Fix the parameter error issue of the uprobe type hook. (#665)

fix:#664 , In the cilium/ebpf library, starting from version 0.10, the meaning of the Offset field in the UprobeOptions attribute has changed, and a new Address parameter has been added. Update the assignment of all fields. Signed-off-by: CFC4N <[email protected]>
gojue · Nov 13, 2024 · 29bff39 · 29bff39
1 parent 8fac90b
commit 29bff39
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 18 deletions.
diff --git a/COMPILATION_CN.md b/COMPILATION_CN.md
@@ -26,7 +26,8 @@
 
 # 编译方法
 
-针对个别程序使用的openssl类库是静态编译，也可以自行修改源码实现。若函数名不在符号表里，也可以自行反编译找到函数的offset偏移地址，填写到`UprobeOffset`
+针对个别程序使用的openssl类库是静态编译，也可以自行修改源码实现。若函数名不在符号表里，也可以自行反编译找到函数的offset偏移地址，填写到
+`Uaddress`
 属性上，进行编译。
 笔者环境`ubuntu 21.04`， Linux Kernel 4.18以上通用。
 **推荐使用`UBUNTU 20.04` 及以上版本的Linux测试。**

diff --git a/pkg/event_processor/processor.go b/pkg/event_processor/processor.go
@@ -15,7 +15,6 @@
 package event_processor
 
 import (
-	"errors"
 	"fmt"
 	"github.com/gojue/ecapture/user/event"
 	"io"
@@ -64,8 +63,9 @@ func (ep *EventProcessor) Serve() error {
 		case eventStruct := <-ep.incoming:
 			err = ep.dispatch(eventStruct)
 			if err != nil {
-				err1 := ep.Close()
-				return errors.Join(err, err1)
+				//err1 := ep.Close()
+				//return errors.Join(err, err1)
+				return err
 			}
 		case s := <-ep.outComing:
 			_, _ = ep.GetLogger().Write([]byte(s))
@@ -141,6 +141,9 @@ func (ep *EventProcessor) Write(e event.IEventStruct) {
 func (ep *EventProcessor) Close() error {
 	ep.Lock()
 	defer ep.Unlock()
+	if ep.isClosed {
+		return nil
+	}
 	ep.isClosed = true
 	close(ep.closeChan)
 	close(ep.incoming)

diff --git a/user/module/probe_bash.go b/user/module/probe_bash.go
@@ -165,7 +165,7 @@ func (b *MBashProbe) setupManagers() {
 				Section:          "uretprobe/bash_readline",
 				EbpfFuncName:     "uretprobe_bash_readline",
 				AttachToFuncName: readlineFuncName,
-				//UprobeOffset: 0x8232, 	//若找不到 readline 函数，则使用offset偏移地址方式。
+				//UAddress: 0x8232, 	//若找不到 readline 函数，则使用offset偏移地址方式。
 				BinaryPath: binaryPath, // 可能是 /bin/bash 也可能是 readline.so的真实地址
 			},
 			{

diff --git a/user/module/probe_gotls_text.go b/user/module/probe_gotls_text.go
@@ -89,9 +89,8 @@ func (g *GoTLSProbe) setupManagersText() error {
 			EbpfFuncName:     readFn,
 			AttachToFuncName: config.GoTlsReadFunc,
 			BinaryPath:       g.path,
-			//UprobeOffset:     uint64(v),
-			UAddress: uint64(v),
-			UID:      uid,
+			UAddress:         uint64(v),
+			UID:              uid,
 		})
 	}
 	g.bpfManagerOptions = manager.Options{

diff --git a/user/module/probe_mysqld.go b/user/module/probe_mysqld.go
@@ -136,14 +136,14 @@ func (m *MMysqldProbe) setupManagers() error {
 				Section:          "uprobe/dispatch_command_57",
 				EbpfFuncName:     "mysql57_query",
 				AttachToFuncName: attachFunc,
-				UprobeOffset:     offset,
+				UAddress:         offset,
 				BinaryPath:       binaryPath,
 			},
 			{
 				Section:          "uretprobe/dispatch_command_57",
 				EbpfFuncName:     "mysql57_query_return",
 				AttachToFuncName: attachFunc,
-				UprobeOffset:     offset,
+				UAddress:         offset,
 				BinaryPath:       binaryPath,
 			},
 		}
@@ -153,14 +153,14 @@ func (m *MMysqldProbe) setupManagers() error {
 				Section:          "uprobe/dispatch_command_57", //TODO CHANGE to mysqld80 @CFC4N
 				EbpfFuncName:     "mysql57_query",
 				AttachToFuncName: attachFunc,
-				UprobeOffset:     offset,
+				UAddress:         offset,
 				BinaryPath:       binaryPath,
 			},
 			{
 				Section:          "uretprobe/dispatch_command_57",
 				EbpfFuncName:     "mysql57_query_return",
 				AttachToFuncName: attachFunc,
-				UprobeOffset:     offset,
+				UAddress:         offset,
 				BinaryPath:       binaryPath,
 			},
 		}
@@ -170,14 +170,14 @@ func (m *MMysqldProbe) setupManagers() error {
 				Section:          "uprobe/dispatch_command",
 				EbpfFuncName:     "mysql56_query",
 				AttachToFuncName: attachFunc,
-				UprobeOffset:     offset,
+				UAddress:         offset,
 				BinaryPath:       binaryPath,
 			},
 			{
 				Section:          "uretprobe/dispatch_command",
 				EbpfFuncName:     "mysql56_query_return",
 				AttachToFuncName: attachFunc,
-				UprobeOffset:     offset,
+				UAddress:         offset,
 				BinaryPath:       binaryPath,
 			},
 		}
@@ -193,7 +193,7 @@ func (m *MMysqldProbe) setupManagers() error {
 	}
 
 	m.logger.Info().Str("binrayPath", binaryPath).Str("FunctionName", attachFunc).
-		Str("Version", versionInfo).Uint64("UprobeOffset", offset).Msg("Mysql Probe Hooked")
+		Str("Version", versionInfo).Uint64("UAddress", offset).Msg("Mysql Probe Hooked")
 	m.bpfManagerOptions = manager.Options{
 		DefaultKProbeMaxActive: 512,
 

diff --git a/user/module/probe_openssl.go b/user/module/probe_openssl.go
@@ -43,8 +43,8 @@ const (
 	DefaultAddr  = "0.0.0.0"
 	// OpenSSL the classes of BIOs
 	// https://github.com/openssl/openssl/blob/openssl-3.0.0/include/openssl/bio.h.in
-	BIO_TYPE_DESCRIPTOR  = 0x0100
-	BIO_TYPE_SOURCE_SINK = 0x0400
+	BioTypeDescriptor = 0x0100
+	BioTypeSourceSink = 0x0400
 )
 
 type Tls13MasterSecret struct {
@@ -653,7 +653,7 @@ func (m *MOpenSSLProbe) Dispatcher(eventStruct event.IEventStruct) {
 
 func (m *MOpenSSLProbe) dumpSslData(eventStruct *event.SSLDataEvent) {
 	// BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR = 0x0400|0x0100 = 1280
-	if eventStruct.Fd <= 0 && eventStruct.BioType > BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR {
+	if eventStruct.Fd <= 0 && eventStruct.BioType > BioTypeSourceSink|BioTypeDescriptor {
 		m.logger.Error().Uint32("pid", eventStruct.Pid).Uint32("fd", eventStruct.Fd).Str("address", eventStruct.Addr).Msg("SSLDataEvent's fd is 0")
 		//return
 	}