) { // 栈空间大小限制 分组发送 - if (arg_mask && arg_mask->mask & (1 << i)) { + if (arg_mask->mask & (1 << i)) { data->arg_index = i; bpf_probe_read_kernel(&data->args[i], sizeof(u64), ®s->regs[i]); __builtin_memset(&data->arg_str, 0, sizeof(data->arg_str)); 
@@ -284,12 +293,14 @@ int raw_syscalls_sys_enter(struct bpf_raw_tracepoint_args* ctx) { // 综合测试使用 bpf_probe_read_user 最合理 在前端处理 NUL // 不过仍然有部分结果是空 调整大小又能读到 原因未知 bpf_probe_read_user(data->arg_str, sizeof(data->arg_str), (void*)data->args[i]); - // long status = bpf_perf_event_output(ctx, &syscall_events, BPF_F_CURRENT_CPU, data, sizeof(struct syscall_data_t)); - send_data(ctx, data, data->args[i]); + send_data_arg_str(ctx, data, data->args[i]); } } } - + // 这里会得到完整参数对应的寄存器信息 + __builtin_memset(&data->arg_str, 0, sizeof(data->arg_str)); + data->type = 3; + bpf_perf_event_output(ctx, &syscall_events, BPF_F_CURRENT_CPU, data, sizeof(struct syscall_data_t)); return 0; } @@ -381,13 +392,34 @@ int raw_syscalls_sys_exit(struct bpf_raw_tracepoint_args* ctx) { } } - data->type = 3; - data->ret = ctx->args[1]; - data->pid = pid; - data->tid = tid; + struct arg_mask_t* arg_ret_mask = bpf_map_lookup_elem(&arg_ret_mask_map, &data->syscall_id); + if (arg_ret_mask == NULL) { + return 0; + } + // 获取线程名 + __builtin_memset(&data->comm, 0, sizeof(data->comm)); bpf_get_current_comm(&data->comm, sizeof(data->comm)); - // 发送数据 - long status = bpf_perf_event_output(ctx, &syscall_events, BPF_F_CURRENT_CPU, data, sizeof(struct syscall_data_t)); + // 基本信息 + data->pid = pid; + data->tid = tid; + + // 获取syscall执行后才会有内容的字符串参数 比如重定向检测 + data->type = 4; + #pragma unroll + for (int i = 0; i < 6; i++) { + if (arg_ret_mask->mask & (1 << i)) { + data->arg_index = i; + bpf_probe_read_kernel(&data->args[i], sizeof(u64), ®s->regs[i]); + __builtin_memset(&data->arg_str, 0, sizeof(data->arg_str)); + bpf_probe_read_user(data->arg_str, sizeof(data->arg_str), (void*)data->args[i]); + send_data_arg_str(ctx, data, data->args[i]); + } + } + + // 发送返回结果 + data->type = 5; + data->ret = ctx->args[1]; + bpf_perf_event_output(ctx, &syscall_events, BPF_F_CURRENT_CPU, data, sizeof(struct syscall_data_t)); return 0; } \ No newline at end of file
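Review bot: In the raw_syscalls_sys_exit hunk, the new loop reads each masked buffer for the full `sizeof(data->arg_str)` without looking at the syscall result, and `data->ret` is only set after the type 4 events have been sent. For `readlinkat`, the one syscall with a return mask in the tables, the kernel does not NUL-terminate the buffer and a failed call leaves it untouched, so the `arg_ret_str` shown can contain stale bytes from the traced process after, or instead of, the link target. I would move `data->ret = ctx->args[1];` above the loop and run the loop only when `(long)ctx->args[1] >= 0`, so user space can also cut the string to the returned length. raw_syscalls_sys_exit starts outside this hunk.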