Hi Fatih,

There are different ways you can do this. One could be to write your own syscall wrapper library. The wrapper can read LBRs and then fall back to the system provided syscall. You can look at the --wrap option of the linker (man ld) as a possible implementation option for this.

The linker --wrap option assumes you can build the application from sources. If that is not the case you can still try with LD_PRELOAD of the wrapper library, but this will only work if the syscalls are made directly by the application and not by a third party dependency library (take this with a grain of salt, I might recall incorrectly).

If the LD_PRELOAD does not work either, another way could be to use the ptrace syscall to attach to your application process (this is what strace uses).

There might even be other, better, ways of achieving the same result that I am not aware of, but these should be good starting points.

Best,
Giuseppe

On Wed, Dec 21, 2022 at 11:48 AM Muhammet Fatih Öztank (Student) via perfmon2-devel <perfmon2-devel@lists.sourceforge.net> wrote:

> Hello,
>
> I'm working on a project which requires usage of Intel LBR functionality.
> I'm currently developing a tool to detect process specific malicious
> behavior by reading Intel Last Branch Recording entries after each syscall.
> Currently, I managed to develop an LBR reader program by using perf events
> and libpfm4.
>
> However, my program uses sampling to retrieve LBR entries which is not the
> requested functionality due to the fact that sampling is nondeterministic.
> Our requested functionality is a request based structure where on each
> syscall we would like to retrieve all LBR entries on the debug registers
> which belong to the traced process.
>
> What I want to ask is, is there any other way to read LBR entries in a
> deterministic manner (i.e. I am calling my function and I will get all LBR
> entries related to the process which is being traced). Any help is greatly
> appreciated.
>
> Thanks in advance
> -Fatih
> _______________________________________________
> perfmon2-devel mailing list
> perfmon2-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/perfmon2-devel
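
The ptrace route mentioned in the reply, as an added example that is not code from this thread or from perfmon2/libpfm4: a Linux tracer that stops a child at every syscall entry and exit and calls a hook at each stop. The hook type `stop_hook`, the counting hook and the three-`getppid` tracee are constructed for illustration; the hook marks the point where a monitoring tool would call its own LBR reader, which is not shown here.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical hook: the point where a tracer would read the tracee's LBRs. */
typedef void (*stop_hook)(pid_t pid, int is_exit, void *ctx);

static void count_hook(pid_t pid, int is_exit, void *ctx) {
    (void)pid;
    ((int *)ctx)[is_exit]++;               /* [0] = entries, [1] = exits */
}

/* Fork a constructed tracee, stop it at every syscall entry and exit, and
 * call hook at each stop. Returns the tracee's exit status, or -1 on error. */
int trace_child(stop_hook hook, void *ctx) {
    int status, is_exit = 0, sig = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                        /* tracee (constructed workload) */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(1);
        raise(SIGSTOP);                    /* wait until the tracer is ready */
        for (int i = 0; i < 3; i++) syscall(SYS_getppid);
        _exit(42);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) goto fail;
    /* Report syscall stops as SIGTRAP|0x80 so they differ from real signals. */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD) < 0)
        goto fail;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) < 0) goto fail;
        if (waitpid(pid, &status, 0) < 0) goto fail;
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        if (WIFSIGNALED(status)) return -1;
        sig = 0;
        if (WSTOPSIG(status) == (SIGTRAP | 0x80)) {
            hook(pid, is_exit, ctx);       /* deterministic: once per stop */
            is_exit = !is_exit;            /* stops alternate entry, exit */
        } else {
            sig = WSTOPSIG(status);        /* forward real signals unchanged */
        }
    }
fail:
    kill(pid, SIGKILL);
    waitpid(pid, &status, 0);
    return -1;
}

int main(void) {
    int counts[2] = {0, 0};
    int rc = trace_child(count_hook, counts);
    printf("exit=%d entries=%d exits=%d\n", rc, counts[0], counts[1]);
    return rc == 42 ? 0 : 1;
}
```

The final `exit_group` produces an entry stop but no exit stop, so the entry count is one higher than the exit count.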