One Hat Cyber Team

View File Name : sysc_move_pages.stp

# move_pages ____________________________________________________
# long sys_move_pages(pid_t pid, unsigned long nr_pages,
#			const void __user * __user *pages,
#			const int __user *nodes,
#			int __user *status,
#			int flags)
#
# long compat_sys_move_pages(pid_t pid, unsigned long nr_pages,
#                compat_uptr_t __user *pages32,
#                const int __user *nodes,
#                int __user *status,
#                int flags)
#

@define _SYSCALL_MOVE_PAGES_NAME
%(
	name = "move_pages"
%)

@define _SYSCALL_MOVE_PAGES_ARGSTR
%(
	argstr = sprintf("%d, %u, %p, %p, %p, %s", pid, nr_pages, pages,
	                 nodes, status, flags_str)
%)

@define _SYSCALL_MOVE_PAGES_REGARGS
%(
	pid = int_arg(1)
	nr_pages = ulong_arg(2)
	pages = pointer_arg(3)
	nodes = pointer_arg(4)
	status = pointer_arg(5)
	flags = int_arg(6)
	flags_str = _mempolicy_flags_str(flags)
%)

@define _SYSCALL_MOVE_PAGES_REGARGS_STORE
%(
        if (@probewrite(pid))
          set_int_arg(1, pid)

	if (@probewrite(nr_pages))
	  set_ulong_arg(2, nr_pages)

	if (@probewrite(pages))
	  set_pointer_arg(3, pages)

	if (@probewrite(nodes))
	  set_pointer_arg(4, nodes)

	if (@probewrite(status))
	  set_pointer_arg(5, status)

	if (@probewrite(flags))
	  set_int_arg(6, flags)
%)

probe syscall.move_pages = dw_syscall.move_pages !, nd_syscall.move_pages ? {}
probe syscall.move_pages.return = dw_syscall.move_pages.return !, nd_syscall.move_pages.return ? {}

# dw_move_pages _____________________________________________________

probe dw_syscall.move_pages = __syscall.move_pages ?,
                           kernel.function("compat_sys_move_pages").call ?
{
	@_SYSCALL_MOVE_PAGES_NAME
	pages = @choose_defined($pages32, $pages)
	pid = __int32($pid)
	nodes = $nodes
	status = $status
	flags = __int32($flags)
	flags_str = _mempolicy_flags_str(flags)
	nr_pages = @__compat_ulong($nr_pages)
	@_SYSCALL_MOVE_PAGES_ARGSTR
}
probe __syscall.move_pages = kernel.function("sys_move_pages").call
{
	@__syscall_gate(@const("__NR_move_pages"))
}
probe dw_syscall.move_pages.return = __syscall.move_pages.return ?,
                                  kernel.function("compat_sys_move_pages").return ?
{
	@_SYSCALL_MOVE_PAGES_NAME
	@SYSC_RETVALSTR($return)
}
probe __syscall.move_pages.return = kernel.function("sys_move_pages").return
{
	@__syscall_gate(@const("__NR_move_pages"))
}

# nd_move_pages _____________________________________________________

probe nd_syscall.move_pages = nd1_syscall.move_pages!, nd2_syscall.move_pages!, tp_syscall.move_pages
  { }

probe nd1_syscall.move_pages = __nd1_syscall.move_pages ?,
                               kprobe.function("compat_sys_move_pages") ?
{
	@_SYSCALL_MOVE_PAGES_NAME
	asmlinkage()
	@_SYSCALL_MOVE_PAGES_REGARGS
	@_SYSCALL_MOVE_PAGES_ARGSTR
}
probe __nd1_syscall.move_pages = kprobe.function("sys_move_pages")
{
	@__syscall_gate(@const("__NR_move_pages"))
}

/* kernel 4.17+ */
probe nd2_syscall.move_pages =
	kprobe.function(@arch_syscall_prefix "sys_move_pages") ?,
	kprobe.function(@arch_syscall_prefix "compat_sys_move_pages") ?
{
	__set_syscall_pt_regs(pointer_arg(1))
	@_SYSCALL_MOVE_PAGES_NAME
	@_SYSCALL_MOVE_PAGES_REGARGS
	@_SYSCALL_MOVE_PAGES_ARGSTR
},
{
        %( @_IS_SREG_KERNEL %? @_SYSCALL_MOVE_PAGES_REGARGS_STORE %)
}

/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.move_pages = kernel.trace("sys_enter")
{
	__set_syscall_pt_regs($regs)
	@__syscall_compat_gate(@const("__NR_move_pages"), @const("__NR_compat_move_pages"))
	@_SYSCALL_MOVE_PAGES_NAME
	@_SYSCALL_MOVE_PAGES_REGARGS
	@_SYSCALL_MOVE_PAGES_ARGSTR
},
{
        %( @_IS_SREG_KERNEL %? @_SYSCALL_MOVE_PAGES_REGARGS_STORE %)
}

probe nd_syscall.move_pages.return = nd1_syscall.move_pages.return!, nd2_syscall.move_pages.return!, tp_syscall.move_pages.return
  { }

probe nd1_syscall.move_pages.return = __nd1_syscall.move_pages.return ?,
                                      kprobe.function("compat_sys_move_pages").return ?
{
	@_SYSCALL_MOVE_PAGES_NAME
	@SYSC_RETVALSTR(returnval())
}
probe __nd1_syscall.move_pages.return = kprobe.function("sys_move_pages").return
{
	@__syscall_gate(@const("__NR_move_pages"))
}

/* kernel 4.17+ */
probe nd2_syscall.move_pages.return =
	kprobe.function(@arch_syscall_prefix "sys_move_pages").return ?,
	kprobe.function(@arch_syscall_prefix "compat_sys_move_pages").return ?
{
	@_SYSCALL_MOVE_PAGES_NAME
	@SYSC_RETVALSTR(returnval())
}

/* kernel 3.5+, but undesirable because it affects all syscalls */
probe tp_syscall.move_pages.return = kernel.trace("sys_exit")
{
	__set_syscall_pt_regs($regs)
	@__syscall_compat_gate(@const("__NR_move_pages"), @const("__NR_compat_move_pages"))
	@_SYSCALL_MOVE_PAGES_NAME
	@SYSC_RETVALSTR($ret)
}