ripzero

Syscall tracer via eBPF

Primary language: C++

ripzero - Advanced eBPF Syscall Monitor

Overview

ripzero is an advanced eBPF-based syscall monitor that provides comprehensive real-time tracing of system calls for specific processes on Linux. It captures not only syscall entry/exit events but also full stack traces (both user and kernel space), file descriptor introspection, and supports multiple output formats including perf.data for integration with performance analysis tools.

Key Features

  • Dual Stack Trace Capture: Records both user-space and kernel-space stack traces with symbol resolution
  • File Descriptor Introspection: Automatically identifies file types (regular files, directories, devices, sockets, etc.) for I/O syscalls
  • BTF-Enhanced Symbol Resolution: Uses kernel BTF (BPF Type Format) for accurate kernel symbol resolution with function signatures
  • User Symbol Resolution: Resolves user-space addresses to source file:line using DWARF debug information
  • ioctl Command Decoding: Automatically decodes ioctl command numbers to human-readable names
  • Configurable Features: Runtime toggles for kernel stacks and introspection via BPF maps
  • Performance Data Export: Supports exporting trace data in perf.data format for analysis with standard tools
  • Command Execution Mode: Can spawn and trace child processes with ptrace synchronization
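The ioctl decoding feature above rests on the way Linux packs an ioctl request number: on x86_64 the 32-bit value carries an 8-bit command number, an 8-bit "type" (driver magic), a 14-bit argument size and a 2-bit direction. The following is an added example, not ripzero's code, that splits a request into those fields, names a few requests a tracer meets constantly, and falls back to the `_IO/_IOR/_IOW/_IOWR` form for anything unknown. The bit layout is written out so it builds without Linux headers; it matches asm-generic/ioctl.h on x86_64, and the small name table is the only data assumed.

```cpp
// Added example (not ripzero's code): decode an ioctl request number into its
// direction/type/nr/size fields and map a few well-known requests to names.
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>

// Field layout of asm-generic/ioctl.h as used on x86_64: 8 nr bits, 8 type bits,
// 14 size bits, 2 direction bits. Hard-coded so the example builds without
// Linux headers; on ABIs with a different layout use _IOC_* from <sys/ioctl.h>.
constexpr unsigned NRBITS = 8, TYPEBITS = 8, SIZEBITS = 14, DIRBITS = 2;
constexpr unsigned NRSHIFT = 0;
constexpr unsigned TYPESHIFT = NRSHIFT + NRBITS;
constexpr unsigned SIZESHIFT = TYPESHIFT + TYPEBITS;
constexpr unsigned DIRSHIFT = SIZESHIFT + SIZEBITS;
enum Dir : unsigned { IOC_NONE = 0, IOC_WRITE = 1, IOC_READ = 2 };

struct IoctlFields { unsigned dir, type, nr, size; };

// Same arithmetic as the kernel's _IOC() macro.
constexpr std::uint32_t ioc(unsigned dir, unsigned type, unsigned nr, unsigned size) {
    return (dir << DIRSHIFT) | (size << SIZESHIFT) | (type << TYPESHIFT) | (nr << NRSHIFT);
}

IoctlFields decode_ioctl(std::uint32_t cmd) {
    return { (cmd >> DIRSHIFT) & ((1u << DIRBITS) - 1),
             (cmd >> TYPESHIFT) & ((1u << TYPEBITS) - 1),
             (cmd >> NRSHIFT) & ((1u << NRBITS) - 1),
             (cmd >> SIZESHIFT) & ((1u << SIZEBITS) - 1) };
}

// A handful of requests a syscall tracer sees all the time. The classic terminal
// ioctls predate the encoded scheme: type byte 'T' (0x54), but size and dir are 0.
const std::map<std::uint32_t, std::string> known_ioctls = {
    {0x5401, "TCGETS"}, {0x5402, "TCSETS"}, {0x5413, "TIOCGWINSZ"}, {0x541B, "FIONREAD"},
    {ioc(IOC_WRITE, 'T', 202, unsigned(sizeof(int))), "TUNSETIFF"},             // _IOW('T', 202, int)
    {ioc(IOC_READ, 0x12, 114, unsigned(sizeof(std::uint64_t))), "BLKGETSIZE64"}, // _IOR(0x12, 114, u64)
    {ioc(IOC_NONE, 0x12, 104, 0), "BLKSSZGET"},                                  // _IO(0x12, 104)
};

std::string ioctl_name(std::uint32_t cmd) {
    auto it = known_ioctls.find(cmd);
    if (it != known_ioctls.end()) return it->second;
    // Unknown request: print the macro form so it can be grepped for in headers.
    IoctlFields f = decode_ioctl(cmd);
    const char* dir = f.dir == (IOC_READ | IOC_WRITE) ? "WR"
                    : f.dir == IOC_READ ? "R"
                    : f.dir == IOC_WRITE ? "W" : "";
    char buf[48];
    std::snprintf(buf, sizeof buf, "_IO%s(0x%02x,%u,%u)", dir, f.type, f.nr, f.size);
    return buf;
}

int main() {
    for (std::uint32_t cmd : {0x5401u, 0x80081272u, 0x400454CAu, 0xC01012C8u}) {
        IoctlFields f = decode_ioctl(cmd);
        std::printf("0x%08x -> %-20s dir=%u type=0x%02x nr=%u size=%u\n",
                    cmd, ioctl_name(cmd).c_str(), f.dir, f.type, f.nr, f.size);
    }
    return 0;
}
```

The direction and size fields are what make the decoded form useful in a trace even when the name is unknown: `_IOW` means the kernel reads `size` bytes from the pointer in the argument, `_IOR` that it writes them back, which tells you immediately whether an unfamiliar ioctl is pushing data into a driver.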

Build Instructions

Dependencies

sudo apt install cmake g++ clang llvm libbpf-dev bpftool zlib1g-dev libelf-dev libdw-dev

Note: libdw-dev (elfutils) is required for user-space symbol resolution with DWARF debug information.

Building

mkdir build && cd build
cmake ..
cmake --build .

Usage

Monitor an existing process

sudo ./monitor <pid>

Spawn and monitor a command

sudo ./monitor -c -- <command> [args...]

Export to perf.data format

sudo ./monitor -p <pid>              # Creates trace.perf.data
sudo ./monitor -p -c -- <command>    # Combine with command mode

Examples

# Monitor a running process
sudo ./monitor $(pidof firefox)

# Trace a command from start
sudo ./monitor -c -- ls -la /tmp

# Create perf.data for analysis
sudo ./monitor -p $(pidof myapp)
perf report -i trace.perf.data    # Analyze with perf tools

Output Format

  • ENTER events: TS, PID, COMM, syscall name, args[0-5].
  • EXIT events: TS, PID, COMM, syscall name, return value.

Example:

TS: 1234567890 PID: 1234 COMM: myprocess ENTER open args: 140000000000 0 0 0 0 0
TS: 1234567891 PID: 1234 COMM: myprocess EXIT open ret: 3
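An added example, not ripzero's code, of consuming the text format above: it parses each line, pairs every EXIT with its ENTER by (PID, syscall name), reports the latency as the TS delta and decodes a negative return value as -errno. The sample lines are constructed for illustration (syscall names, PIDs and timestamps are invented; TS units are whatever the tracer prints, and the args are kept as printed because the page does not state their base). An EXIT with no matching ENTER is reported instead of being silently dropped; that is what a consumer sees when the BPF ring buffer was full and the ENTER event was lost.

```cpp
// Added example, not part of ripzero: parse the ENTER/EXIT text output, pair
// each EXIT with its ENTER, and report latency plus errno for failed calls.
#include <cerrno>
#include <cstdio>
#include <cstring>
#include <deque>
#include <map>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

struct Event {
    unsigned long long ts = 0;
    int pid = 0;
    std::string comm, kind, name;      // kind is "ENTER" or "EXIT"
    std::vector<std::string> args;     // ENTER only; kept as printed (base not assumed)
    long long ret = 0;                 // EXIT only
};

struct Completed {
    int pid;
    std::string comm, name;
    unsigned long long enter_ts, exit_ts;
    long long ret;
    unsigned long long latency() const { return exit_ts - enter_ts; }
    int err() const { return ret < 0 ? static_cast<int>(-ret) : 0; }  // kernel returns -errno
};

// Parses one line of the documented layout; returns false if it does not match.
bool parse_line(const std::string& line, Event& ev) {
    std::istringstream in(line);
    std::string tag;
    if (!(in >> tag >> ev.ts) || tag != "TS:") return false;
    if (!(in >> tag >> ev.pid) || tag != "PID:") return false;
    if (!(in >> tag >> ev.comm) || tag != "COMM:") return false;
    if (!(in >> ev.kind >> ev.name)) return false;
    if (ev.kind == "ENTER") {
        if (!(in >> tag) || tag != "args:") return false;
        for (std::string a; in >> a;) ev.args.push_back(a);
        return ev.args.size() == 6;
    }
    if (ev.kind == "EXIT")
        return static_cast<bool>(in >> tag >> ev.ret) && tag == "ret:";
    return false;
}

struct PairResult {
    std::vector<Completed> done;
    std::vector<Event> orphan_exits;   // EXIT without ENTER: the ENTER was lost (e.g. ring buffer full)
    std::vector<std::string> malformed;
};

PairResult pair_events(const std::vector<std::string>& lines) {
    PairResult out;
    // Key on (pid, syscall). A queue per key tolerates the PID column being a
    // thread-group id with several threads inside the same syscall at once.
    std::map<std::pair<int, std::string>, std::deque<Event>> pending;
    for (const auto& line : lines) {
        Event ev;
        if (!parse_line(line, ev)) { out.malformed.push_back(line); continue; }
        auto key = std::make_pair(ev.pid, ev.name);
        if (ev.kind == "ENTER") { pending[key].push_back(ev); continue; }
        auto it = pending.find(key);
        if (it == pending.end() || it->second.empty()) { out.orphan_exits.push_back(ev); continue; }
        const Event& en = it->second.front();
        out.done.push_back({ev.pid, ev.comm, ev.name, en.ts, ev.ts, ev.ret});
        it->second.pop_front();
    }
    return out;
}

// Constructed sample in the documented layout (not real trace output).
const std::vector<std::string> sample_lines = {
    "TS: 1000 PID: 4242 COMM: demo ENTER openat args: ffffff9c 7ffd0001 0 0 0 0",
    "TS: 1035 PID: 4242 COMM: demo EXIT openat ret: -2",
    "TS: 1040 PID: 4242 COMM: demo ENTER openat args: ffffff9c 7ffd0002 0 0 0 0",
    "TS: 1042 PID: 4243 COMM: demo ENTER read args: 3 7ffd0100 1000 0 0 0",
    "TS: 1050 PID: 4242 COMM: demo EXIT openat ret: 3",
    "TS: 1101 PID: 4243 COMM: demo EXIT read ret: 512",
    "TS: 1200 PID: 4243 COMM: demo EXIT close ret: 0",   // ENTER missing: lost event
    "TS: 1300 PID: 4243",                                 // truncated line
};

int main() {
    PairResult r = pair_events(sample_lines);
    for (const auto& c : r.done)
        std::printf("pid=%d %s %s latency=%llu ret=%lld %s\n", c.pid, c.comm.c_str(),
                    c.name.c_str(), c.latency(), c.ret, c.err() ? std::strerror(c.err()) : "");
    std::printf("%zu orphan EXIT, %zu malformed\n", r.orphan_exits.size(), r.malformed.size());
    return 0;
}
```

The -errno convention is the part worth remembering when reading the raw output: `EXIT openat ret: -2` is not a descriptor, it is ENOENT, and a burst of negative returns on one path is often the first sign of a misconfigured sandbox or a probing process.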

Technical Details

  • eBPF attaches to raw_syscalls:sys_enter and raw_syscalls:sys_exit tracepoints.
  • Filters by PID inside the BPF program: the raw_syscalls tracepoints fire for every syscall on the system, so the program compares the current PID with the target and returns early for everything else. Only the traced process's events are copied to user space, though a few instructions per syscall still run system-wide.
  • Uses ring buffer for zero-copy data transfer to user space.
  • Syscall names are mapped exhaustively for x86_64; extend the map in main.cpp for custom needs.
  • Handles signals for clean shutdown.
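The PID filter only helps if the PID is known before the target runs, which is what the ptrace synchronization in the command execution mode (-c) is for. The following is an added example, not ripzero's code, of that handshake on Linux: the child makes itself traceable, stops itself before calling execve, the parent observes the stop, installs the filter, and then detaches so the child runs untraced while the BPF programs watch it. `install_filter` is a hypothetical hook standing in for the BPF map update; the example only records the PID it was given.

```cpp
// Added example (not ripzero's code): spawn a command stopped before execve so
// the tracer can add its PID to the BPF filter map before the program runs.
// Linux-only: uses ptrace(2).
#include <csignal>
#include <cstdio>
#include <functional>
#include <signal.h>
#include <string>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>
#include <vector>

struct SpawnResult {
    pid_t pid = -1;
    bool stopped_before_exec = false;  // parent saw the child's SIGSTOP stop
    int exit_code = -1;                // -1 if the child did not exit normally
};

// install_filter is a hypothetical hook: in a real tracer it writes pid into
// the BPF map the sys_enter/sys_exit programs consult.
SpawnResult spawn_traced(const std::vector<std::string>& argv,
                         const std::function<void(pid_t)>& install_filter) {
    SpawnResult res;
    std::vector<char*> cargv;
    for (const auto& a : argv) cargv.push_back(const_cast<char*>(a.c_str()));
    cargv.push_back(nullptr);

    pid_t pid = fork();
    if (pid < 0) { std::perror("fork"); return res; }
    if (pid == 0) {
        // Child: become traceable by the parent, then stop ourselves. The parent
        // sees this stop before execve has run, so nothing of the target program
        // (not even its execve) happens before the filter is in place.
        if (ptrace(PTRACE_TRACEME, 0, nullptr, nullptr) == -1) _exit(126);
        raise(SIGSTOP);
        execvp(cargv[0], cargv.data());
        _exit(127);
    }
    res.pid = pid;
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFSTOPPED(status) || WSTOPSIG(status) != SIGSTOP) {
        // Unexpected state, e.g. ptrace refused by seccomp or Yama: do not leave a zombie.
        kill(pid, SIGKILL);
        waitpid(pid, nullptr, 0);
        return res;
    }
    res.stopped_before_exec = true;
    install_filter(pid);  // filter is live before the child takes another step

    // Detach with signal 0 so the pending SIGSTOP is discarded rather than delivered;
    // the child resumes, calls execve and runs untraced (the BPF programs do the tracing).
    if (ptrace(PTRACE_DETACH, pid, nullptr, nullptr) == -1) std::perror("PTRACE_DETACH");
    if (waitpid(pid, &status, 0) == pid && WIFEXITED(status)) res.exit_code = WEXITSTATUS(status);
    return res;
}

int main() {
    SpawnResult r = spawn_traced({"sh", "-c", "echo hello from the traced child"},
                                 [](pid_t p) { std::printf("filter installed for pid %d\n", p); });
    std::printf("child %d stopped-before-exec=%d exit=%d\n", r.pid, r.stopped_before_exec, r.exit_code);
    return r.exit_code == 0 ? 0 : 1;
}
```

Stopping in the child with raise(SIGSTOP) rather than relying on the SIGTRAP the kernel delivers after a successful execve under PTRACE_TRACEME is a deliberate choice: with the exec-stop, the execve itself and everything the loader does before it have already happened by the time the parent runs, whereas the pre-exec stop lets the filter see the execve too. If ptrace is denied (a container seccomp profile, or a ptrace_scope that forbids it), the handshake fails visibly instead of tracing an empty window.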

Troubleshooting

  • Ensure the kernel was built with BTF (CONFIG_DEBUG_INFO_BTF=y): /sys/kernel/btf/vmlinux must exist (ls /sys/kernel/btf/vmlinux).
  • Run as root. Without root, the loader needs CAP_BPF and CAP_PERFMON (both introduced in kernel 5.8; older kernels need CAP_SYS_ADMIN), and the -c mode additionally needs permission to ptrace the spawned child.
  • If vmlinux.h generation fails, the cause is almost always missing kernel BTF, since the header is dumped from /sys/kernel/btf/vmlinux with bpftool; DWARF debug info for the kernel is not what is needed here (it is only used for user-space symbolization).

License

GPL. A GPL-compatible license is also what the eBPF side needs in practice: the kernel only lets GPL-licensed BPF programs call GPL-only helpers, and the stack-capture helpers (bpf_get_stackid, bpf_get_stack) that any kernel-stack recording relies on are among them.