I tried to hook syscall __x64_sys_execve with kretprobe. So in the entry handler, I tried to get its params, and use strncpy_from_user to get the char* filename, (char**)argv.But after I compiled the module and insmod, nothing new was got from dmesg, and when i tried to removed the module, it was killed and system broke down.

I’m trying to set a kprobe on stat syscall to capture some information. When checking /proc/kallsyms I have many similar names and it’s a bit confusing which is the right one for me too use.

I have been learning and experimenting with kernel probes(both kprobes and kretprobes) recently and today I managed to make it work for Ubuntu 22.04 kernel 5.x(which is the kernel I use on my development machine) and Debian 12.5 kernel 6.x which is a VM I have and it worked without any issue.

I’m installing a kprobe on sys_kill and I want to monitor PID and Signals.

Unfortunately the title might not be the best for describing the problem.