BPF_HASH(counts, struct key_t);
int count(struct pt_regs *ctx) {
- if (!PT_REGS_PARM2(ctx))
+ if (!PT_REGS_PARM1(ctx))
return 0;
struct key_t key = {};
u64 zero = 0, *val;
- bpf_probe_read(&key.c, sizeof(key.c), (void *)PT_REGS_PARM2(ctx));
+ bpf_probe_read(&key.c, sizeof(key.c), (void *)PT_REGS_PARM1(ctx));
val = counts.lookup_or_init(&key, &zero);
(*val)++;
return 0;
bpf_text = """
#include <uapi/linux/ptrace.h>
int printarg(struct pt_regs *ctx) {
- if (!PT_REGS_PARM2(ctx))
+ if (!PT_REGS_PARM1(ctx))
return 0;
u32 pid = bpf_get_current_pid_tgid();
return 0;
char str[80] = {};
- bpf_probe_read(&str, sizeof(str), (void *)PT_REGS_PARM2(ctx));
+ bpf_probe_read(&str, sizeof(str), (void *)PT_REGS_PARM1(ctx));
bpf_trace_printk("%s\\n", &str);
return 0;