Can I use Kprobe to stop a new process from executing?

Time: 2018-11-24 11:35:07

Tags: linux security callback linux-kernel kprobe

Kprobe has an obscure pre-handler feature, documented as follows:

import numpy as np

# X (a 2-D array) and d are assumed to be defined by the caller.
n = d - 1
N = len(X)
# Row offsets of each block of pairwise products in Z_out.
idx = 2 * N + np.concatenate(([0], np.arange(n, 0, -1).cumsum()))
start, stop = idx[:-1], idx[1:]
L = n * (n + 1) // 2
Z_out = np.empty((2 * N + L, X.shape[1]), dtype=X.dtype)
Z_out[:N] = X            # original rows
Z_out[N:2 * N] = X**2    # squared rows
for i, (s0, s1) in enumerate(zip(start, stop)):
    Z_out[s0:s1] = X[i] * X[i + 1:]   # products of row i with the rows after it

I would like to know whether this feature (or any other Kprobe feature) can be used to prevent a process from executing/forking.

1 answer:

Answer 0 (score: 2)

As described in the kernel documentation, you can change the execution path by changing the appropriate register (e.g. the IP register on x86):

Changing Execution Path
-----------------------

Since kprobes can probe into a running kernel code, it can change the
register set, including instruction pointer. This operation requires
maximum care, such as keeping the stack frame, recovering the execution
path etc. Since it operates on a running kernel and needs deep knowledge
of computer architecture and concurrent computing, you can easily shoot
your foot.

If you change the instruction pointer (and set up other related
registers) in pre_handler, you must return !0 so that kprobes stops
single stepping and just returns to the given address.
This also means post_handler should not be called anymore.

Note that this operation may be harder on some architectures which use
TOC (Table of Contents) for function call, since you have to setup a new
TOC for your function in your module, and recover the old one after
returning from it.

So you could prevent a process from executing by skipping over some code. I do not recommend it. You are more likely to crash the kernel than to successfully stop the new process from executing.

seccomp-bpf may be better suited to your use case. This StackOverflow answer gives you all the information you need to make use of seccomp-bpf.
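The seccomp-bpf route the answer recommends, as an added example that is not part of the question or the answer: a filter under which execve/execveat fail with EPERM, installed in a forked child so the parent keeps running unfiltered, instead of rewriting the instruction pointer from a kprobe pre_handler. It assumes a Linux host on x86-64 or arm64 with seccomp enabled; the function names are the example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64  /* assumes an x86-64 or arm64 host */
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#endif

/* Install a seccomp-bpf filter: kill the process if the syscall ABI is not the
 * one filtered for, refuse execve/execveat with EPERM, allow everything else.
 * Returns 0 on success, -errno if the kernel (or a sandbox) rejects it. */
int install_no_exec_filter(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    /* No-new-privs must be set before an unprivileged process may filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* Fork a child, filter it, and let it try to exec /bin/true. Returns the errno
 * execve failed with (EPERM when the filter works), 0 if the exec ran anyway,
 * or -1 if the child could not install the filter. */
int try_exec_under_filter(void)
{
    int status, pid = fork();
    if (pid == 0) {
        if (install_no_exec_filter() != 0) _exit(255);
        execve("/bin/true", (char *[]){ "/bin/true", NULL }, NULL);
        _exit(errno);            /* reached only when the filter refused it */
    }
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}
```

The filter refuses the syscall before the kernel looks at the path, so the child sees EPERM even where /bin/true does not exist.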