Description
Hi Kfir, thanks for this awesome utility. It helped me a lot.
Your utility, execmon, works well on kernels up to 4.5. I tested it on Ubuntu 16.04 with kernel 4.4.
Up to kernel 4.5, assembly stubs were used to call sys_execve, and patching the call to sys_execve in stub_execve did the job. Awesome!
But starting from 4.6 these stubs have been changed, and now ptregs_sys_execve replaces stub_execve. It is very different from the older stubs: registers are now used to store the real syscall address, and there are two call paths, 'slow_path' and 'fast_path'.
I tried hard but failed to work out how to patch execve calls in this new scheme. Could you please spare some time to have a look and find some clues for upgrading execmon to work on kernels newer than 4.5?
Thanks