backup

SeeFlowerX · Dec 22, 2023 · db17157 · db17157
1 parent ecab649
commit db17157
Show file tree

Hide file tree

Showing 6 changed files with 155 additions and 34 deletions.
diff --git a/src/syscall.c b/src/syscall.c
@@ -265,6 +265,7 @@ int next_raw_syscalls_sys_enter(struct bpf_raw_tracepoint_args* ctx) {
                 if (op_ctx->read_len > op_ctx->reg_value) {
                     op_ctx->read_len = op_ctx->reg_value;
                 }
+                break;
             case OP_SET_READ_LEN_POINTER_VALUE:
                 // bpf_printk("[stackplz] OP_SET_READ_LEN_POINTER_VALUE old_len:%d new_len:%d\n", op_ctx->read_len, op_ctx->pointer_value);
                 if (op_ctx->read_len > op_ctx->pointer_value) {

diff --git a/src/types.h b/src/types.h
@@ -150,7 +150,9 @@ enum arg_type_e
 	TYPE_EXP_INT,
 	TYPE_INT,
 	TYPE_UINT,
+	TYPE_INT8,
 	TYPE_INT16,
+	TYPE_UINT8,
 	TYPE_UINT16,
 	TYPE_INT32,
 	TYPE_UINT32,

diff --git a/user/config/config_argtype.go b/user/config/config_argtype.go
@@ -0,0 +1,109 @@
+package config
+
+import (
+	"fmt"
+	"syscall"
+	"unsafe"
+)
+
+// 定义 arg_type 即定义读取一个 arg 所需要的操作集合
+
+type OpArgType struct {
+	Alias_type uint32
+	Type_size  uint32
+	Ops        []uint32
+}
+
+func (this *OpArgType) Clone() OpArgType {
+	oat := OpArgType{}
+	oat.Alias_type = this.Alias_type
+	oat.Type_size = this.Type_size
+	// 不能直接 copy 因为被赋值的一方长度为0
+	oat.Ops = append(oat.Ops, this.Ops...)
+	return oat
+}
+
+func (this *OpArgType) AddOp(opc OpConfig, value uint64) {
+	new_op_key := op_key_helper.get_op_key(opc.NewValue(value))
+	this.Ops = append(this.Ops, new_op_key)
+}
+
+func (this *OpArgType) AddOpC(op_code uint32) {
+	// add one op with default value
+	default_op_key := op_key_helper.get_default_op_key(op_code)
+	this.Ops = append(this.Ops, default_op_key)
+}
+
+func (this *OpArgType) AddOpA(arg_type OpArgType) {
+	// add one arg op_keys
+	for _, arg_op_key := range arg_type.Ops {
+		this.Ops = append(this.Ops, arg_op_key)
+	}
+}
+func (this *OpArgType) AddOpK(op_key uint32) {
+	// add one op_key
+	this.Ops = append(this.Ops, op_key)
+}
+
+func (this *OpArgType) NewReadLenRegValue(reg_index uint32) *OpArgType {
+	if this.Alias_type != TYPE_BUFFER {
+		panic(fmt.Sprintf("ArgType is %d, not TYPE_BUFFER", this.Alias_type))
+	}
+	at := this.Clone()
+	at.Ops = []uint32{}
+	for _, op_key := range this.Ops {
+		at.AddOpK(op_key)
+		op_config := op_key_helper.get_op_config(op_key)
+		if op_config.Code == OP_SET_READ_LEN {
+			// 以指定寄存器的值作为读取长度 需要插入以下操作
+			at.AddOp(OPC_SET_REG_INDEX, uint64(reg_index))
+			at.AddOpC(OP_READ_REG)
+			at.AddOp(OPC_SET_READ_LEN_REG_VALUE, uint64(reg_index))
+		}
+	}
+	return &at
+}
+
+func RAT(alias_type, type_size uint32) *OpArgType {
+	// register OpArgType
+	oat := OpArgType{}
+	oat.Alias_type = alias_type
+	oat.Type_size = type_size
+	return &oat
+}
+
+// 基础类型
+var AT_INT8 = RAT(TYPE_INT8, uint32(unsafe.Sizeof(int8(0))))
+var AT_INT16 = RAT(TYPE_INT16, uint32(unsafe.Sizeof(int16(0))))
+var AT_INT32 = RAT(TYPE_INT32, uint32(unsafe.Sizeof(int32(0))))
+var AT_INT64 = RAT(TYPE_INT64, uint32(unsafe.Sizeof(int64(0))))
+
+var AT_UINT8 = RAT(TYPE_UINT8, uint32(unsafe.Sizeof(uint8(0))))
+var AT_UINT16 = RAT(TYPE_UINT16, uint32(unsafe.Sizeof(uint16(0))))
+var AT_UINT32 = RAT(TYPE_UINT32, uint32(unsafe.Sizeof(uint32(0))))
+var AT_UINT64 = RAT(TYPE_UINT64, uint32(unsafe.Sizeof(uint64(0))))
+
+// 常用类型
+var AT_BUFFER = RAT(TYPE_BUFFER, MAX_BUF_READ_SIZE)
+var AT_STRING = RAT(TYPE_STRING, MAX_BUF_READ_SIZE)
+
+// 复杂类型
+var AT_MSGHDR = RAT(TYPE_MSGHDR, uint32(unsafe.Sizeof(Msghdr{})))
+var AT_IOVEC = RAT(TYPE_IOVEC, uint32(unsafe.Sizeof(syscall.Iovec{})))
+
+func init() {
+	// 在这里完成各种类型的操作集合初始化
+
+	// TYPE_BUFFER
+	// 通常按照结构体的方式读取即可 即读取指定地址指定大小的数据即可
+	// 然而数据大小有时候会通过其他参数指定
+	// 所以在读取之前 比较预设的默认读取大小和指定大小 取小的那个
+	// 这里先预设了读取长度 在实际使用时编排操作顺序
+	AT_BUFFER.AddOp(OPC_SET_READ_LEN, uint64(MAX_BUF_READ_SIZE))
+	AT_BUFFER.AddOpC(OP_SAVE_STRUCT)
+
+	// TYPE_STRING
+	AT_BUFFER.AddOpC(OP_SAVE_STRING)
+
+	// Register(&SArgs{206, PAI("sendto", []PArg{A("sockfd", EXP_INT), A("buf", READ_BUFFER_T), A("len", INT), A("flags", EXP_INT), A("dest_addr", SOCKADDR), A("addrlen", EXP_INT)})})
+}
diff --git a/user/config/config_syscall.go b/user/config/config_syscall.go
@@ -114,7 +114,9 @@ const (
 	TYPE_EXP_INT
 	TYPE_INT
 	TYPE_UINT
+	TYPE_INT8
 	TYPE_INT16
+	TYPE_UINT8
 	TYPE_UINT16
 	TYPE_INT32
 	TYPE_UINT32

diff --git a/user/config/config_syscall_aarch64.go b/user/config/config_syscall_aarch64.go
@@ -106,7 +106,7 @@ func (this *SyscallPoints) GetPointByNR(nr uint32) *PointArgsConfig {
 			return &point
 		}
 	}
-	panic(fmt.Sprintf("GetPointByNR failed for nr %s", nr))
+	panic(fmt.Sprintf("GetPointByNR failed for nr:%d", nr))
 }
 
 func GetSyscallPointByName(name string) *PointArgsConfig {
@@ -117,31 +117,6 @@ func GetSyscallPointByNR(nr uint32) *PointArgsConfig {
 	return aarch64_syscall_points.GetPointByNR(nr)
 }
 
-// 基础类型配置
-type OpArgType struct {
-	Alias_type uint32
-	Type_size  uint32
-	Ops        []uint32
-}
-
-func (this *OpArgType) AddOp(opc OpConfig, value uint64) {
-	new_op_key := op_key_helper.get_op_key(opc.NewValue(value))
-	this.Ops = append(this.Ops, new_op_key)
-}
-
-func (this *OpArgType) AddOpC(op_code uint32) {
-	// add one op with default value
-	default_op_key := op_key_helper.get_default_op_key(op_code)
-	this.Ops = append(this.Ops, default_op_key)
-}
-
-func (this *OpArgType) AddOpA(arg_type OpArgType) {
-	// add one arg op_keys
-	for _, arg_op_key := range arg_type.Ops {
-		this.Ops = append(this.Ops, arg_op_key)
-	}
-}
-
 // operation code enum
 const (
 	OP_SKIP uint32 = iota + 233
@@ -215,6 +190,15 @@ type OpKeyHelper struct {
 	reg_index_op_key_map map[int]uint32
 }
 
+func (this *OpKeyHelper) get_op_config(op_key uint32) OpConfig {
+	for k, v := range this.op_list {
+		if k == op_key {
+			return v
+		}
+	}
+	panic(fmt.Sprintf("get_op_config for key:%d not exists", op_key))
+}
+
 func (this *OpKeyHelper) get_default_op_key(op_code uint32) uint32 {
 	for k, v := range this.op_list {
 		if v.Code == op_code && v.Value == 0 {
@@ -269,7 +253,7 @@ func RTO(alias_type, type_size uint32, ops ...OpConfig) OpArgType {
 	return oat
 }
 
-func X(arg_name string, arg_type OpArgType) *ArgOpConfig {
+func X(arg_name string, arg_type *OpArgType) *ArgOpConfig {
 	config := ArgOpConfig{}
 	config.ArgName = arg_name
 	config.AliasType = arg_type.Alias_type
@@ -398,5 +382,11 @@ func init() {
 	}
 	OPA_MSGHDR.AddOpC(OP_RESET_BREAK)
 
-	R(211, "sendmsg", X("sockfd", OPA_INT32), X("*msg", OPA_MSGHDR), X("flags", OPA_INT32))
+	// 以指定寄存器为数据作为读取长度
+	AT_BUFFER_X2 := AT_BUFFER.NewReadLenRegValue(REG_ARM64_X2)
+
+	R(56, "openat", X("dirfd", AT_INT32), X("pathname", AT_STRING), X("flags", AT_INT32), X("mode", AT_INT16))
+	R(206, "sendto", X("sockfd", AT_INT32), X("*buf", AT_BUFFER_X2), X("len", AT_INT32), X("flags", AT_INT32))
+
+	// R(211, "sendmsg", X("sockfd", OPA_INT32), X("*msg", OPA_MSGHDR), X("flags", OPA_INT32))
 }
diff --git a/user/event/event_raw_syscalls.go b/user/event/event_raw_syscalls.go
@@ -28,9 +28,9 @@ type Arg_bytes = config.Arg_str
 
 func (this *SyscallEvent) ParseContextSysEnterNext() (err error) {
     // 输出json会更方便分析 next
-    // if this.mconf.Next {
-    //     this.logger.Printf("ParseContextSysEnterNext RawSample:\n%s", util.HexDump(this.rec.RawSample, util.COLORRED))
-    // }
+    if this.mconf.Next {
+        this.logger.Printf("ParseContextSysEnterNext RawSample:\n%s", util.HexDump(this.rec.RawSample, util.COLORRED))
+    }
     if err = binary.Read(this.buf, binary.LittleEndian, &this.lr); err != nil {
         panic(err)
     }
@@ -42,9 +42,10 @@ func (this *SyscallEvent) ParseContextSysEnterNext() (err error) {
     }
     // 根据调用号解析剩余参数
     this.nr_point_next = config.GetSyscallPointByNR(this.nr.Value)
-    if this.nr_point_next.Name != "sendmsg" {
-        panic("only sendmsg now")
-    }
+    // // if this.nr_point_next.Name != "sendmsg" {
+    // if this.nr_point_next.Name != "sendto" {
+    //     panic("only sendmsg now")
+    // }
     var results []string
     for _, point_arg := range this.nr_point_next.Args {
         var ptr config.Arg_reg
@@ -109,6 +110,22 @@ func (this *SyscallEvent) ParseContextSysEnterNext() (err error) {
             results = append(results, fmt.Sprintf("%s=%s", point_arg.ArgName, arg_msghdr.FormatFull(iov_results_str, control_buf.Format(control_payload))))
         case config.TYPE_INT32:
             results = append(results, fmt.Sprintf("%s=%d", point_arg.ArgName, int32(ptr.Address)))
+        case config.TYPE_BUFFER:
+            var arg config.Arg_str
+            if err := binary.Read(this.buf, binary.LittleEndian, &arg); err != nil {
+                panic(err)
+            }
+            payload := make([]byte, arg.Len)
+            if err := binary.Read(this.buf, binary.LittleEndian, &payload); err != nil {
+                panic(err)
+            }
+            var payload_dump string
+            if this.mconf.DumpHex {
+                payload_dump = arg.HexFormat(payload, this.mconf.Color)
+            } else {
+                payload_dump = arg.Format(payload)
+            }
+            results = append(results, fmt.Sprintf("%s=0x%x%s", point_arg.ArgName, ptr.Address, payload_dump))
         default:
             results = append(results, fmt.Sprintf("%s=0x%x", point_arg.ArgName, ptr.Address))
         }