uprobes API issues #728

@lacraig2

The uprobes API has proven to be confusing to many people.

In particular, the fact that the value provided is an offset into the file and not an address.

```python
from typing import Callable, Optional, Union  # required by the annotations below

def uprobe(
    self,
    path: Optional[str],
    symbol: Union[str, int],
    process_filter: Optional[str] = None,
    on_enter: bool = True,
    on_return: bool = False,
    pid_filter: Optional[int] = None,
    read_only: bool = False,
    fail_register_ok: bool = False
) -> Callable[[Callable], Callable]:
    """
    Decorator to register a uprobe at the specified path and symbol/offset.

    Parameters
    ----------
    path : Optional[str]
        Path to the executable or library file (can include wildcards), or None to match all libraries containing the symbol.
    symbol : Union[str, int]
        Symbol name (string) or offset (integer) in the file.
    process_filter : Optional[str]
        Process name to filter events.
    on_enter : bool
        Trigger on function entry (default: True).
    on_return : bool
        Trigger on function return (default: False).
    pid_filter : Optional[int]
        PID to filter events for a specific process.
    read_only: bool
    fail_register_ok : bool
        If True, silently return if symbol not found.

    Returns
    -------
    Callable[[Callable], Callable]
        Decorator function that registers the uprobe.
    """
    def _register_decorator(uprobe_configs):
        ...  # the excerpt in the issue ends here
```

The value that the kernel itself needs when we call the setup function is the actual offset.

We could do a few different things to respond here.

First, it should be reasonably obvious when an offset is not valid, i.e. we can make it uprobe's job to verify that the file exists and is at least the size of the value provided.

Negatives: the library then has to exist in our fs.tar.gz statically for this to work. Though we could make it only check the size if it knows about the file.

Second, we could provide an API that allows us to try to convert addresses to offsets. This could be in uprobes or another plugin.

Negatives: we'd still have an API that is a little confusing and we'd have to hammer the distinction.

Definitely open to more suggestions.
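
Both options raised in the issue (rejecting a value larger than the file, and converting an address to an offset) are sketched below as an added example; it is not code from the issue or from the project. The function names are hypothetical, the ELF image is constructed inline, and the address is assumed to be an ELF virtual address as printed by `nm` or `objdump`, not a runtime address of a relocated mapping.

```python
import struct

PT_LOAD = 1

def load_segments(elf: bytes):
    """Return (p_offset, p_vaddr, p_filesz) for each PT_LOAD program header."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                   # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"    # EI_DATA: 1 = little, 2 = big endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    segs = []
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        if is64:  # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
            t, _, off, va, _, fsz = struct.unpack_from(end + "IIQQQQ", elf, base)
        else:     # p_type, p_offset, p_vaddr, p_paddr, p_filesz
            t, off, va, _, fsz = struct.unpack_from(end + "IIIII", elf, base)
        if t == PT_LOAD:
            segs.append((off, va, fsz))
    return segs

def check_offset(elf: bytes, offset: int) -> int:
    """Reject values that cannot be file offsets (e.g. an address passed by mistake)."""
    if not 0 <= offset < len(elf):
        raise ValueError(f"{offset:#x} is outside the file ({len(elf):#x} bytes)")
    return offset

def vaddr_to_offset(elf: bytes, vaddr: int) -> int:
    """Map an ELF virtual address to the file offset that backs it."""
    for off, va, fsz in load_segments(elf):
        if va <= vaddr < va + fsz:
            return check_offset(elf, vaddr - va + off)
    raise ValueError(f"{vaddr:#x} is not file-backed by any PT_LOAD segment")

def sample_elf() -> bytes:
    """Constructed ELF64 image: one PT_LOAD, offset 0x1000 -> vaddr 0x401000."""
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01",
                       2, 62, 1, 0x401000, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0x1000, 0x401000, 0x401000,
                       0x100, 0x100, 0x1000)
    return (ehdr + phdr).ljust(0x1100, b"\x00")
```

With the sample image, the address `0x401020` maps to offset `0x1020`, while passing `0x401020` straight to `check_offset` fails because the file is only `0x1100` bytes long.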
