From 7da18cc5b27f8c4ce1a343155c85b1f2ebe07c7f Mon Sep 17 00:00:00 2001
From: sfx
Date: Sat, 10 Dec 2022 07:31:42 -0800
Subject: [PATCH] add after_read
---
 README.md | 3 ++-
 app/config/config_filter.go | 9 +++++++++
 app/config/config_global.go | 2 ++
 app/module/module.go | 3 +++
 cli/cmd/root.go | 1 +
 src/raw_syscalls.c | 30 +++++++++++++++++++++++++-----
 6 files changed, 42 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 75a1b31..f4f01bd 100644
--- a/README.md
+++ b/README.md
@@ -143,4 +143,5 @@ adb shell chmod +x /data/local/tmp/estrace
 - [ehids/ebpfmanager](https://github.com/ehids/ebpfmanager)
 - [cilium/ebpf](https://github.com/cilium/ebpf)
-- [maiyao1988/ebpf-plugin](https://github.com/maiyao1988/ebpf-plugin)
\ No newline at end of file
+- [maiyao1988/ebpf-plugin](https://github.com/maiyao1988/ebpf-plugin)
+- 感谢r0ysue反馈补充的bypass路径
\ No newline at end of file
diff --git a/app/config/config_filter.go b/app/config/config_filter.go
index 0a96ad7..943d6f3 100644
--- a/app/config/config_filter.go
+++ b/app/config/config_filter.go
@@ -11,6 +11,7 @@ type Filter struct {
 pid uint32
 is_32bit uint32
 try_bypass uint32
+ after_read uint32
 tid_blacklist_mask uint32
 tid_blacklist [MAX_COUNT]uint32
 syscall_mask uint32
@@ -87,3 +88,11 @@ func (this *Filter) SetByPass(try_bypass bool) {
 this.try_bypass = 0
 }
 }
+
+func (this *Filter) SetAfterRead(after_read bool) {
+ if after_read {
+ this.after_read = 1
+ } else {
+ this.after_read = 0
+ }
+}
diff --git a/app/config/config_global.go b/app/config/config_global.go
index e2505da..582ab61 100644
--- a/app/config/config_global.go
+++ b/app/config/config_global.go
@@ -4,6 +4,7 @@ const MAX_COUNT = 10
 type GlobalConfig struct {
 Quiet bool
+ AfterRead bool
 Name string
 GetLR bool
 GetPC bool
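Review bot: SetAfterRead in the second config_filter.go hunk has no doc comment, and nothing in that file says what the flag changes; the field is consumed as a u32 flag by the eBPF program (`filter->after_read` in raw_syscalls.c, where it enables re-reading string arguments in the sys_exit handler), so a one-liner such as `// SetAfterRead sets the after_read flag consumed by the eBPF filter; when set, string arguments are read again after the syscall returns.` would tell a reader where the value ends up. The bool-to-0/1 shape mirrors SetByPass directly above it, so the style itself is consistent with the file.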
@@ -36,6 +37,7 @@ func (this *GlobalConfig) GetFilter(systable_config SysTableConfig) (Filter, err
 filter.SetPid(uint32(this.Pid))
 filter.SetArch(this.Is32Bit)
 filter.SetByPass(this.Bypass)
+ filter.SetAfterRead(this.AfterRead)
 var err error = nil
 if this.SysCall != "" {
 err = filter.SetSysCall(this.SysCall, systable_config)
diff --git a/app/module/module.go b/app/module/module.go
index 8c1a1a5..939713f 100644
--- a/app/module/module.go
+++ b/app/module/module.go
@@ -329,6 +329,9 @@ func (this *Module) Decode(em *ebpf.Map, payload []byte) (event event.SyscallDat
 this.logger.Printf("%s arg_index:%d arg_ret_str:%s\n", base_str, data.arg_index, strings.TrimSpace(arg_str))
 case 5:
 this.logger.Printf("%s ret:0x%x\n", base_str, data.ret)
+ case 6:
+ arg_str := strings.SplitN(string(bytes.Trim(data.arg_str[:], "\x00")), "\x00", 2)[0]
+ this.logger.Printf("%s arg_index:%d arg_after_str:%s\n", base_str, data.arg_index, strings.TrimSpace(arg_str))
 }
 return event, nil
diff --git a/cli/cmd/root.go b/cli/cmd/root.go
index d7c2fa3..27380eb 100644
--- a/cli/cmd/root.go
+++ b/cli/cmd/root.go
@@ -222,4 +222,5 @@ func init() {
 rootCmd.PersistentFlags().BoolVarP(&global_config.GetPC, "getpc", "", false, "try get pc info")
 rootCmd.PersistentFlags().BoolVarP(&global_config.Debug, "debug", "d", false, "enable debug logging")
 rootCmd.PersistentFlags().BoolVarP(&global_config.Quiet, "quiet", "q", false, "wont logging to terminal when used")
+ rootCmd.PersistentFlags().BoolVarP(&global_config.AfterRead, "after", "a", false, "read arg str after syscall")
 }
diff --git a/src/raw_syscalls.c b/src/raw_syscalls.c
index 58410ec..bda3712 100644
--- a/src/raw_syscalls.c
+++ b/src/raw_syscalls.c
@@ -56,6 +56,7 @@ struct filter_t {
 u32 pid;
 u32 is_32bit;
 u32 try_bypass;
+ u32 after_read;
 u32 tid_blacklist_mask;
 u32 tid_blacklist[MAX_COUNT];
 u32 syscall_mask;
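Review bot: `case 6` in the module.go hunk adds a third bare magic value for `data.type` next to 4 and 5, and nothing on the Go side says that 6 is the string argument re-read after the syscall returned (the producer is `data->type = 6` under `filter->after_read` in raw_syscalls.c). A comment on the case, `// type 6: string argument re-read after the syscall returned (after_read flag, see raw_syscalls.c)`, or named constants shared by the whole switch would make the decode readable without opening the C file. The `bytes.Trim`/`strings.SplitN` expression looks like the same decode the other string cases perform, so it could become a small helper, though those bodies are not in the hunk. Decode starts and ends outside this hunk.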
@@ -410,11 +411,6 @@ int raw_syscalls_sys_exit(struct bpf_raw_tracepoint_args* ctx) {
 }
 }
- struct arg_mask_t* arg_ret_mask = bpf_map_lookup_elem(&arg_ret_mask_map, &data->syscall_id);
- if (arg_ret_mask == NULL) {
- return 0;
- }
-
 // 获取线程名
 __builtin_memset(&data->comm, 0, sizeof(data->comm));
 bpf_get_current_comm(&data->comm, sizeof(data->comm));
@@ -422,6 +418,30 @@ int raw_syscalls_sys_exit(struct bpf_raw_tracepoint_args* ctx) {
 data->pid = pid;
 data->tid = tid;
+ // 获取字符串参数类型配置
+ struct arg_mask_t* arg_mask = bpf_map_lookup_elem(&arg_mask_map, &data->syscall_id);
+ if (arg_mask == NULL) {
+ return 0;
+ }
+ if (filter->after_read) {
+ data->type = 6;
+ #pragma unroll
+ for (int i = 0; i < 6; i++) {
+ bpf_probe_read_kernel(&data->args[i], sizeof(u64), &regs->regs[i]);
+ if (arg_mask->mask & (1 << i)) {
+ data->arg_index = i;
+ __builtin_memset(&data->arg_str, 0, sizeof(data->arg_str));
+ bpf_probe_read_user(data->arg_str, sizeof(data->arg_str), (void*)data->args[i]);
+ send_data_arg_str(ctx, data, data->args[i]);
+ }
+ }
+ }
+
+ struct arg_mask_t* arg_ret_mask = bpf_map_lookup_elem(&arg_ret_mask_map, &data->syscall_id);
+ if (arg_ret_mask == NULL) {
+ return 0;
+ }
+
 // 获取syscall执行后才会有内容的字符串参数 比如重定向检测
 data->type = 4;
 #pragma unroll
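Review bot: The new arg_mask lookup and its `return 0` sit outside the `if (filter->after_read)` branch in the second raw_syscalls.c hunk, so even with the flag off the sys_exit handler now exits before the arg_ret_mask (type 4) path for any syscall_id that has no entry in arg_mask_map, whereas the removed code only gated that path on arg_ret_mask_map. Unless every key of arg_ret_mask_map is guaranteed to also exist in arg_mask_map — which the hunk cannot show — this silently drops the after-syscall string events that the type 4 block emits. Moving the lookup inside the branch and skipping the block instead of returning keeps the old behaviour when after_read is off. Separately, the result of `bpf_probe_read_user` is not checked, so a failed read still sends an event whose zeroed buffer the Go side logs as an empty argument, indistinguishable from a genuinely empty string. raw_syscalls_sys_exit starts and ends outside this hunk.
```c
if (filter->after_read) {
    // 获取字符串参数类型配置
    struct arg_mask_t* arg_mask = bpf_map_lookup_elem(&arg_mask_map, &data->syscall_id);
    if (arg_mask != NULL) {
        data->type = 6;
        #pragma unroll
        for (int i = 0; i < 6; i++) {
            /* … unchanged: read regs[i], probe_read_user of masked args, send_data_arg_str … */
        }
    }
}
/* … unchanged: arg_ret_mask lookup and the type 4 block … */
```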