This article explains the technical principles behind Linux kernel tracing, covering static tracepoints and dynamic kprobes, demonstrating their use with ftrace and perf, and detailing the underlying macro implementations and low‑level mechanisms that make kernel source tracking possible.
This article explains how to locate and monitor kernel execution using IDE navigation, Linux tracing tools such as ftrace, perf, tracepoints, and kprobes, and dives into the underlying implementation details of static and dynamic tracing mechanisms.
This article analyzes eBPF tracing hook mechanisms—kprobe, tracepoint/raw_tp, and fentry—explaining their implementation, performance trade‑offs, kernel version support, and benchmark results, to guide developers in choosing the most efficient hook for production workloads.
This article demonstrates how to use eBPF to audit fileless command‑execution attacks and reverse‑shell techniques by tracing memfd_create, Kprobe/LSM hooks, dup2 redirections, and related kernel functions, providing concrete code examples and analysis of the detection logic.
This guide explains how to leverage eBPF’s Kprobe, Tracepoint, and LSM features to audit file read/write activity, extract process and file details, and optionally block operations using helpers like bpf_send_signal or bpf_override_return, with complete code examples and configuration steps.
The article explains how attackers exploit SUID binaries for privilege escalation and demonstrates how to use eBPF LSM hooks (file_open, bprm_check_security) and Kprobe tracing to audit such operations, then shows how to block them by returning error codes while exempting root users.
This article explains how to use Linux eBPF kprobe (and kretprobe) to dynamically instrument the unlink system call, covering the underlying concepts, required kernel headers, full eBPF source code, compilation with both eunomia‑bpf and cilium/ebpf, and a detailed comparison with tracepoint probes.
This article explains the Linux kernel ftrace architecture, covering ring buffer principles and code, tracer implementations (function, function_graph, irq_off), trace events, dynamic and static instrumentation, and kprobe mechanisms, illustrating how tracing is integrated, managed, and optimized for various execution contexts.
This article provides a comprehensive overview of Linux kernel debugging, covering core tools such as printk, ftrace, trace‑cmd, kprobe, systemtap, kgdb, kgtp, perf, as well as pseudo filesystems like procfs, sysfs, debugfs and relayfs, and introduces additional tracers including LTTng, eBPF, Ktap, dtrace4linux, OL DTrace and sysdig.
This comprehensive guide explores Linux kernel debugging essentials, covering pseudo filesystems like procfs, sysfs, debugfs, relayfs, and advanced tracing tools such as ftrace, kprobe, systemtap, perf, KGTP, and LTTng, with practical commands and reference links.
This article explores advanced Linux kernel hooking techniques—including kprobe, jprobe, kretprobe, and livepatch—alongside lock mechanisms and atomic operations, providing code examples and practical guidance for safe and effective kernel instrumentation.
