add after_read

SeeFlowerX · Dec 10, 2022 · 7da18cc · 7da18cc
1 parent 33e394d
commit 7da18cc
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -143,4 +143,5 @@ adb shell chmod +x /data/local/tmp/estrace
 
 - [ehids/ebpfmanager](https://github.com/ehids/ebpfmanager)
 - [cilium/ebpf](https://github.com/cilium/ebpf)
-- [maiyao1988/ebpf-plugin](https://github.com/maiyao1988/ebpf-plugin)
+- [maiyao1988/ebpf-plugin](https://github.com/maiyao1988/ebpf-plugin)
+- 感谢r0ysue反馈补充的bypass路径
diff --git a/app/config/config_filter.go b/app/config/config_filter.go
@@ -11,6 +11,7 @@ type Filter struct {
     pid                    uint32
     is_32bit               uint32
     try_bypass             uint32
+    after_read             uint32
     tid_blacklist_mask     uint32
     tid_blacklist          [MAX_COUNT]uint32
     syscall_mask           uint32
@@ -87,3 +88,11 @@ func (this *Filter) SetByPass(try_bypass bool) {
         this.try_bypass = 0
     }
 }
+
+func (this *Filter) SetAfterRead(after_read bool) {
+    if after_read {
+        this.after_read = 1
+    } else {
+        this.after_read = 0
+    }
+}
diff --git a/app/config/config_global.go b/app/config/config_global.go
@@ -4,6 +4,7 @@ const MAX_COUNT = 10
 
 type GlobalConfig struct {
     Quiet       bool
+    AfterRead   bool
     Name        string
     GetLR       bool
     GetPC       bool
@@ -36,6 +37,7 @@ func (this *GlobalConfig) GetFilter(systable_config SysTableConfig) (Filter, err
     filter.SetPid(uint32(this.Pid))
     filter.SetArch(this.Is32Bit)
     filter.SetByPass(this.Bypass)
+    filter.SetAfterRead(this.AfterRead)
     var err error = nil
     if this.SysCall != "" {
         err = filter.SetSysCall(this.SysCall, systable_config)

diff --git a/app/module/module.go b/app/module/module.go
@@ -329,6 +329,9 @@ func (this *Module) Decode(em *ebpf.Map, payload []byte) (event event.SyscallDat
 		this.logger.Printf("%s arg_index:%d arg_ret_str:%s\n", base_str, data.arg_index, strings.TrimSpace(arg_str))
 	case 5:
 		this.logger.Printf("%s ret:0x%x\n", base_str, data.ret)
+	case 6:
+		arg_str := strings.SplitN(string(bytes.Trim(data.arg_str[:], "\x00")), "\x00", 2)[0]
+		this.logger.Printf("%s arg_index:%d arg_after_str:%s\n", base_str, data.arg_index, strings.TrimSpace(arg_str))
 	}
 
 	return event, nil

diff --git a/cli/cmd/root.go b/cli/cmd/root.go
@@ -222,4 +222,5 @@ func init() {
 	rootCmd.PersistentFlags().BoolVarP(&global_config.GetPC, "getpc", "", false, "try get pc info")
 	rootCmd.PersistentFlags().BoolVarP(&global_config.Debug, "debug", "d", false, "enable debug logging")
 	rootCmd.PersistentFlags().BoolVarP(&global_config.Quiet, "quiet", "q", false, "wont logging to terminal when used")
+	rootCmd.PersistentFlags().BoolVarP(&global_config.AfterRead, "after", "a", false, "read arg str after syscall")
 }
diff --git a/src/raw_syscalls.c b/src/raw_syscalls.c
@@ -56,6 +56,7 @@ struct filter_t {
     u32 pid;
     u32 is_32bit;
     u32 try_bypass;
+    u32 after_read;
     u32 tid_blacklist_mask;
     u32 tid_blacklist[MAX_COUNT];
     u32 syscall_mask;
@@ -410,18 +411,37 @@ int raw_syscalls_sys_exit(struct bpf_raw_tracepoint_args* ctx) {
         }
     }
 
-    struct arg_mask_t* arg_ret_mask = bpf_map_lookup_elem(&arg_ret_mask_map, &data->syscall_id);
-    if (arg_ret_mask == NULL) {
-        return 0;
-    }
-
     // 获取线程名
     __builtin_memset(&data->comm, 0, sizeof(data->comm));
     bpf_get_current_comm(&data->comm, sizeof(data->comm));
     // 基本信息
     data->pid = pid;
     data->tid = tid;
 
+    // 获取字符串参数类型配置
+    struct arg_mask_t* arg_mask = bpf_map_lookup_elem(&arg_mask_map, &data->syscall_id);
+    if (arg_mask == NULL) {
+        return 0;
+    }
+    if (filter->after_read) {
+        data->type = 6;
+        #pragma unroll
+        for (int i = 0; i < 6; i++) {
+            bpf_probe_read_kernel(&data->args[i], sizeof(u64), &regs->regs[i]);
+            if (arg_mask->mask & (1 << i)) {
+                data->arg_index = i;
+                __builtin_memset(&data->arg_str, 0, sizeof(data->arg_str));
+                bpf_probe_read_user(data->arg_str, sizeof(data->arg_str), (void*)data->args[i]);
+                send_data_arg_str(ctx, data, data->args[i]);
+            }
+        }
+    }
+
+    struct arg_mask_t* arg_ret_mask = bpf_map_lookup_elem(&arg_ret_mask_map, &data->syscall_id);
+    if (arg_ret_mask == NULL) {
+        return 0;
+    }
+
     // 获取syscall执行后才会有内容的字符串参数 比如重定向检测
     data->type = 4;
     #pragma unroll