This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[PATCH] Complete the names-to-numbers conversion in nd_syscalls.stp.


Replace in-scope variables references with *_arg functions. Use 'kprobe'
family of probes instead of 'kernel' family for dwarfless probing. Also
fix a few typos and unify formatting.
---
 tapset/nd_syscalls.stp | 2691 ++++++++++++++++++++++++++++++------------------
 1 files changed, 1711 insertions(+), 980 deletions(-)

diff --git a/tapset/nd_syscalls.stp b/tapset/nd_syscalls.stp
index a0e5286..32c3640 100644
--- a/tapset/nd_syscalls.stp
+++ b/tapset/nd_syscalls.stp
@@ -12,9 +12,6 @@
  * nd_syscalls.stp is a copy of syscalls.stp, modified to refer to
  * function arguments by number rather than name, so that this tapset
  * can be used even when the probed kernel lacks debugging information.
- *
- * So far, the names-to-numbers conversion covers only syscall.a*
- * through syscall.c*, plus a few others.
  */
 
 
@@ -37,7 +34,8 @@
 # accept _____________________________________________________
 # long sys_accept(int fd, struct sockaddr __user *upeer_sockaddr,
 #                 int __user *upeer_addrlen)
-probe nd_syscall.accept = kernel.function("sys_accept") ? {
+probe nd_syscall.accept = kprobe.function("sys_accept") ?
+{
 	name = "accept"
 	// sockfd = $fd
 	// addr_uaddr = $upeer_sockaddr
@@ -49,14 +47,16 @@ probe nd_syscall.accept = kernel.function("sys_accept") ? {
 	addrlen_uaddr = pointer_arg(3)
 	argstr = sprintf("%d, %p, %p", sockfd, addr_uaddr, addrlen_uaddr)
 }
-probe nd_syscall.accept.return = kernel.function("sys_accept").return ? {
+probe nd_syscall.accept.return = kprobe.function("sys_accept").return ?
+{
 	name = "accept"
 	retstr = returnstr(1)
 }
 
 # access _____________________________________________________
 # long sys_access(const char __user * filename, int mode)
-probe nd_syscall.access = kernel.function("sys_access") {
+probe nd_syscall.access = kprobe.function("sys_access")
+{
 	name = "access"
 	// pathname = user_string($filename)
 	// mode = $mode
@@ -68,22 +68,25 @@ probe nd_syscall.access = kernel.function("sys_access") {
 	mode_str = _access_mode_str(mode)
 	argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), mode_str)
 }
-probe nd_syscall.access.return = kernel.function("sys_access").return {
+probe nd_syscall.access.return = kprobe.function("sys_access").return
+{
 	name = "access"
 	retstr = returnstr(1)
 }
 
 # acct _______________________________________________________
 # long sys_acct(const char __user *name)
-probe nd_syscall.acct = kernel.function("sys_acct") ? {
+probe nd_syscall.acct = kprobe.function("sys_acct") ?
+{
 	name = "acct"
-        // filename = user_string($name)
+	// filename = user_string($name)
 	// argstr = user_string_quoted($name)
 	asmlinkage()
 	filename = user_string(pointer_arg(1))
 	argstr = user_string_quoted(pointer_arg(1))
 }
-probe nd_syscall.acct.return = kernel.function("sys_acct").return ? {
+probe nd_syscall.acct.return = kprobe.function("sys_acct").return ?
+{
 	name = "acct"
 	retstr = returnstr(1)
 }
@@ -95,7 +98,8 @@ probe nd_syscall.acct.return = kernel.function("sys_acct").return ? {
 #             size_t plen,
 #             key_serial_t ringid)
 #
-probe nd_syscall.add_key = kernel.function("sys_add_key") ? {
+probe nd_syscall.add_key = kprobe.function("sys_add_key") ?
+{
 	name = "add_key"
 	// type_uaddr = $_type
 	// description_auddr = $_description
@@ -105,7 +109,7 @@ probe nd_syscall.add_key = kernel.function("sys_add_key") ? {
 	// argstr = sprintf("%s, %s, %s, %d, %d", 
 	// 		user_string_quoted($_type),
 	// 		user_string_quoted($_description),
-	// 		text_strn(user_string($_payload),syscall_string_trunc,1),
+	// 		text_strn(user_string($_payload), syscall_string_trunc, 1),
 	// 		$plen, $ringid)
 	asmlinkage()
 	type_uaddr = pointer_arg(1)
@@ -116,49 +120,54 @@ probe nd_syscall.add_key = kernel.function("sys_add_key") ? {
 	argstr = sprintf("%s, %s, %s, %d, %d", 
 			user_string_quoted(type_uaddr),
 			user_string_quoted(description_uaddr),
-			text_strn(user_string(payload_uaddr),syscall_string_trunc,1),
+			text_strn(user_string(payload_uaddr), syscall_string_trunc, 1),
 			plen, ringid)
 }
-probe nd_syscall.add_key.return = kernel.function("sys_add_key").return ? {
+probe nd_syscall.add_key.return = kprobe.function("sys_add_key").return ?
+{
 	name = "add_key"
 	retstr = returnstr(1)
 }
 
 # adjtimex ___________________________________________________
 # long sys_adjtimex(struct timex __user *txc_p)
-probe nd_syscall.adjtimex = kernel.function("sys_adjtimex") {
+probe nd_syscall.adjtimex = kprobe.function("sys_adjtimex")
+{
 	name = "adjtimex"
 	
 	/*
-	* buf_offset       = __uget_timex_m($txc_p,1)
-	* buf_freq         = __uget_timex_m($txc_p,2)
-	* buf_maxerror     = __uget_timex_m($txc_p,3)
-	* buf_esterror     = __uget_timex_m($txc_p,4)
-	* buf_status       = __uget_timex_m($txc_p,5)
-	* buf_constant     = __uget_timex_m($txc_p,6)
-	* buf_precision    = __uget_timex_m($txc_p,7)
-	* buf_tolerance    = __uget_timex_m($txc_p,8)
-	* buf_time_tv_sec  = __uget_timex_m($txc_p,9)
-	* buf_time_tv_usec = __uget_timex_m($txc_p,10)
-	* buf_tick         = __uget_timex_m($txc_p,11)
+	* buf_offset       = __uget_timex_m($txc_p, 1)
+	* buf_freq         = __uget_timex_m($txc_p, 2)
+	* buf_maxerror     = __uget_timex_m($txc_p, 3)
+	* buf_esterror     = __uget_timex_m($txc_p, 4)
+	* buf_status       = __uget_timex_m($txc_p, 5)
+	* buf_constant     = __uget_timex_m($txc_p, 6)
+	* buf_precision    = __uget_timex_m($txc_p, 7)
+	* buf_tolerance    = __uget_timex_m($txc_p, 8)
+	* buf_time_tv_sec  = __uget_timex_m($txc_p, 9)
+	* buf_time_tv_usec = __uget_timex_m($txc_p, 10)
+	* buf_tick         = __uget_timex_m($txc_p, 11)
 	*/
 	// argstr = sprintf("%p", $txc_p)
 	asmlinkage()
 	argstr = sprintf("%p", pointer_arg(1))
 }
-probe nd_syscall.adjtimex.return = kernel.function("sys_adjtimex").return {
+probe nd_syscall.adjtimex.return = kprobe.function("sys_adjtimex").return
+{
 	name = "adjtimex"
 	// retstr = _adjtimex_return_str($return)
 	retstr = _adjtimex_return_str(returnval())
 }
 # long compat_sys_adjtimex(struct compat_timex __user *utp)
-probe nd_syscall.compat_adjtimex = kernel.function("compat_sys_adjtimex") ? {
+probe nd_syscall.compat_adjtimex = kprobe.function("compat_sys_adjtimex") ?
+{
 	name = "compat_adjtimex"
 	// argstr = sprintf("%p", $utp)
 	asmlinkage()
 	argstr = sprintf("%p", pointer_arg(1))
 }
-probe nd_syscall.compat_adjtimex.return = kernel.function("compat_sys_adjtimex").return ? {
+probe nd_syscall.compat_adjtimex.return = kprobe.function("compat_sys_adjtimex").return ?
+{
 	name = "compat_adjtimex"
 	retstr = returnstr(1)
 }
@@ -167,9 +176,8 @@ probe nd_syscall.compat_adjtimex.return = kernel.function("compat_sys_adjtimex")
 # unsigned long sys_alarm (unsigned int seconds)
 # long sys32_alarm(unsigned int seconds)
 #
-probe nd_syscall.alarm =
-		kernel.function("sys_alarm") ?,
-		kernel.function("sys32_alarm") ?
+probe nd_syscall.alarm = kprobe.function("sys_alarm") ?,
+                         kprobe.function("sys32_alarm") ?
 {
 	name = "alarm"
 	// seconds = $seconds
@@ -178,62 +186,64 @@ probe nd_syscall.alarm =
 	seconds = uint_arg(1)
 	argstr = sprint(seconds)
 }
-probe nd_syscall.alarm.return =
-		kernel.function("sys_alarm").return ?,
-		kernel.function("sys32_alarm").return ?
+probe nd_syscall.alarm.return = kprobe.function("sys_alarm").return ?,
+                                kprobe.function("sys32_alarm").return ?
 {
 	name = "alarm"
 	retstr = returnstr(1)
 }
 
 # bdflush ____________________________________________________
-# long sys_bdflush(int func,long data)
-probe nd_syscall.bdflush = kernel.function("sys_bdflush") ? {
+# long sys_bdflush(int func, long data)
+probe nd_syscall.bdflush = kprobe.function("sys_bdflush") ?
+{
 	name = "bdflush"
 	// func = $func
 	// data = $data
-        // if (($func>=2)&&($func%2==0))
-        //        data_str = sprintf("%p", $data)
-        // else
-        //        data_str = sprintf("%d", $data)
+	// if (($func>=2)&&($func%2==0))
+	// 	data_str = sprintf("%p", $data)
+	// else
+	// 	data_str = sprintf("%d", $data)
 	asmlinkage()
 	func = int_arg(1)
 	data = long_arg(2)
-        if ((func>=2)&&(func%2==0))
-                data_str = sprintf("%p", data)
-        else
-                data_str = sprintf("%d", data)
-        argstr = sprintf("%d, %s",func, data_str)
+	if ((func>=2)&&(func%2==0))
+		data_str = sprintf("%p", data)
+	else
+		data_str = sprintf("%d", data)
+	argstr = sprintf("%d, %s", func, data_str)
 }
-probe nd_syscall.bdflush.return = kernel.function("sys_bdflush").return ? {
+probe nd_syscall.bdflush.return = kprobe.function("sys_bdflush").return ?
+{
 	name = "bdflush"
 	retstr = returnstr(1)
 }
 
 # bind _______________________________________________________
 # long sys_bind(int fd, struct sockaddr __user *umyaddr, int addrlen)
-probe nd_syscall.bind = kernel.function("sys_bind") ? {
+probe nd_syscall.bind = kprobe.function("sys_bind") ?
+{
 	name = "bind"
 	// sockfd = $fd
 	// my_addr_uaddr = $umyaddr
 	// addrlen = $addrlen
-	// argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($umyaddr,$addrlen),$addrlen)
+	// argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($umyaddr, $addrlen), $addrlen)
 	asmlinkage()
 	sockfd = int_arg(1)
 	my_addr_uaddr = pointer_arg(2)
 	addrlen = int_arg(3)
-	argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(my_addr_uaddr,addrlen),addrlen)
+	argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(my_addr_uaddr, addrlen), addrlen)
 }
-probe nd_syscall.bind.return = kernel.function("sys_bind").return ? {
+probe nd_syscall.bind.return = kprobe.function("sys_bind").return ?
+{
 	name = "bind"
 	retstr = returnstr(1)
 }
 
 # brk ________________________________________________________
 # unsigned long sys_brk(unsigned long brk)
-probe nd_syscall.brk =
-		kernel.function("sys_brk"),
-		kernel.function("ia64_brk") ?
+probe nd_syscall.brk = kprobe.function("sys_brk"),
+                       kprobe.function("ia64_brk") ?
 {
 	name = "brk"
 	// brk = $brk
@@ -241,9 +251,8 @@ probe nd_syscall.brk =
 	brk = ulong_arg(1)
 	argstr = sprintf("%p", brk)
 }
-probe nd_syscall.brk.return =
-		kernel.function("sys_brk").return,
-		kernel.function("ia64_brk").return ?
+probe nd_syscall.brk.return = kprobe.function("sys_brk").return,
+                              kprobe.function("ia64_brk").return ?
 {
 	name = "brk"
 	retstr = returnstr(1)
@@ -262,7 +271,8 @@ probe nd_syscall.brk.return =
  *   functions to export.
  */
 # long sys_capget(cap_user_header_t header, cap_user_data_t dataptr)
-probe nd_syscall.capget = kernel.function("sys_capget") {
+probe nd_syscall.capget = kprobe.function("sys_capget")
+{
 	name = "capget"
 	// header_uaddr = $header
 	// data_uaddr = $dataptr
@@ -272,7 +282,8 @@ probe nd_syscall.capget = kernel.function("sys_capget") {
 	data_uaddr = pointer_arg(2)
 	argstr = sprintf("%p, %p", header_uaddr, data_uaddr)
 }
-probe nd_syscall.capget.return = kernel.function("sys_capget").return {
+probe nd_syscall.capget.return = kprobe.function("sys_capget").return
+{
 	name = "capget"
 	retstr = returnstr(1)
 }
@@ -289,7 +300,8 @@ probe nd_syscall.capget.return = kernel.function("sys_capget").return {
  *   functions to export.
  */
 # long sys_capset(cap_user_header_t header, const cap_user_data_t data)
-probe nd_syscall.capset = kernel.function("sys_capset") {
+probe nd_syscall.capset = kprobe.function("sys_capset")
+{
 	name = "capset"
 	// header_uaddr = $header
 	// data_uaddr = $data
@@ -299,14 +311,16 @@ probe nd_syscall.capset = kernel.function("sys_capset") {
 	data_uaddr = pointer_arg(2)
 	argstr = sprintf("%p, %p", header_uaddr, data_uaddr)
 }
-probe nd_syscall.capset.return = kernel.function("sys_capset").return {
+probe nd_syscall.capset.return = kprobe.function("sys_capset").return
+{
 	name = "capset"
 	retstr = returnstr(1)
 }
 
 # chdir ______________________________________________________
 # long sys_chdir(const char __user * filename)
-probe nd_syscall.chdir = kernel.function("sys_chdir") {
+probe nd_syscall.chdir = kprobe.function("sys_chdir")
+{
 	name = "chdir"
 	// path = user_string($filename)
 	// argstr = user_string_quoted($filename)
@@ -314,14 +328,16 @@ probe nd_syscall.chdir = kernel.function("sys_chdir") {
 	path = user_string(pointer_arg(1))
 	argstr = user_string_quoted(pointer_arg(1))
 }
-probe nd_syscall.chdir.return = kernel.function("sys_chdir").return {
+probe nd_syscall.chdir.return = kprobe.function("sys_chdir").return
+{
 	name = "chdir"
 	retstr = returnstr(1)
 }
 
 # chmod ______________________________________________________
 # long sys_chmod(const char __user * filename, mode_t mode)
-probe nd_syscall.chmod = kernel.function("sys_chmod") {
+probe nd_syscall.chmod = kprobe.function("sys_chmod")
+{
 	name = "chmod"
 	// path = user_string($filename)
 	// mode = $mode
@@ -331,26 +347,29 @@ probe nd_syscall.chmod = kernel.function("sys_chmod") {
 	mode = uint_arg(2)
 	argstr = sprintf("%s, %#o", user_string_quoted(pointer_arg(1)), mode)
 }
-probe nd_syscall.chmod.return = kernel.function("sys_chmod").return {
+probe nd_syscall.chmod.return = kprobe.function("sys_chmod").return
+{
 	name = "chmod"
 	retstr = returnstr(1)
 }
 
 # chown ______________________________________________________
 # long sys_chown(const char __user * filename, uid_t user, gid_t group)
-probe nd_syscall.chown = kernel.function("sys_chown") {
+probe nd_syscall.chown = kprobe.function("sys_chown")
+{
 	name = "chown"
 	// path = user_string($filename)
 	// owner = __int32($user)
 	// group = __int32($group)
-	// argstr = sprintf("%s, %d, %d",user_string_quoted($filename), owner, group) 
+	// argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group) 
 	asmlinkage()
 	path = user_string(pointer_arg(1))
 	owner = __int32(uint_arg(2))
 	group = __int32(uint_arg(3))
-	argstr = sprintf("%s, %d, %d",user_string_quoted(pointer_arg(1)), owner, group) 
+	argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group) 
 }
-probe nd_syscall.chown.return = kernel.function("sys_chown").return {
+probe nd_syscall.chown.return = kprobe.function("sys_chown").return
+{
 	name = "chown"
 	retstr = returnstr(1)
 }
@@ -358,7 +377,8 @@ probe nd_syscall.chown.return = kernel.function("sys_chown").return {
 # long sys_chown16(const char __user * filename, old_uid_t user, 
 #			old_gid_t group)
 #
-probe nd_syscall.chown16 = kernel.function("sys_chown16") ? {
+probe nd_syscall.chown16 = kprobe.function("sys_chown16") ?
+{
 	name = "chown16"
 	// path = user_string($filename)
 	// owner = __short($user)
@@ -370,14 +390,16 @@ probe nd_syscall.chown16 = kernel.function("sys_chown16") ? {
 	group = __short(uint_arg(3))
 	argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group)
 }
-probe nd_syscall.chown16.return = kernel.function("sys_chown16").return ? {
+probe nd_syscall.chown16.return = kprobe.function("sys_chown16").return ?
+{
 	name = "chown16"
 	retstr = returnstr(1)
 }
 
 # chroot _____________________________________________________
 # long sys_chroot(const char __user * filename)
-probe nd_syscall.chroot = kernel.function("sys_chroot") {
+probe nd_syscall.chroot = kprobe.function("sys_chroot")
+{
 	name = "chroot"
 	// path = user_string($filename)
 	// argstr = user_string_quoted($filename)
@@ -385,7 +407,8 @@ probe nd_syscall.chroot = kernel.function("sys_chroot") {
 	path = user_string(pointer_arg(1))
 	argstr = user_string_quoted(pointer_arg(1))
 }
-probe nd_syscall.chroot.return = kernel.function("sys_chroot").return {
+probe nd_syscall.chroot.return = kprobe.function("sys_chroot").return
+{
 	name = "chroot"
 	retstr = returnstr(1)
 }
@@ -394,9 +417,8 @@ probe nd_syscall.chroot.return = kernel.function("sys_chroot").return {
 # long sys_clock_getres(clockid_t which_clock, struct timespec __user *tp)
 # long compat_clock_getres(clockid_t which_clock, struct compat_timespec __user *tp)
 # 
-probe nd_syscall.clock_getres =
-		kernel.function("sys_clock_getres"),
-		kernel.function("compat_clock_getres") ?
+probe nd_syscall.clock_getres = kprobe.function("sys_clock_getres"),
+                                kprobe.function("compat_clock_getres") ?
 {
 	name = "clock_getres"
 	// clk_id = $which_clock
@@ -409,9 +431,8 @@ probe nd_syscall.clock_getres =
 	res_uaddr = pointer_arg(2)
 	argstr = sprintf("%s, %p", clk_id_str, res_uaddr)
 }
-probe nd_syscall.clock_getres.return =
-		kernel.function("sys_clock_getres").return,
-		kernel.function("compat_clock_getres").return ?
+probe nd_syscall.clock_getres.return = kprobe.function("sys_clock_getres").return,
+                                       kprobe.function("compat_clock_getres").return ?
 {
 	name = "clock_getres"
 	retstr = returnstr(1)
@@ -420,8 +441,7 @@ probe nd_syscall.clock_getres.return =
 # clock_gettime ______________________________________________
 # long sys_clock_gettime(clockid_t which_clock, struct timespec __user *tp)
 #
-probe nd_syscall.clock_gettime =
-		kernel.function("sys_clock_gettime")
+probe nd_syscall.clock_gettime = kprobe.function("sys_clock_gettime")
 {
 	name = "clock_gettime"
 	// clk_id = $which_clock
@@ -432,7 +452,7 @@ probe nd_syscall.clock_gettime =
 	clk_id_str = _get_wc_str(clk_id)
 	argstr = sprintf("%s, %p", clk_id_str, pointer_arg(2))
 }
-probe nd_syscall.clock_gettime.return = kernel.function("sys_clock_gettime").return
+probe nd_syscall.clock_gettime.return = kprobe.function("sys_clock_gettime").return
 {
 	name = "clock_gettime"
 	retstr = returnstr(1)
@@ -444,14 +464,15 @@ probe nd_syscall.clock_gettime.return = kernel.function("sys_clock_gettime").ret
 #                     const struct timespec __user *rqtp,
 #                     struct timespec __user *rmtp)
 #
-probe nd_syscall.clock_nanosleep = kernel.function("sys_clock_nanosleep") {
+probe nd_syscall.clock_nanosleep = kprobe.function("sys_clock_nanosleep")
+{
 	name = "clock_nanosleep"
 	// if ($flags == 1)
 	//	flag_str = "TIMER_ABSTIME"
 	// else
 	//	flag_str = sprintf("0x%x", $flags)
 	// argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str,
-	//		_struct_timespec_u($rqtp,1), $rmtp)
+	//		_struct_timespec_u($rqtp, 1), $rmtp)
 	asmlinkage()
 	flags = int_arg(2)
 	if (flags == 1)
@@ -459,9 +480,10 @@ probe nd_syscall.clock_nanosleep = kernel.function("sys_clock_nanosleep") {
 	else
 		flag_str = sprintf("0x%x", flags)
 	argstr = sprintf("%s, %s, %s, %p", _get_wc_str(int_arg(1)), flag_str,
-			_struct_timespec_u(pointer_arg(3),1), pointer_arg(4))
+			_struct_timespec_u(pointer_arg(3), 1), pointer_arg(4))
 }
-probe nd_syscall.clock_nanosleep.return = kernel.function("sys_clock_nanosleep").return {
+probe nd_syscall.clock_nanosleep.return = kprobe.function("sys_clock_nanosleep").return
+{
 	name = "clock_nanosleep"
 	retstr = returnstr(1)
 }
@@ -471,9 +493,8 @@ probe nd_syscall.clock_nanosleep.return = kernel.function("sys_clock_nanosleep")
 #			struct compat_timespec __user *rqtp,
 #			struct compat_timespec __user *rmtp)
 #
-probe nd_syscall.compat_clock_nanosleep =
-		kernel.function("compat_clock_nanosleep") ?,
-		kernel.function("compat_sys_clock_nanosleep") ?
+probe nd_syscall.compat_clock_nanosleep = kprobe.function("compat_clock_nanosleep") ?,
+                                          kprobe.function("compat_sys_clock_nanosleep") ?
 {
 	name = "compat_clock_nanosleep"
 	// if ($flags == 1)
@@ -481,7 +502,7 @@ probe nd_syscall.compat_clock_nanosleep =
 	// else
 	//	flag_str = sprintf("0x%x", $flags)
 	// argstr = sprintf("%s, %s, %s, %p", _get_wc_str($which_clock), flag_str,
-	//		_struct_compat_timespec_u($rqtp,1), $rmtp)
+	//		_struct_compat_timespec_u($rqtp, 1), $rmtp)
 	asmlinkage()
 	flags = int_arg(2)
 	if (flags == 1)
@@ -489,12 +510,11 @@ probe nd_syscall.compat_clock_nanosleep =
 	else
 		flag_str = sprintf("0x%x", flags)
 	argstr = sprintf("%s, %s, %s, %p", _get_wc_str(int_arg(1)), flag_str,
-			_struct_compat_timespec_u(pointer_arg(3),1),
+			_struct_compat_timespec_u(pointer_arg(3), 1),
 			pointer_arg(4))
 }
-probe nd_syscall.compat_clock_nanosleep.return =
-		kernel.function("compat_clock_nanosleep").return ?,
-		kernel.function("compat_sys_clock_nanosleep").return ?
+probe nd_syscall.compat_clock_nanosleep.return = kprobe.function("compat_clock_nanosleep").return ?,
+                                                 kprobe.function("compat_sys_clock_nanosleep").return ?
 {
 	name = "compat_clock_nanosleep"
 	retstr = returnstr(1)
@@ -504,68 +524,75 @@ probe nd_syscall.compat_clock_nanosleep.return =
 # long sys_clock_settime(clockid_t which_clock,
 #                   const struct timespec __user *tp)
 #
-probe nd_syscall.clock_settime = kernel.function("sys_clock_settime") {
+probe nd_syscall.clock_settime = kprobe.function("sys_clock_settime")
+{
 	name = "clock_settime"
 	// clk_id = $which_clock
 	// clk_id_str = _get_wc_str($which_clock)
 	// tp_uaddr = $tp
-	// argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u($tp,1))
+	// argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u($tp, 1))
 	asmlinkage()
 	clk_id = int_arg(1)
 	clk_id_str = _get_wc_str(clk_id)
 	tp_uaddr = pointer_arg(2)
-	argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u(tp_uaddr,1))
+	argstr = sprintf("%s, %s", clk_id_str, _struct_timespec_u(tp_uaddr, 1))
 }
-probe nd_syscall.clock_settime.return = kernel.function("sys_clock_settime").return {
+probe nd_syscall.clock_settime.return = kprobe.function("sys_clock_settime").return
+{
 	name = "clock_settime"
 	retstr = returnstr(1)
 }
 
 # close ______________________________________________________
 # long sys_close(unsigned int fd)
-probe nd_syscall.close = kernel.function("sys_close") {
+probe nd_syscall.close = kprobe.function("sys_close")
+{
 	name = "close"
 	// fd = $fd
 	asmlinkage()
 	fd = int_arg(1)
 	argstr = sprint(fd)
 }
-probe nd_syscall.close.return = kernel.function("sys_close").return {
+probe nd_syscall.close.return = kprobe.function("sys_close").return
+{
 	name = "close"
 	retstr = returnstr(1)
 }
 # connect ____________________________________________________
 # long sys_connect(int fd, struct sockaddr __user *uservaddr, int addrlen)
-probe nd_syscall.connect = kernel.function("sys_connect") ? {
+probe nd_syscall.connect = kprobe.function("sys_connect") ?
+{
 	name = "connect"
 	// sockfd = $fd
 	// serv_addr_uaddr = $uservaddr
 	// addrlen = $addrlen
-	// argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($uservaddr,$addrlen),$addrlen)
+	// argstr = sprintf("%d, %s, %d", $fd, _struct_sockaddr_u($uservaddr, $addrlen), $addrlen)
 	asmlinkage()
 	sockfd = int_arg(1)
 	serv_addr_uaddr = pointer_arg(2)
 	addrlen = int_arg(3)
-	argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(serv_addr_uaddr,addrlen),addrlen)
+	argstr = sprintf("%d, %s, %d", sockfd, _struct_sockaddr_u(serv_addr_uaddr, addrlen), addrlen)
 }
-probe nd_syscall.connect.return =	kernel.function("sys_connect").return ? {
+probe nd_syscall.connect.return = kprobe.function("sys_connect").return ?
+{
 	name = "connect"
 	retstr = returnstr(1)
 }
 
 # creat
 # long sys_creat(const char __user * pathname, int mode)
-probe nd_syscall.creat = kernel.function("sys_creat") ?
+probe nd_syscall.creat = kprobe.function("sys_creat") ?
 {
 	name = "creat"
 	// mode = $mode
 	// pathname = user_string($pathname)
 	// argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
+	asmlinkage()
 	mode = int_arg(2)
 	pathname = user_string(pointer_arg(1))
 	argstr = sprintf("%s, %#o", user_string_quoted(pointer_arg(1)), mode)
 }
-probe nd_syscall.creat.return = kernel.function("sys_creat").return ?
+probe nd_syscall.creat.return = kprobe.function("sys_creat").return ?
 {
 	name = "creat"
 	retstr = returnstr(1)
@@ -573,20 +600,27 @@ probe nd_syscall.creat.return = kernel.function("sys_creat").return ?
 
 # delete_module ______________________________________________
 # long sys_delete_module(const char __user *name_user, unsigned int flags)
-probe nd_syscall.delete_module = kernel.function("sys_delete_module") ? {
+probe nd_syscall.delete_module = kprobe.function("sys_delete_module") ?
+{
 	name = "delete_module"
-	name_user = user_string($name_user)
-	flags = $flags
-	argstr = sprintf("%s, %s", user_string_quoted($name_user), _module_flags_str($flags))
+	// name_user = user_string($name_user)
+	// flags = $flags
+	// argstr = sprintf("%s, %s", user_string_quoted($name_user), _module_flags_str($flags))
+	asmlinkage()
+	name_user = user_string(pointer_arg(1))
+	flags = uint_arg(2)
+	argstr = sprintf("%s, %s", user_string_quoted(pointer_arg(1)), _module_flags_str(uint_arg(2)))
 }
-probe nd_syscall.delete_module.return = kernel.function("sys_delete_module").return ? {
+probe nd_syscall.delete_module.return = kprobe.function("sys_delete_module").return ?
+{
 	name = "delete_module"
 	retstr = returnstr(1)
 }
 
 # dup ________________________________________________________
 # long sys_dup(unsigned int fildes)
-probe nd_syscall.dup = kernel.function("sys_dup") {
+probe nd_syscall.dup = kprobe.function("sys_dup")
+{
 	name = "dup"
 	// oldfd = $fildes
 	// argstr = sprint($fildes)
@@ -594,32 +628,44 @@ probe nd_syscall.dup = kernel.function("sys_dup") {
 	old_fd = int_arg(1)
 	argstr = sprint(old_fd)
 }
-probe nd_syscall.dup.return = kernel.function("sys_dup").return {
+probe nd_syscall.dup.return = kprobe.function("sys_dup").return
+{
 	name = "dup"
 	retstr = returnstr(1)
 }
 
 # dup2 _______________________________________________________
 # long sys_dup2(unsigned int oldfd, unsigned int newfd)
-probe nd_syscall.dup2 = kernel.function("sys_dup2") {
+probe nd_syscall.dup2 = kprobe.function("sys_dup2")
+{
 	name = "dup2"
-	oldfd = $oldfd
-	newfd = $newfd
-	argstr = sprintf("%d, %d", $oldfd, $newfd)
+	// oldfd = $oldfd
+	// newfd = $newfd
+	// argstr = sprintf("%d, %d", $oldfd, $newfd)
+	asmlinkage()
+	oldfd = int_arg(1)
+	newfd = int_arg(2)
+	argstr = sprintf("%d, %d", oldfd, newfd)
 }
-probe nd_syscall.dup2.return = kernel.function("sys_dup2").return {
+probe nd_syscall.dup2.return = kprobe.function("sys_dup2").return
+{
 	name = "dup2"
 	retstr = returnstr(1)
 }
 
 # epoll_create _______________________________________________
 # long sys_epoll_create(int size)
-probe nd_syscall.epoll_create = kernel.function("sys_epoll_create") ? {
+probe nd_syscall.epoll_create = kprobe.function("sys_epoll_create") ?
+{
 	name = "epoll_create"
-	size = $size
-	argstr = sprint($size)
+	// size = $size
+	// argstr = sprint($size)
+	asmlinkage()
+	size = int_arg(1)
+	argstr = sprint(size)
 }
-probe nd_syscall.epoll_create.return = kernel.function("sys_epoll_create").return ? {
+probe nd_syscall.epoll_create.return = kprobe.function("sys_epoll_create").return ?
+{
 	name = "epoll_create"
 	retstr = returnstr(1)
 }
@@ -630,21 +676,26 @@ probe nd_syscall.epoll_create.return = kernel.function("sys_epoll_create").retur
 # long compat_sys_epoll_ctl(int epfd, int op, int fd,
 #			struct compat_epoll_event __user *event)
 #
-probe nd_syscall.epoll_ctl =
-		kernel.function("sys_epoll_ctl") ?,
-		kernel.function("compat_sys_epoll_ctl") ?
+probe nd_syscall.epoll_ctl = kprobe.function("sys_epoll_ctl") ?,
+                             kprobe.function("compat_sys_epoll_ctl") ?
 {
 	name = "epoll_ctl"
-	epfd = $epfd
-	op = $op
-	op_str = _opoll_op_str($op)
-	fd = $fd
-	event_uaddr = $event
-	argstr = sprintf("%d, %s, %d, %p", $epfd, _opoll_op_str($op), $fd, $event)
+	// epfd = $epfd
+	// eop = $op
+	// eop_str = _opoll_op_str($op)
+	// efd = $fd
+	// eevent_uaddr = $event
+	// eargstr = sprintf("%d, %s, %d, %p", $epfd, _opoll_op_str($op), $fd, $event)
+	asmlinkage()
+	epfd = int_arg(1)
+	op = int_arg(2)
+	op_str = _opoll_op_str(op)
+	fd = int_arg(3)
+	event_uaddr = pointer_arg(4)
+	argstr = sprintf("%d, %s, %d, %p", epfd, op_str, fd, event_uaddr)
 }
-probe nd_syscall.epoll_ctl.return =
-		kernel.function("sys_epoll_ctl").return ?,
-		kernel.function("compat_sys_epoll_ctl").return ?
+probe nd_syscall.epoll_ctl.return = kprobe.function("sys_epoll_ctl").return ?,
+                                    kprobe.function("compat_sys_epoll_ctl").return ?
 {
 	name = "epoll_ctl"
 	retstr = returnstr(1)
@@ -661,17 +712,17 @@ probe nd_syscall.epoll_ctl.return =
 #			const compat_sigset_t __user *sigmask,
 #			compat_size_t sigsetsize)
 #
-probe nd_syscall.epoll_pwait =
-		kernel.function("sys_epoll_pwait") ?,
-		kernel.function("compat_sys_epoll_pwait") ?
+probe nd_syscall.epoll_pwait = kprobe.function("sys_epoll_pwait") ?,
+                               kprobe.function("compat_sys_epoll_pwait") ?
 {
 	name = "epoll_pwait"
+	asmlinkage()
 	argstr = sprintf("%d, %p, %d, %d, %p, %d",
-		$epfd, $events, $maxevents, $timeout, $sigmask, $sigsetsize)
+//		$epfd, $events, $maxevents, $timeout, $sigmask, $sigsetsize)
+		int_arg(1), pointer_arg(2), int_arg(3), int_arg(4), pointer_arg(5), ulong_arg(6))
 }
-probe nd_syscall.epoll_pwait.return =
-		kernel.function("sys_epoll_pwait").return ?,
-		kernel.function("compat_sys_epoll_pwait").return ?
+probe nd_syscall.epoll_pwait.return = kprobe.function("sys_epoll_pwait").return ?,
+                                      kprobe.function("compat_sys_epoll_pwait").return ?
 {
 	name = "epoll_pwait"
 	retstr = returnstr(1)
@@ -685,20 +736,24 @@ probe nd_syscall.epoll_pwait.return =
 #		struct compat_epoll_event __user *events,
 #		int maxevents, int timeout)
 #
-probe nd_syscall.epoll_wait =
-		kernel.function("sys_epoll_wait") ?,
-		kernel.function("compat_sys_epoll_wait") ?
+probe nd_syscall.epoll_wait = kprobe.function("sys_epoll_wait") ?,
+                              kprobe.function("compat_sys_epoll_wait") ?
 {
 	name = "epoll_wait"
-	epfd = $epfd
-	events_uaddr = $events
-	maxevents = $maxevents
-	timeout = $timeout
-	argstr = sprintf("%d, %p, %d, %d", $epfd, $events, $maxevents, $timeout)
+	// epfd = $epfd
+	// events_uaddr = $events
+	// maxevents = $maxevents
+	// timeout = $timeout
+	// argstr = sprintf("%d, %p, %d, %d", $epfd, $events, $maxevents, $timeout)
+	asmlinkage()
+	epfd = int_arg(1)
+	events_uaddr = pointer_arg(2)
+	maxevents = int_arg(3)
+	timeout = int_arg(4)
+	argstr = sprintf("%d, %p, %d, %d", epfd, events_uaddr, maxevents, timeout)
 }
-probe nd_syscall.epoll_wait.return =
-		kernel.function("sys_epoll_wait").return ?,
-		kernel.function("compat_sys_epoll_wait").return ?
+probe nd_syscall.epoll_wait.return = kprobe.function("sys_epoll_wait").return ?,
+                                     kprobe.function("compat_sys_epoll_wait").return ?
 {
 	name = "epoll_wait"
 	retstr = returnstr(1)
@@ -707,11 +762,15 @@ probe nd_syscall.epoll_wait.return =
 # eventfd _____________________________________________________
 # long sys_eventfd(unsigned int count)
 #
-probe nd_syscall.eventfd = kernel.function("sys_eventfd") ? {
+probe nd_syscall.eventfd = kprobe.function("sys_eventfd") ?
+{
 	name = "eventfd"
-	argstr = sprint($count)
+	// argstr = sprint($count)
+	asmlinkage()
+	argstr = sprint(uint_arg(1))
 }
-probe nd_syscall.eventfd.return = kernel.function("sys_eventfd").return ? {
+probe nd_syscall.eventfd.return = kprobe.function("sys_eventfd").return ?
+{
 	name = "eventfd"
 	retstr = returnstr(1)
 }
@@ -723,18 +782,21 @@ probe nd_syscall.eventfd.return = kernel.function("sys_eventfd").return ? {
 #	char __user *__user *argv,
 #	char __user *__user *envp,
 #	struct pt_regs * regs)
-probe nd_syscall.execve = kernel.function("do_execve") {
+probe nd_syscall.execve = kprobe.function("do_execve")
+{
 	name = "execve"
 	// filename = kernel_string($filename)
 	// args = __get_argv($argv, 0)
 	// argstr = sprintf("%s %s", filename, __get_argv($argv, 1))
+	asmlinkage()
 	filename = kernel_string(pointer_arg(1))
 	args = __get_argv(pointer_arg(2), 0)
 	argstr = sprintf("%s %s", filename, __get_argv(pointer_arg(2), 1))
 }
 # v2.6.15-rc2 or earlier has problems with sys_execve return probes
 # another reason to probe on do_execve
-probe nd_syscall.execve.return = kernel.function("do_execve").return {
+probe nd_syscall.execve.return = kprobe.function("do_execve").return
+{
 	name = "execve"
 	retstr = returnstr(1)
 }
@@ -742,33 +804,47 @@ probe nd_syscall.execve.return = kernel.function("do_execve").return {
 #	compat_uptr_t __user *argv,
 #	compat_uptr_t __user *envp,
 #	struct pt_regs * regs)
-probe nd_syscall.compat_execve = kernel.function("compat_do_execve") ? {
+probe nd_syscall.compat_execve = kprobe.function("compat_do_execve") ?
+{
 	name = "compat_execve"
-	filename = kernel_string($filename)
-	args = __get_compat_argv($argv, 0)
-	argstr = sprintf("%s %s", filename, __get_compat_argv($argv, 1))
+	// filename = kernel_string($filename)
+	// args = __get_compat_argv($argv, 0)
+	// argstr = sprintf("%s %s", filename, __get_compat_argv($argv, 1))
+	asmlinkage()
+	filename = kernel_string(pointer_arg(1))
+	args = __get_compat_argv(pointer_arg(2), 0)
+	argstr = sprintf("%s %s", filename, __get_compat_argv(pointer_arg(2), 1))
 }
-probe nd_syscall.compat_execve.return = kernel.function("compat_do_execve").return  ? {
+probe nd_syscall.compat_execve.return = kprobe.function("compat_do_execve").return  ?
+{
 	name = "compat_execve"
 	retstr = returnstr(1)
 }
 
 # exit _______________________________________________________
 # long sys_exit(int error_code)
-probe nd_syscall.exit = kernel.function("do_exit") {
+probe nd_syscall.exit = kprobe.function("do_exit")
+{
 	name = "exit"
-	status = $code
-	argstr = sprint($code)
+	// status = $code
+	// argstr = sprint($code)
+	asmlinkage()
+	status = int_arg(1)
+	argstr = sprint(status)
 }
 probe nd_syscall.exit.return = end {}
 
 # exit_group _________________________________________________
 # void sys_exit_group(int error_code)
 #
-probe nd_syscall.exit_group = kernel.function("sys_exit_group") {
+probe nd_syscall.exit_group = kprobe.function("sys_exit_group")
+{
 	name = "exit_group"
-	status = $error_code
-	argstr = sprint($error_code)
+	// status = $error_code
+	// argstr = sprint($error_code)
+	asmlinkage()
+	status = int_arg(1)
+	argstr = sprint(status)
 }
 
 probe nd_syscall.exit_group.return = end {}
@@ -777,15 +853,23 @@ probe nd_syscall.exit_group.return = end {}
 # fadvise64 __________________________________________________
 # long sys_fadvise64(int fd, loff_t offset, size_t len,  int advice)
 #
-probe nd_syscall.fadvise64 = kernel.function("sys_fadvise64") ? {
+probe nd_syscall.fadvise64 = kprobe.function("sys_fadvise64") ?
+{
 	name = "fadvise64"
-	fs = $fd
-	offset = $offset
-	len = $len
-	advice = $advice
-	argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
+	// fd = $fd
+	// offset = $offset
+	// len = $len
+	// advice = $advice
+	// argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
+	asmlinkage()
+	fd = int_arg(1)
+	offset = longlong_arg(2)
+	len = ulong_arg(3)
+	advice = int_arg(4)
+	argstr = sprintf("%d, %d, %d, %s", fd, offset, len, _fadvice_advice_str(advice))
 }
-probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return ? {
+probe nd_syscall.fadvise64.return = kprobe.function("sys_fadvise64").return ?
+{
 	name = "fadvise64"
 	retstr = returnstr(1)
 }
@@ -793,15 +877,23 @@ probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return ? {
 # fadvise64_64 _______________________________________________
 # long sys_fadvise64_64(int fd, loff_t offset, loff_t len,  int advice)
 #
-probe nd_syscall.fadvise64_64 = kernel.function("sys_fadvise64_64") {
+probe nd_syscall.fadvise64_64 = kprobe.function("sys_fadvise64_64")
+{
 	name = "fadvise64_64"
-	fs = $fd
-	offset = $offset
-	len = $len
-	advice = $advice
-	argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
+	// fd = $fd
+	// offset = $offset
+	// len = $len
+	// advice = $advice
+	// argstr = sprintf("%d, %d, %d, %s", $fd, $offset, $len, _fadvice_advice_str($advice))
+	asmlinkage()
+	fd = int_arg(1)
+	offset = longlong_arg(2)
+	len = ulong_arg(3)
+	advice = int_arg(4)
+	argstr = sprintf("%d, %d, %d, %s", fd, offset, len, _fadvice_advice_str(advice))
 }
-probe nd_syscall.fadvise64_64.return =  kernel.function("sys_fadvise64_64").return {
+probe nd_syscall.fadvise64_64.return =  kprobe.function("sys_fadvise64_64").return
+{
 	name = "fadvise64_64"
 	retstr = returnstr(1)
 }
@@ -811,15 +903,17 @@ probe nd_syscall.fadvise64_64.return =  kernel.function("sys_fadvise64_64").retu
 # fadvise64 __________________________________________________
 # long sys_fadvise64(int fd, loff_t offset, size_t len,  int advice)
 #
-probe nd_syscall.fadvise64 = kernel.function("sys_fadvise64") {
+probe nd_syscall.fadvise64 = kprobe.function("sys_fadvise64")
+{
 	name = "fadvise64"
-	fs = 0
+	fd = 0
 	offset = 0
 	len = 0
 	advice = 0
 	argstr = ""
 }
-probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return {
+probe nd_syscall.fadvise64.return = kprobe.function("sys_fadvise64").return
+{
 	name = "fadvise64"
 	retstr = returnstr(1)
 }
@@ -827,15 +921,17 @@ probe nd_syscall.fadvise64.return = kernel.function("sys_fadvise64").return {
 # fadvise64_64 _______________________________________________
 # long sys_fadvise64_64(int fd, loff_t offset, loff_t len,  int advice)
 #
-probe nd_syscall.fadvise64_64 = kernel.function("sys_fadvise64_64") {
+probe nd_syscall.fadvise64_64 = kprobe.function("sys_fadvise64_64")
+{
 	name = "fadvise64_64"
-	fs = 0
+	fd = 0
 	offset = 0
 	len = 0
 	advice = 0
 	argstr = ""
 }
-probe nd_syscall.fadvise64_64.return =  kernel.function("sys_fadvise64_64").return {
+probe nd_syscall.fadvise64_64.return =  kprobe.function("sys_fadvise64_64").return
+{
 	name = "fadvise64_64"
 	retstr = returnstr(1)
 }
@@ -843,53 +939,77 @@ probe nd_syscall.fadvise64_64.return =  kernel.function("sys_fadvise64_64").retu
 
 # fchdir _____________________________________________________
 # long sys_fchdir(unsigned int fd)
-probe nd_syscall.fchdir = kernel.function("sys_fchdir") {
+probe nd_syscall.fchdir = kprobe.function("sys_fchdir")
+{
 	name = "fchdir"
-	fd = $fd
-	argstr = sprint($fd)
+	// fd = $fd
+	// argstr = sprint($fd)
+	asmlinkage()
+	fd = int_arg(1)
+	argstr = sprint(fd)
 }
-probe nd_syscall.fchdir.return = kernel.function("sys_fchdir").return {
+probe nd_syscall.fchdir.return = kprobe.function("sys_fchdir").return
+{
 	name = "fchdir"
 	retstr = returnstr(1)
 }
 
 # fchmod _____________________________________________________
 # long sys_fchmod(unsigned int fd, mode_t mode)
-probe nd_syscall.fchmod = kernel.function("sys_fchmod") {
+probe nd_syscall.fchmod = kprobe.function("sys_fchmod")
+{
 	name = "fchmod"
-	fildes = $fd
-	mode = $mode
-	argstr = sprintf("%d, %#o", $fd, $mode)
+	// fildes = $fd
+	// mode = $mode
+	asmlinkage()
+	fildes = int_arg(1)
+	mode = uint_arg(2) # SAFE?
+	argstr = sprintf("%d, %#o", fildes, mode)
 }
-probe nd_syscall.fchmod.return = kernel.function("sys_fchmod").return {
+probe nd_syscall.fchmod.return = kprobe.function("sys_fchmod").return
+{
 	name = "fchmod"
 	retstr = returnstr(1)
 }
 
 # fchown _____________________________________________________
 # long sys_fchown(unsigned int fd, uid_t user, gid_t group)
-probe nd_syscall.fchown = kernel.function("sys_fchown") {
+probe nd_syscall.fchown = kprobe.function("sys_fchown")
+{
 	name = "fchown"
-	fd = $fd
-	owner = __int32($user)
-	group = __int32($group)
-	argstr = sprintf("%d, %d, %d", $fd, owner, group) 
+	// fd = $fd
+	// owner = __int32($user)
+	// group = __int32($group)
+	// argstr = sprintf("%d, %d, %d", $fd, owner, group) 
+	asmlinkage()
+	fd = int_arg(1)
+	owner = __int32(uint_arg(2))
+	group = __int32(uint_arg(3))
+	argstr = sprintf("%d, %d, %d", fd, owner, group) 
 }
-probe nd_syscall.fchown.return = kernel.function("sys_fchown").return {
+probe nd_syscall.fchown.return = kprobe.function("sys_fchown").return
+{
 	name = "fchown"
 	retstr = returnstr(1)
 }
 
 # fchown16 ___________________________________________________
 # long sys_fchown16(unsigned int fd, old_uid_t user, old_gid_t group)
-probe nd_syscall.fchown16 = kernel.function("sys_fchown16") ? {
+probe nd_syscall.fchown16 = kprobe.function("sys_fchown16") ?
+{
 	name = "fchown16"
-	fd = $fd
-	owner = __short($user)
-	group = __short($group)
-	argstr = sprintf("%d, %d, %d", $fd, owner, group)
+	// fd = $fd
+	// owner = __short($user)
+	// group = __short($group)
+	// argstr = sprintf("%d, %d, %d", $fd, owner, group)
+	asmlinkage()
+	fd = int_arg(1)
+	owner = __short(uint_arg(2))
+	group = __short(uint_arg(3))
+	argstr = sprintf("%d, %d, %d", fd, owner, group)
 }
-probe nd_syscall.fchown16.return = kernel.function("sys_fchown16").return ? {
+probe nd_syscall.fchown16.return = kprobe.function("sys_fchown16").return ?
+{
 	name = "fchown16"
 	retstr = returnstr(1)
 }
@@ -900,24 +1020,28 @@ probe nd_syscall.fchown16.return = kernel.function("sys_fchown16").return ? {
 # long compat_sys_fcntl64(unsigned int fd, unsigned int cmd, unsigned long arg)
 # long compat_sys_fcntl(unsigned int fd, unsigned int cmd, unsigned long arg)
 #
-probe nd_syscall.fcntl = 
-		kernel.function("sys_fcntl") ?,
-		kernel.function("sys_fcntl64") ?,
-		kernel.function("compat_sys_fcntl") ?,
-		kernel.function("compat_sys_fcntl64") ?
+probe nd_syscall.fcntl = kprobe.function("sys_fcntl") ?,
+                         kprobe.function("sys_fcntl64") ?,
+                         kprobe.function("compat_sys_fcntl") ?,
+                         kprobe.function("compat_sys_fcntl64") ?
 {
 	name = "fcntl"
-	fd = $fd
-	cmd = $cmd
-	cmd_str = _fcntl_cmd_str($cmd)
-      	arg = $arg
-	argstr = sprintf("%d, %s, %p", $fd, _fcntl_cmd_str($cmd), $arg)
-}
-probe nd_syscall.fcntl.return = 
-		kernel.function("sys_fcntl").return ?,
-		kernel.function("sys_fcntl64").return ?,
-		kernel.function("compat_sys_fcntl").return ?,
-		kernel.function("compat_sys_fcntl64").return ?
+	// fd = $fd
+	// cmd = $cmd
+	// cmd_str = _fcntl_cmd_str($cmd)
+	// arg = $arg
+	// argstr = sprintf("%d, %s, %p", $fd, _fcntl_cmd_str($cmd), $arg)
+	asmlinkage()
+	fd = int_arg(1)
+	cmd = int_arg(2)
+	cmd_str = _fcntl_cmd_str(cmd)
+	arg = long_arg(3)
+	argstr = sprintf("%d, %s, %p", fd, cmd_str, arg)
+}
+probe nd_syscall.fcntl.return = kprobe.function("sys_fcntl").return ?,
+                                kprobe.function("sys_fcntl64").return ?,
+                                kprobe.function("compat_sys_fcntl").return ?,
+                                kprobe.function("compat_sys_fcntl64").return ?
 {
 	name = "fcntl"
 	retstr = returnstr(1)
@@ -925,12 +1049,16 @@ probe nd_syscall.fcntl.return =
 
 # fdatasync __________________________________________________
 # long sys_fdatasync(unsigned int fd)
-probe nd_syscall.fdatasync = kernel.function("sys_fdatasync") {
+probe nd_syscall.fdatasync = kprobe.function("sys_fdatasync")
+{
 	name = "fdatasync"
-	fd = $fd
+	// fd = $fd
+	asmlinkage()
+	fd = int_arg(1)
 	argstr = sprint(fd)
 }
-probe nd_syscall.fdatasync.return = kernel.function("sys_fdatasync").return {
+probe nd_syscall.fdatasync.return = kprobe.function("sys_fdatasync").return
+{
 	name = "fdatasync"
 	retstr = returnstr(1)
 }
@@ -938,42 +1066,61 @@ probe nd_syscall.fdatasync.return = kernel.function("sys_fdatasync").return {
 # fgetxattr __________________________________________________
 # ssize_t sys_fgetxattr(int fd, char __user *name,
 # 		void __user *value, size_t size)
-probe nd_syscall.fgetxattr = kernel.function("sys_fgetxattr") {
+probe nd_syscall.fgetxattr = kprobe.function("sys_fgetxattr")
+{
 	name = "fgetxattr"
-	filedes = $fd
-#FIXME
-	name2 = user_string($name)
-	value_uaddr = $value
-	size  = $size
-	argstr = sprintf("%d, %s, %p, %d", filedes, user_string_quoted($name), value_uaddr, size)
-}
-probe nd_syscall.fgetxattr.return = kernel.function("sys_fgetxattr").return {
+	// filedes = $fd
+	// name2 = user_string($name)
+	// value_uaddr = $value
+	// size  = $size
+	// argstr = sprintf("%d, %s, %p, %d", $fd, user_string_quoted($name), value_uaddr, size)
+	asmlinkage()
+	filedes = int_arg(1)
+	# FIXME
+	name2 = user_string(pointer_arg(2))
+	value_uaddr = pointer_arg(3)
+	size  = ulong_arg(4)
+	argstr = sprintf("%d, %s, %p, %d", filedes, user_string_quoted(pointer_arg(2)), value_uaddr, size)
+}
+probe nd_syscall.fgetxattr.return = kprobe.function("sys_fgetxattr").return
+{
 	name = "fgetxattr"
 	retstr = returnstr(1)
 }
 # flistxattr _________________________________________________
 # ssize_t sys_flistxattr(int fd, char __user *list, size_t size)
-probe nd_syscall.flistxattr = kernel.function("sys_flistxattr") {
+probe nd_syscall.flistxattr = kprobe.function("sys_flistxattr")
+{
 	name = "flistxattr"
-	filedes = $fd
-	list_uaddr = $list
-	size = $size
+	// filedes = $fd
+	// list_uaddr = $list
+	// size = $size
+	asmlinkage()
+	filedes = int_arg(1)
+	list_uaddr = pointer_arg(2)
+	size = ulong_arg(3)
 	argstr = sprintf("%d, %p, %d", filedes, list_uaddr, size)
 }
-probe nd_syscall.flistxattr.return = kernel.function("sys_flistxattr").return {
+probe nd_syscall.flistxattr.return = kprobe.function("sys_flistxattr").return
+{
 	name = "flistxattr"
 	retstr = returnstr(1)
 }
 
 # flock ______________________________________________________
 # long sys_flock(unsigned int fd, unsigned int cmd)
-probe nd_syscall.flock = kernel.function("sys_flock") {
+probe nd_syscall.flock = kprobe.function("sys_flock")
+{
 	name = "flock"
-	fd = $fd
-	operation = $cmd
+	// fd = $fd
+	// operation = $cmd
+	asmlinkage()
+	fd = int_arg(1)
+	operation = int_arg(2)
 	argstr = sprintf("%d, %s", fd, _flock_cmd_str(operation))
 }
-probe nd_syscall.flock.return = kernel.function("sys_flock").return {
+probe nd_syscall.flock.return = kprobe.function("sys_flock").return
+{
 	name = "flock"
 	retstr = returnstr(1)
 }
@@ -1016,13 +1163,15 @@ CATCH_DEREF_FAULT();
 #	unsigned long stack_size,
 #	int __user *parent_tidptr,
 #	int __user *child_tidptr)
-probe nd_syscall.fork = kernel.function("do_fork") {
+probe nd_syscall.fork = kprobe.function("do_fork")
+{
 	// clone_flags = $clone_flags
 	// stack_start = $stack_start
 	// regs = $regs
 	// stack_size = $stack_size
 	// parent_tid_uaddr = $parent_tidptr
 	// child_tid_uaddr = $child_tidptr
+	asmlinkage()
 	clone_flags = ulong_arg(1)
 	stack_start = ulong_arg(2)
 	regs = pointer_arg(3)
@@ -1042,19 +1191,27 @@ probe nd_syscall.fork = kernel.function("do_fork") {
 		argstr = __fork_flags(clone_flags)
 	}
 }
-probe nd_syscall.fork.return = kernel.function("do_fork").return {
+probe nd_syscall.fork.return = kprobe.function("do_fork").return
+{
 	name = "fork"
 	retstr = returnstr(1)
 }
 # fremovexattr _______________________________________________
 # long sys_fremovexattr(int fd, char __user *name)
-probe nd_syscall.fremovexattr = kernel.function("sys_fremovexattr") {
+probe nd_syscall.fremovexattr = kprobe.function("sys_fremovexattr")
+{
 	name = "fremovexattr"
-	filedes = $fd
-	name_uaddr = $name
-	argstr = sprintf("FIXME PLEASE")
+	// filedes = $fd
+	// name2 = user_string($name)
+	// argstr = sprintf("%d, %s", $fd, user_string_quoted($name))
+	asmlinkage()
+	filedes = int_arg(1)
+	# FIXME
+	name2 = user_string(pointer_arg(2))
+	argstr = sprintf("%d, %s", filedes, user_string_quoted(pointer_arg(2)))
 }
-probe nd_syscall.fremovexattr.return = kernel.function("sys_fremovexattr").return {
+probe nd_syscall.fremovexattr.return = kprobe.function("sys_fremovexattr").return
+{
 	name = "fremovexattr"
 	retstr = returnstr(1)
 }
@@ -1068,17 +1225,26 @@ probe nd_syscall.fremovexattr.return = kernel.function("sys_fremovexattr").retur
  *               size_t size,
  *               int flags)
  */
-probe nd_syscall.fsetxattr = kernel.function("sys_fsetxattr") {
+probe nd_syscall.fsetxattr = kprobe.function("sys_fsetxattr")
+{
 	name = "fsetxattr"
-	filedes = $fd
-# FIXME
-	name2 = user_string($name)
-	value_uaddr = $value
-	size = $size
-	flags = $flags
-	argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted($name), value_uaddr, size, flags)
-}
-probe nd_syscall.fsetxattr.return = kernel.function("sys_fsetxattr").return {
+	// filedes = $fd
+	// name2 = user_string($name)
+	// value_uaddr = $value
+	// size = $size
+	// flags = $flags
+	// argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted($name), value_uaddr, size, flags)
+	asmlinkage()
+	filedes = int_arg(1)
+	# FIXME
+	name2 = user_string(pointer_arg(2))
+	value_uaddr = pointer_arg(3)
+	size = ulong_arg(4)
+	flags = int_arg(5)
+	argstr = sprintf("%d, %s, %p, %d, %p", filedes, user_string_quoted(pointer_arg(2)), value_uaddr, size, flags)
+}
+probe nd_syscall.fsetxattr.return = kprobe.function("sys_fsetxattr").return
+{
 	name = "fsetxattr"
 	retstr = returnstr(1)
 }
@@ -1092,26 +1258,28 @@ probe nd_syscall.fsetxattr.return = kernel.function("sys_fsetxattr").return {
 #			struct oldabi_stat64 __user * statbuf)
 # long compat_sys_newfstat(unsigned int fd, struct compat_stat __user * statbuf)
 #
-probe nd_syscall.fstat = 
-		kernel.function("sys_fstat") ?, 
-		kernel.function("sys_fstat64") ?,
-		kernel.function("sys32_fstat64") ?,
-		kernel.function("sys_newfstat") ?,
-		kernel.function("sys_oabi_fstat64") ?,
-		kernel.function("compat_sys_newfstat") ?
+probe nd_syscall.fstat = kprobe.function("sys_fstat") ?, 
+                         kprobe.function("sys_fstat64") ?,
+                         kprobe.function("sys32_fstat64") ?,
+                         kprobe.function("sys_newfstat") ?,
+                         kprobe.function("sys_oabi_fstat64") ?,
+                         kprobe.function("compat_sys_newfstat") ?
 {
 	name = "fstat"
-	filedes = $fd
-	buf_uaddr = $statbuf
-	argstr = sprintf("%d, %p", $fd, $statbuf)
-}
-probe nd_syscall.fstat.return = 
-		kernel.function("sys_fstat").return ?,
-		kernel.function("sys_fstat64").return ?,
-		kernel.function("sys32_fstat64").return ?,
-		kernel.function("sys_newfstat").return ?,
-		kernel.function("sys_oabi_fstat64").return ?,
-		kernel.function("compat_sys_newfstat").return ?
+	// filedes = $fd
+	// buf_uaddr = $statbuf
+	// argstr = sprintf("%d, %p", $fd, $statbuf)
+	asmlinkage()
+	filedes = int_arg(1)
+	buf_uaddr = pointer_arg(2)
+	argstr = sprintf("%d, %p", filedes, buf_uaddr)
+}
+probe nd_syscall.fstat.return = kprobe.function("sys_fstat").return ?,
+                                kprobe.function("sys_fstat64").return ?,
+                                kprobe.function("sys32_fstat64").return ?,
+                                kprobe.function("sys_newfstat").return ?,
+                                kprobe.function("sys_oabi_fstat64").return ?,
+                                kprobe.function("compat_sys_newfstat").return ?
 {
 	name = "fstat"
 	retstr = returnstr(1)
@@ -1122,23 +1290,26 @@ probe nd_syscall.fstat.return =
 # long sys_newfstatat(int dfd, char __user *filename, struct stat __user *statbuf, int flag)
 # long sys_fstatat64(int dfd, char __user *filename, struct stat64 __user *statbuf, int flag)
 # long compat_sys_newfstatat(unsigned int dfd, char __user *filename, struct compat_stat __user *statbuf, int flag)
-probe nd_syscall.fstatat = 
-		kernel.function("sys_fstatat64") ?, 
-		kernel.function("sys_newfstatat") ?,
-		kernel.function("compat_sys_newfstatat") ?,
-		kernel.function("sys32_fstatat64") ?
+probe nd_syscall.fstatat = kprobe.function("sys_fstatat64") ?, 
+                           kprobe.function("sys_newfstatat") ?,
+                           kprobe.function("compat_sys_newfstatat") ?,
+                           kprobe.function("sys32_fstatat64") ?
 {
 	name = "fstatat"
-	dirfd = $dfd
-	path = user_string($filename)
-	buf_uaddr = $statbuf
-	argstr = sprintf("%s, %s, %p, %s", _dfd_str($dfd), user_string_quoted($filename), $statbuf, _at_flag_str($flag))
+	// dirfd = $dfd
+	// path = user_string($filename)
+	// buf_uaddr = $statbuf
+	// argstr = sprintf("%s, %s, %p, %s", _dfd_str($dfd), user_string_quoted($filename), $statbuf, _at_flag_str($flag))
+	asmlinkage()
+	dirfd = int_arg(1)
+	path = user_string(pointer_arg(2))
+	buf_uaddr = pointer_arg(3)
+	argstr = sprintf("%s, %s, %p, %s", _dfd_str(dirfd), user_string_quoted(pointer_arg(2)), buf_uaddr, _at_flag_str(int_arg(4)))
 }
-probe nd_syscall.fstatat.return = 
-		kernel.function("sys_fstatat64").return ?, 
-		kernel.function("sys_newfstatat").return ?,
-		kernel.function("compat_sys_newfstatat").return ?,
-		kernel.function("sys32_fstatat64").return ?
+probe nd_syscall.fstatat.return = kprobe.function("sys_fstatat64").return ?, 
+                                  kprobe.function("sys_newfstatat").return ?,
+                                  kprobe.function("compat_sys_newfstatat").return ?,
+                                  kprobe.function("sys32_fstatat64").return ?
 {
 	name = "fstatat"
 	retstr = returnstr(1)
@@ -1148,18 +1319,20 @@ probe nd_syscall.fstatat.return =
 # long sys_fstatfs(unsigned int fd, struct statfs __user * buf)
 # long compat_sys_fstatfs(unsigned int fd, struct compat_statfs __user *buf)
 #
-probe nd_syscall.fstatfs = 
-		kernel.function("sys_fstatfs"),
-		kernel.function("compat_sys_fstatfs") ?
+probe nd_syscall.fstatfs = kprobe.function("sys_fstatfs"),
+                           kprobe.function("compat_sys_fstatfs") ?
 {
 	name = "fstatfs"
-	fd = $fd
-	buf_uaddr = $buf
-	argstr = sprintf("%d, %p", $fd, $buf)
+	// fd = $fd
+	// buf_uaddr = $buf
+	// argstr = sprintf("%d, %p", $fd, $buf)
+	asmlinkage()
+	fd = int_arg(1)
+	buf_uaddr = pointer_arg(2)
+	argstr = sprintf("%d, %p", fd, buf_uaddr)
 }
-probe nd_syscall.fstatfs.return = 
-		kernel.function("sys_fstatfs").return,
-		kernel.function("compat_sys_fstatfs").return ?
+probe nd_syscall.fstatfs.return = kprobe.function("sys_fstatfs").return,
+                                  kprobe.function("compat_sys_fstatfs").return ?
 {
 	name = "fstatfs"
 	retstr = returnstr(1)
@@ -1169,19 +1342,22 @@ probe nd_syscall.fstatfs.return =
 # long sys_fstatfs64(unsigned int fd, size_t sz, struct statfs64 __user *buf)
 # long compat_sys_fstatfs64(unsigned int fd, compat_size_t sz, struct compat_statfs64 __user *buf)
 #
-probe nd_syscall.fstatfs64 = 
-		kernel.function("sys_fstatfs64") ?,
-		kernel.function("compat_sys_fstatfs64") ?
+probe nd_syscall.fstatfs64 = kprobe.function("sys_fstatfs64") ?,
+                             kprobe.function("compat_sys_fstatfs64") ?
 {
 	name = "fstatfs"
-	fd = $fd
-	sz = $sz
-	buf_uaddr = $buf
-	argstr = sprintf("%d, %d, %p", $fd, $sz, $buf)
+	// fd = $fd
+	// sz = $sz
+	// buf_uaddr = $buf
+	// argstr = sprintf("%d, %d, %p", $fd, $sz, $buf)
+	asmlinkage()
+	fd = int_arg(1)
+	sz = ulong_arg(2)
+	buf_uaddr = pointer_arg(3)
+	argstr = sprintf("%d, %d, %p", fd, sz, buf_uaddr)
 }
-probe nd_syscall.fstatfs64.return =
-		kernel.function("sys_fstatfs64").return ?,
-		kernel.function("compat_sys_fstatfs64").return ?
+probe nd_syscall.fstatfs64.return = kprobe.function("sys_fstatfs64").return ?,
+                                    kprobe.function("compat_sys_fstatfs64").return ?
 {
 	name = "fstatfs"
 	retstr = returnstr(1)
@@ -1189,37 +1365,51 @@ probe nd_syscall.fstatfs64.return =
 
 # fsync ______________________________________________________
 # long sys_fsync(unsigned int fd)
-probe nd_syscall.fsync = kernel.function("sys_fsync") {
+probe nd_syscall.fsync = kprobe.function("sys_fsync")
+{
 	name = "fsync"
-	fd = $fd
+	// fd = $fd
+	asmlinkage()
+	fd = int_arg(1)
 	argstr = sprint(fd)
 }
-probe nd_syscall.fsync.return = kernel.function("sys_fsync").return {
+probe nd_syscall.fsync.return = kprobe.function("sys_fsync").return
+{
 	name = "fsync"
 	retstr = returnstr(1)
 }
 # ftruncate __________________________________________________
 # long sys_ftruncate(unsigned int fd, unsigned long length)
-probe nd_syscall.ftruncate = kernel.function("sys_ftruncate") {
+probe nd_syscall.ftruncate = kprobe.function("sys_ftruncate")
+{
 	name = "ftruncate"
-	fd = $fd
-	length = $length
+	// fd = $fd
+	// length = $length
+	asmlinkage()
+	fd = int_arg(1)
+	length = ulong_arg(2)
 	argstr = sprintf("%d, %d", fd, length)
 }
-probe nd_syscall.ftruncate.return = kernel.function("sys_ftruncate").return {
+probe nd_syscall.ftruncate.return = kprobe.function("sys_ftruncate").return
+{
 	name = "ftruncate"
 	retstr = returnstr(1)
 }
 
 # ftruncate64 ________________________________________________
 # long sys_ftruncate64(unsigned int fd, loff_t length)
-probe nd_syscall.ftruncate64 = kernel.function("sys_ftruncate64") ? {
+probe nd_syscall.ftruncate64 = kprobe.function("sys_ftruncate64") ?
+{
 	name = "ftruncate"
-	fd = $fd
-	length = $length
+	// fd = $fd
+	// length = $length
+	asmlinkage()
+	fd = int_arg(1)
+	length = longlong_arg(2)
 	argstr = sprintf("%d, %d", fd, length)
 }
-probe nd_syscall.ftruncate64.return = kernel.function("sys_ftruncate64").return ? {
+probe nd_syscall.ftruncate64.return = kprobe.function("sys_ftruncate64").return ?
+{
 	name = "ftruncate"
 	retstr = returnstr(1)
 }
@@ -1235,7 +1425,8 @@ probe nd_syscall.ftruncate64.return = kernel.function("sys_ftruncate64").return
 #		struct compat_timespec __user *utime, u32 __user *uaddr2,
 #		u32 val3)
 #
-probe nd_syscall.futex = kernel.function("sys_futex") ? {
+probe nd_syscall.futex = kprobe.function("sys_futex") ?
+{
 	name = "futex"
 	// futex_uaddr = $uaddr
 	// op = $op
@@ -1245,7 +1436,7 @@ probe nd_syscall.futex = kernel.function("sys_futex") ? {
 	// val3 = $val3
 	// if (op == 0)
 	//	argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op), 
-	//		$val, _struct_timespec_u($utime,1)) 
+	//		$val, _struct_timespec_u($utime, 1)) 
 	// else
 	//	argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op), 
 	//		$val) 
@@ -1259,16 +1450,18 @@ probe nd_syscall.futex = kernel.function("sys_futex") ? {
 	if (op == 0)
 		argstr = sprintf("%p, %s, %d, %s", futex_uaddr,
 			_futex_op_str(op), val,
-			_struct_timespec_u(utime_uaddr,1)) 
+			_struct_timespec_u(utime_uaddr, 1)) 
 	else
 		argstr = sprintf("%p, %s, %d", futex_uaddr,
 			_futex_op_str(op), val) 
 }
-probe nd_syscall.futex.return = kernel.function("sys_futex").return ? {
+probe nd_syscall.futex.return = kprobe.function("sys_futex").return ?
+{
 	name = "futex"
 	retstr = returnstr(1)
 }
-probe nd_syscall.compat_futex = kernel.function("compat_sys_futex") ? {
+probe nd_syscall.compat_futex = kprobe.function("compat_sys_futex") ?
+{
 	name = "futex"
 	// futex_uaddr = $uaddr
 	// op = $op
@@ -1278,7 +1471,7 @@ probe nd_syscall.compat_futex = kernel.function("compat_sys_futex") ? {
 	// val3 = $val3
 	// if (op == 0)
 	//	argstr = sprintf("%p, %s, %d, %s", $uaddr, _futex_op_str($op), 
-	//		$val, _struct_compat_timespec_u($utime,1)) 
+	//		$val, _struct_compat_timespec_u($utime, 1)) 
 	// else
 	//	argstr = sprintf("%p, %s, %d", $uaddr, _futex_op_str($op), 
 	//		$val) 
@@ -1292,12 +1485,13 @@ probe nd_syscall.compat_futex = kernel.function("compat_sys_futex") ? {
 	if (op == 0)
 		argstr = sprintf("%p, %s, %d, %s", futex_uaddr,
 			_futex_op_str(op), val,
-			_struct_compat_timespec_u(utime_uaddr,1)) 
+			_struct_compat_timespec_u(utime_uaddr, 1)) 
 	else
 		argstr = sprintf("%p, %s, %d", futex_uaddr,
 			_futex_op_str(op), val) 
 }
-probe nd_syscall.compat_futex.return = kernel.function("compat_sys_futex").return ? {
+probe nd_syscall.compat_futex.return = kprobe.function("compat_sys_futex").return ?
+{
 	name = "futex"
 	retstr = returnstr(1)
 }
@@ -1308,69 +1502,95 @@ probe nd_syscall.compat_futex.return = kernel.function("compat_sys_futex").retur
 # long compat_sys_futimesat(unsigned int dfd, char __user *filename, struct compat_timeval __user *t)
 #
 
-probe nd_syscall.futimesat = kernel.function("sys_futimesat") ? {
+probe nd_syscall.futimesat = kprobe.function("sys_futimesat") ?
+{
 	name = "futimesat"
-	dirfd = $dfd
-	filename_uaddr = $filename
-	filename = user_string($filename)
-	tvp_uaddr = $utimes
-	argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),  
-		_struct_timeval_u($utimes, 2))
-}
-probe nd_syscall.compat_futimesat = kernel.function("compat_sys_futimesat") ? {
+	// dirfd = $dfd
+	// filename_uaddr = $filename
+	// filename = user_string($filename)
+	// tvp_uaddr = $utimes
+	// argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),  
+	// 	_struct_timeval_u($utimes, 2))
+	asmlinkage()
+	dirfd = int_arg(1)
+	filename_uaddr = pointer_arg(2)
+	filename = user_string(filename_uaddr)
+	tvp_uaddr = pointer_arg(3)
+	argstr = sprintf("%s, %s, %s", _dfd_str(dirfd), user_string_quoted(filename_uaddr),  
+		_struct_timeval_u(tvp_uaddr, 2))
+}
+probe nd_syscall.compat_futimesat = kprobe.function("compat_sys_futimesat") ?
+{
 	name = "futimesat"
-	dirfd = $dfd
-	filename_uaddr = $filename
-	filename = user_string($filename)
-	tvp_uaddr = $t
-	argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),  
-		_struct_compat_timeval_u($t, 2))
-}
-probe nd_syscall.futimesat.return = kernel.function("sys_futimesat").return ? {
+	// dirfd = $dfd
+	// filename_uaddr = $filename
+	// filename = user_string($filename)
+	// tvp_uaddr = $utimes
+	// argstr = sprintf("%s, %s, %s", _dfd_str($dfd), user_string_quoted($filename),  
+	// 	_struct_timeval_u($utimes, 2))
+	asmlinkage()
+	dirfd = uint_arg(1)
+	filename_uaddr = pointer_arg(2)
+	filename = user_string(pointer_arg(2))
+	tvp_uaddr = pointer_arg(3)
+	argstr = sprintf("%s, %s, %s", _dfd_str(uint_arg(1)), user_string_quoted(pointer_arg(2)),  
+		_struct_compat_timeval_u(pointer_arg(3), 2))
+}
+probe nd_syscall.futimesat.return = kprobe.function("sys_futimesat").return ?
+{
 	name = "futimesat"
 	retstr = returnstr(1)
 }
-probe nd_syscall.compat_futimesat.return = kernel.function("compat_sys_futimesat").return ? {
+probe nd_syscall.compat_futimesat.return = kprobe.function("compat_sys_futimesat").return ?
+{
 	name = "futimesat"
 	retstr = returnstr(1)
 }
 
 # getcwd _____________________________________________________
 # long sys_getcwd(char __user *buf, unsigned long size)
-probe nd_syscall.getcwd = kernel.function("sys_getcwd") {
+probe nd_syscall.getcwd = kprobe.function("sys_getcwd")
+{
 	name = "getcwd"
-	buf_uaddr = $buf
-	size = $size
+	// buf_uaddr = $buf
+	// size = $size
+	asmlinkage()
+	buf_uaddr = pointer_arg(1)
+	size = ulong_arg(2)
 	argstr = sprintf("%p, %d", buf_uaddr, size)
 }
-probe nd_syscall.getcwd.return = kernel.function("sys_getcwd").return {
+probe nd_syscall.getcwd.return = kprobe.function("sys_getcwd").return
+{
 	name = "getcwd"
 	retstr = returnstr(1)
 }
 
 # getdents ___________________________________________________
 # long sys_getdents(unsigned int fd, struct linux_dirent __user * dirent, unsigned int count)
-# long compat_sys_getdents(unsigned int fd,struct compat_linux_dirent __user *dirent, unsigned int count)
+# long compat_sys_getdents(unsigned int fd, struct compat_linux_dirent __user *dirent, unsigned int count)
 # long sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count)
 # long compat_sys_getdents64(unsigned int fd, struct linux_dirent64 __user * dirent, unsigned int count)
 #
-probe nd_syscall.getdents =
-		kernel.function("sys_getdents") ?,
-		kernel.function("sys_getdents64") ?,
-		kernel.function("compat_sys_getdents") ?,
-		kernel.function("compat_sys_getdents64") ?
+probe nd_syscall.getdents = kprobe.function("sys_getdents") ?,
+                            kprobe.function("sys_getdents64") ?,
+                            kprobe.function("compat_sys_getdents") ?,
+                            kprobe.function("compat_sys_getdents64") ?
 {
 	name = "getdents"
-	fd = $fd
-	dirp_uaddr = $dirent
-	count = $count
-	argstr = sprintf("%d, %p, %d", $fd, $dirent, $count)
+	// fd = $fd
+	// dirp_uaddr = $dirent
+	// count = $count
+	// argstr = sprintf("%d, %p, %d", $fd, $dirent, $count)
+	asmlinkage()
+	fd = int_arg(1)
+	dirp_uaddr = pointer_arg(2)
+	count = uint_arg(3)
+	argstr = sprintf("%d, %p, %d", fd, dirp_uaddr, count)
 }
-probe nd_syscall.getdents.return =
-		kernel.function("sys_getdents").return ?,
-		kernel.function("sys_getdents64").return ?,
-		kernel.function("compat_sys_getdents").return ?,
-		kernel.function("compat_sys_getdents64").return ?
+probe nd_syscall.getdents.return = kprobe.function("sys_getdents").return ?,
+                                   kprobe.function("sys_getdents64").return ?,
+                                   kprobe.function("compat_sys_getdents").return ?,
+                                   kprobe.function("compat_sys_getdents64").return ?
 {
 	name = "getdents"
 	retstr = returnstr(1)
@@ -1381,18 +1601,16 @@ probe nd_syscall.getdents.return =
 # long sys_getegid16(void)
 # long sys32_getegid16(void)
 #
-probe nd_syscall.getegid =
-		kernel.function("sys_getegid16") ?,
-		kernel.function("sys32_getegid16") ?,
-		kernel.function("sys_getegid")
+probe nd_syscall.getegid = kprobe.function("sys_getegid16") ?,
+                           kprobe.function("sys32_getegid16") ?,
+                           kprobe.function("sys_getegid")
 {
 	name = "getegid"
 	argstr = ""
 }
-probe nd_syscall.getegid.return =
-		kernel.function("sys_getegid16").return ?,
-		kernel.function("sys32_getegid16").return ?,
-		kernel.function("sys_getegid").return
+probe nd_syscall.getegid.return = kprobe.function("sys_getegid16").return ?,
+                                  kprobe.function("sys32_getegid16").return ?,
+                                  kprobe.function("sys_getegid").return
 {
 	name = "getegid"
 	retstr = returnstr(1)
@@ -1402,18 +1620,16 @@ probe nd_syscall.getegid.return =
 # long sys_geteuid(void)
 # long sys32_geteuid16(void)
 #
-probe nd_syscall.geteuid = 
-		kernel.function("sys_geteuid16") ?,
-		kernel.function("sys32_geteuid16") ?,
-		kernel.function("sys_geteuid")
+probe nd_syscall.geteuid = kprobe.function("sys_geteuid16") ?,
+                           kprobe.function("sys32_geteuid16") ?,
+                           kprobe.function("sys_geteuid")
 {
 	name = "geteuid"
 	argstr = ""
 }
-probe nd_syscall.geteuid.return = 
-		kernel.function("sys_geteuid16").return ?,
-		kernel.function("sys32_geteuid16").return ?,
-		kernel.function("sys_geteuid").return
+probe nd_syscall.geteuid.return = kprobe.function("sys_geteuid16").return ?,
+                                  kprobe.function("sys32_geteuid16").return ?,
+                                  kprobe.function("sys_geteuid").return
 {
 	name = "geteuid"
 	retstr = returnstr(1)
@@ -1423,18 +1639,16 @@ probe nd_syscall.geteuid.return =
 # long sys_getgid(void)
 # long sys32_getgid16(void)
 #
-probe nd_syscall.getgid = 
-		kernel.function("sys_getgid16") ?,
-		kernel.function("sys32_getgid16") ?,
-		kernel.function("sys_getgid") 
+probe nd_syscall.getgid = kprobe.function("sys_getgid16") ?,
+                          kprobe.function("sys32_getgid16") ?,
+                          kprobe.function("sys_getgid") 
 {
 	name = "getgid"
 	argstr = ""
 }
-probe nd_syscall.getgid.return = 
-		kernel.function("sys_getgid16").return ?,
-		kernel.function("sys32_getgid16").return ?,
-		kernel.function("sys_getgid").return
+probe nd_syscall.getgid.return = kprobe.function("sys_getgid16").return ?,
+                                 kprobe.function("sys32_getgid16").return ?,
+                                 kprobe.function("sys_getgid").return
 {
 	name = "getgid"
 	retstr = returnstr(1)
@@ -1445,20 +1659,22 @@ probe nd_syscall.getgid.return =
 # long sys_getgroups16(int gidsetsize, old_gid_t __user *grouplist)
 # long sys32_getgroups16(int gidsetsize, u16 __user *grouplist)
 #
-probe nd_syscall.getgroups = 
-		kernel.function("sys_getgroups") ?,
-		kernel.function("sys_getgroups16") ?,
-		kernel.function("sys32_getgroups16") ?
+probe nd_syscall.getgroups = kprobe.function("sys_getgroups") ?,
+                             kprobe.function("sys_getgroups16") ?,
+                             kprobe.function("sys32_getgroups16") ?
 {
 	name = "getgroups"
-	size = $gidsetsize
-	list_uaddr = $grouplist
-	argstr = sprintf("%d, %p", $gidsetsize, $grouplist)
+	// size = $gidsetsize
+	// list_uaddr = $grouplist
+	// argstr = sprintf("%d, %p", $gidsetsize, $grouplist)
+	asmlinkage()
+	size = int_arg(1)
+	list_uaddr = pointer_arg(2)
+	argstr = sprintf("%d, %p", size, list_uaddr)
 }
-probe nd_syscall.getgroups.return = 
-		kernel.function("sys_getgroups").return ?,
-		kernel.function("sys_getgroups16").return ?,
-		kernel.function("sys32_getgroups16").return ?
+probe nd_syscall.getgroups.return = kprobe.function("sys_getgroups").return ?,
+                                    kprobe.function("sys_getgroups16").return ?,
+                                    kprobe.function("sys32_getgroups16").return ?
 {
 	name = "getgroups"
 	retstr = returnstr(1)
@@ -1466,13 +1682,18 @@ probe nd_syscall.getgroups.return =
 
 # gethostname ________________________________________________
 # long sys_gethostname(char __user *name, int len)
-probe nd_syscall.gethostname = kernel.function("sys_gethostname") ? {
+probe nd_syscall.gethostname = kprobe.function("sys_gethostname") ?
+{
 	name = "gethostname"
-	name_uaddr = $name
-	len = $len
+	// name_uaddr = $name
+	// len = $len
+	asmlinkage()
+	name_uaddr = pointer_arg(1)
+	len = int_arg(2)
 	argstr = sprintf ("%p, %d", name_uaddr, len)
 }
-probe nd_syscall.gethostname.return = kernel.function("sys_gethostname").return ? {
+probe nd_syscall.gethostname.return = kprobe.function("sys_gethostname").return ?
+{
 	name = "gethostname"
 	retstr = returnstr(1)
 }
@@ -1480,24 +1701,36 @@ probe nd_syscall.gethostname.return = kernel.function("sys_gethostname").return
 # getitimer __________________________________________________
 # sys_getitimer(int which, struct itimerval __user *value)
 #
-probe nd_syscall.getitimer = kernel.function("sys_getitimer") {
+probe nd_syscall.getitimer = kprobe.function("sys_getitimer")
+{
 	name = "getitimer"
-	which = $which
-	value_uaddr = $value
-	argstr = sprintf("%s, %p", _itimer_which_str($which), $value) 
+	// which = $which
+	// value_uaddr = $value
+	// argstr = sprintf("%s, %p", _itimer_which_str($which), $value) 
+	asmlinkage()
+	which = int_arg(1)
+	value_uaddr = pointer_arg(2)
+	argstr = sprintf("%s, %p", _itimer_which_str(which), value_uaddr ) 
 }
-probe nd_syscall.getitimer.return = kernel.function("sys_getitimer").return {
+probe nd_syscall.getitimer.return = kprobe.function("sys_getitimer").return
+{
 	name = "getitimer"
 	retstr = returnstr(1)
 }
 # long compat_sys_getitimer(int which, struct compat_itimerval __user *it
-probe nd_syscall.compat_getitimer = kernel.function("compat_sys_getitimer") ? {
+probe nd_syscall.compat_getitimer = kprobe.function("compat_sys_getitimer") ?
+{
 	name = "getitimer"
-	which = $which
-	value_uaddr = $it
-	argstr = sprintf("%s, %p", _itimer_which_str($which), $it) 
+	// which = $which
+	// value_uaddr = $it
+	// argstr = sprintf("%s, %p", _itimer_which_str($which), $it) 
+	asmlinkage()
+	which = int_arg(1)
+	value_uaddr = pointer_arg(2)
+	argstr = sprintf("%s, %p", _itimer_which_str(which), value_uaddr) 
 }
-probe nd_syscall.compat_getitimer.return = kernel.function("compat_sys_getitimer").return ? {
+probe nd_syscall.compat_getitimer.return = kprobe.function("compat_sys_getitimer").return ?
+{
 	name = "getitimer"
 	retstr = returnstr(1)
 }
@@ -1513,22 +1746,28 @@ probe nd_syscall.compat_getitimer.return = kernel.function("compat_sys_getitimer
 #		     compat_ulong_t maxnode,
 #		     compat_ulong_t addr, compat_ulong_t flags)
 #
-probe nd_syscall.get_mempolicy = 
-		kernel.function("sys_get_mempolicy") ?,
-		kernel.function("compat_sys_get_mempolicy") ?
+probe nd_syscall.get_mempolicy = kprobe.function("sys_get_mempolicy") ?,
+                                 kprobe.function("compat_sys_get_mempolicy") ?
 {
 	name = "get_mempolicy"
-	policy_uaddr = $policy
-	nmask_uaddr = $nmask
-	maxnode = $maxnode
-	addr = $addr
-	flags = $flags
-	argstr = sprintf("%p, %p, %d, %p, 0x%x", $policy,
-			$nmask, $maxnode, $addr, $flags)
-}
-probe nd_syscall.get_mempolicy.return = 
-	kernel.function("sys_get_mempolicy").return ?,
-	kernel.function("compat_sys_get_mempolicy").return ?
+	// policy_uaddr = $policy
+	// nmask_uaddr = $nmask
+	// maxnode = $maxnode
+	// addr = $addr
+	// flags = $flags
+	// argstr = sprintf("%p, %p, %d, %p, 0x%x", $policy,
+	// 		$nmask, $maxnode, $addr, $flags)
+	asmlinkage()
+	policy_uaddr = pointer_arg(1)
+	nmask_uaddr = pointer_arg(2)
+	maxnode = ulong_arg(3)
+	addr = ulong_arg(4)
+	flags = ulong_arg(5)
+	argstr = sprintf("%p, %p, %d, %p, 0x%x", policy_uaddr,
+			nmask_uaddr, maxnode, addr, flags)
+}
+probe nd_syscall.get_mempolicy.return = kprobe.function("sys_get_mempolicy").return ?,
+                                        kprobe.function("compat_sys_get_mempolicy").return ?
 {
 	name = "get_mempolicy"
 	retstr = returnstr(1)
@@ -1537,72 +1776,95 @@ probe nd_syscall.get_mempolicy.return =
 # getpeername ________________________________________________
 # long sys_getpeername(int fd, struct sockaddr __user *usockaddr, int __user *usockaddr_len)
 #
-probe nd_syscall.getpeername = kernel.function("sys_getpeername") ? {
+probe nd_syscall.getpeername = kprobe.function("sys_getpeername") ?
+{
 	name = "getpeername"
-	s = $fd
-	name_uaddr = $usockaddr
-	namelen_uaddr = $usockaddr_len
-	argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
+	// s = $fd
+	// name_uaddr = $usockaddr
+	// namelen_uaddr = $usockaddr_len
+	// argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
+	asmlinkage()
+	s = int_arg(1)
+	name_uaddr = pointer_arg(2)
+	namelen_uaddr = pointer_arg(3)
+	argstr = sprintf("%d, %p, %p", s, name_uaddr, namelen_uaddr)
 }
-probe nd_syscall.getpeername.return = kernel.function("sys_getpeername").return ? {
+probe nd_syscall.getpeername.return = kprobe.function("sys_getpeername").return ?
+{
 	name = "getpeername"
 	retstr = returnstr(1)
 }
 
 # getpgid ____________________________________________________
 # long sys_getpgid(pid_t pid)
-probe nd_syscall.getpgid = kernel.function("sys_getpgid") {
+probe nd_syscall.getpgid = kprobe.function("sys_getpgid")
+{
 	name = "getpgid"
-	pid = $pid
-	argstr = sprintf("%d", $pid)
+	// pid = $pid
+	// argstr = sprintf("%d", $pid)
+	asmlinkage()
+	pid = int_arg(1)
+	argstr = sprintf("%d", pid)
 }
-probe nd_syscall.getpgid.return = kernel.function("sys_getpgid").return {
+probe nd_syscall.getpgid.return = kprobe.function("sys_getpgid").return
+{
 	name = "getpgid"
 	retstr = returnstr(1)
 }
 
 # getpgrp ____________________________________________________
 # long sys_getpgrp(void)
-probe nd_syscall.getpgrp = kernel.function("sys_getpgrp") ? {
+probe nd_syscall.getpgrp = kprobe.function("sys_getpgrp") ?
+{
 	name = "getpgrp"
 	argstr = ""
 }
-probe nd_syscall.getpgrp.return = kernel.function("sys_getpgrp").return ? {
+probe nd_syscall.getpgrp.return = kprobe.function("sys_getpgrp").return ?
+{
 	name = "getpgrp"
 	retstr = returnstr(1)
 }
 
 # getpid _____________________________________________________
 # long sys_getpid(void)
-probe nd_syscall.getpid = kernel.function("sys_getpid") {
+probe nd_syscall.getpid = kprobe.function("sys_getpid")
+{
 	name = "getpid"
 	argstr = ""
 }
-probe nd_syscall.getpid.return = kernel.function("sys_getpid").return {
+probe nd_syscall.getpid.return = kprobe.function("sys_getpid").return
+{
 	name = "getpid"
 	retstr = returnstr(1)
 }
 
 # getppid ____________________________________________________
 # long sys_getppid(void)
-probe nd_syscall.getppid = kernel.function("sys_getppid") {
+probe nd_syscall.getppid = kprobe.function("sys_getppid")
+{
 	name = "getppid"
 	argstr = ""
 }
-probe nd_syscall.getppid.return = kernel.function("sys_getppid").return {
+probe nd_syscall.getppid.return = kprobe.function("sys_getppid").return
+{
 	name = "getppid"
 	retstr = returnstr(1)
 }
 
 # getpriority ________________________________________________
 # long sys_getpriority(int which, int who)
-probe nd_syscall.getpriority = kernel.function("sys_getpriority") {
+probe nd_syscall.getpriority = kprobe.function("sys_getpriority")
+{
 	name = "getpriority"
-	which = $which
-	who = $who
+	// which = $which
+	// who = $who
+	asmlinkage()
+	which = int_arg(1)
+	who = int_arg(2)
 	argstr = sprintf("%s, %d", _priority_which_str(which), who)
 }
-probe nd_syscall.getpriority.return = kernel.function("sys_getpriority").return {
+probe nd_syscall.getpriority.return = kprobe.function("sys_getpriority").return
+{
 	name = "getpriority"
 	retstr = returnstr(1)
 }
@@ -1614,19 +1876,22 @@ probe nd_syscall.getpriority.return = kernel.function("sys_getpriority").return
 # long sys_getresgid16(old_uid_t __user *rgid,
 #                 old_uid_t __user *egid,
 #                 old_uid_t __user *sgid)
-probe nd_syscall.getresgid =
-		kernel.function("sys_getresgid16") ?,
-		kernel.function("sys_getresgid") 
+probe nd_syscall.getresgid = kprobe.function("sys_getresgid16") ?,
+                             kprobe.function("sys_getresgid") 
 {
 	name = "getresgid"
-	rgid_uaddr = $rgid
-	egid_uaddr = $egid
-	sgid_uaddr = $sgid
-	argstr = sprintf("%p, %p, %p", $rgid, $egid, $sgid)
+	// rgid_uaddr = $rgid
+	// egid_uaddr = $egid
+	// sgid_uaddr = $sgid
+	// argstr = sprintf("%p, %p, %p", $rgid, $egid, $sgid)
+	asmlinkage()
+	rgid_uaddr = pointer_arg(1)
+	egid_uaddr = pointer_arg(2)
+	sgid_uaddr = pointer_arg(3)
+	argstr = sprintf("%p, %p, %p", rgid_uaddr, egid_uaddr, sgid_uaddr)
 }
-probe nd_syscall.getresgid.return =
-		kernel.function("sys_getresgid16").return ?,
-		kernel.function("sys_getresgid").return
+probe nd_syscall.getresgid.return = kprobe.function("sys_getresgid16").return ?,
+                                    kprobe.function("sys_getresgid").return
 {
 	name = "getresgid"
 	retstr = returnstr(1)
@@ -1636,19 +1901,22 @@ probe nd_syscall.getresgid.return =
 # long sys_getresuid(uid_t __user *ruid, 
 #		uid_t __user *euid,
 #		uid_t __user *suid)
-probe nd_syscall.getresuid = 
-		kernel.function("sys_getresuid16") ?,
-		kernel.function("sys_getresuid")
+probe nd_syscall.getresuid = kprobe.function("sys_getresuid16") ?,
+                             kprobe.function("sys_getresuid")
 {
 	name = "getresuid"
-	ruid_uaddr = $ruid
-	euid_uaddr = $euid
-	suid_uaddr = $suid
-	argstr = sprintf("%p, %p, %p", $ruid, $euid, $suid)
+	// ruid_uaddr = $ruid
+	// euid_uaddr = $euid
+	// suid_uaddr = $suid
+	// argstr = sprintf("%p, %p, %p", $ruid, $euid, $suid)
+	asmlinkage()
+	ruid_uaddr = pointer_arg(1)
+	euid_uaddr = pointer_arg(2)
+	suid_uaddr = pointer_arg(3)
+	argstr = sprintf("%p, %p, %p", ruid_uaddr, euid_uaddr, suid_uaddr)
 }
-probe nd_syscall.getresuid.return =
-		kernel.function("sys_getresuid16").return ?,
-		kernel.function("sys_getresuid").return 
+probe nd_syscall.getresuid.return = kprobe.function("sys_getresuid16").return ?,
+                                    kprobe.function("sys_getresuid").return 
 {
 	name = "getresuid"
 	retstr = returnstr(1)
@@ -1658,18 +1926,22 @@ probe nd_syscall.getresuid.return =
 # long sys_getrlimit(unsigned int resource, struct rlimit __user *rlim)
 # long sys_old_getrlimit(unsigned int resource, struct rlimit __user *rlim)
 # long compat_sys_getrlimit (unsigned int resource, struct compat_rlimit __user *rlim)
-probe nd_syscall.getrlimit = kernel.function("sys_getrlimit"),
-                          kernel.function("sys_old_getrlimit") ?,
-                          kernel.function("compat_sys_getrlimit") ?
+probe nd_syscall.getrlimit = kprobe.function("sys_getrlimit"),
+                             kprobe.function("sys_old_getrlimit") ?,
+                             kprobe.function("compat_sys_getrlimit") ?
 {
 	name = "getrlimit"
-	resource = $resource
-	rlim_uaddr = $rlim
-	argstr = sprintf("%s, %p", _rlimit_resource_str($resource), $rlim)
+	// resource = $resource
+	// rlim_uaddr = $rlim
+	// argstr = sprintf("%s, %p", _rlimit_resource_str($resource), $rlim)
+	asmlinkage()
+	resource = uint_arg(1)
+	rlim_uaddr = pointer_arg(2)
+	argstr = sprintf("%s, %p", _rlimit_resource_str(resource), rlim_uaddr)
 }
-probe nd_syscall.getrlimit.return = kernel.function("sys_getrlimit").return,
-                                 kernel.function("sys_old_getrlimit").return ?,
-	                         kernel.function("compat_sys_getrlimit").return ?
+probe nd_syscall.getrlimit.return = kprobe.function("sys_getrlimit").return,
+                                    kprobe.function("sys_old_getrlimit").return ?,
+                                    kprobe.function("compat_sys_getrlimit").return ?
 {
 	name = "getrlimit"
 	retstr = returnstr(1)
@@ -1677,7 +1949,8 @@ probe nd_syscall.getrlimit.return = kernel.function("sys_getrlimit").return,
 
 # getrusage __________________________________________________
 # long sys_getrusage(int who, struct rusage __user *ru)
-probe nd_syscall.getrusage = kernel.function("sys_getrusage") {
+probe nd_syscall.getrusage = kprobe.function("sys_getrusage")
+{
 	name = "getrusage"
 	// who = $who
 	// if($who==-2)
@@ -1704,19 +1977,24 @@ probe nd_syscall.getrusage = kernel.function("sys_getrusage") {
 	usage_uaddr = pointer_arg(2)
 	argstr = sprintf("%s, %p", who_str, usage_uaddr)
 }
-probe nd_syscall.getrusage.return = kernel.function("sys_getrusage").return {
+probe nd_syscall.getrusage.return = kprobe.function("sys_getrusage").return
+{
 	name = "getrusage"
 	retstr = returnstr(1)
 }
 
 # getsid _____________________________________________________
 # long sys_getsid(pid_t pid)
-probe nd_syscall.getsid = kernel.function("sys_getsid") {
+probe nd_syscall.getsid = kprobe.function("sys_getsid")
+{
 	name = "getsid"
-	pid = $pid
+	// pid = $pid
+	asmlinkage()
+	pid = int_arg(1)
 	argstr = sprint(pid)
 }
-probe nd_syscall.getsid.return = kernel.function("sys_getsid").return {
+probe nd_syscall.getsid.return = kprobe.function("sys_getsid").return
+{
 	name = "getsid"
 	retstr = returnstr(1)
 }
@@ -1725,14 +2003,21 @@ probe nd_syscall.getsid.return = kernel.function("sys_getsid").return {
 # long sys_getsockname(int fd,
 #		struct sockaddr __user *usockaddr,
 #		int __user *usockaddr_len)
-probe nd_syscall.getsockname = kernel.function("sys_getsockname") ? {
+probe nd_syscall.getsockname = kprobe.function("sys_getsockname") ?
+{
 	name = "getsockname"
-	s = $fd
-	name_uaddr = $usockaddr
-	namelen_uaddr = $usockaddr_len
-	argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
+	// s = $fd
+	// name_uaddr = $usockaddr
+	// namelen_uaddr = $usockaddr_len
+	// argstr = sprintf("%d, %p, %p", $fd, $usockaddr, $usockaddr_len)
+	asmlinkage()
+	s = int_arg(1)
+	name_uaddr = pointer_arg(2)
+	namelen_uaddr = pointer_arg(3)
+	argstr = sprintf("%d, %p, %p", s, name_uaddr, namelen_uaddr)
 }
-probe nd_syscall.getsockname.return = kernel.function("sys_getsockname").return ? {
+probe nd_syscall.getsockname.return = kprobe.function("sys_getsockname").return ?
+{
 	name = "getsockname"
 	retstr = returnstr(1)
 }
@@ -1744,24 +2029,32 @@ probe nd_syscall.getsockname.return = kernel.function("sys_getsockname").return
 #                char __user *optval,
 #                int __user *optlen)
 #
-probe nd_syscall.getsockopt = 
-		kernel.function("sys_getsockopt") ?,
-		kernel.function("compat_sys_getsockopt") ?
+probe nd_syscall.getsockopt = kprobe.function("sys_getsockopt") ?,
+                              kprobe.function("compat_sys_getsockopt") ?
 {
 	name = "getsockopt"
-	fd = $fd
-	level = $level
-	level_str = _sockopt_level_str($level)
-	optname = $optname
-	optname_str = _sockopt_optname_str($optname)
-	optval_uaddr = $optval
-	optlen_uaddr = $optlen
-	argstr = sprintf("%d, %s, %s, %p, %p", $fd,  _sockopt_level_str($level),
-			_sockopt_optname_str($optname), $optval, $optlen)
-}
-probe nd_syscall.getsockopt.return =
-		kernel.function("sys_getsockopt").return ?,
-		kernel.function("compat_sys_getsockopt").return ? 
+	// fd = $fd
+	// level = $level
+	// level_str = _sockopt_level_str($level)
+	// optname = $optname
+	// optname_str = _sockopt_optname_str($optname)
+	// optval_uaddr = $optval
+	// optlen_uaddr = $optlen
+	// argstr = sprintf("%d, %s, %s, %p, %p", $fd,  _sockopt_level_str($level),
+	// 		_sockopt_optname_str($optname), $optval, $optlen)
+	asmlinkage()
+	fd = int_arg(1)
+	level = int_arg(2)
+	level_str = _sockopt_level_str(level)
+	optname = int_arg(3)
+	optname_str = _sockopt_optname_str(optname)
+	optval_uaddr = pointer_arg(4)
+	optlen_uaddr = pointer_arg(5)
+	argstr = sprintf("%d, %s, %s, %p, %p", fd,  _sockopt_level_str(level),
+			_sockopt_optname_str(optname), optval_uaddr, optlen_uaddr)
+}
+probe nd_syscall.getsockopt.return = kprobe.function("sys_getsockopt").return ?,
+                                     kprobe.function("compat_sys_getsockopt").return ? 
 {
 	name = "getsockopt"
 	retstr = returnstr(1)
@@ -1769,11 +2062,13 @@ probe nd_syscall.getsockopt.return =
 
 # gettid _____________________________________________________
 # long sys_gettid(void)
-probe nd_syscall.gettid = kernel.function("sys_gettid") {
+probe nd_syscall.gettid = kprobe.function("sys_gettid")
+{
 	name = "gettid"
 	argstr = ""
 }
-probe nd_syscall.gettid.return = kernel.function("sys_gettid").return {
+probe nd_syscall.gettid.return = kprobe.function("sys_gettid").return
+{
 	name = "gettid"
 	retstr = returnstr(1)
 }
@@ -1785,21 +2080,23 @@ probe nd_syscall.gettid.return = kernel.function("sys_gettid").return {
 #	struct timezone __user *tz)
 # long compat_sys_gettimeofday(struct compat_timeval __user *tv,
 #	struct timezone __user *tz)
-probe nd_syscall.gettimeofday = 
-		kernel.function("sys_gettimeofday"),
-		kernel.function("sys32_gettimeofday") ?,
-		kernel.function("compat_sys_gettimeofday") ?
+probe nd_syscall.gettimeofday = kprobe.function("sys_gettimeofday"),
+                                kprobe.function("sys32_gettimeofday") ?,
+                                kprobe.function("compat_sys_gettimeofday") ?
 {
 	name = "gettimeofday"
-	tv_uaddr = $tv
-	tz_uaddr = $tz
-	argstr = sprintf("%p, %p", $tv, $tz)
+	// tv_uaddr = $tv
+	// tz_uaddr = $tz
+	// argstr = sprintf("%p, %p", $tv, $tz)
+	asmlinkage()
+	tv_uaddr = pointer_arg(1)
+	tz_uaddr = pointer_arg(2)
+	argstr = sprintf("%p, %p", tv_uaddr, tz_uaddr)
 }
 
-probe nd_syscall.gettimeofday.return = 
-		kernel.function("sys_gettimeofday").return,
-		kernel.function("sys32_gettimeofday").return ?,
-		kernel.function("compat_sys_gettimeofday").return ?
+probe nd_syscall.gettimeofday.return = kprobe.function("sys_gettimeofday").return,
+                                       kprobe.function("sys32_gettimeofday").return ?,
+                                       kprobe.function("compat_sys_gettimeofday").return ?
 {
 	name = "gettimeofday"
 	retstr = returnstr(1)
@@ -1810,18 +2107,16 @@ probe nd_syscall.gettimeofday.return =
 # long sys_getuid16(void)
 # long sys32_getuid16(void)
 #
-probe nd_syscall.getuid =
-		kernel.function("sys_getuid16") ?,
-		kernel.function("sys32_getuid16") ?,
-		kernel.function("sys_getuid")
+probe nd_syscall.getuid = kprobe.function("sys_getuid16") ?,
+                          kprobe.function("sys32_getuid16") ?,
+                          kprobe.function("sys_getuid")
 {
 	name = "getuid"
 	argstr = ""
 }
-probe nd_syscall.getuid.return =
-		kernel.function("sys_getuid16").return ?,
-		kernel.function("sys32_getuid16").return ?,
-		kernel.function("sys_getuid").return
+probe nd_syscall.getuid.return = kprobe.function("sys_getuid16").return ?,
+                                 kprobe.function("sys32_getuid16").return ?,
+                                 kprobe.function("sys_getuid").return
 {
 	name = "getuid"
 	retstr = returnstr(1)
@@ -1830,19 +2125,38 @@ probe nd_syscall.getuid.return =
 # getxattr ___________________________________________________
 # ssize_t sys_getxattr(char __user *path, char __user *name,
 #		void __user *value, size_t size)
-probe nd_syscall.getxattr = kernel.function("sys_getxattr") {
+probe nd_syscall.getxattr = kprobe.function("sys_getxattr")
+{
 	name = "getxattr"
-	path = user_string($path)
+	// %( kernel_v >= "2.6.27" %?
+	// 	path = user_string($pathname)
+	// %:
+	// 	path = user_string($path)
+	// %)
+	// 	name2 = user_string($name)
+	// 	value_uaddr = $value
+	// 	size = $size
+	// 	argstr = sprintf("%s, %s, %p, %d", 
+	// %( kernel_v >= "2.6.27" %?
+	// 		user_string_quoted($pathname), 
+	// %:
+	// 		user_string_quoted($path), 
+	// %)
+	// 		user_string_quoted($name),
+	// 		value_uaddr, size)
+	asmlinkage()
+	path = pointer_arg(1)
 	# FIXME
-	name2 = user_string($name)
-	value_uaddr = $value
-	size = $size
+	name2 = user_string(pointer_arg(2))
+	value_uaddr = pointer_arg(3)
+	size = ulong_arg(4)
 	argstr = sprintf("%s, %s, %p, %d", 
-		user_string_quoted($path), 
-		user_string_quoted($name),
+		user_string_quoted(path), 
+		user_string_quoted(pointer_arg(2)),
 		value_uaddr, size)
 }
-probe nd_syscall.getxattr.return = kernel.function("sys_getxattr").return {
+probe nd_syscall.getxattr.return = kprobe.function("sys_getxattr").return
+{
 	name = "getxattr"
 	retstr = returnstr(1)
 }
@@ -1852,14 +2166,21 @@ probe nd_syscall.getxattr.return = kernel.function("sys_getxattr").return {
 #		unsigned long len,
 #		const char __user *uargs)
 #
-probe nd_syscall.init_module = kernel.function("sys_init_module") ? {
+probe nd_syscall.init_module = kprobe.function("sys_init_module") ?
+{
 	name = "init_module"
-	umod_uaddr = $umod
-	len = $len
-	uargs = user_string($uargs)
-	argstr = sprintf("%p, %d, %s", $umod, $len, user_string_quoted($uargs))
+	// umod_uaddr = $umod
+	// len = $len
+	// uargs = user_string($uargs)
+	// argstr = sprintf("%p, %d, %s", $umod, $len, user_string_quoted($uargs))
+	asmlinkage()
+	umod_uaddr = pointer_arg(1)
+	len = ulong_arg(2)
+	uargs = user_string(pointer_arg(3))
+	argstr = sprintf("%p, %d, %s", umod_uaddr, len, user_string_quoted(pointer_arg(4)))
 }
-probe nd_syscall.init_module.return = kernel.function("sys_init_module").return ? {
+probe nd_syscall.init_module.return = kprobe.function("sys_init_module").return ?
+{
 	name = "init_module"
 	retstr = returnstr(1)
 }
@@ -1868,15 +2189,29 @@ probe nd_syscall.init_module.return = kernel.function("sys_init_module").return
 #
 # long sys_inotify_add_watch(int fd, const char __user *path, u32 mask)
 #
-probe nd_syscall.inotify_add_watch = kernel.function("sys_inotify_add_watch") ? {
+probe nd_syscall.inotify_add_watch = kprobe.function("sys_inotify_add_watch") ?
+{
 	name = "inotify_add_watch"
-	fd = $fd
-	path_uaddr = $path
-	path = user_string($path)
-	mask = $mask
-	argstr = sprintf("%d, %s, %d", $fd, user_string_quoted($path), $mask)
+	// 	fd = $fd
+	// 	mask = $mask
+	// %( kernel_v >= "2.6.27" %?
+	// 	path_uaddr = $pathname
+	// 	path = user_string($pathname)
+	// 	argstr = sprintf("%d, %s, %d", $fd, user_string_quoted($pathname), $mask)
+	// %:
+	// 	path_uaddr = $path
+	// 	path = user_string($path)
+	// 	argstr = sprintf("%d, %s, %d", $fd, user_string_quoted($path), $mask)
+	// %)
+	asmlinkage()
+	fd = int_arg(1)
+	path_uaddr = pointer_arg(2)
+	path = user_string(path_uaddr)
+	mask = uint_arg(3)
+	argstr = sprintf("%d, %s, %d", fd, user_string_quoted(path_uaddr), mask)
 }
-probe nd_syscall.inotify_add_watch.return = kernel.function("sys_inotify_add_watch").return ? {
+probe nd_syscall.inotify_add_watch.return = kprobe.function("sys_inotify_add_watch").return ?
+{
 	name = "inotify_add_watch"
 	retstr = returnstr(1)
 }
@@ -1885,11 +2220,13 @@ probe nd_syscall.inotify_add_watch.return = kernel.function("sys_inotify_add_wat
 #
 # long sys_inotify_init(void)
 #
-probe nd_syscall.inotify_init = kernel.function("sys_inotify_init") ? {
+probe nd_syscall.inotify_init = kprobe.function("sys_inotify_init") ?
+{
 	name = "inotify_init"
 	argstr = ""
 }
-probe nd_syscall.inotify_init.return = kernel.function("sys_inotify_init").return ? {
+probe nd_syscall.inotify_init.return = kprobe.function("sys_inotify_init").return ?
+{
 	name = "inotify_init"
 	retstr = returnstr(1)
 }
@@ -1898,13 +2235,19 @@ probe nd_syscall.inotify_init.return = kernel.function("sys_inotify_init").retur
 #
 # long sys_inotify_rm_watch(int fd, u32 wd)
 #
-probe nd_syscall.inotify_rm_watch = kernel.function("sys_inotify_rm_watch") ? {
+probe nd_syscall.inotify_rm_watch = kprobe.function("sys_inotify_rm_watch") ?
+{
 	name = "inotify_rm_watch"
-	fd = $fd
-	wd = $wd
-	argstr = sprintf("%d, %d", $fd, $wd)
+	// fd = $fd
+	// wd = $wd
+	// argstr = sprintf("%d, %d", $fd, $wd)
+	asmlinkage()
+	fd = int_arg(1)
+	wd = uint_arg(2)
+	argstr = sprintf("%d, %d", fd, wd)
 }
-probe nd_syscall.inotify_rm_watch.return = kernel.function("sys_inotify_rm_watch").return ? {
+probe nd_syscall.inotify_rm_watch.return = kprobe.function("sys_inotify_rm_watch").return ?
+{
 	name = "inotify_rm_watch"
 	retstr = returnstr(1)
 }
@@ -1913,14 +2256,20 @@ probe nd_syscall.inotify_rm_watch.return = kernel.function("sys_inotify_rm_watch
 # long sys_io_cancel(aio_context_t ctx_id,
 #		struct iocb __user *iocb,
 #		struct io_event __user *result)
-probe nd_syscall.io_cancel = kernel.function("sys_io_cancel") {
+probe nd_syscall.io_cancel = kprobe.function("sys_io_cancel")
+{
 	name = "io_cancel"
-	ctx_id = $ctx_id
-	iocb_uaddr = $iocb
-	result_uaddr = $result
+	// ctx_id = $ctx_id
+	// iocb_uaddr = $iocb
+	// result_uaddr = $result
+	asmlinkage()
+	ctx_id = ulong_arg(1)
+	iocb_uaddr = pointer_arg(2)
+	result_uaddr = pointer_arg(3)
 	argstr = sprintf("%d, %p, %p", ctx_id, iocb_uaddr, result_uaddr)	
 }
-probe nd_syscall.io_cancel.return = kernel.function("sys_io_cancel").return {
+probe nd_syscall.io_cancel.return = kprobe.function("sys_io_cancel").return
+{
 	name = "io_cancel"
 	retstr = returnstr(1)
 }
@@ -1929,19 +2278,22 @@ probe nd_syscall.io_cancel.return = kernel.function("sys_io_cancel").return {
 # long sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
 # long compat_sys_ioctl(unsigned int fd, unsigned int cmd, unsigned long arg)
 #
-probe nd_syscall.ioctl =
-		kernel.function("sys_ioctl") ?,
-		kernel.function("compat_sys_ioctl") ?
+probe nd_syscall.ioctl = kprobe.function("sys_ioctl") ?,
+                         kprobe.function("compat_sys_ioctl") ?
 {
 	name = "ioctl"
-	fd = $fd
-	request = $cmd
-	argp = $arg
-	argstr = sprintf("%d, %d, %p", $fd, $cmd, $arg)
+	// fd = $fd
+	// request = $cmd
+	// argp = $arg
+	// argstr = sprintf("%d, %d, %p", $fd, $cmd, $arg)
+	asmlinkage()
+	fd = int_arg(1)
+	request = int_arg(2)
+	argp = ulong_arg(3)
+	argstr = sprintf("%d, %d, %p", fd, request, argp)
 }
-probe nd_syscall.ioctl.return =
-		kernel.function("sys_ioctl").return ?,
-		kernel.function("compat_sys_ioctl").return ?
+probe nd_syscall.ioctl.return = kprobe.function("sys_ioctl").return ?,
+                                kprobe.function("compat_sys_ioctl").return ?
 {
 	name = "ioctl"
 	retstr = returnstr(1)
@@ -1949,12 +2301,16 @@ probe nd_syscall.ioctl.return =
 
 # io_destroy _________________________________________________
 # long sys_io_destroy(aio_context_t ctx)
-probe nd_syscall.io_destroy = kernel.function("sys_io_destroy") {
+probe nd_syscall.io_destroy = kprobe.function("sys_io_destroy")
+{
 	name = "io_destroy"
-	ctx = $ctx
+	// ctx = $ctx
+	asmlinkage()
+	ctx = ulong_arg(1)
 	argstr = sprintf("%d", ctx)
 }
-probe nd_syscall.io_destroy.return = kernel.function("sys_io_destroy").return {
+probe nd_syscall.io_destroy.return = kprobe.function("sys_io_destroy").return
+{
 	name = "io_destroy"
 	retstr = returnstr(1)
 }
@@ -1971,23 +2327,30 @@ probe nd_syscall.io_destroy.return = kernel.function("sys_io_destroy").return {
 #		 struct io_event __user *events,
 #		 struct compat_timespec __user *timeout)
 #
-probe nd_syscall.io_getevents =
-		kernel.function("sys_io_getevents") ?,
-		kernel.function("compat_sys_io_getevents") ?
+probe nd_syscall.io_getevents = kprobe.function("sys_io_getevents") ?,
+                                kprobe.function("compat_sys_io_getevents") ?
 {
 	name = "io_getevents"
-	ctx_id = $ctx_id
-	min_nr = $min_nr
-	nr = $nr
-	events_uaddr = $events
-	timeout_uaddr = $timeout
-	timestr = _struct_timespec_u($timeout,1)
-	argstr = sprintf("%d, %d, %d, %p, %p, %s", $ctx_id, $min_nr,
-		$nr, $events, $timeout, timestr)
-}
-probe nd_syscall.io_getevents.return =
-		kernel.function("sys_io_getevents").return ?,
-		kernel.function("compat_sys_io_getevents").return ?
+	// ctx_id = $ctx_id
+	// min_nr = $min_nr
+	// nr = $nr
+	// events_uaddr = $events
+	// timeout_uaddr = $timeout
+	// timestr = _struct_timespec_u($timeout, 1)
+	// argstr = sprintf("%d, %d, %d, %p, %p, %s", $ctx_id, $min_nr,
+	// 	$nr, $events, $timeout, timestr)
+	asmlinkage()
+	ctx_id = ulong_arg(1)
+	min_nr = long_arg(2)
+	nr = long_arg(3)
+	events_uaddr = pointer_arg(4)
+	timeout_uaddr = pointer_arg(5)
+	timestr = _struct_timespec_u(timeout_uaddr, 1)
+	argstr = sprintf("%d, %d, %d, %p, %p, %s", ctx_id, min_nr,
+		nr, events_uaddr, timeout_uaddr, timestr)
+}
+probe nd_syscall.io_getevents.return = kprobe.function("sys_io_getevents").return ?,
+                                       kprobe.function("compat_sys_io_getevents").return ?
 {
 	name = "io_getevents"
 	retstr = returnstr(1)
@@ -1996,14 +2359,21 @@ probe nd_syscall.io_getevents.return =
 # ioperm _____________________________________________________
 # long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
 #
-probe nd_syscall.ioperm = kernel.function("sys_ioperm") ? {
+probe nd_syscall.ioperm = kprobe.function("sys_ioperm") ?
+{
 	name = "ioperm"
-	from = $from
-	num = $num
-	turn_on = $turn_on
-	argstr = sprintf("%d, %d, %d", $from, $num, $turn_on)
+	// from = $from
+	// num = $num
+	// turn_on = $turn_on
+	// argstr = sprintf("%d, %d, %d", $from, $num, $turn_on)
+	asmlinkage()
+	from = ulong_arg(1)
+	num = ulong_arg(2)
+	turn_on = int_arg(3)
+	argstr = sprintf("%d, %d, %d", from, num, turn_on)
 }
-probe nd_syscall.ioperm.return = kernel.function("sys_ioperm").return ? {
+probe nd_syscall.ioperm.return = kprobe.function("sys_ioperm").return ?
+{
 	name = "ioperm"
 	retstr = returnstr(1)
 }
@@ -2011,27 +2381,39 @@ probe nd_syscall.ioperm.return = kernel.function("sys_ioperm").return ? {
 # io_setup ___________________________________________________
 # long sys_io_setup(unsigned nr_events, aio_context_t __user *ctxp)
 # 
-probe nd_syscall.io_setup = kernel.function("sys_io_setup") {
+probe nd_syscall.io_setup = kprobe.function("sys_io_setup")
+{
 	name = "io_setup"
-	maxevents = $nr_events
-	ctxp_uaddr = $ctxp
-	argstr = sprintf("%d, %p", $nr_events, $ctxp)
+	// maxevents = $nr_events
+	// ctxp_uaddr = $ctxp
+	// argstr = sprintf("%d, %p", $nr_events, $ctxp)
+	asmlinkage()
+	maxevents = uint_arg(1)
+	ctxp_uaddr = pointer_arg(2)
+	argstr = sprintf("%d, %p", maxevents, ctxp_uaddr)
 }
 
-probe nd_syscall.io_setup.return = kernel.function("sys_io_setup").return {
+probe nd_syscall.io_setup.return = kprobe.function("sys_io_setup").return
+{
 	name = "io_setup"
 	retstr = returnstr(1)
 }
 # long compat_sys_io_setup(unsigned nr_reqs, u32 __user *ctx32p)
 #
-probe nd_syscall.compat_io_setup = kernel.function("compat_sys_io_setup") ? {
+probe nd_syscall.compat_io_setup = kprobe.function("compat_sys_io_setup") ?
+{
 	name = "io_setup"
-	maxevents = $nr_reqs
-	ctxp_uaddr = $ctx32p
-	argstr = sprintf("%d, %p", $nr_reqs, $ctx32p)
+	// maxevents = $nr_reqs
+	// ctxp_uaddr = $ctx32p
+	// argstr = sprintf("%d, %p", $nr_reqs, $ctx32p)
+	asmlinkage()
+	maxevents = uint_arg(1)
+	ctxp_uaddr = pointer_arg(2)
+	argstr = sprintf("%d, %p", maxevents, ctxp_uaddr)
 }
 
-probe nd_syscall.compat_io_setup.return = kernel.function("compat_sys_io_setup").return ? {
+probe nd_syscall.compat_io_setup.return = kprobe.function("compat_sys_io_setup").return ?
+{
 	name = "io_setup"
 	retstr = returnstr(1)
 }
@@ -2039,27 +2421,41 @@ probe nd_syscall.compat_io_setup.return = kernel.function("compat_sys_io_setup")
 # io_submit __________________________________________________
 # long sys_io_submit(aio_context_t ctx_id, long nr, struct iocb __user * __user *iocbpp)
 #
-probe nd_syscall.io_submit = kernel.function("sys_io_submit") {
+probe nd_syscall.io_submit = kprobe.function("sys_io_submit")
+{
 	name = "io_submit"
-	ctx_id = $ctx_id
-	nr = $nr
-	iocbpp_uaddr = $iocbpp
-	argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocbpp)
+	// ctx_id = $ctx_id
+	// nr = $nr
+	// iocbpp_uaddr = $iocbpp
+	// argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocbpp)
+	asmlinkage()
+	ctx_id = ulong_arg(1)
+	nr = long_arg(2)
+	iocbpp_uaddr = pointer_arg(3)
+	argstr = sprintf("%d, %d, %p", ctx_id, nr, iocbpp_uaddr)
 }
-probe nd_syscall.io_submit.return = kernel.function("sys_io_submit").return {
+probe nd_syscall.io_submit.return = kprobe.function("sys_io_submit").return
+{
 	name = "io_submit"
 	retstr = returnstr(1)
 }
 # long compat_sys_io_submit(aio_context_t ctx_id, int nr, u32 __user *iocb)
 #
-probe nd_syscall.compat_io_submit = kernel.function("compat_sys_io_submit") ? {
+probe nd_syscall.compat_io_submit = kprobe.function("compat_sys_io_submit") ?
+{
 	name = "io_submit"
-	ctx_id = $ctx_id
-	nr = $nr
-	iocbpp_uaddr = $iocb
-	argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocb)
+	// ctx_id = $ctx_id
+	// nr = $nr
+	// iocbpp_uaddr = $iocb
+	// argstr = sprintf("%d, %d, %p", $ctx_id, $nr, $iocb)
+	asmlinkage()
+	ctx_id = ulong_arg(1)
+	nr = int_arg(2)
+	iocbpp_uaddr = pointer_arg(3)
+	argstr = sprintf("%d, %d, %p", ctx_id, nr, iocbpp_uaddr)
 }
-probe nd_syscall.compat_io_submit.return = kernel.function("compat_sys_io_submit").return ? {
+probe nd_syscall.compat_io_submit.return = kprobe.function("compat_sys_io_submit").return ?
+{
 	name = "io_submit"
 	retstr = returnstr(1)
 }
@@ -2067,13 +2463,19 @@ probe nd_syscall.compat_io_submit.return = kernel.function("compat_sys_io_submit
 # ioprio_get _________________________________________________
 # long sys_ioprio_get(int which, int who)
 #
-probe nd_syscall.ioprio_get = kernel.function("sys_ioprio_get") ? {
+probe nd_syscall.ioprio_get = kprobe.function("sys_ioprio_get") ?
+{
 	name = "ioprio_get"
-	which = $which
-	who = $who
-	argstr = sprintf("%d, %d", $which, $who)
+	// which = $which
+	// who = $who
+	// argstr = sprintf("%d, %d", $which, $who)
+	asmlinkage()
+	which = int_arg(1)
+	who = int_arg(2)
+	argstr = sprintf("%d, %d", which, who)
 }
-probe nd_syscall.ioprio_get.return = kernel.function("sys_ioprio_get").return ? {
+probe nd_syscall.ioprio_get.return = kprobe.function("sys_ioprio_get").return ?
+{
 	name = "ioprio_get"
 	retstr = returnstr(1)
 }
@@ -2081,14 +2483,21 @@ probe nd_syscall.ioprio_get.return = kernel.function("sys_ioprio_get").return ?
 # ioprio_set _________________________________________________
 # long sys_ioprio_set(int which, int who, int ioprio)
 #
-probe nd_syscall.ioprio_set = kernel.function("sys_ioprio_set") ? {
+probe nd_syscall.ioprio_set = kprobe.function("sys_ioprio_set") ?
+{
 	name = "ioprio_set"
-	which = $which
-	who = $who
-	ioprio = $ioprio
-	argstr = sprintf("%d, %d, %d", $which, $who, $ioprio)
+	// which = $which
+	// who = $who
+	// ioprio = $ioprio
+	// argstr = sprintf("%d, %d, %d", $which, $who, $ioprio)
+	asmlinkage()
+	which = int_arg(1)
+	who = int_arg(2)
+	ioprio = int_arg(3)
+	argstr = sprintf("%d, %d, %d", which, who, ioprio)
 }
-probe nd_syscall.ioprio_set.return = kernel.function("sys_ioprio_set").return ? {
+probe nd_syscall.ioprio_set.return = kprobe.function("sys_ioprio_set").return ?
+{
 	name = "ioprio_set"
 	retstr = returnstr(1)
 }
@@ -2103,20 +2512,24 @@ probe nd_syscall.ioprio_set.return = kernel.function("sys_ioprio_set").return ?
 #		struct compat_kexec_segment __user *segments,
 #		unsigned long flags)
 #
-probe nd_syscall.kexec_load = 
-		kernel.function("sys_kexec_load") ?,
-		kernel.function("compat_sys_kexec_load") ?
+probe nd_syscall.kexec_load = kprobe.function("sys_kexec_load") ?,
+                              kprobe.function("compat_sys_kexec_load") ?
 {
 	name = "kexec_load"
-	entry = $entry
-	nr_segments = $nr_segments
-	segments_uaddr = $segments
-	flags = $flags
-	argstr = sprintf("%p, %d, %p, %d", $entry, $nr_segments, $segments, $flags)
+	// entry = $entry
+	// nr_segments = $nr_segments
+	// segments_uaddr = $segments
+	// flags = $flags
+	// argstr = sprintf("%p, %d, %p, %d", $entry, $nr_segments, $segments, $flags)
+	asmlinkage()
+	entry = ulong_arg(1)
+	nr_segments = ulong_arg(2)
+	segments_uaddr = pointer_arg(3)
+	flags = ulong_arg(4)
+	argstr = sprintf("%p, %d, %p, %d", entry, nr_segments, segments_uaddr, flags)
 }
-probe nd_syscall.kexec_load.return = 
-		kernel.function("sys_kexec_load").return ?,
-		kernel.function("compat_sys_kexec_load").return ?
+probe nd_syscall.kexec_load.return = kprobe.function("sys_kexec_load").return ?,
+                                     kprobe.function("compat_sys_kexec_load").return ?
 {
 	name = "kexec_load"
 	retstr = returnstr(1)	
@@ -2130,17 +2543,17 @@ probe nd_syscall.kexec_load.return =
 #            unsigned long arg5)
 # long compat_sys_keyctl(u32 option, u32 arg2, u32 arg3, u32 arg4, u32 arg5)
 #
-probe nd_syscall.keyctl =
-		kernel.function("sys_keyctl") ?,
-		kernel.function("compat_sys_keyctl") ?
+probe nd_syscall.keyctl = kprobe.function("sys_keyctl") ?,
+                          kprobe.function("compat_sys_keyctl") ?
 {
 	name = "keyctl"
-	argstr = sprintf("%d, ...", $option)
+	// argstr = sprintf("%d, ...", $option)
+	asmlinkage()
+	argstr = sprintf("%d, ...", uint_arg(1))
 
 }
-probe nd_syscall.keyctl.return =
-		kernel.function("sys_keyctl").return ?,
-		kernel.function("compat_sys_keyctl").return ?
+probe nd_syscall.keyctl.return = kprobe.function("sys_keyctl").return ?,
+                                 kprobe.function("compat_sys_keyctl").return ?
 {
 	name = "keyctl"
 	retstr = returnstr(1)
@@ -2148,13 +2561,19 @@ probe nd_syscall.keyctl.return =
 
 # kill _______________________________________________________
 # long sys_kill(int pid, int sig)
-probe nd_syscall.kill = kernel.function("sys_kill") {
+probe nd_syscall.kill = kprobe.function("sys_kill")
+{
 	name = "kill"
-	pid = $pid
-	sig = $sig
-	argstr = sprintf("%d, %s", $pid, _signal_name($sig))
+	// pid = $pid
+	// sig = $sig
+	// argstr = sprintf("%d, %s", $pid, _signal_name($sig))
+	asmlinkage()
+	pid = int_arg(1)
+	sig = int_arg(2)
+	argstr = sprintf("%d, %s", pid, _signal_name(sig))
 }
-probe nd_syscall.kill.return = kernel.function("sys_kill").return {
+probe nd_syscall.kill.return = kprobe.function("sys_kill").return
+{
 	name = "kill"
 	retstr = returnstr(1)
 }
@@ -2162,14 +2581,21 @@ probe nd_syscall.kill.return = kernel.function("sys_kill").return {
 # lchown _____________________________________________________
 # long sys_lchown(const char __user * filename, uid_t user, gid_t group)
 #
-probe nd_syscall.lchown = kernel.function("sys_lchown") {
+probe nd_syscall.lchown = kprobe.function("sys_lchown")
+{
 	name = "lchown"
-	path = user_string($filename)
-	owner = __int32($user)
-	group = __int32($group)
-	argstr = sprintf("%s, %d, %d",user_string_quoted($filename), owner, group)
+	// path = user_string($filename)
+	// owner = __int32($user)
+	// group = __int32($group)
+	// argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
+	asmlinkage()
+	path = user_string(pointer_arg(1))
+	owner = __int32(uint_arg(2))
+	group = __int32(uint_arg(3))
+	argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group)
 }	
-probe nd_syscall.lchown.return = kernel.function("sys_lchown").return {
+probe nd_syscall.lchown.return = kprobe.function("sys_lchown").return
+{
 	name = "lchown"
 	retstr = returnstr(1)
 }
@@ -2178,14 +2604,21 @@ probe nd_syscall.lchown.return = kernel.function("sys_lchown").return {
 # long sys_lchown16(const char __user * filename, old_uid_t user, 
 #			old_gid_t group)
 #
-probe nd_syscall.lchown16 = kernel.function("sys_lchown16") ? {
+probe nd_syscall.lchown16 = kprobe.function("sys_lchown16") ?
+{
 	name = "lchown16"
-	path = user_string($filename)
-	owner = __short($user)
-	group = __short($group)
-	argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
+	// path = user_string($filename)
+	// owner = __short($user)
+	// group = __short($group)
+	// argstr = sprintf("%s, %d, %d", user_string_quoted($filename), owner, group)
+	asmlinkage()
+	path = user_string(pointer_arg(1))
+	owner = __short(uint_arg(2))
+	group = __short(uint_arg(3))
+	argstr = sprintf("%s, %d, %d", user_string_quoted(pointer_arg(1)), owner, group)
 }
-probe nd_syscall.lchown16.return = kernel.function("sys_lchown16").return ? {
+probe nd_syscall.lchown16.return = kprobe.function("sys_lchown16").return ?
+{
 	name = "lchown16"
 	retstr = returnstr(1)
 }
@@ -2195,47 +2628,81 @@ probe nd_syscall.lchown16.return = kernel.function("sys_lchown16").return ? {
 #               void __user *value,
 #               size_t size)
 #
-probe nd_syscall.lgetxattr = kernel.function("sys_lgetxattr") {
+probe nd_syscall.lgetxattr = kprobe.function("sys_lgetxattr")
+{
 	name = "lgetxattr"
-	path = user_string($path)
+	// %( kernel_v >= "2.6.27" %?
+	// 	path = user_string($pathname)
+	// %:
+	// 	path = user_string($path)
+	// %)
+	// 	# FIXME
+	// 	name2 = user_string($name)
+	// 	value_uaddr = $value
+	// 	size = $size
+	// 	argstr = sprintf("%s, %s, %p, %d", 
+	// %( kernel_v >= "2.6.27" %?
+	// 		user_string_quoted($pathname), 
+	// %:
+	// 		user_string_quoted($path), 
+	// %)
+	// 		user_string_quoted($name),
+	// 		value_uaddr, size)
+	asmlinkage()
+	path = user_string(pointer_arg(1))
 	# FIXME
-	name2 = user_string($name)
-	value_uaddr = $value
-	size = $size
+	name2 = user_string(pointer_arg(2))
+	value_uaddr = pointer_arg(3)
+	size = ulong_arg(4)
 	argstr = sprintf("%s, %s, %p, %d", 
-		user_string_quoted($path), 
-		user_string_quoted($name),
+		user_string_quoted(pointer_arg(1)), 
+		user_string_quoted(pointer_arg(2)),
 		value_uaddr, size)
 }
-probe nd_syscall.lgetxattr.return = kernel.function("sys_lgetxattr").return {
+probe nd_syscall.lgetxattr.return = kprobe.function("sys_lgetxattr").return
+{
 	name = "lgetxattr"
 	retstr = returnstr(1)
 }
 # link _______________________________________________________
 # long sys_link(const char __user * oldname,
 #          const char __user * newname)
-probe nd_syscall.link = kernel.function("sys_link") {
+probe nd_syscall.link = kprobe.function("sys_link")
+{
 	name = "link"
-	oldpath = user_string($oldname)
-	newpath = user_string($newname)
+	// oldpath = user_string($oldname)
+	// newpath = user_string($newname)
+	// argstr = sprintf("%s, %s", 
+	// 	user_string_quoted($oldname), 
+	// 	user_string_quoted($newname))
+	asmlinkage()
+	oldpath = user_string(pointer_arg(1))
+	newpath = user_string(pointer_arg(2))
 	argstr = sprintf("%s, %s", 
-		user_string_quoted($oldname), 
-		user_string_quoted($newname))
+		user_string_quoted(pointer_arg(1)), 
+		user_string_quoted(pointer_arg(2)))
 }
-probe nd_syscall.link.return = kernel.function("sys_link").return {
+probe nd_syscall.link.return = kprobe.function("sys_link").return
+{
 	name = "link"
 	retstr = returnstr(1)	
 }
 
 # listen _____________________________________________________
 # long sys_listen(int fd, int backlog)
-probe nd_syscall.listen = kernel.function("sys_listen") ? {
+probe nd_syscall.listen = kprobe.function("sys_listen") ?
+{
 	name = "listen"
-	sockfd = $fd
-      	backlog = $backlog
-	argstr = sprintf("%d, %d", $fd, $backlog) 
+	// sockfd = $fd
+	// backlog = $backlog
+	// argstr = sprintf("%d, %d", $fd, $backlog) 
+	asmlinkage()
+	sockfd = int_arg(1)
+	backlog = int_arg(2)
+	argstr = sprintf("%d, %d", sockfd, backlog) 
 }	
-probe nd_syscall.listen.return = kernel.function("sys_listen").return ? {
+probe nd_syscall.listen.return = kprobe.function("sys_listen").return ?
+{
 	name = "listen"
 	retstr = returnstr(1)
 }
@@ -2243,15 +2710,29 @@ probe nd_syscall.listen.return = kernel.function("sys_listen").return ? {
 # listxattr __________________________________________________
 # ssize_t sys_listxattr(char __user *path, char __user *list, size_t size)
 #
-probe nd_syscall.listxattr = kernel.function("sys_listxattr") {
+probe nd_syscall.listxattr = kprobe.function("sys_listxattr")
+{
 	name = "listxattr"
-	path_uaddr = $path
-	path = user_string($path)
-	list_uaddr = $list
-	size = $size
-	argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
+	// 	list_uaddr = $list
+	// 	size = $size
+	// %( kernel_v >= "2.6.27" %?
+	// 	path_uaddr = $pathname
+	// 	path = user_string($pathname)
+	// 	argstr = sprintf("%s, %p, %d", user_string_quoted($pathname), $list, $size)
+	// %:
+	// 	path_uaddr = $path
+	// 	path = user_string($path)
+	// 	argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
+	// %)
+	asmlinkage()
+	path_uaddr = pointer_arg(1)
+	path = user_string(path_uaddr)
+	list_uaddr = pointer_arg(2)
+	size = ulong_arg(3)
+	argstr = sprintf("%s, %p, %d", user_string_quoted(path_uaddr), list_uaddr, size)
 }
-probe nd_syscall.listxattr.return = kernel.function("sys_listxattr").return {
+probe nd_syscall.listxattr.return = kprobe.function("sys_listxattr").return
+{
 	name = "listxattr"
 	retstr = returnstr(1)
 }
@@ -2259,15 +2740,29 @@ probe nd_syscall.listxattr.return = kernel.function("sys_listxattr").return {
 # llistxattr _________________________________________________
 # ssize_t sys_llistxattr(char __user *path, char __user *list, size_t size)
 #
-probe nd_syscall.llistxattr = kernel.function("sys_llistxattr") {
+probe nd_syscall.llistxattr = kprobe.function("sys_llistxattr")
+{
 	name = "llistxattr"
-	path_uaddr = $path
-	path = user_string($path)
-	list_uaddr = $list
-	size = $size
-	argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
+	// 	list_uaddr = $list
+	// 	size = $size
+	// %( kernel_v >= "2.6.27" %?
+	// 	path_uaddr = $pathname
+	// 	path = user_string($pathname)
+	// 	argstr = sprintf("%s, %p, %d", user_string_quoted($pathname), $list, $size)
+	// %:
+	// 	path_uaddr = $path
+	// 	path = user_string($path)
+	// 	argstr = sprintf("%s, %p, %d", user_string_quoted($path), $list, $size)
+	// %)
+	asmlinkage()
+	path_uaddr = pointer_arg(1)
+	path = user_string(path_uaddr)
+	list_uaddr = pointer_arg(2)
+	size = ulong_arg(3)
+	argstr = sprintf("%s, %p, %d", user_string_quoted(path_uaddr), list_uaddr, size)
 }
-probe nd_syscall.llistxattr.return = kernel.function("sys_llistxattr").return {
+probe nd_syscall.llistxattr.return = kprobe.function("sys_llistxattr").return
+{
 	name = "llistxattr"
 	retstr = returnstr(1)
 }
@@ -2278,18 +2773,29 @@ probe nd_syscall.llistxattr.return = kernel.function("sys_llistxattr").return {
 #            unsigned long offset_low,
 #            loff_t __user * result,
 #            unsigned int origin)
-probe nd_syscall.llseek = kernel.function("sys_llseek") ? {
+probe nd_syscall.llseek = kprobe.function("sys_llseek") ?
+{
 	name = "llseek"
-	fd = $fd
-	offset_high = $offset_high
-	offset_low = $offset_low
-	result_uaddr = $result
-	whence = $origin
-	whence_str = _seek_whence_str($origin)
-	argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", $fd, $offset_high,
-		$offset_low, $result, whence_str)
-}
-probe nd_syscall.llseek.return = kernel.function("sys_llseek").return ? {
+	// fd = $fd
+	// offset_high = $offset_high
+	// offset_low = $offset_low
+	// result_uaddr = $result
+	// whence = $origin
+	// whence_str = _seek_whence_str($origin)
+	// argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", $fd, $offset_high,
+	// 	$offset_low, $result, whence_str)
+	asmlinkage()
+	fd = int_arg(1)
+	offset_high = ulong_arg(2)
+	offset_low = ulong_arg(3)
+	result_uaddr = pointer_arg(4)
+	whence = uint_arg(5)
+	whence_str = _seek_whence_str(whence)
+	argstr = sprintf("%d, 0x%x, 0x%x, %p, %s", fd, offset_high,
+		offset_low, result_uaddr, whence_str)
+}
+probe nd_syscall.llseek.return = kprobe.function("sys_llseek").return ?
+{
 	name = "llseek"
 	retstr = returnstr(1)
 }
@@ -2297,14 +2803,21 @@ probe nd_syscall.llseek.return = kernel.function("sys_llseek").return ? {
 # lookup_dcookie _____________________________________________
 # long sys_lookup_dcookie(u64 cookie64, char __user * buf, size_t len)
 #
-probe nd_syscall.lookup_dcookie = kernel.function("sys_lookup_dcookie") ? {
+probe nd_syscall.lookup_dcookie = kprobe.function("sys_lookup_dcookie") ?
+{
 	name = "lookup_dcookie"
-	cookie = $cookie64
-	buffer_uaddr = $buf
-	len = $len
-	argstr = sprintf("%d, %p, %d", $cookie64, $buf, $len)
+	// cookie = $cookie64
+	// buffer_uaddr = $buf
+	// len = $len
+	// argstr = sprintf("%d, %p, %d", $cookie64, $buf, $len)
+	asmlinkage()
+	cookie = ulonglong_arg(1)
+	buffer_uaddr = pointer_arg(2)
+	len = ulong_arg(3)
+	argstr = sprintf("%d, %p, %d", cookie, buffer_uaddr, len)
 }
-probe nd_syscall.lookup_dcookie.return = kernel.function("sys_lookup_dcookie").return ? {
+probe nd_syscall.lookup_dcookie.return = kprobe.function("sys_lookup_dcookie").return ?
+{
 	name = "lookup_dcookie"
 	retstr = returnstr(1)
 }
@@ -2312,31 +2825,53 @@ probe nd_syscall.lookup_dcookie.return = kernel.function("sys_lookup_dcookie").r
 # lremovexattr _______________________________________________
 # long sys_lremovexattr(char __user *path, char __user *name)
 #
-probe nd_syscall.lremovexattr = kernel.function("sys_lremovexattr") {
+probe nd_syscall.lremovexattr = kprobe.function("sys_lremovexattr")
+{
 	name = "lremovexattr"
-	path_uaddr = $path
-	path = user_string($path)
-	name_uaddr = $name
-	name2 = user_string($name)
-	argstr = sprintf("%s, %s", user_string_quoted($path), user_string_quoted($name)) 
+	// 	name_uaddr = $name
+	// 	name2 = user_string($name)
+	// %( kernel_v >= "2.6.27" %?
+	// 	path_uaddr = $pathname
+	// 	path = user_string($pathname)
+	// 	argstr = sprintf("%s, %s", user_string_quoted($pathname), user_string_quoted($name)) 
+	// %:
+	// 	path_uaddr = $path
+	// 	path = user_string($path)
+	// 	argstr = sprintf("%s, %s", user_string_quoted($path), user_string_quoted($name)) 
+	// %)
+	asmlinkage()
+	path_uaddr = pointer_arg(1)
+	path = user_string(path_uaddr)
+	name_uaddr = pointer_arg(2)
+	name2 = user_string(name_uaddr)
+	argstr = sprintf("%s, %s", user_string_quoted(path_uaddr), user_string_quoted(name_uaddr))
 }
-probe nd_syscall.lremovexattr.return = kernel.function("sys_lremovexattr").return {
+probe nd_syscall.lremovexattr.return = kprobe.function("sys_lremovexattr").return
+{
 	name = "lremovexattr"
 	retstr = returnstr(1)
 }
 
 # lseek ______________________________________________________
 # off_t sys_lseek(unsigned int fd, off_t offset, unsigned int origin)
-probe nd_syscall.lseek = kernel.function("sys_lseek") {
-	name = "lseek"
-	fildes = $fd
-#	offset = __int32($offset)
-	offset = $offset
-	whence = $origin
-	whence_str = _seek_whence_str($origin)
-	argstr = sprintf("%d, %d, %s", $fd, offset, whence_str)
-}
-probe nd_syscall.lseek.return = kernel.function("sys_lseek").return {
+probe nd_syscall.lseek = kprobe.function("sys_lseek")
+{
+	// name = "lseek"
+	// fildes = $fd
+	// # offset = __int32($offset)
+	// offset = $offset
+	// whence = $origin
+	// whence_str = _seek_whence_str($origin)
+	// argstr = sprintf("%d, %d, %s", $fd, offset, whence_str)
+	asmlinkage()
+	fildes = int_arg(1)
+	offset = long_arg(2)
+	whence = uint_arg(3)
+	whence_str = _seek_whence_str(whence)
+	argstr = sprintf("%d, %d, %s", fildes, offset, whence_str)
+}
+probe nd_syscall.lseek.return = kprobe.function("sys_lseek").return
+{
 	name = "lseek"
 	retstr = returnstr(1)
 }
@@ -2348,21 +2883,44 @@ probe nd_syscall.lseek.return = kernel.function("sys_lseek").return {
 #               size_t size,
 #               int flags)
 #
-probe nd_syscall.lsetxattr = kernel.function("sys_lsetxattr") {
+probe nd_syscall.lsetxattr = kprobe.function("sys_lsetxattr")
+{
 	name = "lsetxattr"
-	path_uaddr = $path
-	path = user_string($path)
-	name_uaddr = $name
-	name_str = user_string($name)
-	value_uaddr = $value
-	size = $size
-	flags = $flags
+	// %( kernel_v >= "2.6.27" %?
+	// 	path_uaddr = $pathname
+	// 	path = user_string($pathname)
+	// %:
+	// 	path_uaddr = $path
+	// 	path = user_string($path)
+	// %)
+	// 	name_uaddr = $name
+	// 	name_str = user_string($name)
+	// 	value_uaddr = $value
+	// 	size = $size
+	// 	flags = $flags
+	// 	argstr = sprintf("%s, %s, %p, %d, %d", 
+	// %( kernel_v >= "2.6.27" %?
+	// 			user_string_quoted($pathname), 
+	// %:
+	// 			user_string_quoted($path), 
+	// %)
+	// 			user_string_quoted($name),
+	// 			value_uaddr, $size, $flags)
+	asmlinkage()
+	path_uaddr = pointer_arg(1)
+	path = user_string(path_uaddr)
+	name_uaddr = pointer_arg(2)
+	name_str = user_string(name_uaddr)
+	value_uaddr = pointer_arg(3)
+	size = ulong_arg(4)
+	flags = int_arg(5)
 	argstr = sprintf("%s, %s, %p, %d, %d", 
-			user_string_quoted($path), 
-			user_string_quoted($name),
-			value_uaddr, $size, $flags)
+			user_string_quoted(path_uaddr), 
+			user_string_quoted(name_uaddr),
+			value_uaddr, size, flags)
 }
-probe nd_syscall.lsetxattr.return = kernel.function("sys_lsetxattr").return {
+probe nd_syscall.lsetxattr.return = kprobe.function("sys_lsetxattr").return
+{
 	name = "lsetxattr"
 	retstr = returnstr(1)
 }
@@ -2376,26 +2934,28 @@ probe nd_syscall.lsetxattr.return = kernel.function("sys_lsetxattr").return {
 # long sys_oabi_lstat64(char __user * filename,
 #			struct oldabi_stat64 __user * statbuf)
 #
-probe nd_syscall.lstat = 
-		kernel.function("sys_lstat") ?,
-		kernel.function("sys_newlstat") ?,
-		kernel.function("compat_sys_newlstat") ?,
-		kernel.function("sys32_lstat64") ?,
-		kernel.function("sys_lstat64") ?,
-		kernel.function("sys_oabi_lstat64") ?
+probe nd_syscall.lstat = kprobe.function("sys_lstat") ?,
+                         kprobe.function("sys_newlstat") ?,
+                         kprobe.function("compat_sys_newlstat") ?,
+                         kprobe.function("sys32_lstat64") ?,
+                         kprobe.function("sys_lstat64") ?,
+                         kprobe.function("sys_oabi_lstat64") ?
 {
 	name = "lstat"
-	path = user_string($filename)
-	buf_uaddr = $statbuf
-	argstr = sprintf("%s, %p", user_string_quoted($filename), $statbuf) 
-}
-probe nd_syscall.lstat.return = 
-		kernel.function("sys_lstat").return ?,
-		kernel.function("sys_newlstat").return ?,
-		kernel.function("compat_sys_newlstat").return ?,
-		kernel.function("sys32_lstat64").return ?,
-		kernel.function("sys_lstat64").return ?,
-		kernel.function("sys_oabi_lstat64").return ?
+	// path = user_string($filename)
+	// buf_uaddr = $statbuf
+	// argstr = sprintf("%s, %p", user_string_quoted($filename), $statbuf) 
+	asmlinkage()
+	path = user_string(pointer_arg(1))
+	buf_uaddr = pointer_arg(2)
+	argstr = sprintf("%s, %p", user_string_quoted(pointer_arg(1)), buf_uaddr) 
+}
+probe nd_syscall.lstat.return = kprobe.function("sys_lstat").return ?,
+                                kprobe.function("sys_newlstat").return ?,
+                                kprobe.function("compat_sys_newlstat").return ?,
+                                kprobe.function("sys32_lstat64").return ?,
+                                kprobe.function("sys_lstat64").return ?,
+                                kprobe.function("sys_oabi_lstat64").return ?
 { 
 	name = "lstat"
 	retstr = returnstr(1)
@@ -2404,15 +2964,23 @@ probe nd_syscall.lstat.return =
 # madvise ____________________________________________________
 # long sys_madvise(unsigned long start, size_t len_in, int behavior)
 #
-probe nd_syscall.madvise = kernel.function("sys_madvise") ? {
+probe nd_syscall.madvise = kprobe.function("sys_madvise") ?
+{
 	name = "madvise"
-	start = $start
-	length = $len_in
-	advice = $behavior
-	advice_str = _madvice_advice_str($behavior)
-	argstr = sprintf("%p, %d, %s", $start, $len_in, _madvice_advice_str($behavior))
+	// start = $start
+	// length = $len_in
+	// advice = $behavior
+	// advice_str = _madvice_advice_str($behavior)
+	// argstr = sprintf("%p, %d, %s", $start, $len_in, _madvice_advice_str($behavior))
+	asmlinkage()
+	start = ulong_arg(1)
+	length = ulong_arg(2)
+	advice = int_arg(3)
+	advice_str = _madvice_advice_str(advice)
+	argstr = sprintf("%p, %d, %s", start, length, _madvice_advice_str(advice))
 }
-probe nd_syscall.madvise.return = kernel.function("sys_madvise").return ? {
+probe nd_syscall.madvise.return = kprobe.function("sys_madvise").return ?
+{
 	name = "madvise"
 	retstr = returnstr(1)
 }
@@ -2432,23 +3000,30 @@ probe nd_syscall.madvise.return = kernel.function("sys_madvise").return ? {
 #	compat_ulong_t maxnode,
 #	compat_ulong_t flags)
 #
-probe nd_syscall.mbind = 
-		kernel.function("sys_mbind") ?,
-		kernel.function("compat_sys_mbind") ?
+probe nd_syscall.mbind = kprobe.function("sys_mbind") ?,
+                         kprobe.function("compat_sys_mbind") ?
 {
 	name = "mbind"
-	start = $start
-	len = $len
-	mode = $mode
-	nmask_uaddr = $nmask
-	maxnode = $maxnode
-	flags = $flags
-	argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", $start, $len, $mode,
-				$nmask, $maxnode, $flags)
-}
-probe nd_syscall.mbind.return = 
-		kernel.function("sys_mbind").return ?,
-		kernel.function("compat_sys_mbind").return ?
+	// start = $start
+	// len = $len
+	// mode = $mode
+	// nmask_uaddr = $nmask
+	// maxnode = $maxnode
+	// flags = $flags
+	// argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", $start, $len, $mode,
+	// 			$nmask, $maxnode, $flags)
+	asmlinkage()
+	start = ulong_arg(1)
+	len = long_arg(2)
+	mode = ulong_arg(3)
+	nmask_uaddr = pointer_arg(4)
+	maxnode = ulong_arg(5)
+	flags = uint_arg(6)
+	argstr = sprintf("%d, %d, %d, %p, %d, 0x%x", start, len, mode,
+				nmask_uaddr, maxnode, flags)
+}
+probe nd_syscall.mbind.return = kprobe.function("sys_mbind").return ?,
+                                kprobe.function("compat_sys_mbind").return ?
 {
 	name = "mbind"
 	retstr = returnstr(1)
@@ -2458,11 +3033,15 @@ probe nd_syscall.mbind.return =
 # long sys_migrate_pages(pid_t pid, unsigned long maxnode,
 #		const unsigned long __user *old_nodes,
 #		const unsigned long __user *new_nodes)
-probe nd_syscall.migrate_pages = kernel.function("sys_migrate_pages") ? {
+probe nd_syscall.migrate_pages = kprobe.function("sys_migrate_pages") ?
+{
 	name = "migrate_pages"
-	argstr = sprintf("%d, %d, %p, %p", $pid, $maxnode, $old_nodes, $new_nodes)
+	// argstr = sprintf("%d, %d, %p, %p", $pid, $maxnode, $old_nodes, $new_nodes)
+	asmlinkage()
+	argstr = sprintf("%d, %d, %p, %p", int_arg(1), ulong_arg(2), pointer_arg(3), pointer_arg(4))
 }
-probe nd_syscall.migrate_pages.return = kernel.function("sys_migrate_pages").return ? {
+probe nd_syscall.migrate_pages.return = kprobe.function("sys_migrate_pages").return ?
+{
 	name = "migrate_pages"
 	retstr = returnstr(1)
 }
@@ -2470,28 +3049,42 @@ probe nd_syscall.migrate_pages.return = kernel.function("sys_migrate_pages").ret
 # mincore ____________________________________________________
 # long sys_mincore(unsigned long start, size_t len, unsigned char __user * vec)
 #
-probe nd_syscall.mincore = kernel.function("sys_mincore") ? {
+probe nd_syscall.mincore = kprobe.function("sys_mincore") ?
+{
 	name = "mincore"
-	start = $start
-	length = $len
-	vec_uaddr = $vec
-	argstr = sprintf("%p, %d, %p", $start, $len, $vec)
+	// start = $start
+	// length = $len
+	// vec_uaddr = $vec
+	// argstr = sprintf("%p, %d, %p", $start, $len, $vec)
+	asmlinkage()
+	start = ulong_arg(1)
+	length = ulong_arg(2)
+	vec_uaddr = pointer_arg(3)
+	argstr = sprintf("%p, %d, %p", start, length, vec_uaddr)
 }
-probe nd_syscall.mincore.return = kernel.function("sys_mincore").return ? {
+probe nd_syscall.mincore.return = kprobe.function("sys_mincore").return ?
+{
 	name = "mincore"
 	retstr = returnstr(1)	
 }
 
 # mkdir ______________________________________________________
 # long sys_mkdir(const char __user * pathname, int mode)
-probe nd_syscall.mkdir = kernel.function("sys_mkdir") {
+probe nd_syscall.mkdir = kprobe.function("sys_mkdir")
+{
 	name = "mkdir"
-	pathname_uaddr = $pathname
-	pathname = user_string($pathname)
-	mode = $mode
-	argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
+	// pathname_uaddr = $pathname
+	// pathname = user_string($pathname)
+	// mode = $mode
+	// argstr = sprintf("%s, %#o", user_string_quoted($pathname), $mode)
+	asmlinkage()
+	pathname_uaddr = pointer_arg(1)
+	pathname = user_string(pathname_uaddr)
+	mode = int_arg(2)
+	argstr = sprintf("%s, %#o", user_string_quoted(pathname_uaddr), mode)
 }
-probe nd_syscall.mkdir.return = kernel.function("sys_mkdir").return {
+probe nd_syscall.mkdir.return = kprobe.function("sys_mkdir").return
+{
 	name = "mkdir"
 	retstr = returnstr(1)	
 }
@@ -2499,29 +3092,43 @@ probe nd_syscall.mkdir.return = kernel.function("sys_mkdir").return {
 # mkdirat ____________________________________________________
 # new function with 2.6.16
 # long sys_mkdirat(int dfd, const char __user *pathname, int mode)
-probe nd_syscall.mkdirat = kernel.function("sys_mkdirat") ? {
+probe nd_syscall.mkdirat = kprobe.function("sys_mkdirat") ?
+{
 	name = "mkdirat"
-	dirfd = $dfd
-	pathname = user_string($pathname)
-	mode = $mode
-	argstr = sprintf("%d, %s, %#o", $dfd, user_string_quoted($pathname), $mode)
+	// dirfd = $dfd
+	// pathname = user_string($pathname)
+	// mode = $mode
+	// argstr = sprintf("%d, %s, %#o", $dfd, user_string_quoted($pathname), $mode)
+	asmlinkage()
+	dirfd = int_arg(1)
+	pathname = user_string(pointer_arg(2))
+	mode = int_arg(3)
+	argstr = sprintf("%d, %s, %#o", dirfd, user_string_quoted(pointer_arg(2)), mode)
 }
-probe nd_syscall.mkdirat.return = kernel.function("sys_mkdirat").return ? {
+probe nd_syscall.mkdirat.return = kprobe.function("sys_mkdirat").return ?
+{
 	name = "mkdirat"
 	retstr = returnstr(1)
 }
 
 # mknod
 # long sys_mknod(const char __user * filename, int mode, unsigned dev)
-probe nd_syscall.mknod = kernel.function("sys_mknod") {
+probe nd_syscall.mknod = kprobe.function("sys_mknod")
+{
 	name = "mknod"
-      	pathname = user_string($filename)
-	mode = $mode
-	dev = $dev
-	argstr = sprintf("%s, %s, %p", user_string_quoted($filename), _mknod_mode_str($mode), dev)
+	// pathname = user_string($filename)
+	// mode = $mode
+	// dev = $dev
+	// argstr = sprintf("%s, %s, %p", user_string_quoted($filename), _mknod_mode_str($mode), dev)
+	asmlinkage()
+	pathname = user_string(pointer_arg(1))
+	mode = int_arg(2)
+	dev = uint_arg(3)
+	argstr = sprintf("%s, %s, %p", user_string_quoted(pointer_arg(1)), _mknod_mode_str(mode), dev)
 }
 
-probe nd_syscall.mknod.return = kernel.function("sys_mknod").return {
+probe nd_syscall.mknod.return = kprobe.function("sys_mknod").return
+{
 	name = "mknod"
 	retstr = returnstr(1)
 }
@@ -2530,13 +3137,19 @@ probe nd_syscall.mknod.return = kernel.function("sys_mknod").return {
 #
 # long sys_mlock(unsigned long start, size_t len)
 #
-probe nd_syscall.mlock = kernel.function("sys_mlock") ? {
+probe nd_syscall.mlock = kprobe.function("sys_mlock") ?
+{
 	name = "mlock"
-	addr = $start
-	len = $len
-	argstr = sprintf("%p, %d", $start, $len)
+	// addr = $start
+	// len = $len
+	// argstr = sprintf("%p, %d", $start, $len)
+	asmlinkage()
+	addr = ulong_arg(1)
+	len = ulong_arg(2)
+	argstr = sprintf("%p, %d", addr, len)
 }
-probe nd_syscall.mlock.return = kernel.function("sys_mlock").return ? {
+probe nd_syscall.mlock.return = kprobe.function("sys_mlock").return ?
+{
 	name = "mlock"
 	retstr = returnstr(1)
 }
@@ -2544,12 +3157,17 @@ probe nd_syscall.mlock.return = kernel.function("sys_mlock").return ? {
 #
 # long sys_mlockall(int flags)
 #
-probe nd_syscall.mlockall = kernel.function("sys_mlockall") ? {
+probe nd_syscall.mlockall = kprobe.function("sys_mlockall") ?
+{
 	name = "mlockall"
-	flags = $flags
-	argstr = _mlockall_flags_str($flags)
+	// flags = $flags
+	// argstr = _mlockall_flags_str($flags)
+	asmlinkage()
+	flags = int_arg(1)
+	argstr = _mlockall_flags_str(flags)
 }
-probe nd_syscall.mlockall.return = kernel.function("sys_mlockall").return ? {
+probe nd_syscall.mlockall.return = kprobe.function("sys_mlockall").return ?
+{
 	name = "mlockall"
 	retstr = returnstr(1)
 }
@@ -2557,14 +3175,21 @@ probe nd_syscall.mlockall.return = kernel.function("sys_mlockall").return ? {
 # modify_ldt _________________________________________________
 # int sys_modify_ldt(int func, void __user *ptr, unsigned long bytecount)
 #
-probe nd_syscall.modify_ldt = kernel.function("sys_modify_ldt") ? {
+probe nd_syscall.modify_ldt = kprobe.function("sys_modify_ldt") ?
+{
 	name = "modify_ldt"
-	func = $func
-	ptr_uaddr = $ptr
-	bytecount = $bytecount
-	argstr = sprintf("%d, %p, %d", $func, $ptr, $bytecount)
+	// func = $func
+	// ptr_uaddr = $ptr
+	// bytecount = $bytecount
+	// argstr = sprintf("%d, %p, %d", $func, $ptr, $bytecount)
+	asmlinkage()
+	func = int_arg(1)
+	ptr_uaddr = pointer_arg(2)
+	bytecount = ulong_arg(3)
+	argstr = sprintf("%d, %p, %d", func, ptr_uaddr, bytecount)
 }
-probe nd_syscall.modify_ldt.return = kernel.function("sys_modify_ldt").return ? {
+probe nd_syscall.modify_ldt.return = kprobe.function("sys_modify_ldt").return ?
+{
 	name = "modify_ldt"
 	retstr = returnstr(1)
 }
@@ -2582,16 +3207,16 @@ probe nd_syscall.modify_ldt.return = kernel.function("sys_modify_ldt").return ?
 #                int __user *status,
 #                int flags)
 #
-probe nd_syscall.move_pages = 
-		kernel.function("sys_move_pages") ?,
-		kernel.function("compat_sys_move_pages") ?
+probe nd_syscall.move_pages = kprobe.function("sys_move_pages") ?,
+                              kprobe.function("compat_sys_move_pages") ?
 {
 	name = "move_pages"
-	argstr = sprintf("%d, %d, %p, %p, 0x%x", $pid, $nr_pages, $nodes, $status, $flags)
+	// argstr = sprintf("%d, %d, %p, %p, 0x%x", $pid, $nr_pages, $nodes, $status, $flags)
+	asmlinkage()
+	argstr = sprintf("%d, %d, %p, %p, 0x%x", int_arg(1), ulong_arg(2), pointer_arg(4), pointer_arg(5), int_arg(6))
 }
-probe nd_syscall.move_pages.return = 
-		kernel.function("sys_move_pages").return ?,
-		kernel.function("compat_sys_move_pages").return ?
+probe nd_syscall.move_pages.return = kprobe.function("sys_move_pages").return ?,
+                                     kprobe.function("compat_sys_move_pages").return ?
 {
 	name = "move_pages"
 	retstr = returnstr(1)
@@ -2608,26 +3233,36 @@ probe nd_syscall.move_pages.return =
 #		char __user * type, 
 #		unsigned long flags, 
 #		void __user * data)
-probe nd_syscall.mount = 
-		kernel.function("sys_mount"),
-		kernel.function("compat_sys_mount") ?
+probe nd_syscall.mount = kprobe.function("sys_mount"),
+                         kprobe.function("compat_sys_mount") ?
 {
 	name = "mount"
-	source = user_string($dev_name)
-	target = user_string($dir_name)
-	filesystemtype = user_string($type)
-	mountflags = $flags
-	mountflags_str = _mountflags_str($flags)
-	data = text_strn(user_string($data),syscall_string_trunc,1)
+	// source = user_string($dev_name)
+	// target = user_string($dir_name)
+	// filesystemtype = user_string($type)
+	// mountflags = $flags
+	// mountflags_str = _mountflags_str($flags)
+	// data = text_strn(user_string($data), syscall_string_trunc, 1)
+	// argstr = sprintf("%s, %s, %s, %s, %s", 
+	// 	user_string_quoted($dev_name), 
+	// 	user_string_quoted($dir_name), 
+	// 	user_string_quoted($type), 
+	// 	mountflags_str, data)
+	asmlinkage()
+	source = user_string(pointer_arg(1))
+	target = user_string(pointer_arg(2))
+	filesystemtype = user_string(pointer_arg(3))
+	mountflags = ulong_arg(4)
+	mountflags_str = _mountflags_str(mountflags)
+	data = text_strn(user_string(pointer_arg(5)), syscall_string_trunc, 1)
 	argstr = sprintf("%s, %s, %s, %s, %s", 
-		user_string_quoted($dev_name), 
-		user_string_quoted($dir_name), 
-		user_string_quoted($type), 
+		user_string_quoted(pointer_arg(1)), 
+		user_string_quoted(pointer_arg(2)), 
+		user_string_quoted(pointer_arg(3)), 
 		mountflags_str, data)
 }
-probe nd_syscall.mount.return = 
-		kernel.function("sys_mount").return, 
-		kernel.function("compat_sys_mount").return ?
+probe nd_syscall.mount.return = kprobe.function("sys_mount").return, 
+                                kprobe.function("compat_sys_mount").return ?
 {
 	name = "mount"
 	retstr = returnstr(1)
@@ -2636,15 +3271,23 @@ probe nd_syscall.mount.return =
 # mprotect ___________________________________________________
 # long sys_mprotect(unsigned long start, size_t len, unsigned long prot)
 #
-probe nd_syscall.mprotect = kernel.function("sys_mprotect") ? {
+probe nd_syscall.mprotect = kprobe.function("sys_mprotect") ?
+{
 	name = "mprotect"
-	addr = $start
-	len = $len
-	prot = $prot
-	prot_str = _mprotect_prot_str($prot)
-	argstr = sprintf("%p, %d, %s", $start, $len, _mprotect_prot_str($prot))
+	// addr = $start
+	// len = $len
+	// prot = $prot
+	// prot_str = _mprotect_prot_str($prot)
+	// argstr = sprintf("%p, %d, %s", $start, $len, _mprotect_prot_str($prot))
+	asmlinkage()
+	addr = ulong_arg(1)
+	len = ulong_arg(2)
+	prot = ulong_arg(3)
+	prot_str = _mprotect_prot_str(prot)
+	argstr = sprintf("%p, %d, %s", addr, len, _mprotect_prot_str(prot))
 }
-probe nd_syscall.mprotect.return = kernel.function("sys_mprotect").return ? {
+probe nd_syscall.mprotect.return = kprobe.function("sys_mprotect").return ?
+{
 	name = "mprotect"
 	retstr = returnstr(1)
 }
@@ -2657,19 +3300,22 @@ probe nd_syscall.mprotect.return = kernel.function("sys_mprotect").return ? {
 #			const struct compat_mq_attr __user *u_mqstat,
 #			struct compat_mq_attr __user *u_omqstat)
 #
-probe nd_syscall.mq_getsetattr =
-		kernel.function("sys_mq_getsetattr") ?,
-		kernel.function("compat_sys_mq_getsetattr") ?
+probe nd_syscall.mq_getsetattr = kprobe.function("sys_mq_getsetattr") ?,
+                                 kprobe.function("compat_sys_mq_getsetattr") ?
 {
 	name = "mq_getsetattr"
-	mqdes = $mqdes
-	u_mqstat_uaddr = $u_mqstat
-	u_omqstat_uaddr = $u_omqstat
-	argstr = sprintf("%d, %p, %p", $mqdes, $u_mqstat, $u_omqstat)
+	// mqdes = $mqdes
+	// u_mqstat_uaddr = $u_mqstat
+	// u_omqstat_uaddr = $u_omqstat
+	// argstr = sprintf("%d, %p, %p", $mqdes, $u_mqstat, $u_omqstat)
+	asmlinkage()
+	mqdes = int_arg(1)
+	u_mqstat_uaddr = pointer_arg(2)
+	u_omqstat_uaddr = pointer_arg(3)
+	argstr = sprintf("%d, %p, %p", mqdes, u_mqstat_uaddr, u_omqstat_uaddr)
 }
-probe nd_syscall.mq_getsetattr.return =
-		kernel.function("sys_mq_getsetattr").return ?,
-		kernel.function("compat_sys_mq_getsetattr").return ?
+probe nd_syscall.mq_getsetattr.return = kprobe.function("sys_mq_getsetattr").return ?,
+                                        kprobe.function("compat_sys_mq_getsetattr").return ?
 {
 	name = "mq_getsetattr"
 	retstr = returnstr(1)
@@ -2679,18 +3325,20 @@ probe nd_syscall.mq_getsetattr.return =
 # long sys_mq_notify(mqd_t mqdes, const struct sigevent __user *u_notification)
 # long compat_sys_mq_notify(mqd_t mqdes, const struct compat_sigevent __user *u_notification)
 #
-probe nd_syscall.mq_notify =
-		kernel.function("sys_mq_notify") ?,
-		kernel.function("compat_sys_mq_notify") ?
+probe nd_syscall.mq_notify = kprobe.function("sys_mq_notify") ?,
+                             kprobe.function("compat_sys_mq_notify") ?
 {
 	name = "mq_notify"
-	mqdes = $mqdes
-	notification_uaddr = $u_notification
-	argstr = sprintf("%d, %p", $mqdes, $u_notification)
+	// mqdes = $mqdes
+	// notification_uaddr = $u_notification
+	// argstr = sprintf("%d, %p", $mqdes, $u_notification)
+	asmlinkage()
+	mqdes = int_arg(1)
+	notification_uaddr = pointer_arg(2)
+	argstr = sprintf("%d, %p", mqdes, notification_uaddr)
 }
-probe nd_syscall.mq_notify.return =
-		kernel.function("sys_mq_notify").return ?,
-		kernel.function("compat_sys_mq_notify").return ?
+probe nd_syscall.mq_notify.return = kprobe.function("sys_mq_notify").return ?,
+                                    kprobe.function("compat_sys_mq_notify").return ?
 {
 	name = "mq_notify"
 	retstr = returnstr(1)
@@ -2705,9 +3353,8 @@ probe nd_syscall.mq_notify.return =
 #			int oflag, compat_mode_t mode,
 #			struct compat_mq_attr __user *u_attr)
 #
-probe nd_syscall.mq_open =
-		kernel.function("sys_mq_open") ?,
-		kernel.function("compat_sys_mq_open") ?
+probe nd_syscall.mq_open = kprobe.function("sys_mq_open") ?,
+                           kprobe.function("compat_sys_mq_open") ?
 {
 	name = "mq_open"
 	// name_uaddr = $u_name
@@ -2733,9 +3380,8 @@ probe nd_syscall.mq_open =
 	else
 		argstr = sprintf("%s, %s", user_string_quoted(name_uaddr), _sys_open_flag_str(oflag))
 }
-probe nd_syscall.mq_open.return =
-		kernel.function("sys_mq_open").return ?,
-		kernel.function("compat_sys_mq_open").return ?
+probe nd_syscall.mq_open.return = kprobe.function("sys_mq_open").return ?,
+                                  kprobe.function("compat_sys_mq_open").return ?
 {
 	name = "mq_open"
 	retstr = returnstr(1)
@@ -2752,22 +3398,28 @@ probe nd_syscall.mq_open.return =
 #			size_t msg_len, unsigned int __user *u_msg_prio,
 #			const struct compat_timespec __user *u_abs_timeout)
 #
-probe nd_syscall.mq_timedreceive =
-		kernel.function("sys_mq_timedreceive") ?,
-		kernel.function("compat_sys_mq_timedreceive") ?
+probe nd_syscall.mq_timedreceive = kprobe.function("sys_mq_timedreceive") ?,
+                                   kprobe.function("compat_sys_mq_timedreceive") ?
 {
 	name = "mq_timedreceive"
-	mqdes = $mqdes
-	msg_ptr_uaddr = $u_msg_ptr
-	msg_len = $msg_len
-	msg_prio_uaddr = $u_msg_prio
-	abs_timout_uaddr = $u_abs_timeout
-	argstr = sprintf("%d, %p, %d, %p, %p", $mqdes, $u_msg_ptr, $msg_len,
-			$u_msg_prio, $u_abs_timeout)
-}
-probe nd_syscall.mq_timedreceive.return =
-		kernel.function("sys_mq_timedreceive").return ?,
-		kernel.function("compat_sys_mq_timedreceive").return ?
+	// mqdes = $mqdes
+	// msg_ptr_uaddr = $u_msg_ptr
+	// msg_len = $msg_len
+	// msg_prio_uaddr = $u_msg_prio
+	// abs_timout_uaddr = $u_abs_timeout
+	// argstr = sprintf("%d, %p, %d, %p, %p", $mqdes, $u_msg_ptr, $msg_len,
+	// 		$u_msg_prio, $u_abs_timeout)
+	asmlinkage()
+	mqdes = int_arg(1)
+	msg_ptr_uaddr = pointer_arg(2)
+	msg_len = ulong_arg(3)
+	msg_prio_uaddr = pointer_arg(4)
+	abs_timeout_uaddr = pointer_arg(5)
+	argstr = sprintf("%d, %p, %d, %p, %p", mqdes, msg_ptr_uaddr, msg_len,
+			msg_prio_uaddr, abs_timeout_uaddr)
+}
+probe nd_syscall.mq_timedreceive.return = kprobe.function("sys_mq_timedreceive").return ?,
+                                          kprobe.function("compat_sys_mq_timedreceive").return ?
 {
 	name = "mq_timedreceive"
 	retstr = returnstr(1)
@@ -2784,22 +3436,28 @@ probe nd_syscall.mq_timedreceive.return =
 #			size_t msg_len, unsigned int msg_prio,
 #			const struct compat_timespec __user *u_abs_timeout)
 #
-probe nd_syscall.mq_timedsend =
-		kernel.function("sys_mq_timedsend") ?,
-		kernel.function("compat_sys_mq_timedsend") ?
+probe nd_syscall.mq_timedsend = kprobe.function("sys_mq_timedsend") ?,
+                                kprobe.function("compat_sys_mq_timedsend") ?
 {
 	name = "mq_timedsend"
-	mqdes = $mqdes
-	msg_ptr_uaddr = $u_msg_ptr
-	msg_len = $msg_len
-	msg_prio = $msg_prio
-	abs_timeout_uaddr = $u_abs_timeout
-	argstr = sprintf("%d, %p, %d, %d, %p", $mqdes, $u_msg_ptr, $msg_len,
-			$msg_prio, $u_abs_timeout)
-}
-probe nd_syscall.mq_timedsend.return =
-		kernel.function("sys_mq_timedsend").return ?,
-		kernel.function("compat_sys_mq_timedsend").return ?
+	// mqdes = $mqdes
+	// msg_ptr_uaddr = $u_msg_ptr
+	// msg_len = $msg_len
+	// msg_prio = $msg_prio
+	// abs_timeout_uaddr = $u_abs_timeout
+	// argstr = sprintf("%d, %p, %d, %d, %p", $mqdes, $u_msg_ptr, $msg_len,
+	// 		$msg_prio, $u_abs_timeout)
+	asmlinkage()
+	mqdes = int_arg(1)
+	msg_ptr_uaddr = pointer_arg(2)
+	msg_len = ulong_arg(3)
+	msg_prio = uint_arg(4)
+	abs_timeout_uaddr = pointer_arg(5)
+	argstr = sprintf("%d, %p, %d, %d, %p", mqdes, msg_ptr_uaddr, msg_len,
+			msg_prio, abs_timeout_uaddr)
+}
+probe nd_syscall.mq_timedsend.return = kprobe.function("sys_mq_timedsend").return ?,
+                                       kprobe.function("compat_sys_mq_timedsend").return ?
 {
 	name = "mq_timedsend"
 	retstr = returnstr(1)
@@ -2808,13 +3466,19 @@ probe nd_syscall.mq_timedsend.return =
 # mq_unlink __________________________________________________
 # long sys_mq_unlink(const char __user *u_name)
 #
-probe nd_syscall.mq_unlink = kernel.function("sys_mq_unlink") ? {
+probe nd_syscall.mq_unlink = kprobe.function("sys_mq_unlink") ?
+{
 	name = "mq_unlink"
-	u_name_uaddr = $u_name
-	u_name = user_string($u_name)
-	argstr = user_string_quoted($u_name)
+	// u_name_uaddr = $u_name
+	// u_name = user_string($u_name)
+	// argstr = user_string_quoted($u_name)
+	asmlinkage()
+	u_name_uaddr = pointer_arg(1)
+	u_name = user_string(u_name_uaddr)
+	argstr = user_string_quoted(u_name_uaddr)
 }
-probe nd_syscall.mq_unlink.return = kernel.function("sys_mq_unlink").return ? {
+probe nd_syscall.mq_unlink.return = kprobe.function("sys_mq_unlink").return ?
+{
 	name = "mq_unlink"
 	retstr = returnstr(1)
 }
@@ -2826,22 +3490,28 @@ probe nd_syscall.mq_unlink.return = kernel.function("sys_mq_unlink").return ? {
 #            unsigned long flags,
 #            unsigned long new_addr)
 #
-probe nd_syscall.mremap =
-		kernel.function("sys_mremap") ?,
-		kernel.function("ia64_mremap") ?
+probe nd_syscall.mremap = kprobe.function("sys_mremap") ?,
+                          kprobe.function("ia64_mremap") ?
 {
 	name = "mremap"
-	old_address = $addr
-	old_size = $old_len
-	new_size = $new_len
-	flags = $flags
-	new_address = $new_addr
-	argstr = sprintf("%p, %d, %d, %s, %p", $addr, $old_len, $new_len,
-		_mremap_flags($flags), $new_addr)
-}
-probe nd_syscall.mremap.return =
-		kernel.function("sys_mremap").return ?,
-		kernel.function("ia64_mremap").return ?
+	// old_address = $addr
+	// old_size = $old_len
+	// new_size = $new_len
+	// flags = $flags
+	// new_address = $new_addr
+	// argstr = sprintf("%p, %d, %d, %s, %p", $addr, $old_len, $new_len,
+	// 	_mremap_flags($flags), $new_addr)
+	asmlinkage()
+	old_address = ulong_arg(1)
+	old_size = ulong_arg(2)
+	new_size = ulong_arg(3)
+	flags = ulong_arg(4)
+	new_address = ulong_arg(5)
+	argstr = sprintf("%p, %d, %d, %s, %p", old_address, old_size, new_size,
+		_mremap_flags(flags), new_address)
+}
+probe nd_syscall.mremap.return = kprobe.function("sys_mremap").return ?,
+                                 kprobe.function("ia64_mremap").return ?
 {
 	name = "mremap"
 	retstr = returnstr(2)
@@ -2850,14 +3520,21 @@ probe nd_syscall.mremap.return =
 # msgctl _____________________________________________________
 # long sys_msgctl (int msqid, int cmd, struct msqid_ds __user *buf)
 #
-probe nd_syscall.msgctl = kernel.function("sys_msgctl") ? {
+probe nd_syscall.msgctl = kprobe.function("sys_msgctl") ?
+{
 	name = "msgctl"
-	msqid = $msqid
-	cmd = $cmd
-	buf_uaddr = $buf
-	argstr = sprintf("%d, %d, %p", $msqid, $cmd, $buf)
+	// msqid = $msqid
+	// cmd = $cmd
+	// buf_uaddr = $buf
+	// argstr = sprintf("%d, %d, %p", $msqid, $cmd, $buf)
+	asmlinkage()
+	msqid = int_arg(1)
+	cmd = int_arg(2)
+	buf_uaddr = pointer_arg(3)
+	argstr = sprintf("%d, %d, %p", msqid, cmd, buf_uaddr)
 }
-probe nd_syscall.msgctl.return = kernel.function("sys_msgctl").return ? {
+probe nd_syscall.msgctl.return = kprobe.function("sys_msgctl").return ?
+{
 	name = "msgctl"
 	retstr = returnstr(1)
 }
@@ -2865,11 +3542,15 @@ probe nd_syscall.msgctl.return = kernel.function("sys_msgctl").return ? {
 #
 # long compat_sys_msgctl(int first, int second, void __user *uptr)
 #
-probe nd_syscall.compat_sys_msgctl = kernel.function("compat_sys_msgctl") ? {
+probe nd_syscall.compat_sys_msgctl = kprobe.function("compat_sys_msgctl") ?
+{
 	name = "compat_sys_msgctl"
-	argstr = sprintf("%d, %d, %p", $first, $second, $uptr)
+	// argstr = sprintf("%d, %d, %p", $first, $second, $uptr)
+	asmlinkage()
+	argstr = sprintf("%d, %d, %p", int_arg(1), int_arg(2), pointer_arg(3))
 }
-probe nd_syscall.compat_sys_msgctl.return = kernel.function("compat_sys_msgctl").return ? {
+probe nd_syscall.compat_sys_msgctl.return = kprobe.function("compat_sys_msgctl").return ?
+{
 	name = "compat_sys_msgctl"
 	retstr = returnstr(1)
 }
@@ -2877,14 +3558,21 @@ probe nd_syscall.compat_sys_msgctl.return = kernel.function("compat_sys_msgctl")
 # msgget _____________________________________________________
 # long sys_msgget (key_t key, int msgflg)
 #
-probe nd_syscall.msgget = kernel.function("sys_msgget") ? {
+probe nd_syscall.msgget = kprobe.function("sys_msgget") ?
+{
 	name = "msgget"
-	key = $key
-	msgflg = $msgflg
-	msgflg_str = _sys_open_flag_str($msgflg)
-	argstr = sprintf("%d, %s", $key, _sys_open_flag_str($msgflg))
+	// key = $key
+	// msgflg = $msgflg
+	// msgflg_str = _sys_open_flag_str($msgflg)
+	// argstr = sprintf("%d, %s", $key, _sys_open_flag_str($msgflg))
+	asmlinkage()
+	key = int_arg(1)
+	msgflg = int_arg(2)
+	msgflg_str = _sys_open_flag_str(msgflg)
+	argstr = sprintf("%d, %s", key, _sys_open_flag_str(msgflg))
 }
-probe nd_syscall.msgget.return = kernel.function("sys_msgget").return ? {
+probe nd_syscall.msgget.return = kprobe.function("sys_msgget").return ?
+{
 	name = "msgget"
 	retstr = returnstr(1)
 }
@@ -2896,16 +3584,25 @@ probe nd_syscall.msgget.return = kernel.function("sys_msgget").return ? {
 #             long msgtyp,
 #             int msgflg)
 #
-probe nd_syscall.msgrcv = kernel.function("sys_msgrcv") ? {
+probe nd_syscall.msgrcv = kprobe.function("sys_msgrcv") ?
+{
 	name = "msgrcv"
-	msqid = $msqid
-	msgp_uaddr = $msgp
-	msgsz = $msgsz
-	msgtyp = $msgtyp
-	msgflg = $msgflg
-	argstr = sprintf("%d, %p, %d, %d, %d", $msqid, $msgp, $msgsz, $msgtyp, $msgflg)
-}
-probe nd_syscall.msgrcv.return = kernel.function("sys_msgrcv").return ? {
+	// msqid = $msqid
+	// msgp_uaddr = $msgp
+	// msgsz = $msgsz
+	// msgtyp = $msgtyp
+	// msgflg = $msgflg
+	// argstr = sprintf("%d, %p, %d, %d, %d", $msqid, $msgp, $msgsz, $msgtyp, $msgflg)
+	asmlinkage()
+	msqid = int_arg(1)
+	msgp_uaddr = pointer_arg(2)
+	msgsz = ulong_arg(3)
+	msgtyp = long_arg(4)
+	msgflg = int_arg(5)
+	argstr = sprintf("%d, %p, %d, %d, %d", msqid, msgp_uaddr, msgsz, msgtyp, msgflg)
+}
+probe nd_syscall.msgrcv.return = kprobe.function("sys_msgrcv").return ?
+{
 	name = "msgrcv"
 	retstr = returnstr(1)
 }
@@ -2914,11 +3611,15 @@ probe nd_syscall.msgrcv.return = kernel.function("sys_msgrcv").return ? {
 # long compat_sys_msgrcv(int first, int second, int msgtyp, int third,
 #			int version, void __user *uptr)
 #
-probe nd_syscall.compat_sys_msgrcv = kernel.function("compat_sys_msgrcv") ? {
+probe nd_syscall.compat_sys_msgrcv = kprobe.function("compat_sys_msgrcv") ?
+{
 	name = "compat_sys_msgrcv"
-	argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+	// argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+	asmlinkage()
+	argstr = sprintf("%d, %d, %d, %p", int_arg(1), int_arg(2), int_arg(3), pointer_arg(5))
 }
-probe nd_syscall.compat_sys_msgrcv.return = kernel.function("compat_sys_msgrcv").return ? {
+probe nd_syscall.compat_sys_msgrcv.return = kprobe.function("compat_sys_msgrcv").return ?
+{
 	name = "compat_sys_msgrcv"
 	retstr = returnstr(1)
 }
@@ -2929,15 +3630,23 @@ probe nd_syscall.compat_sys_msgrcv.return = kernel.function("compat_sys_msgrcv")
 #             size_t msgsz,
 #             int msgflg)
 #
-probe nd_syscall.msgsnd = kernel.function("sys_msgsnd") ? {
+probe nd_syscall.msgsnd = kprobe.function("sys_msgsnd") ?
+{
 	name = "msgsnd"
-	msqid = $msqid
-	msgp_uaddr = $msgp
-	msgsz = $msgsz
-	msgflg = $msgflg
-	argstr = sprintf("%d, %p, %d, %d", $msqid, $msgp, $msgsz, $msgflg)
+	// msqid = $msqid
+	// msgp_uaddr = $msgp
+	// msgsz = $msgsz
+	// msgflg = $msgflg
+	// argstr = sprintf("%d, %p, %d, %d", $msqid, $msgp, $msgsz, $msgflg)
+	asmlinkage()
+	msqid = int_arg(1)
+	msgp_uaddr = pointer_arg(2)
+	msgsz = ulong_arg(3)
+	msgflg = int_arg(4)
+	argstr = sprintf("%d, %p, %d, %d", msqid, msgp_uaddr, msgsz, msgflg)
 }
-probe nd_syscall.msgsnd.return = kernel.function("sys_msgsnd").return ? {
+probe nd_syscall.msgsnd.return = kprobe.function("sys_msgsnd").return ?
+{
 	name = "msgsnd"
 	retstr = returnstr(1)
 }
@@ -2945,62 +3654,84 @@ probe nd_syscall.msgsnd.return = kernel.function("sys_msgsnd").return ? {
 #
 # long compat_sys_msgsnd(int first, int second, int third, void __user *uptr)
 #
-probe nd_syscall.compat_sys_msgsnd = kernel.function("compat_sys_msgsnd") ? {
+probe nd_syscall.compat_sys_msgsnd = kprobe.function("compat_sys_msgsnd") ?
+{
 	name = "compat_sys_msgsnd"
-	argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+	// argstr = sprintf("%d, %d, %d, %p", $first, $second, $third, $uptr)
+	asmlinkage()
+	argstr = sprintf("%d, %d, %d, %p", int_arg(1), int_arg(2), int_arg(3), pointer_arg(4))
 }
-probe nd_syscall.compat_sys_msgsnd.return = kernel.function("compat_sys_msgsnd").return ? {
+probe nd_syscall.compat_sys_msgsnd.return = kprobe.function("compat_sys_msgsnd").return ?
+{
 	name = "compat_sys_msgsnd"
 	retstr = returnstr(1)
 }
 
 # msync ______________________________________________________
 # long sys_msync(unsigned long start, size_t len, int flags)
-probe nd_syscall.msync = kernel.function("sys_msync") ? {
+probe nd_syscall.msync = kprobe.function("sys_msync") ?
+{
 	name = "msync"
-	start = $start
-	length = $len
-	flags = $flags
-	argstr = sprintf("%p, %d, %s",start, length, _msync_flag_str(flags))
+	// start = $start
+	// length = $len
+	// flags = $flags
+	asmlinkage()
+	start = ulong_arg(1)
+	length = ulong_arg(2)
+	flags = int_arg(3)
+	argstr = sprintf("%p, %d, %s", start, length, _msync_flag_str(flags))
 }
-probe nd_syscall.msync.return = kernel.function("sys_msync").return ? {
+probe nd_syscall.msync.return = kprobe.function("sys_msync").return ?
+{
 	name = "msync"
 	retstr = returnstr(1)
 }
 
 # munlock ____________________________________________________
 # long sys_munlock(unsigned long start, size_t len)
-probe nd_syscall.munlock = kernel.function("sys_munlock") ? {
+probe nd_syscall.munlock = kprobe.function("sys_munlock") ?
+{
 	name = "munlock"
-	addr = $start
-	len = $len
+	// addr = $start
+	// len = $len
+	asmlinkage()
+	addr = ulong_arg(1)
+	len = ulong_arg(2)
 	argstr = sprintf("%p, %d", addr, len)
 }
-probe nd_syscall.munlock.return = kernel.function("sys_munlock").return ? {
+probe nd_syscall.munlock.return = kprobe.function("sys_munlock").return ?
+{
 	name = "munlock"
 	retstr = returnstr(1)
 }
 
 # munlockall _________________________________________________
 # long sys_munlockall(void)
-probe nd_syscall.munlockall = kernel.function("sys_munlockall") ? {
+probe nd_syscall.munlockall = kprobe.function("sys_munlockall") ?
+{
 	name = "munlockall"
 	argstr = ""
 }
-probe nd_syscall.munlockall.return = kernel.function("sys_munlockall").return ? {
+probe nd_syscall.munlockall.return = kprobe.function("sys_munlockall").return ?
+{
 	name = "munlockall"
 	retstr = returnstr(1)
 }
 
 # munmap _____________________________________________________
 # long sys_munmap(unsigned long addr, size_t len)
-probe nd_syscall.munmap = kernel.function("sys_munmap") {
+probe nd_syscall.munmap = kprobe.function("sys_munmap")
+{
 	name = "munmap"
-	start = $addr
-	length = $len
+	// start = $addr
+	// length = $len
+	asmlinkage()
+	start = ulong_arg(1)
+	length = ulong_arg(2)
 	argstr = sprintf("%p, %d", start, length)
 }
-probe nd_syscall.munmap.return = kernel.function("sys_munmap").return {
+probe nd_syscall.munmap.return = kprobe.function("sys_munmap").return
+{
 	name = "munmap"
 	retstr = returnstr(1)
 }
-- 
1.5.6.5


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]