eBPF on Linux: kprobe vs fentry (tracing) — Hooking Internals & Assembly Analysis

Technical deep-dive comparing kprobe and fentry eBPF program attachment in the Linux kernel: how each probe loads, where the hook lands in machine code, and what overhead each carries.

August 4, 2025
Harrison Guo
Video by: HarrisonSecurityLab
Published on YouTube: 2025-08-04
eBPF Linux Kernel kprobe fentry Kernel Tracing Observability Assembly

Two ways to attach an eBPF program to a kernel function: kprobe (the older mechanism, INT3-based, with more overhead) and fentry (the newer mechanism, built on a BPF trampoline, with lower overhead). This video disassembles both attachment paths so you can see exactly where each hook intercepts the function and why fentry is the production-grade choice.

Foundation work for the SentinelEdge project — anything serious about kernel-level observability ends up here.
