Hello Giuseppe,

Thank you for your quick reply. However, I can already intercept syscalls with ptrace calls in my program. My main problem is that I can only capture LBR entries with perf event samples, which is not the desired method due to the nondeterministic behavior of sampling. What I want to do is read LBR entries which are generated by a specific process and not use a sampling-based approach. Below, you can find the list of the approaches I have tried so far:

- Until now, I developed my tool by looking at the perf_examples/branch_smpl.c example under the libpfm4 repository. I tried to change the frequency of sampling in order to get a much more deterministic LBR reader, but it doesn't help much.
- I also tried to use the wrmsr/rdmsr tools in order to read LBR entries on demand, but those tools weren't working on a process level (they return all entries instead of the specific LBR entries belonging to a specific process).
- I investigated the Linux source code itself as well and observed a function called "intel_pmu_lbr_read_64" which is used with the Performance Monitoring Unit, but I have very little knowledge about how the PMU works in general.

Again, my question is how I can implement a function (preferably in C/C++) such that it will return process-specific LBR entries on demand without any sampling. Any guidance about Last Branch Recording and/or the Performance Monitoring Unit would be a great help.

Have a nice day all!
-Fatih

On Wed, Dec 21, 2022 at 3:04 PM Giuseppe Congiu <gcon...@icl.utk.edu> wrote:
> Hi Fatih,
>
> There are different ways you can do this. One could be to write your own
> syscall wrapper library. The wrapper can read LBRs and then fall back to the
> system-provided syscall. You can look at the --wrap option of the
> linker (man ld) as a possible implementation option for this. The linker
> --wrap option assumes you can build the application from sources. If that
> is not the case you can still try with LD_PRELOAD of the wrapper library,
> but this will only work if the syscalls are made directly by the
> application and not by a third-party dependency library (take this with a
> grain of salt, I might recall incorrectly). If LD_PRELOAD does not work
> either, another way could be to use the ptrace syscall to attach to your
> application process (this is what strace uses). There might even be other,
> better, ways of achieving the same result that I am not aware of, but these
> should be good starting points.
>
> Best,
> Giuseppe
>
> On Wed, Dec 21, 2022 at 11:48 AM Muhammet Fatih Öztank (Student) via perfmon2-devel <perfmon2-devel@lists.sourceforge.net> wrote:
>> Hello,
>>
>> I'm working on a project which requires usage of Intel LBR functionality.
>> I'm currently developing a tool to detect process-specific malicious
>> behavior by reading Intel Last Branch Recording entries after each syscall.
>> Currently, I managed to develop an LBR reader program by using perf events
>> and libpfm4.
>>
>> However, my program uses sampling to retrieve LBR entries, which is not
>> the requested functionality due to the fact that sampling is
>> nondeterministic. Our requested functionality is a request-based structure
>> where on each syscall we would like to retrieve all LBR entries in the
>> debug registers which belong to the traced process.
>>
>> What I want to ask is: is there any other way to read LBR entries in a
>> deterministic manner (i.e. I am calling my function and I will get all LBR
>> entries related to the process which is being traced)? Any help is greatly
>> appreciated.
>>
>> Thanks in advance
>> -Fatih
>> _______________________________________________
>> perfmon2-devel mailing list
>> perfmon2-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/perfmon2-devel
_______________________________________________
perfmon2-devel mailing list
perfmon2-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/perfmon2-devel
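The ptrace route Giuseppe mentions, as an added example that is not code from either poster: a tracer that stops the child at every syscall-entry stop and calls a hook there, which is the point at which a per-syscall read would be triggered. It assumes x86-64 Linux (syscall number taken from orig_rax); the hook and function names are made up for this example, and the actual LBR read is left to the caller.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/user.h>

typedef void (*syscall_hook)(pid_t pid, long nr, void *ctx);

/* Sample hook: counts entries in *ctx; a per-syscall LBR read would go here. */
void count_hook(pid_t pid, long nr, void *ctx) { (void)pid; (void)nr; ++*(long *)ctx; }

/* Run argv[] under ptrace, calling hook at every syscall-entry stop.
 * Returns the number of entries seen, or -1 on failure. */
long trace_syscalls(char *const argv[], syscall_hook hook, void *ctx)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                  /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(127);
        raise(SIGSTOP);                              /* let the tracer set options */
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    /* TRACESYSGOOD marks syscall stops as SIGTRAP|0x80; TRACEEXEC turns the
     * legacy post-execve SIGTRAP into an event stop that is not forwarded. */
    long opts = PTRACE_O_TRACESYSGOOD | PTRACE_O_TRACEEXEC;
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)opts) < 0) return -1;
    long entries = 0;
    int in_syscall = 0, sig = 0;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) < 0) return -1;
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (!WIFSTOPPED(status)) break;              /* tracee exited or was killed */
        sig = 0;
        if (WSTOPSIG(status) == (SIGTRAP | 0x80)) {
            in_syscall = !in_syscall;                /* stops alternate entry/exit */
            if (!in_syscall) continue;
            struct user_regs_struct regs;            /* x86-64: syscall nr in orig_rax */
            long nr = ptrace(PTRACE_GETREGS, pid, NULL, &regs) == 0 ? (long)regs.orig_rax : -1;
            entries++;
            if (hook) hook(pid, nr, ctx);
        } else if ((status >> 16) == 0) sig = WSTOPSIG(status);  /* forward ordinary signals */
    }
    return entries;
}
```

Because every syscall of the tracee is reported synchronously, whatever the hook reads is tied to that exact syscall boundary rather than to a sampling interrupt.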