06(07). Learning eBPF / BCC opensnoop with ChatGPT 4.0 on the Youlan code notebook (parts 1 and 2)
Study companion: ChatGPT 4.0



From the BCC README:
BCC is a toolkit for creating efficient kernel tracing and manipulation programs, and includes several useful tools and examples. It makes use of extended BPF (Berkeley Packet Filters), formally known as eBPF, a new feature that was first added to Linux 3.15. Much of what BCC uses requires Linux 4.1 and above.
One of the more interesting features in this cycle is the ability to attach eBPF programs (user-defined, sandboxed bytecode executed by the kernel) to kprobes. This allows user-defined instrumentation on a live kernel image that can never crash, hang or interfere with the kernel negatively.
BCC makes BPF programs easier to write, with kernel instrumentation in C (and includes a C wrapper around LLVM), and front-ends in Python and lua. It is suited for many tasks, including performance analysis and network traffic control.
This example traces a disk I/O kernel function, and populates an in-kernel power-of-2 histogram of the I/O size. For efficiency, only the histogram summary is returned to user-level.
eBPF linux tools

BCC ====> BCC – Tools for BPF-based Linux IO analysis, networking, monitoring, and more
Check whether the kernel was built with eBPF support by grepping the kernel build options:
```bash
zcat /proc/config.gz | grep bpf
```
/proc/config.gz only exists when the kernel was built with CONFIG_IKCONFIG_PROC; if it is missing, look at /boot/config-$(uname -r) instead.
On the Youlan notebook almost all of the eBPF options are enabled.
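Added example (my own script, not part of these notes or of BCC) that automates the check above: it parses a kernel config, either the gzipped /proc/config.gz or a plain /boot/config-<release> file, and lists the options that kprobe-based BCC tools such as opensnoop depend on but that are missing. Which options count as required is my selection; CONFIG_IKCONFIG_PROC is on the optional list because without it /proc/config.gz does not exist at all, which is why the script falls back to /boot/config-*. The embedded SAMPLE_CONFIG is constructed for demonstration, not taken from a real machine.

```python
#!/usr/bin/env python3
"""Check a Linux kernel config for the options kprobe-based BCC tools rely on.

Added example, not part of the original notes or of BCC; the option lists are
my own selection of what an opensnoop-style tool needs.
"""
import gzip
import os
import platform
import sys
from typing import Dict, List

# Hard requirements for loading a BPF program and attaching it to kprobes.
REQUIRED = [
    "CONFIG_BPF",            # core BPF support
    "CONFIG_BPF_SYSCALL",    # the bpf(2) syscall that loads programs and creates maps
    "CONFIG_BPF_JIT",        # JIT; the interpreter works too, but tracing overhead grows
    "CONFIG_KPROBES",        # kernel dynamic tracing (kprobes / kretprobes)
    "CONFIG_KPROBE_EVENTS",  # kprobe event interface BCC attaches through (old kernels: CONFIG_KPROBE_EVENT)
    "CONFIG_BPF_EVENTS",     # lets BPF programs attach to kprobes, tracepoints, perf events
]
# Useful but not fatal: BTF for the kfunc path opensnoop prefers, uprobes for
# user-space hooks such as SSL_read, and the option that makes /proc/config.gz exist.
OPTIONAL = ["CONFIG_DEBUG_INFO_BTF", "CONFIG_UPROBE_EVENTS", "CONFIG_IKCONFIG_PROC"]

# Constructed sample config (not from a real machine), used by --sample.
SAMPLE_CONFIG = """\
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_KPROBES=y
CONFIG_KPROBE_EVENTS=y
CONFIG_BPF_EVENTS=y
# CONFIG_DEBUG_INFO_BTF is not set
CONFIG_UPROBE_EVENTS=m
CONFIG_IKCONFIG_PROC=y
"""


def parse_config(text: str) -> Dict[str, str]:
    """Kconfig output -> {option: value}; '# CONFIG_X is not set' becomes 'n'."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# CONFIG_") and line.endswith(" is not set"):
            opts[line[2:-len(" is not set")]] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    return opts


def missing_options(opts: Dict[str, str], wanted: List[str]) -> List[str]:
    """Options in `wanted` that are neither built in (y) nor a module (m)."""
    return [o for o in wanted if opts.get(o) not in ("y", "m")]


def load_config_text(path: str) -> str:
    """Read a plain or gzip-compressed kernel config."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return fh.read()


def default_config_path() -> str:
    """Prefer the running kernel's embedded config, then the distro's /boot copy."""
    for cand in ("/proc/config.gz", f"/boot/config-{platform.release()}"):
        if os.path.isfile(cand):
            return cand
    raise FileNotFoundError("no kernel config found: enable CONFIG_IKCONFIG_PROC "
                            "or pass the config path explicitly")


def report(text: str) -> bool:
    """Print what is missing; True when every REQUIRED option is present."""
    opts = parse_config(text)
    req_missing = missing_options(opts, REQUIRED)
    for name in req_missing:
        print(f"MISSING (required): {name}")
    for name in missing_options(opts, OPTIONAL):
        print(f"missing (optional): {name}")
    if not req_missing:
        print("kernel has the options needed for kprobe-based BCC tools")
    return not req_missing


if __name__ == "__main__":
    arg = sys.argv[1] if len(sys.argv) > 1 else None
    text = SAMPLE_CONFIG if arg == "--sample" else load_config_text(arg or default_config_path())
    sys.exit(0 if report(text) else 1)
```

Run it with no arguments to inspect the running kernel, pass a config path to inspect another one, or pass --sample to see it run on the constructed config; exit status 1 means a required option is missing.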



Above is the system information for the Youlan notebook's release.


Install build dependencies
```bash
# For Noble Numbat (24.04)
sudo apt install -y zip bison build-essential cmake flex git libedit-dev \
  libllvm18 llvm-18-dev libclang-18-dev python3 zlib1g-dev libelf-dev libfl-dev python3-setuptools \
  liblzma-dev libdebuginfod-dev arping netperf iperf libpolly-18-dev
```
Install and compile BCC
```bash
git clone https://github.com/iovisor/bcc.git
mkdir bcc/build; cd bcc/build
cmake ..
make
sudo make install
cmake -DPYTHON_CMD=python3 .. # build python3 binding
pushd src/python/
make
sudo make install
popd
```
bpftrace: front-end
bpftrace is a high-level tracing language for Linux. bpftrace uses LLVM as a backend to compile scripts to eBPF-bytecode and makes use of libbpf and bcc for interacting with the Linux BPF subsystem, as well as existing Linux tracing capabilities: kernel dynamic tracing (kprobes), user-level dynamic tracing (uprobes), tracepoints, etc. The bpftrace language is inspired by awk, C, and predecessor tracers such as DTrace and SystemTap. bpftrace was created by Alastair Robertson.
bpftrace occupies the same position as the Lua and Python front-ends: a front-end on top of the BPF subsystem.

The bcc-lua front-end is installed. /usr/share/ is like the Program Files directory on Windows: programs are generally installed there, under the shared user files.


These are some of the bcc tools.

And the documentation that comes with the tools.


Wait, let's see what bindings are in here.

Some compiled binary tools.

And some shared libraries.

During development you will definitely use these header files.
When you compile and write your own eBPF programs you will need them; if they are missing, the build errors out.
So-called reverse engineering is remembering everything that is in front of you.

The Python scripts are byte-compiled into .pyc files.
Starting the first case: hello world



opensnoop: monitor every open operation inside an app on Linux (cloud phone)

Wait until he is done, then I will add it.

What is a system call
It is the interface the kernel provides to upper-layer applications: an abstract service the kernel offers to user space.
Linux system calls are the basic way applications interact with the operating system kernel. They are a set of functions provided by the kernel that let user-space programs ask the kernel to perform various low-level operations on their behalf, operations the application normally cannot perform directly.
What system calls do
System calls act as the interface between user space and kernel space. Common system call functionality includes:
File operations: opening, reading, writing and closing files.
Process control: creating new processes (e.g. fork()), executing new programs (e.g. exec()) and process termination.
Communication: inter-process communication via pipes, signals, shared memory and sockets.
Memory management: allocating and freeing memory (e.g. malloc() and free() use system calls underneath).
Device operations: accessing and controlling hardware devices.
What are the layers of the Android architecture?



This libssl.so library lives inside the Android image in Docker. …
If we want to capture traffic, we need to hook the SSL_read and SSL_write functions inside this .so.
eCapture capture: what it hooks is the libssl.so in the Android framework libraries, so from the host it cannot be captured.
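Added example (my own code, not eCapture's and not part of these notes) of the hook just described, done with BCC uprobes: an entry probe on SSL_read / SSL_write saves the buffer pointer, and the return probe copies the plaintext once the byte count is known. One practical point: a uprobe is attached to a library file path, and the host kernel can open a library that sits in another mount namespace (a container, or a containerised Android image) through /proc/<pid>/root/<path>, which is what host_visible_path builds. The /proc/<pid>/maps excerpt is constructed; running the attach part needs root and the bcc Python binding, the parsing helpers do not.

```python
#!/usr/bin/env python3
"""Hook SSL_read / SSL_write in a running process with BCC uprobes.

Added example; not eCapture's code and not part of the original notes. Needs
root and the bcc Python binding to attach; the parsing helpers do not.
"""
import sys
from typing import Optional

MAX_BUF = 256  # plaintext bytes copied per call; raise it for full bodies

# BPF side. SSL_read(ssl, buf, num) and SSL_write(ssl, buf, num) share a
# prototype, so one entry and one return handler serve both; `op` tags them.
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>
#define MAX_BUF %d
struct event_t {
    u32 pid;
    u32 len;            // return value: bytes actually transferred
    u8  op;             // 'R' or 'W'
    u8  data[MAX_BUF];  // first MAX_BUF bytes of plaintext
};
BPF_PERF_OUTPUT(events);
BPF_HASH(bufs, u64, u64);   // thread id -> user buffer pointer saved at entry

static inline int on_entry(struct pt_regs *ctx) {
    u64 tid = bpf_get_current_pid_tgid();
    u64 buf = (u64)PT_REGS_PARM2(ctx);   // arg1: the plaintext buffer
    bufs.update(&tid, &buf);
    return 0;
}
static inline int on_return(struct pt_regs *ctx, u8 op) {
    u64 tid = bpf_get_current_pid_tgid();
    u64 *bufp = bufs.lookup(&tid);
    if (!bufp) return 0;
    u64 buf = *bufp;
    bufs.delete(&tid);
    int n = PT_REGS_RC(ctx);             // <= 0: error, retry or no data
    if (n <= 0) return 0;
    struct event_t ev = {};
    ev.pid = tid >> 32;
    ev.len = n;
    ev.op = op;
    // Fixed-size read keeps the verifier happy; user space trims to ev.len.
    bpf_probe_read_user(ev.data, sizeof(ev.data), (void *)buf);
    events.perf_submit(ctx, &ev, sizeof(ev));
    return 0;
}
int probe_ssl_read(struct pt_regs *ctx)      { return on_entry(ctx); }
int probe_ssl_write(struct pt_regs *ctx)     { return on_entry(ctx); }
int probe_ssl_read_ret(struct pt_regs *ctx)  { return on_return(ctx, 'R'); }
int probe_ssl_write_ret(struct pt_regs *ctx) { return on_return(ctx, 'W'); }
""" % MAX_BUF


def find_mapped_library(maps_text: str, needle: str = "libssl.so") -> Optional[str]:
    """First file path in /proc/<pid>/maps whose basename contains `needle`, else None."""
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(fields) == 6 and needle in fields[5].rsplit("/", 1)[-1]:
            return fields[5]
    return None


def host_visible_path(pid: int, path: str) -> str:
    """Go through the target's own root so a path inside a container resolves from the host."""
    return f"/proc/{pid}/root{path}"


def attach_ssl_probes(pid: int, lib: str):
    """Load BPF_PROGRAM and put entry/return probes on SSL_read and SSL_write in `lib`."""
    from bcc import BPF  # lazy import: the helpers above work without bcc installed
    b = BPF(text=BPF_PROGRAM)
    for sym, tag in (("SSL_read", "read"), ("SSL_write", "write")):
        b.attach_uprobe(name=lib, sym=sym, fn_name=f"probe_ssl_{tag}", pid=pid)
        b.attach_uretprobe(name=lib, sym=sym, fn_name=f"probe_ssl_{tag}_ret", pid=pid)
    return b


# Constructed /proc/<pid>/maps excerpt in an Android-style layout, not a real capture.
SAMPLE_MAPS = """\
7f1c2000-7f1c5000 r--p 00000000 fe:01 1234   /system/lib64/libc.so
7f2a0000-7f2a8000 r--p 00000000 fe:02 5678   /apex/com.android.conscrypt/lib64/libssl.so
7f2a8000-7f2c0000 r-xp 00008000 fe:02 5678   /apex/com.android.conscrypt/lib64/libssl.so
7fff0000-7fff2000 rw-p 00000000 00:00 0      [stack]
"""


def main(pid: int) -> None:
    with open(f"/proc/{pid}/maps") as fh:
        lib = find_mapped_library(fh.read())
    if lib is None:
        sys.exit(f"pid {pid}: no libssl.so mapped (static TLS, or not loaded yet)")
    b = attach_ssl_probes(pid, host_visible_path(pid, lib))

    def on_event(cpu, data, size):
        ev = b["events"].event(data)
        print(f"pid={ev.pid} {chr(ev.op)} {ev.len}B: {bytes(ev.data[:min(ev.len, MAX_BUF)])!r}")

    b["events"].open_perf_buffer(on_event)
    while True:
        b.perf_buffer_poll()


if __name__ == "__main__":
    main(int(sys.argv[1]))
```

Usage: sudo python3 ssl_uprobe.py <pid>. The entry/return split is necessary because at SSL_read entry the buffer is still empty; only the return value says how many bytes landed in it. A process that statically links its TLS library, or loads it later, shows no libssl.so in maps, which the script reports instead of attaching blindly.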
http-parse-complete.py
https://github.com/iovisor/bcc/blob/master/examples/networking/http_filter/http-parse-complete.py

Looks like it found this spot too.
```python
# initialize BPF
b = BPF(text=bpf_text)
if not is_support_kfunc:
    b.attach_kprobe(event=fnname_open, fn_name="syscall__trace_entry_open")
    b.attach_kretprobe(event=fnname_open, fn_name="trace_return")
    b.attach_kprobe(event=fnname_openat, fn_name="syscall__trace_entry_openat")
    b.attach_kretprobe(event=fnname_openat, fn_name="trace_return")
    if fnname_openat2:
        b.attach_kprobe(event=fnname_openat2, fn_name="syscall__trace_entry_openat2")
        b.attach_kretprobe(event=fnname_openat2, fn_name="trace_return")
initial_ts = 0
```
opensnoop.py
https://github.com/iovisor/bcc/blob/003b00374b052ed0da59776eb2be812fa1bbcb79/tools/opensnoop.py
syscall__trace_entry_openat2 and the other entry points have all been hooked.
With Xposed we need to find the package, then the method, the parameters, the call stack and the return value. After all this time learning Frida, it comes down to these few things, and the Java and JS side is the same few things. Frida and Xposed do just these few things.
What eBPF hooks is the [system call] system_call layer, plus kernel and native-library functions via kprobes and uprobes; Java-level methods, their arguments and return values are out of its reach, which is where Frida and Xposed come in.
Android reverse engineering related syscall table: list the high-frequency ones you know
In Android reverse engineering, the high-frequency system calls (syscalls) mainly involve process management, memory operations, file operations, network communication and so on. Below is a list of common high-frequency system calls:
1. Process and thread management
fork - create a child process
vfork - create a child process without copying page tables
execve - execute a new program
clone - create a thread or a new process
getpid - get the current process ID
getppid - get the parent process ID
gettid - get the current thread ID
tgkill - send a signal to a specific thread (used to kill a process or suspend it for debugging)
kill - send a signal to a process
2. Memory management
mmap - map memory
munmap - unmap memory
mprotect - change the permissions of memory pages (e.g. make them executable)
brk - adjust the heap size
madvise - memory access advice, possibly used for optimisation
remap_file_pages - remap file pages (possibly used for code hiding)
3. File system operations
openat / open - open a file
read / write - read and write a file
lseek - adjust the file offset
stat / fstat - get file information
mmap - share memory by mapping a file
unlink - delete a file
rename - rename a file
ioctl - perform I/O operations on a device (commonly used for /dev/ashmem and Binder-related operations)
4. Network operations
socket - create a socket
connect - connect to a remote server
bind - bind a local address
listen - listen on a port
accept - accept a connection
send / recv - send and receive data
sendto / recvfrom - UDP-related operations
getsockopt / setsockopt - get or set socket options
poll / select / epoll_wait - monitor multiple file descriptors
5. Time related
gettimeofday - get the current time
clock_gettime - get a high-resolution timestamp (used for timing checks or anti-debugging)
nanosleep - thread sleep
6. Permissions and security
getuid / geteuid - get the user ID (used for permission checks)
setuid - set the user ID (privilege escalation related)
prctl - process control (commonly used to hide process information, e.g. PR_SET_NAME to change the process name)
seccomp - configure system call filtering (commonly used for sandbox security policy)
7. Binder related
ioctl - core of Binder communication
mmap - used for Binder shared memory
write / read - send and receive Binder messages
poll - wait for Binder events
These system calls appear frequently during Android reverse engineering, especially in scenarios such as ptrace anti-debugging, loading dex files via mmap, and process replacement via execve.
If you have a specific analysis target, you can use strace or Frida hooks on these syscalls to intercept and analyse them.
```python
# initialize BPF
b = BPF(text=bpf_text)  # b is the BPF object: the compiled and loaded eBPF program plus its maps
if not is_support_kfunc:
    b.attach_kprobe(event=fnname_open, fn_name="syscall__trace_entry_open")  # the call table differs from the x86 architecture's
    b.attach_kretprobe(event=fnname_open, fn_name="trace_return")
    b.attach_kprobe(event=fnname_openat, fn_name="syscall__trace_entry_openat")
    b.attach_kretprobe(event=fnname_openat, fn_name="trace_return")
    if fnname_openat2:
        b.attach_kprobe(event=fnname_openat2, fn_name="syscall__trace_entry_openat2")
        b.attach_kretprobe(event=fnname_openat2, fn_name="trace_return")
initial_ts = 0
```
The x86 syscall table and the arm64 syscall table are not the same.
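The difference matters for the attach calls above: fnname_open, fnname_openat and fnname_openat2 are kernel symbol names, and opensnoop builds them from b.get_syscall_prefix() because the kernel's syscall entry wrapper is __x64_sys_openat on x86_64 but __arm64_sys_openat on arm64 (the numbers differ as well: openat is NR 257 on x86_64 and NR 56 on arm64, as the table below shows). The arm64 table has no open at all, so a symbol resolved for it does not exist and must be checked before attaching, the way the `if fnname_openat2:` guard already does for openat2. Added example, written for these notes and not taken from opensnoop.py or BCC, that performs this resolution on constructed kallsyms samples:

```python
#!/usr/bin/env python3
"""Resolve the kernel symbols a syscall kprobe must attach to, per architecture.

Added example; not opensnoop.py or BCC code, but it does the same job as BCC's
BPF.get_syscall_prefix() and BPF.ksymname(): the kernel exports no function
literally called `openat`; the syscall entry wrapper is `__x64_sys_openat` on
x86_64, `__arm64_sys_openat` on arm64 and plain `sys_openat` on older kernels.
The kallsyms listings below are constructed samples, not captured from a machine.
"""
from typing import Dict, Iterable, List, Optional, Set

# Wrapper prefixes to try, in order; modelled on the list BCC probes for.
SYSCALL_PREFIXES = ["sys_", "__x64_sys_", "__x32_compat_sys_", "__ia32_compat_sys_",
                    "__arm64_sys_", "__s390x_sys_", "__s390_sys_"]

# Constructed /proc/kallsyms excerpts ("address type name"); addresses are placeholders.
KALLSYMS_X86_64 = """\
ffffffff81000000 T _stext
ffffffff812a0000 T __x64_sys_bpf
ffffffff812b0000 T __x64_sys_open
ffffffff812b0100 T __x64_sys_openat
ffffffff812b0200 T __x64_sys_openat2
ffffffff812b0300 T __ia32_compat_sys_open
"""
KALLSYMS_ARM64 = """\
ffff800010000000 T _stext
ffff8000102a0000 T __arm64_sys_bpf
ffff8000102b0100 T __arm64_sys_openat
ffff8000102b0200 T __arm64_sys_openat2
"""
KALLSYMS_ARM64_OLD = """\
ffff800010000000 T _stext
ffff8000102a0000 T __arm64_sys_bpf
ffff8000102b0100 T __arm64_sys_openat
"""


def load_kallsyms(text: str) -> Set[str]:
    """Collect symbol names from kallsyms text (non-root sees zero addresses, names still show)."""
    names: Set[str] = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            names.add(fields[2])
    return names


def syscall_prefix(symbols: Set[str], canary: str = "bpf") -> str:
    """Detect the wrapper prefix by looking for a syscall every BPF-capable kernel has: bpf(2)."""
    for prefix in SYSCALL_PREFIXES:
        if prefix + canary in symbols:
            return prefix
    raise LookupError("no syscall wrapper prefix found; is this a kallsyms listing?")


def resolve_syscall_symbols(symbols: Set[str], names: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each syscall name to its kprobe target symbol, or None when this kernel lacks it."""
    prefix = syscall_prefix(symbols)
    return {name: (prefix + name if prefix + name in symbols else None) for name in names}


def open_family_targets(symbols: Set[str]) -> List[str]:
    """Symbols an opensnoop-style tool should attach to on this kernel.

    `open` has no entry in the arm64 table (only openat, NR 56) and `openat2`
    only exists on 5.6+ kernels, so either may legitimately be missing; attaching
    a kprobe to a symbol that does not exist fails, hence the filtering.
    """
    resolved = resolve_syscall_symbols(symbols, ["open", "openat", "openat2"])
    if resolved["openat"] is None:
        raise LookupError("openat missing: every Linux architecture has it, check the listing")
    return [sym for sym in resolved.values() if sym is not None]


if __name__ == "__main__":
    # Run against the live kernel; /proc/kallsyms is readable by anyone, symbols included.
    with open("/proc/kallsyms") as fh:
        live = load_kallsyms(fh.read())
    print("prefix:", syscall_prefix(live))
    print("attach to:", open_family_targets(live))
```

The returned list is what would be passed as `event=` to attach_kprobe; the BPF program names in the snippet above (syscall__trace_entry_open and friends) are the other side of the pairing and do not change with the architecture.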

Calling conventions (per architecture; the arm64 row is the one that applies here)
| arch | syscall NR | return | arg0 | arg1 | arg2 | arg3 | arg4 | arg5 |
|---|---|---|---|---|---|---|---|---|
| arm | r7 | r0 | r0 | r1 | r2 | r3 | r4 | r5 |
| arm64 | x8 | x0 | x0 | x1 | x2 | x3 | x4 | x5 |
| x86 | eax | eax | ebx | ecx | edx | esi | edi | ebp |
| x86_64 | rax | rax | rdi | rsi | rdx | r10 | r8 | r9 |
System call table: arm64
| NR | syscall name | references | %x8 | arg0 (%x0) | arg1 (%x1) | arg2 (%x2) | arg3 (%x3) | arg4 (%x4) | arg5 (%x5) |
|---|---|---|---|---|---|---|---|---|---|
| 0 | io_setup | man/ cs/ | 0x00 | unsigned nr_reqs | aio_context_t *ctx | – | – | – | – |
| 1 | io_destroy | man/ cs/ | 0x01 | aio_context_t ctx | – | – | – | – | – |
| 2 | io_submit | man/ cs/ | 0x02 | aio_context_t | long | struct iocb * * | – | – | – |
| 3 | io_cancel | man/ cs/ | 0x03 | aio_context_t ctx_id | struct iocb *iocb | struct io_event *result | – | – | – |
| 4 | io_getevents | man/ cs/ | 0x04 | aio_context_t ctx_id | long min_nr | long nr | struct io_event *events | struct __kernel_timespec *timeout | – |
| 5 | setxattr | man/ cs/ | 0x05 | const char *path | const char *name | const void *value | size_t size | int flags | – |
| 6 | lsetxattr | man/ cs/ | 0x06 | const char *path | const char *name | const void *value | size_t size | int flags | – |
| 7 | fsetxattr | man/ cs/ | 0x07 | int fd | const char *name | const void *value | size_t size | int flags | – |
| 8 | getxattr | man/ cs/ | 0x08 | const char *path | const char *name | void *value | size_t size | – | – |
| 9 | lgetxattr | man/ cs/ | 0x09 | const char *path | const char *name | void *value | size_t size | – | – |
| 10 | fgetxattr | man/ cs/ | 0x0a | int fd | const char *name | void *value | size_t size | – | – |
| 11 | listxattr | man/ cs/ | 0x0b | const char *path | char *list | size_t size | – | – | – |
| 12 | llistxattr | man/ cs/ | 0x0c | const char *path | char *list | size_t size | – | – | – |
| 13 | flistxattr | man/ cs/ | 0x0d | int fd | char *list | size_t size | – | – | – |
| 14 | removexattr | man/ cs/ | 0x0e | const char *path | const char *name | – | – | – | – |
| 15 | lremovexattr | man/ cs/ | 0x0f | const char *path | const char *name | – | – | – | – |
| 16 | fremovexattr | man/ cs/ | 0x10 | int fd | const char *name | – | – | – | – |
| 17 | getcwd | man/ cs/ | 0x11 | char *buf | unsigned long size | – | – | – | – |
| 18 | lookup_dcookie | man/ cs/ | 0x12 | u64 cookie64 | char *buf | size_t len | – | – | – |
| 19 | eventfd2 | man/ cs/ | 0x13 | unsigned int count | int flags | – | – | – | – |
| 20 | epoll_create1 | man/ cs/ | 0x14 | int flags | – | – | – | – | – |
| 21 | epoll_ctl | man/ cs/ | 0x15 | int epfd | int op | int fd | struct epoll_event *event | – | – |
| 22 | epoll_pwait | man/ cs/ | 0x16 | int epfd | struct epoll_event *events | int maxevents | int timeout | const sigset_t *sigmask | size_t sigsetsize |
| 23 | dup | man/ cs/ | 0x17 | unsigned int fildes | – | – | – | – | – |
| 24 | dup3 | man/ cs/ | 0x18 | unsigned int oldfd | unsigned int newfd | int flags | – | – | – |
| 25 | fcntl | man/ cs/ | 0x19 | unsigned int fd | unsigned int cmd | unsigned long arg | – | – | – |
| 26 | inotify_init1 | man/ cs/ | 0x1a | int flags | – | – | – | – | – |
| 27 | inotify_add_watch | man/ cs/ | 0x1b | int fd | const char *path | u32 mask | – | – | – |
| 28 | inotify_rm_watch | man/ cs/ | 0x1c | int fd | __s32 wd | – | – | – | – |
| 29 | ioctl | man/ cs/ | 0x1d | unsigned int fd | unsigned int cmd | unsigned long arg | – | – | – |
| 30 | ioprio_set | man/ cs/ | 0x1e | int which | int who | int ioprio | – | – | – |
| 31 | ioprio_get | man/ cs/ | 0x1f | int which | int who | – | – | – | – |
| 32 | flock | man/ cs/ | 0x20 | unsigned int fd | unsigned int cmd | – | – | – | – |
| 33 | mknodat | man/ cs/ | 0x21 | int dfd | const char * filename | umode_t mode | unsigned dev | – | – |
| 34 | mkdirat | man/ cs/ | 0x22 | int dfd | const char * pathname | umode_t mode | – | – | – |
| 35 | unlinkat | man/ cs/ | 0x23 | int dfd | const char * pathname | int flag | – | – | – |
| 36 | symlinkat | man/ cs/ | 0x24 | const char * oldname | int newdfd | const char * newname | – | – | – |
| 37 | linkat | man/ cs/ | 0x25 | int olddfd | const char *oldname | int newdfd | const char *newname | int flags | – |
| 38 | renameat | man/ cs/ | 0x26 | int olddfd | const char * oldname | int newdfd | const char * newname | – | – |
| 39 | umount2 | man/ cs/ | 0x27 | ? | ? | ? | ? | ? | ? |
| 40 | mount | man/ cs/ | 0x28 | char *dev_name | char *dir_name | char *type | unsigned long flags | void *data | – |
| 41 | pivot_root | man/ cs/ | 0x29 | const char *new_root | const char *put_old | – | – | – | – |
| 42 | nfsservctl | man/ cs/ | 0x2a | ? | ? | ? | ? | ? | ? |
| 43 | statfs | man/ cs/ | 0x2b | const char * path | struct statfs *buf | – | – | – | – |
| 44 | fstatfs | man/ cs/ | 0x2c | unsigned int fd | struct statfs *buf | – | – | – | – |
| 45 | truncate | man/ cs/ | 0x2d | const char *path | long length | – | – | – | – |
| 46 | ftruncate | man/ cs/ | 0x2e | unsigned int fd | unsigned long length | – | – | – | – |
| 47 | fallocate | man/ cs/ | 0x2f | int fd | int mode | loff_t offset | loff_t len | – | – |
| 48 | faccessat | man/ cs/ | 0x30 | int dfd | const char *filename | int mode | – | – | – |
| 49 | chdir | man/ cs/ | 0x31 | const char *filename | – | – | – | – | – |
| 50 | fchdir | man/ cs/ | 0x32 | unsigned int fd | – | – | – | – | – |
| 51 | chroot | man/ cs/ | 0x33 | const char *filename | – | – | – | – | – |
| 52 | fchmod | man/ cs/ | 0x34 | unsigned int fd | umode_t mode | – | – | – | – |
| 53 | fchmodat | man/ cs/ | 0x35 | int dfd | const char * filename | umode_t mode | – | – | – |
| 54 | fchownat | man/ cs/ | 0x36 | int dfd | const char *filename | uid_t user | gid_t group | int flag | – |
| 55 | fchown | man/ cs/ | 0x37 | unsigned int fd | uid_t user | gid_t group | – | – | – |
| 56 | openat | man/ cs/ | 0x38 | int dfd | const char *filename | int flags | umode_t mode | – | – |
| 57 | close | man/ cs/ | 0x39 | unsigned int fd | – | – | – | – | – |
| 58 | vhangup | man/ cs/ | 0x3a | – | – | – | – | – | – |
| 59 | pipe2 | man/ cs/ | 0x3b | int *fildes | int flags | – | – | – | – |
| 60 | quotactl | man/ cs/ | 0x3c | unsigned int cmd | const char *special | qid_t id | void *addr | – | – |
| 61 | getdents64 | man/ cs/ | 0x3d | unsigned int fd | struct linux_dirent64 *dirent | unsigned int count | – | – | – |
| 62 | lseek | man/ cs/ | 0x3e | unsigned int fd | off_t offset | unsigned int whence | – | – | – |
| 63 | read | man/ cs/ | 0x3f | unsigned int fd | char *buf | size_t count | – | – | – |
| 64 | write | man/ cs/ | 0x40 | unsigned int fd | const char *buf | size_t count | – | – | – |
| 65 | readv | man/ cs/ | 0x41 | unsigned long fd | const struct iovec *vec | unsigned long vlen | – | – | – |
| 66 | writev | man/ cs/ | 0x42 | unsigned long fd | const struct iovec *vec | unsigned long vlen | – | – | – |
| 67 | pread64 | man/ cs/ | 0x43 | unsigned int fd | char *buf | size_t count | loff_t pos | – | – |
| 68 | pwrite64 | man/ cs/ | 0x44 | unsigned int fd | const char *buf | size_t count | loff_t pos | – | – |
| 69 | preadv | man/ cs/ | 0x45 | unsigned long fd | const struct iovec *vec | unsigned long vlen | unsigned long pos_l | unsigned long pos_h | – |
| 70 | pwritev | man/ cs/ | 0x46 | unsigned long fd | const struct iovec *vec | unsigned long vlen | unsigned long pos_l | unsigned long pos_h | – |
| 71 | sendfile | man/ cs/ | 0x47 | int out_fd | int in_fd | off_t *offset | size_t count | – | – |
| 72 | pselect6 | man/ cs/ | 0x48 | int | fd_set * | fd_set * | fd_set * | struct __kernel_timespec * | void * |
| 73 | ppoll | man/ cs/ | 0x49 | struct pollfd * | unsigned int | struct __kernel_timespec * | const sigset_t * | size_t | – |
| 74 | signalfd4 | man/ cs/ | 0x4a | int ufd | sigset_t *user_mask | size_t sizemask | int flags | – | – |
| 75 | vmsplice | man/ cs/ | 0x4b | int fd | const struct iovec *iov | unsigned long nr_segs | unsigned int flags | – | – |
| 76 | splice | man/ cs/ | 0x4c | int fd_in | loff_t *off_in | int fd_out | loff_t *off_out | size_t len | unsigned int flags |
| 77 | tee | man/ cs/ | 0x4d | int fdin | int fdout | size_t len | unsigned int flags | – | – |
| 78 | readlinkat | man/ cs/ | 0x4e | int dfd | const char *path | char *buf | int bufsiz | – | – |
| 79 | newfstatat | man/ cs/ | 0x4f | int dfd | const char *filename | struct stat *statbuf | int flag | – | – |
| 80 | fstat | man/ cs/ | 0x50 | unsigned int fd | struct __old_kernel_stat *statbuf | – | – | – | – |
| 81 | sync | man/ cs/ | 0x51 | – | – | – | – | – | – |
| 82 | fsync | man/ cs/ | 0x52 | unsigned int fd | – | – | – | – | – |
| 83 | fdatasync | man/ cs/ | 0x53 | unsigned int fd | – | – | – | – | – |
| 84 | sync_file_range | man/ cs/ | 0x54 | int fd | loff_t offset | loff_t nbytes | unsigned int flags | – | – |
| 85 | timerfd_create | man/ cs/ | 0x55 | int clockid | int flags | – | – | – | – |
| 86 | timerfd_settime | man/ cs/ | 0x56 | int ufd | int flags | const struct __kernel_itimerspec *utmr | struct __kernel_itimerspec *otmr | – | – |
| 87 | timerfd_gettime | man/ cs/ | 0x57 | int ufd | struct __kernel_itimerspec *otmr | – | – | – | – |
| 88 | utimensat | man/ cs/ | 0x58 | int dfd | const char *filename | struct __kernel_timespec *utimes | int flags | – | – |
| 89 | acct | man/ cs/ | 0x59 | const char *name | – | – | – | – | – |
| 90 | capget | man/ cs/ | 0x5a | cap_user_header_t header | cap_user_data_t dataptr | – | – | – | – |
| 91 | capset | man/ cs/ | 0x5b | cap_user_header_t header | const cap_user_data_t data | – | – | – | – |
| 92 | personality | man/ cs/ | 0x5c | unsigned int personality | – | – | – | – | – |
| 93 | exit | man/ cs/ | 0x5d | int error_code | – | – | – | – | – |
| 94 | exit_group | man/ cs/ | 0x5e | int error_code | – | – | – | – | – |
| 95 | waitid | man/ cs/ | 0x5f | int which | pid_t pid | struct siginfo *infop | int options | struct rusage *ru | – |
| 96 | set_tid_address | man/ cs/ | 0x60 | int *tidptr | – | – | – | – | – |
| 97 | unshare | man/ cs/ | 0x61 | unsigned long unshare_flags | – | – | – | – | – |
| 98 | futex | man/ cs/ | 0x62 | u32 *uaddr | int op | u32 val | const struct __kernel_timespec *utime | u32 *uaddr2 | u32 val3 |
| 99 | set_robust_list | man/ cs/ | 0x63 | struct robust_list_head *head | size_t len | – | – | – | – |
| 100 | get_robust_list | man/ cs/ | 0x64 | int pid | struct robust_list_head * *head_ptr | size_t *len_ptr | – | – | – |
| 101 | nanosleep | man/ cs/ | 0x65 | struct __kernel_timespec *rqtp | struct __kernel_timespec *rmtp | – | – | – | – |
| 102 | getitimer | man/ cs/ | 0x66 | int which | struct __kernel_old_itimerval *value | – | – | – | – |
| 103 | setitimer | man/ cs/ | 0x67 | int which | struct __kernel_old_itimerval *value | struct __kernel_old_itimerval *ovalue | – | – | – |
| 104 | kexec_load | man/ cs/ | 0x68 | unsigned long entry | unsigned long nr_segments | struct kexec_segment *segments | unsigned long flags | – | – |
| 105 | init_module | man/ cs/ | 0x69 | void *umod | unsigned long len | const char *uargs | – | – | – |
| 106 | delete_module | man/ cs/ | 0x6a | const char *name_user | unsigned int flags | – | – | – | – |
| 107 | timer_create | man/ cs/ | 0x6b | clockid_t which_clock | struct sigevent *timer_event_spec | timer_t * created_timer_id | – | – | – |
| 108 | timer_gettime | man/ cs/ | 0x6c | timer_t timer_id | struct __kernel_itimerspec *setting | – | – | – | – |
| 109 | timer_getoverrun | man/ cs/ | 0x6d | timer_t timer_id | – | – | – | – | – |
| 110 | timer_settime | man/ cs/ | 0x6e | timer_t timer_id | int flags | const struct __kernel_itimerspec *new_setting | struct __kernel_itimerspec *old_setting | – | – |
| 111 | timer_delete | man/ cs/ | 0x6f | timer_t timer_id | – | – | – | – | – |
| 112 | clock_settime | man/ cs/ | 0x70 | clockid_t which_clock | const struct __kernel_timespec *tp | – | – | – | – |
| 113 | clock_gettime | man/ cs/ | 0x71 | clockid_t which_clock | struct __kernel_timespec *tp | – | – | – | – |
| 114 | clock_getres | man/ cs/ | 0x72 | clockid_t which_clock | struct __kernel_timespec *tp | – | – | – | – |
| 115 | clock_nanosleep | man/ cs/ | 0x73 | clockid_t which_clock | int flags | const struct __kernel_timespec *rqtp | struct __kernel_timespec *rmtp | – | – |
| 116 | syslog | man/ cs/ | 0x74 | int type | char *buf | int len | – | – | – |
| 117 | ptrace | man/ cs/ | 0x75 | long request | long pid | unsigned long addr | unsigned long data | – | – |
| 118 | sched_setparam | man/ cs/ | 0x76 | pid_t pid | struct sched_param *param | – | – | – | – |
| 119 | sched_setscheduler | man/ cs/ | 0x77 | pid_t pid | int policy | struct sched_param *param | – | – | – |
| 120 | sched_getscheduler | man/ cs/ | 0x78 | pid_t pid | – | – | – | – | – |
| 121 | sched_getparam | man/ cs/ | 0x79 | pid_t pid | struct sched_param *param | – | – | – | – |
| 122 | sched_setaffinity | man/ cs/ | 0x7a | pid_t pid | unsigned int len | unsigned long *user_mask_ptr | – | – | – |
| 123 | sched_getaffinity | man/ cs/ | 0x7b | pid_t pid | unsigned int len | unsigned long *user_mask_ptr | – | – | – |
| 124 | sched_yield | man/ cs/ | 0x7c | – | – | – | – | – | – |
| 125 | sched_get_priority_max | man/ cs/ | 0x7d | int policy | – | – | – | – | – |
| 126 | sched_get_priority_min | man/ cs/ | 0x7e | int policy | – | – | – | – | – |
| 127 | sched_rr_get_interval | man/ cs/ | 0x7f | pid_t pid | struct __kernel_timespec *interval | – | – | – | – |
| 128 | restart_syscall | man/ cs/ | 0x80 | – | – | – | – | – | – |
| 129 | kill | man/ cs/ | 0x81 | pid_t pid | int sig | – | – | – | – |
| 130 | tkill | man/ cs/ | 0x82 | pid_t pid | int sig | – | – | – | – |
| 131 | tgkill | man/ cs/ | 0x83 | pid_t tgid | pid_t pid | int sig | – | – | – |
| 132 | sigaltstack | man/ cs/ | 0x84 | const struct sigaltstack *uss | struct sigaltstack *uoss | – | – | – | – |
| 133 | rt_sigsuspend | man/ cs/ | 0x85 | sigset_t *unewset | size_t sigsetsize | – | – | – | – |
| 134 | rt_sigaction | man/ cs/ | 0x86 | int | const struct sigaction * | struct sigaction * | size_t | – | – |
| 135 | rt_sigprocmask | man/ cs/ | 0x87 | int how | sigset_t *set | sigset_t *oset | size_t sigsetsize | – | – |
| 136 | rt_sigpending | man/ cs/ | 0x88 | sigset_t *set | size_t sigsetsize | – | – | – | – |
| 137 | rt_sigtimedwait | man/ cs/ | 0x89 | const sigset_t *uthese | siginfo_t *uinfo | const struct __kernel_timespec *uts | size_t sigsetsize | – | – |
| 138 | rt_sigqueueinfo | man/ cs/ | 0x8a | pid_t pid | int sig | siginfo_t *uinfo | – | – | – |
| 139 | rt_sigreturn | man/ cs/ | 0x8b | ? | ? | ? | ? | ? | ? |
| 140 | setpriority | man/ cs/ | 0x8c | int which | int who | int niceval | – | – | – |
| 141 | getpriority | man/ cs/ | 0x8d | int which | int who | – | – | – | – |
| 142 | reboot | man/ cs/ | 0x8e | int magic1 | int magic2 | unsigned int cmd | void *arg | – | – |
| 143 | setregid | man/ cs/ | 0x8f | gid_t rgid | gid_t egid | – | – | – | – |
| 144 | setgid | man/ cs/ | 0x90 | gid_t gid | – | – | – | – | – |
| 145 | setreuid | man/ cs/ | 0x91 | uid_t ruid | uid_t euid | – | – | – | – |
| 146 | setuid | man/ cs/ | 0x92 | uid_t uid | – | – | – | – | – |
| 147 | setresuid | man/ cs/ | 0x93 | uid_t ruid | uid_t euid | uid_t suid | – | – | – |
| 148 | getresuid | man/ cs/ | 0x94 | uid_t *ruid | uid_t *euid | uid_t *suid | – | – | – |
| 149 | setresgid | man/ cs/ | 0x95 | gid_t rgid | gid_t egid | gid_t sgid | – | – | – |
| 150 | getresgid | man/ cs/ | 0x96 | gid_t *rgid | gid_t *egid | gid_t *sgid | – | – | – |
| 151 | setfsuid | man/ cs/ | 0x97 | uid_t uid | – | – | – | – | – |
| 152 | setfsgid | man/ cs/ | 0x98 | gid_t gid | – | – | – | – | – |
| 153 | times | man/ cs/ | 0x99 | struct tms *tbuf | – | – | – | – | – |
| 154 | setpgid | man/ cs/ | 0x9a | pid_t pid | pid_t pgid | – | – | – | – |
| 155 | getpgid | man/ cs/ | 0x9b | pid_t pid | – | – | – | – | – |
| 156 | getsid | man/ cs/ | 0x9c | pid_t pid | – | – | – | – | – |
| 157 | setsid | man/ cs/ | 0x9d | – | – | – | – | – | – |
| 158 | getgroups | man/ cs/ | 0x9e | int gidsetsize | gid_t *grouplist | – | – | – | – |
| 159 | setgroups | man/ cs/ | 0x9f | int gidsetsize | gid_t *grouplist | – | – | – | – |
| 160 | uname | man/ cs/ | 0xa0 | struct old_utsname * | – | – | – | – | – |
| 161 | sethostname | man/ cs/ | 0xa1 | char *name | int len | – | – | – | – |
| 162 | setdomainname | man/ cs/ | 0xa2 | char *name | int len | – | – | – | – |
| 163 | getrlimit | man/ cs/ | 0xa3 | unsigned int resource | struct rlimit *rlim | – | – | – | – |
| 164 | setrlimit | man/ cs/ | 0xa4 | unsigned int resource | struct rlimit *rlim | – | – | – | – |
| 165 | getrusage | man/ cs/ | 0xa5 | int who | struct rusage *ru | – | – | – | – |
| 166 | umask | man/ cs/ | 0xa6 | int mask | – | – | – | – | – |
| 167 | prctl | man/ cs/ | 0xa7 | int option | unsigned long arg2 | unsigned long arg3 | unsigned long arg4 | unsigned long arg5 | – |
| 168 | getcpu | man/ cs/ | 0xa8 | unsigned *cpu | unsigned *node | struct getcpu_cache *cache | – | – | – |
| 169 | gettimeofday | man/ cs/ | 0xa9 | struct __kernel_old_timeval *tv | struct timezone *tz | – | – | – | – |
| 170 | settimeofday | man/ cs/ | 0xaa | struct __kernel_old_timeval *tv | struct timezone *tz | – | – | – | – |
| 171 | adjtimex | man/ cs/ | 0xab | struct __kernel_timex *txc_p | – | – | – | – | – |
| 172 | getpid | man/ cs/ | 0xac | – | – | – | – | – | – |
| 173 | getppid | man/ cs/ | 0xad | – | – | – | – | – | – |
| 174 | getuid | man/ cs/ | 0xae | – | – | – | – | – | – |
| 175 | geteuid | man/ cs/ | 0xaf | – | – | – | – | – | – |
| 176 | getgid | man/ cs/ | 0xb0 | – | – | – | – | – | – |
| 177 | getegid | man/ cs/ | 0xb1 | – | – | – | – | – | – |
| 178 | gettid | man/ cs/ | 0xb2 | – | – | – | – | – | – |
| 179 | sysinfo | man/ cs/ | 0xb3 | struct sysinfo *info | – | – | – | – | – |
| 180 | mq_open | man/ cs/ | 0xb4 | const char *name | int oflag | umode_t mode | struct mq_attr *attr | – | – |
| 181 | mq_unlink | man/ cs/ | 0xb5 | const char *name | – | – | – | – | – |
| 182 | mq_timedsend | man/ cs/ | 0xb6 | mqd_t mqdes | const char *msg_ptr | size_t msg_len | unsigned int msg_prio | const struct __kernel_timespec *abs_timeout | – |
| 183 | mq_timedreceive | man/ cs/ | 0xb7 | mqd_t mqdes | char *msg_ptr | size_t msg_len | unsigned int *msg_prio | const struct __kernel_timespec *abs_timeout | – |
| 184 | mq_notify | man/ cs/ | 0xb8 | mqd_t mqdes | const struct sigevent *notification | – | – | – | – |
| 185 | mq_getsetattr | man/ cs/ | 0xb9 | mqd_t mqdes | const struct mq_attr *mqstat | struct mq_attr *omqstat | – | – | – |
| 186 | msgget | man/ cs/ | 0xba | key_t key | int msgflg | – | – | – | – |
| 187 | msgctl | man/ cs/ | 0xbb | int msqid | int cmd | struct msqid_ds *buf | – | – | – |
| 188 | msgrcv | man/ cs/ | 0xbc | int msqid | struct msgbuf *msgp | size_t msgsz | long msgtyp | int msgflg | – |
| 189 | msgsnd | man/ cs/ | 0xbd | int msqid | struct msgbuf *msgp | size_t msgsz | int msgflg | – | – |
| 190 | semget | man/ cs/ | 0xbe | key_t key | int nsems | int semflg | – | – | – |
| 191 | semctl | man/ cs/ | 0xbf | int semid | int semnum | int cmd | unsigned long arg | – | – |
| 192 | semtimedop | man/ cs/ | 0xc0 | int semid | struct sembuf *sops | unsigned nsops | const struct __kernel_timespec *timeout | – | – |
| 193 | semop | man/ cs/ | 0xc1 | int semid | struct sembuf *sops | unsigned nsops | – | – | – |
| 194 | shmget | man/ cs/ | 0xc2 | key_t key | size_t size | int flag | – | – | – |
| 195 | shmctl | man/ cs/ | 0xc3 | int shmid | int cmd | struct shmid_ds *buf | – | – | – |
| 196 | shmat | man/ cs/ | 0xc4 | int shmid | char *shmaddr | int shmflg | – | – | – |
| 197 | shmdt | man/ cs/ | 0xc5 | char *shmaddr | – | – | – | – | – |
| 198 | socket | man/ cs/ | 0xc6 | int | int | int | – | – | – |
| 199 | socketpair | man/ cs/ | 0xc7 | int | int | int | int * | – | – |
| 200 | bind | man/ cs/ | 0xc8 | int | struct sockaddr * | int | – | – | – |
| 201 | listen | man/ cs/ | 0xc9 | int | int | – | – | – | – |
| 202 | accept | man/ cs/ | 0xca | int | struct sockaddr * | int * | – | – | – |
| 203 | connect | man/ cs/ | 0xcb | int | struct sockaddr * | int | – | – | – |
| 204 | getsockname | man/ cs/ | 0xcc | int | struct sockaddr * | int * | – | – | – |
| 205 | getpeername | man/ cs/ | 0xcd | int | struct sockaddr * | int * | – | – | – |
| 206 | sendto | man/ cs/ | 0xce | int | void * | size_t | unsigned | struct sockaddr * | int |
| 207 | recvfrom | man/ cs/ | 0xcf | int | void * | size_t | unsigned | struct sockaddr * | int * |
| 208 | setsockopt | man/ cs/ | 0xd0 | int fd | int level | int optname | char *optval | int optlen | – |
| 209 | getsockopt | man/ cs/ | 0xd1 | int fd | int level | int optname | char *optval | int *optlen | – |
| 210 | shutdown | man/ cs/ | 0xd2 | int | int | – | – | – | – |
| 211 | sendmsg | man/ cs/ | 0xd3 | int fd | struct user_msghdr *msg | unsigned flags | – | – | – |
| 212 | recvmsg | man/ cs/ | 0xd4 | int fd | struct user_msghdr *msg | unsigned flags | – | – | – |
| 213 | readahead | man/ cs/ | 0xd5 | int fd | loff_t offset | size_t count | – | – | – |
| 214 | brk | man/ cs/ | 0xd6 | unsigned long brk | – | – | – | – | – |
| 215 | munmap | man/ cs/ | 0xd7 | unsigned long addr | size_t len | – | – | – | – |
| 216 | mremap | man/ cs/ | 0xd8 | unsigned long addr | unsigned long old_len | unsigned long new_len | unsigned long flags | unsigned long new_addr | – |
| 217 | add_key | man/ cs/ | 0xd9 | const char *_type | const char *_description | const void *_payload | size_t plen | key_serial_t destringid | – |
| 218 | request_key | man/ cs/ | 0xda | const char *_type | const char *_description | const char *_callout_info | key_serial_t destringid | – | – |
| 219 | keyctl | man/ cs/ | 0xdb | int cmd | unsigned long arg2 | unsigned long arg3 | unsigned long arg4 | unsigned long arg5 | – |
| 220 | clone | man/ cs/ | 0xdc | unsigned long | unsigned long | int * | int * | unsigned long | – |
| 221 | execve | man/ cs/ | 0xdd | const char *filename | const char *const *argv | const char *const *envp | – | – | – |
| 222 | mmap | man/ cs/ | 0xde | ? | ? | ? | ? | ? | ? |
| 223 | fadvise64 | man/ cs/ | 0xdf | int fd | loff_t offset | size_t len | int advice | – | – |
| 224 | swapon | man/ cs/ | 0xe0 | const char *specialfile | int swap_flags | – | – | – | – |
| 225 | swapoff | man/ cs/ | 0xe1 | const char *specialfile | – | – | – | – | – |
| 226 | mprotect | man/ cs/ | 0xe2 | unsigned long start | size_t len | unsigned long prot | – | – | – |
| 227 | msync | man/ cs/ | 0xe3 | unsigned long start | size_t len | int flags | – | – | – |
| 228 | mlock | man/ cs/ | 0xe4 | unsigned long start | size_t len | – | – | – | – |
| 229 | munlock | man/ cs/ | 0xe5 | unsigned long start | size_t len | – | – | – | – |
| 230 | mlockall | man/ cs/ | 0xe6 | int flags | – | – | – | – | – |
| 231 | munlockall | man/ cs/ | 0xe7 | – | – | – | – | – | – |
| 232 | mincore | man/ cs/ | 0xe8 | unsigned long start | size_t len | unsigned char * vec | – | – | – |
| 233 | madvise | man/ cs/ | 0xe9 | unsigned long start | size_t len | int behavior | – | – | – |
| 234 | remap_file_pages | man/ cs/ | 0xea | unsigned long start | unsigned long size | unsigned long prot | unsigned long pgoff | unsigned long flags | – |
| 235 | mbind | man/ cs/ | 0xeb | unsigned long start | unsigned long len | unsigned long mode | const unsigned long *nmask | unsigned long maxnode | unsigned flags |
| 236 | get_mempolicy | man/ cs/ | 0xec | int *policy | unsigned long *nmask | unsigned long maxnode | unsigned long addr | unsigned long flags | – |
| 237 | set_mempolicy | man/ cs/ | 0xed | int mode | const unsigned long *nmask | unsigned long maxnode | – | – | – |
| 238 | migrate_pages | man/ cs/ | 0xee | pid_t pid | unsigned long maxnode | const unsigned long *from | const unsigned long *to | – | – |
| 239 | move_pages | man/ cs/ | 0xef | pid_t pid | unsigned long nr_pages | const void * *pages | const int *nodes | int *status | int flags |
| 240 | rt_tgsigqueueinfo | man/ cs/ | 0xf0 | pid_t tgid | pid_t pid | int sig | siginfo_t *uinfo | – | – |
| 241 | perf_event_open | man/ cs/ | 0xf1 | struct perf_event_attr *attr_uptr | pid_t pid | int cpu | int group_fd | unsigned long flags | – |
| 242 | accept4 | man/ cs/ | 0xf2 | int | struct sockaddr * | int * | int | – | – |
| 243 | recvmmsg | man/ cs/ | 0xf3 | int fd | struct mmsghdr *msg | unsigned int vlen | unsigned flags | struct __kernel_timespec *timeout | – |
| 244 | not implemented | – | 0xf4 | – | – | – | – | – | – |
| 245 | not implemented | – | 0xf5 | – | – | – | – | – | – |
| 246 | not implemented | – | 0xf6 | – | – | – | – | – | – |
| 247 | not implemented | – | 0xf7 | – | – | – | – | – | – |
| 248 | not implemented | – | 0xf8 | – | – | – | – | – | – |
| 249 | not implemented | – | 0xf9 | – | – | – | – | – | – |
| 250 | not implemented | – | 0xfa | – | – | – | – | – | – |
| 251 | not implemented | – | 0xfb | – | – | – | – | – | – |
| 252 | not implemented | – | 0xfc | – | – | – | – | – | – |
| 253 | not implemented | – | 0xfd | – | – | – | – | – | – |
| 254 | not implemented | – | 0xfe | – | – | – | – | – | – |
| 255 | not implemented | – | 0xff | – | – | – | – | – | – |
| 256 | not implemented | – | 0x100 | – | – | – | – | – | – |
| 257 | not implemented | – | 0x101 | – | – | – | – | – | – |
| 258 | not implemented | – | 0x102 | – | – | – | – | – | – |
| 259 | not implemented | – | 0x103 | – | – | – | – | – | – |
| 260 | wait4 | man/ cs/ | 0x104 | pid_t pid | int *stat_addr | int options | struct rusage *ru | – | – |
| 261 | prlimit64 | man/ cs/ | 0x105 | pid_t pid | unsigned int resource | const struct rlimit64 *new_rlim | struct rlimit64 *old_rlim | – | – |
| 262 | fanotify_init | man/ cs/ | 0x106 | unsigned int flags | unsigned int event_f_flags | – | – | – | – |
| 263 | fanotify_mark | man/ cs/ | 0x107 | int fanotify_fd | unsigned int flags | u64 mask | int fd | const char *pathname | – |
| 264 | name_to_handle_at | man/ cs/ | 0x108 | int dfd | const char *name | struct file_handle *handle | int *mnt_id | int flag | – |
| 265 | open_by_handle_at | man/ cs/ | 0x109 | int mountdirfd | struct file_handle *handle | int flags | – | – | – |
| 266 | clock_adjtime | man/ cs/ | 0x10a | clockid_t which_clock | struct __kernel_timex *tx | – | – | – | – |
| 267 | syncfs | man/ cs/ | 0x10b | int fd | – | – | – | – | – |
| 268 | setns | man/ cs/ | 0x10c | int fd | int nstype | – | – | – | – |
| 269 | sendmmsg | man/ cs/ | 0x10d | int fd | struct mmsghdr *msg | unsigned int vlen | unsigned flags | – | – |
| 270 | process_vm_readv | man/ cs/ | 0x10e | pid_t pid | const struct iovec *lvec | unsigned long liovcnt | const struct iovec *rvec | unsigned long riovcnt | unsigned long flags |
| 271 | process_vm_writev | man/ cs/ | 0x10f | pid_t pid | const struct iovec *lvec | unsigned long liovcnt | const struct iovec *rvec | unsigned long riovcnt | unsigned long flags |
| 272 | kcmp | man/ cs/ | 0x110 | pid_t pid1 | pid_t pid2 | int type | unsigned long idx1 | unsigned long idx2 | – |
| 273 | finit_module | man/ cs/ | 0x111 | int fd | const char *uargs | int flags | – | – | – |
| 274 | sched_setattr | man/ cs/ | 0x112 | pid_t pid | struct sched_attr *attr | unsigned int flags | – | – | – |
| 275 | sched_getattr | man/ cs/ | 0x113 | pid_t pid | struct sched_attr *attr | unsigned int size | unsigned int flags | – | – |
| 276 | renameat2 | man/ cs/ | 0x114 | int olddfd | const char *oldname | int newdfd | const char *newname | unsigned int flags | – |
| 277 | seccomp | man/ cs/ | 0x115 | unsigned int op | unsigned int flags | void *uargs | – | – | – |
| 278 | getrandom | man/ cs/ | 0x116 | char *buf | size_t count | unsigned int flags | – | – | – |
| 279 | memfd_create | man/ cs/ | 0x117 | const char *uname_ptr | unsigned int flags | – | – | – | – |
| 280 | bpf | man/ cs/ | 0x118 | int cmd | union bpf_attr *attr | unsigned int size | – | – | – |
| 281 | execveat | man/ cs/ | 0x119 | int dfd | const char *filename | const char *const *argv | const char *const *envp | int flags | – |
| 282 | userfaultfd | man/ cs/ | 0x11a | int flags | – | – | – | – | – |
| 283 | membarrier | man/ cs/ | 0x11b | int cmd | unsigned int flags | int cpu_id | – | – | – |
| 284 | mlock2 | man/ cs/ | 0x11c | unsigned long start | size_t len | int flags | – | – | – |
| 285 | copy_file_range | man/ cs/ | 0x11d | int fd_in | loff_t *off_in | int fd_out | loff_t *off_out | size_t len | unsigned int flags |
| 286 | preadv2 | man/ cs/ | 0x11e | unsigned long fd | const struct iovec *vec | unsigned long vlen | unsigned long pos_l | unsigned long pos_h | rwf_t flags |
| 287 | pwritev2 | man/ cs/ | 0x11f | unsigned long fd | const struct iovec *vec | unsigned long vlen | unsigned long pos_l | unsigned long pos_h | rwf_t flags |
| 288 | pkey_mprotect | man/ cs/ | 0x120 | unsigned long start | size_t len | unsigned long prot | int pkey | – | – |
| 289 | pkey_alloc | man/ cs/ | 0x121 | unsigned long flags | unsigned long init_val | – | – | – | – |
| 290 | pkey_free | man/ cs/ | 0x122 | int pkey | – | – | – | – | – |
| 291 | statx | man/ cs/ | 0x123 | int dfd | const char *path | unsigned flags | unsigned mask | struct statx *buffer | – |
| 425 | io_uring_setup | man/ cs/ | 0x1a9 | u32 entries | struct io_uring_params *p | – | – | – | – |
| 426 | io_uring_enter | man/ cs/ | 0x1aa | unsigned int fd | u32 to_submit | u32 min_complete | u32 flags | const void *argp | size_t argsz |
| 427 | not implemented | – | 0x1ab | – | – | – | – | – | – |
| 428 | not implemented | – | 0x1ac | – | – | – | – | – | – |
| 429 | not implemented | – | 0x1ad | – | – | – | – | – | – |
| 430 | not implemented | – | 0x1ae | – | – | – | – | – | – |
| 431 | not implemented | – | 0x1af | – | – | – | – | – | – |
| 432 | not implemented | – | 0x1b0 | – | – | – | – | – | – |
| 433 | not implemented | – | 0x1b1 | – | – | – | – | – | – |
| 434 | not implemented | – | 0x1b2 | – | – | – | – | – | – |
| 435 | not implemented | – | 0x1b3 | – | – | – | – | – | – |
| 436 | not implemented | – | 0x1b4 | – | – | – | – | – | – |
| 437 | not implemented | – | 0x1b5 | – | – | – | – | – | – |
| 438 | not implemented | – | 0x1b6 | – | – | – | – | – | – |
| 439 | faccessat2 | man/ cs/ | 0x1b7 | int dfd | const char *filename | int mode | int flags | – | – |
Key section of the source code (2)
# process event
# Callback invoked by the perf buffer for every record the kernel side submits.
def print_event(cpu, data, size):
    event = b["events"].event(data)
    global initial_ts

    # Without --full-path every event is a complete open(); with it, only the
    # EVENT_END record is printed and the EVENT_ENTRY records carry path pieces.
    if not args.full_path or event.type == EventType.EVENT_END:
        skip = False

        # split return value into FD and errno columns
        if event.ret >= 0:
            fd_s = event.ret
            err = 0
        else:
            fd_s = -1
            err = - event.ret

        if not initial_ts:
            initial_ts = event.ts

        # --failed: show only opens that returned an error
        if args.failed and (event.ret >= 0):
            skip = True

        # --name: substring filter on the process comm
        if args.name and bytes(args.name) not in event.comm:
            skip = True

        if not skip:
            if args.timestamp:
                delta = event.ts - initial_ts
                printb(b"%-14.9f" % (float(delta) / 1000000), nl="")

            if args.print_uid:
                printb(b"%-6d" % event.uid, nl="")

            # event.id packs TGID in the high 32 bits and TID in the low 32 bits
            printb(b"%-6d %-16s %4d %3d " %
                   (event.id & 0xffffffff if args.tid else event.id >> 32,
                    event.comm, fd_s, err), nl="")

            if args.extended_fields:
                printb(b"%08o " % event.flags, nl="")

            if not args.full_path:
                printb(b"%s" % event.name)
            else:
                # components were submitted leaf -> root, so reverse before joining
                paths = entries[event.id]
                paths.reverse()
                printb(b"%s" % os.path.join(*paths))

        if args.full_path:
            try:
                del(entries[event.id])
            except Exception:
                pass
    elif event.type == EventType.EVENT_ENTRY:
        entries[event.id].append(event.name)
Reproduce all of this, understand all of it thoroughly, and write all of it up as documentation; that is enough.
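To understand the user-space half of opensnoop without a kernel or BCC at hand, here is an added example (not opensnoop's own code) that re-implements the logic of print_event above as a testable class: the ret to FD/errno split, PID/TID extraction from the packed 64-bit id, the --failed and --name filters, and the --full-path reconstruction from ENTRY/END records. The Event class, the OpenTracker name and the constructed event values are assumptions; timestamps are taken to be in microseconds, which is why the page divides by 1000000.

```python
import os
from collections import defaultdict

EVENT_ENTRY, EVENT_END = 0, 1   # same roles as opensnoop's EventType values


class Event:
    """Constructed stand-in for the perf-buffer record that print_event() reads."""
    def __init__(self, id, ts, ret, comm, name, type=EVENT_END, uid=0, flags=0):
        self.id, self.ts, self.ret, self.comm = id, ts, ret, comm
        self.name, self.type, self.uid, self.flags = name, type, uid, flags


def split_ret(ret):
    """Non-negative return value is the new FD; negative is -errno (opensnoop's rule)."""
    return (ret, 0) if ret >= 0 else (-1, -ret)


def pid_of(event_id, tid=False):
    """event.id packs the TGID in the high 32 bits and the TID in the low 32 bits."""
    return event_id & 0xffffffff if tid else event_id >> 32


class OpenTracker:
    """User-space half of opensnoop's event handling, with no BCC dependency (hypothetical)."""
    def __init__(self, full_path=False, failed=False, name=None, tid=False):
        self.full_path, self.failed, self.name, self.tid = full_path, failed, name, tid
        self.entries = defaultdict(list)  # event.id -> path components, leaf first
        self.initial_ts = None            # ts is in microseconds, as opensnoop reports it

    def handle(self, event):
        """Return a row dict for an open() worth printing, else None (skipped or buffered)."""
        if not self.full_path or event.type == EVENT_END:
            fd, err = split_ret(event.ret)
            if self.initial_ts is None:
                self.initial_ts = event.ts
            skip = (self.failed and event.ret >= 0) or \
                   (self.name is not None and self.name not in event.comm)
            row = None
            if not skip:
                parts = self.entries.get(event.id, [])
                parts.reverse()                 # kernel side emitted leaf -> root
                path = os.path.join(*parts) if parts else event.name  # no parts: use name
                row = {"pid": pid_of(event.id, self.tid), "comm": event.comm,
                       "fd": fd, "err": err, "path": path,
                       "delta_s": (event.ts - self.initial_ts) / 1e6}
            self.entries.pop(event.id, None)    # drop buffered components either way
            return row
        if event.type == EVENT_ENTRY:
            self.entries[event.id].append(event.name)
        return None
```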
eBPF android tools
Key references
https://github.com/iovisor/bcc/blob/master/INSTALL.md#ubuntu---source
https://blog.xhyeax.com/2022/04/28/arm64-syscall-table/
https://github.com/iovisor/bcc/blob/003b00374b052ed0da59776eb2be812fa1bbcb79/tools/opensnoop.py
