playing with eBPF interface - 2
In the last post we introduced the BCC framework to interface Python code with the eBPF facility. Now we are ready to go one step further!

```python
#!/usr/bin/python3
import bcc

# eBPF program (C), compiled by BCC at load time
bpf = bcc.BPF(text="""
#include <uapi/linux/ptrace.h>

// Runs on every entry to malloc(); size is malloc's first argument
int trace_malloc(struct pt_regs *ctx, size_t size) {
    bpf_trace_printk("size=%lu\\n", size);
    return 0;
};""")

# Attach a user space probe to malloc in libc ("c" resolves to libc)
bpf.attach_uprobe(name="c", sym="malloc", fn_name="trace_malloc")

# Read the formatted lines back from the kernel trace pipe
while 1:
    (task, pid, cpu, flags, ts, msg) = bpf.trace_fields()
    print(f"task={task}\tmsg={msg}")
```

This code is a little more complex, but still quite easy: first of all we use bcc to attach a “user space probe” instead of a kernel probe, and the function being observed will be libc’s malloc. ...
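The script prints one line per `malloc` call, which quickly becomes unreadable on a busy system. The following is an added example, not part of the original post: it aggregates `trace_fields()`-style tuples into per-process call counts, byte totals and a power-of-two size histogram. The names `summarize`, `bucket` and `SAMPLE` are hypothetical, and the sample events are constructed so the block runs offline without BCC.

```python
import re
from collections import defaultdict

# Message format emitted by trace_malloc(): b"size=<decimal>"
SIZE_RE = re.compile(rb"^size=(\d+)$")

def bucket(size):
    """Lower bound of the power-of-two bucket holding size (0 stays 0)."""
    return 0 if size == 0 else 1 << (size.bit_length() - 1)

def summarize(events):
    """Aggregate (task, pid, cpu, flags, ts, msg) tuples per process.

    Returns {(task, pid): {"calls": n, "bytes": total, "hist": {bucket: n}}}.
    Messages that do not match the probe's format are skipped: the trace
    pipe is shared system-wide, so lines written by other users of
    bpf_trace_printk() can be interleaved with ours.
    """
    stats = {}
    for task, pid, _cpu, _flags, _ts, msg in events:
        m = SIZE_RE.match(msg.strip())
        if m is None:
            continue
        size = int(m.group(1))
        entry = stats.setdefault(
            (task.decode(errors="replace"), pid),
            {"calls": 0, "bytes": 0, "hist": defaultdict(int)},
        )
        entry["calls"] += 1
        entry["bytes"] += size
        entry["hist"][bucket(size)] += 1
    return stats

# Constructed sample events (task and msg are bytes, as BCC returns them).
SAMPLE = [
    (b"sshd", 812, 0, b"....", 100.01, b"size=24"),
    (b"sshd", 812, 0, b"....", 100.02, b"size=4096"),
    (b"bash", 1377, 1, b"....", 100.03, b"size=31"),
    (b"other", 55, 1, b"....", 100.04, b"hello from another program"),
    (b"sshd", 812, 0, b"....", 100.05, b"size=5000"),
]

if __name__ == "__main__":
    for (task, pid), s in sorted(summarize(SAMPLE).items()):
        print(f"{task}[{pid}] calls={s['calls']} bytes={s['bytes']} "
              f"hist={dict(s['hist'])}")
```

With the real probe attached, the same function can be fed from a bounded loop that collects `bpf.trace_fields()` results into a list.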