kallsyms_lookup_name - lookup the address for a symbol
This event is emitted when the `kallsyms_lookup_name()` kernel function returns, which means kernel code has resolved (or tried to resolve) a symbol name to its address. The typical callers are kernel extensions such as loadable modules and BPF programs, so the event is interesting when a sensitive symbol is looked up (for example `sys_call_table`, or a function the kernel deliberately does not export). Two caveats: since Linux 5.7 `kallsyms_lookup_name()` is itself no longer exported to modules, so out-of-tree code that still calls it has usually obtained its address through a workaround such as placing a kprobe on it, which is a signal in its own right; and kprobe registration by symbol name (as done by tracing tools) also resolves names through this function, so expect benign lookups and filter on the symbol and the calling process rather than alerting on every event.
Arguments:

* `const char*[K]` - the symbol name that is being looked up.
* `void*[K]` - the address of the symbol returned by the function; 0 if the symbol could not be resolved.
Hooks:

`kallsyms_lookup_name` - kprobe + kretprobe. The kprobe captures the requested symbol name on entry and the kretprobe captures the returned address, so one event is emitted per call, at the time the function returns.
Example Use Case

```console
./dist/tracee-ebpf -t e=kallsyms_lookup_name
```
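Tracing the event alone produces a line per lookup, including benign ones. As an added example that is not part of the Tracee documentation or code base, the following Go program consumes Tracee's newline-delimited JSON output and keeps only the `kallsyms_lookup_name` events that either hit a watchlist of sensitive symbols or returned address 0 (the "not found" case documented above). It assumes Tracee's JSON field names (`eventName`, `processId`, `args[].name` / `args[].value`), the argument names `symbol_name` and `symbol_address`, the `-o format:json` output option, and an illustrative watchlist; confirm each of these against the Tracee version you run. The sample events are constructed for the example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"log"
	"strconv"
	"strings"
)

// traceeEvent is the subset of a Tracee JSON event used here; its field names and the
// argument names symbol_name / symbol_address are assumptions to confirm against real output.
type traceeEvent struct {
	ProcessID int    `json:"processId"`
	EventName string `json:"eventName"`
	Args      []struct {
		Name  string          `json:"name"`
		Value json.RawMessage `json:"value"`
	} `json:"args"`
}

type finding struct {
	PID    int
	Symbol string
	Addr   string
	Reason string // "watchlist" or "not found"
}

// watchlist is an illustrative set of symbols that ordinary modules rarely need but
// syscall-hooking code resolves routinely; it is this example's own assumption.
var watchlist = map[string]bool{
	"sys_call_table":       true,
	"kallsyms_lookup_name": true, // resolving it bootstraps further lookups
}

// argString returns an argument value whether Tracee encoded it as a JSON string or a bare number.
func argString(raw json.RawMessage) string {
	var s string
	if json.Unmarshal(raw, &s) == nil {
		return s
	}
	return strings.TrimSpace(string(raw))
}

// analyze reads newline-delimited Tracee JSON events and returns the
// kallsyms_lookup_name calls that hit the watchlist or failed (address 0).
func analyze(r io.Reader) ([]finding, error) {
	var out []finding
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev traceeEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad event line: %w", err)
		}
		if ev.EventName != "kallsyms_lookup_name" {
			continue
		}
		var symbol, addr string
		for _, a := range ev.Args {
			switch a.Name {
			case "symbol_name":
				symbol = argString(a.Value)
			case "symbol_address":
				addr = argString(a.Value)
			}
		}
		n, err := strconv.ParseUint(addr, 0, 64) // base 0 accepts "0x..." and decimal
		switch {
		case watchlist[symbol]: // reported even when the lookup itself failed
			out = append(out, finding{ev.ProcessID, symbol, addr, "watchlist"})
		case err == nil && n == 0:
			out = append(out, finding{ev.ProcessID, symbol, addr, "not found"})
		}
	}
	return out, sc.Err()
}

// sampleOutput is constructed for this example and is not real Tracee output.
const sampleOutput = `{"processId":4242,"eventName":"kallsyms_lookup_name","args":[{"name":"symbol_name","value":"sys_call_table"},{"name":"symbol_address","value":"0xffffffff82000300"}]}
{"processId":4242,"eventName":"kallsyms_lookup_name","args":[{"name":"symbol_name","value":"printk"},{"name":"symbol_address","value":"0xffffffff811a0000"}]}
{"processId":4242,"eventName":"kallsyms_lookup_name","args":[{"name":"symbol_name","value":"no_such_symbol"},{"name":"symbol_address","value":"0x0"}]}
{"processId":100,"eventName":"execve","args":[]}
`

func main() {
	findings, err := analyze(strings.NewReader(sampleOutput)) // use os.Stdin for piped tracee output
	if err != nil {
		log.Fatal(err)
	}
	for _, f := range findings {
		fmt.Printf("pid=%d symbol=%s addr=%s reason=%s\n", f.PID, f.Symbol, f.Addr, f.Reason)
	}
}
```

In practice you would run it as `./dist/tracee-ebpf -t e=kallsyms_lookup_name -o format:json | ./triage` with `os.Stdin` substituted for the sample. The process context Tracee attaches to the event is that of the task executing when the function ran (for a module's init code this is the `insmod`/`modprobe` process), which is what lets you separate a rootkit loader from your own tracing tools resolving probe targets.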