From 29bff39ff8af7f9bd884684477785fe0c969aa26 Mon Sep 17 00:00:00 2001 From: CFC4N Date: Wed, 13 Nov 2024 23:27:20 +0800 Subject: [PATCH] Fix the parameter error issue of the uprobe type hook. (#665) fix:#664 , In the cilium/ebpf library, starting from version 0.10, the meaning of the Offset field in the UprobeOptions attribute has changed, and a new Address parameter has been added. Update the assignment of all fields. Signed-off-by: CFC4N --- COMPILATION_CN.md | 3 ++- pkg/event_processor/processor.go | 9 ++++++--- user/module/probe_bash.go | 2 +- user/module/probe_gotls_text.go | 5 ++--- user/module/probe_mysqld.go | 14 +++++++------- user/module/probe_openssl.go | 6 +++--- 6 files changed, 21 insertions(+), 18 deletions(-) diff --git a/COMPILATION_CN.md b/COMPILATION_CN.md index 481119b93..cbac89726 100644 --- a/COMPILATION_CN.md +++ b/COMPILATION_CN.md @@ -26,7 +26,8 @@ # 编译方法 -针对个别程序使用的openssl类库是静态编译,也可以自行修改源码实现。若函数名不在符号表里,也可以自行反编译找到函数的offset偏移地址,填写到`UprobeOffset` +针对个别程序使用的openssl类库是静态编译,也可以自行修改源码实现。若函数名不在符号表里,也可以自行反编译找到函数的offset偏移地址,填写到 +`Uaddress` 属性上,进行编译。 笔者环境`ubuntu 21.04`, Linux Kernel 4.18以上通用。 **推荐使用`UBUNTU 20.04` 及以上版本的Linux测试。** diff --git a/pkg/event_processor/processor.go b/pkg/event_processor/processor.go index 6c13300ec..d4018df48 100644 --- a/pkg/event_processor/processor.go +++ b/pkg/event_processor/processor.go @@ -15,7 +15,6 @@ package event_processor import ( - "errors" "fmt" "github.com/gojue/ecapture/user/event" "io" @@ -64,8 +63,9 @@ func (ep *EventProcessor) Serve() error { case eventStruct := <-ep.incoming: err = ep.dispatch(eventStruct) if err != nil { - err1 := ep.Close() - return errors.Join(err, err1) + //err1 := ep.Close() + //return errors.Join(err, err1) + return err } case s := <-ep.outComing: _, _ = ep.GetLogger().Write([]byte(s)) 
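Review bot: The new `return err` in Serve's dispatch branch leaves two commented-out lines (`//err1 := ep.Close()`, `//return errors.Join(err, err1)`) with no explanation of why a dispatch error no longer closes the processor; dead code in comments should be deleted and the reason recorded instead, e.g. `// A dispatch error ends Serve without closing; the owner is expected to call Close.` if that is the intent. Since the -141 hunk in the same file makes Close idempotent, the double-close that presumably motivated dropping the call would no longer occur, so keeping the Close call may be the better option. On this path closeChan and incoming stay open until someone else calls Close; whether anything would otherwise block on them is not visible here. Serve's select loop continues outside the hunk.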
@@ -141,6 +141,9 @@ func (ep *EventProcessor) Write(e event.IEventStruct) {
 func (ep *EventProcessor) Close() error {
 ep.Lock()
 defer ep.Unlock()
+ if ep.isClosed {
+ return nil
+ }
 ep.isClosed = true
 close(ep.closeChan)
 close(ep.incoming)
diff --git a/user/module/probe_bash.go b/user/module/probe_bash.go
index 6caa03ebe..24208570f 100644
--- a/user/module/probe_bash.go
+++ b/user/module/probe_bash.go
@@ -165,7 +165,7 @@ func (b *MBashProbe) setupManagers() {
 Section: "uretprobe/bash_readline",
 EbpfFuncName: "uretprobe_bash_readline",
 AttachToFuncName: readlineFuncName,
- //UprobeOffset: 0x8232, //若找不到 readline 函数,则使用offset偏移地址方式。
+ //UAddress: 0x8232, //若找不到 readline 函数,则使用offset偏移地址方式。
 BinaryPath: binaryPath, // 可能是 /bin/bash 也可能是 readline.so的真实地址
 },
 {
diff --git a/user/module/probe_gotls_text.go b/user/module/probe_gotls_text.go
index ebe952be5..545d5d22f 100644
--- a/user/module/probe_gotls_text.go
+++ b/user/module/probe_gotls_text.go
@@ -89,9 +89,8 @@ func (g *GoTLSProbe) setupManagersText() error {
 EbpfFuncName: readFn,
 AttachToFuncName: config.GoTlsReadFunc,
 BinaryPath: g.path,
- //UprobeOffset: uint64(v),
- UAddress: uint64(v),
- UID: uid,
+ UAddress: uint64(v),
+ UID: uid,
 })
 }
 g.bpfManagerOptions = manager.Options{
diff --git a/user/module/probe_mysqld.go b/user/module/probe_mysqld.go
index ae892bd08..84d4f48ff 100644
--- a/user/module/probe_mysqld.go
+++ b/user/module/probe_mysqld.go
@@ -136,14 +136,14 @@ func (m *MMysqldProbe) setupManagers() error {
 Section: "uprobe/dispatch_command_57",
 EbpfFuncName: "mysql57_query",
 AttachToFuncName: attachFunc,
- UprobeOffset: offset,
+ UAddress: offset,
 BinaryPath: binaryPath,
 },
 {
 Section: "uretprobe/dispatch_command_57",
 EbpfFuncName: "mysql57_query_return",
 AttachToFuncName: attachFunc,
- UprobeOffset: offset,
+ UAddress: offset,
 BinaryPath: binaryPath,
 },
 }
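Review bot: The added `if ep.isClosed { return nil }` guard makes Close idempotent, but that contract is not documented on the exported method, whose doc comment (if any) sits above the hunk. Suggest a doc comment such as `// Close is idempotent: the first call marks the processor closed and closes closeChan and incoming; later calls return nil.` Close's body continues past the last hunk line.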
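Review bot: `UAddress: offset` now hands the value to the library's Address field while the local is still called `offset`, and only the log key in the -193 hunk is renamed, so a reader can no longer tell whether this is an absolute address or a symbol-relative offset; the same applies to the -153 and -170 hunks. If, as the commit message says, Address is the absolute symbol location, rename the local to `address` where it is resolved (above the hunk) or add a comment at its first use: `// offset is the absolute address of attachFunc; since cilium/ebpf 0.10 Offset is relative to Address, so it belongs in UAddress.` If I read cilium/ebpf's UprobeOptions correctly, a non-zero Address takes precedence over the lookup of AttachToFuncName, so the value must already be what the kernel expects, which is worth confirming against the library version the module pins. Separately, the COMPILATION_CN.md hunk spells the field `Uaddress`, which does not match the `UAddress` used here.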
@@ -153,14 +153,14 @@ func (m *MMysqldProbe) setupManagers() error { Section: "uprobe/dispatch_command_57", //TODO CHANGE to mysqld80 @CFC4N EbpfFuncName: "mysql57_query", AttachToFuncName: attachFunc, - UprobeOffset: offset, + UAddress: offset, BinaryPath: binaryPath, }, { Section: "uretprobe/dispatch_command_57", EbpfFuncName: "mysql57_query_return", AttachToFuncName: attachFunc, - UprobeOffset: offset, + UAddress: offset, BinaryPath: binaryPath, }, } @@ -170,14 +170,14 @@ func (m *MMysqldProbe) setupManagers() error { Section: "uprobe/dispatch_command", EbpfFuncName: "mysql56_query", AttachToFuncName: attachFunc, - UprobeOffset: offset, + UAddress: offset, BinaryPath: binaryPath, }, { Section: "uretprobe/dispatch_command", EbpfFuncName: "mysql56_query_return", AttachToFuncName: attachFunc, - UprobeOffset: offset, + UAddress: offset, BinaryPath: binaryPath, }, } @@ -193,7 +193,7 @@ func (m *MMysqldProbe) setupManagers() error { } m.logger.Info().Str("binrayPath", binaryPath).Str("FunctionName", attachFunc). - Str("Version", versionInfo).Uint64("UprobeOffset", offset).Msg("Mysql Probe Hooked") + Str("Version", versionInfo).Uint64("UAddress", offset).Msg("Mysql Probe Hooked") m.bpfManagerOptions = manager.Options{ DefaultKProbeMaxActive: 512, diff --git a/user/module/probe_openssl.go b/user/module/probe_openssl.go index b4adc4507..889baaf47 100644 --- a/user/module/probe_openssl.go +++ b/user/module/probe_openssl.go @@ -43,8 +43,8 @@ const ( DefaultAddr = "0.0.0.0" // OpenSSL the classes of BIOs // https://github.com/openssl/openssl/blob/openssl-3.0.0/include/openssl/bio.h.in - BIO_TYPE_DESCRIPTOR = 0x0100 - BIO_TYPE_SOURCE_SINK = 0x0400 + BioTypeDescriptor = 0x0100 + BioTypeSourceSink = 0x0400 ) type Tls13MasterSecret struct { 
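Review bot: The renamed constants `BioTypeDescriptor`/`BioTypeSourceSink` no longer carry OpenSSL's macro names, so the bio.h link in the context comment above them is harder to follow; a trailing comment per constant keeps the mapping greppable, e.g. `BioTypeDescriptor = 0x0100 // BIO_TYPE_DESCRIPTOR` and `BioTypeSourceSink = 0x0400 // BIO_TYPE_SOURCE_SINK`. The const block opens before the hunk.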
@@ -653,7 +653,7 @@ func (m *MOpenSSLProbe) Dispatcher(eventStruct event.IEventStruct) { func (m *MOpenSSLProbe) dumpSslData(eventStruct *event.SSLDataEvent) { // BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR = 0x0400|0x0100 = 1280 - if eventStruct.Fd <= 0 && eventStruct.BioType > BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR { + if eventStruct.Fd <= 0 && eventStruct.BioType > BioTypeSourceSink|BioTypeDescriptor { m.logger.Error().Uint32("pid", eventStruct.Pid).Uint32("fd", eventStruct.Fd).Str("address", eventStruct.Addr).Msg("SSLDataEvent's fd is 0") //return }
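Review bot: The comment `// BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR = 0x0400|0x0100 = 1280` on the line above the changed condition still uses the identifiers this commit removes; update it to `// BioTypeSourceSink|BioTypeDescriptor = 0x0400|0x0100 = 1280 (BIO_TYPE_SOURCE_SINK|BIO_TYPE_DESCRIPTOR in openssl/bio.h)`. The condition itself reads correctly since `|` binds tighter than `>` in Go. dumpSslData's body continues outside the hunk.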