Defeating eBPF Uprobe Monitoring(blog.quarkslab.com) |
But the probes themselves are just int3 instructions, and userland code can shake them off by unmapping and remapping the memory; what's more, as I understand it, if you remap a uprobe target page writable, the kernel won't re-install breakpoints there.
Net-net: uprobes are useful for monitoring cooperative processes, but right now probably aren't that trustworthy as a sandboxing primitive.