add --getpc option

SeeFlowerX · Dec 4, 2022 · 6230be2 · 6230be2
1 parent 56d04e8
commit 6230be2
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 0 deletions.
diff --git a/app/config/config_global.go b/app/config/config_global.go
@@ -6,6 +6,7 @@ type GlobalConfig struct {
     Quiet       bool
     Name        string
     GetLR       bool
+    GetPC       bool
     Debug       bool
     Uid         uint64
     Pid         uint64

diff --git a/app/module/module.go b/app/module/module.go
@@ -284,6 +284,12 @@ func (this *Module) Decode(em *ebpf.Map, payload []byte) (event event.SyscallDat
 				this.logger.Printf("ParseLR err:%v\n", err)
 			}
 			this.logger.Printf("%s %s LR:%s\n", base_str, this.ReadArgs(*data), info)
+		} else if this.conf.GetPC {
+			info, err := this.ParsePC(*data)
+			if err != nil {
+				this.logger.Printf("ParsePC err:%v\n", err)
+			}
+			this.logger.Printf("%s %s PC:%s\n", base_str, this.ReadArgs(*data), info)
 		} else {
 			this.logger.Printf("%s %s\n", base_str, this.ReadArgs(*data))
 		}
@@ -333,6 +339,37 @@ func (this *Module) ParseLR(data syscall_data) (string, error) {
 	return info, err
 }
 
+func (this *Module) ParsePC(data syscall_data) (string, error) {
+	info := "UNKNOWN"
+	// 直接读取maps信息 计算pc在什么地方 定位syscall调用也就一目了然了
+	filename := fmt.Sprintf("/proc/%d/maps", data.pid)
+	content, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return info, fmt.Errorf("Error when opening file:%v", err)
+	}
+	var (
+		seg_start  uint64
+		seg_end    uint64
+		permission string
+		seg_offset uint64
+		device     string
+		inode      uint64
+		seg_path   string
+	)
+	for _, line := range strings.Split(string(content), "\n") {
+		reader := strings.NewReader(line)
+		n, err := fmt.Fscanf(reader, "%x-%x %s %x %s %d %s", &seg_start, &seg_end, &permission, &seg_offset, &device, &inode, &seg_path)
+		if err == nil && n == 7 {
+			if data.pc >= seg_start && data.pc < seg_end {
+				offset := seg_offset + (data.pc - seg_start)
+				info = fmt.Sprintf("%s + 0x%x", seg_path, offset)
+				break
+			}
+		}
+	}
+	return info, err
+}
+
 func (this *Module) ReadArgs(data syscall_data) string {
 	config := this.systable_config[fmt.Sprintf("%d", data.syscall_id)]
 	regs := make(map[string]string)

diff --git a/cli/cmd/root.go b/cli/cmd/root.go
@@ -219,6 +219,7 @@ func init() {
 	rootCmd.PersistentFlags().BoolVarP(&global_config.NoUidFilter, "no-uid-filter", "", false, "ignore uid filter")
 	rootCmd.PersistentFlags().BoolVarP(&global_config.Bypass, "bypass", "", false, "try bypass root check")
 	rootCmd.PersistentFlags().BoolVarP(&global_config.GetLR, "getlr", "", false, "try get lr info")
+	rootCmd.PersistentFlags().BoolVarP(&global_config.GetPC, "getpc", "", false, "try get pc info")
 	rootCmd.PersistentFlags().BoolVarP(&global_config.Debug, "debug", "d", false, "enable debug logging")
 	rootCmd.PersistentFlags().BoolVarP(&global_config.Quiet, "quiet", "q", false, "wont logging to terminal when used")
 }