From db17157841cad1dc11cab53d73c59767a6192d7c Mon Sep 17 00:00:00 2001
From: see
Date: Fri, 22 Dec 2023 17:58:24 +0800
Subject: [PATCH] backup

---
 src/syscall.c | 1 +
 src/types.h | 2 +
 user/config/config_argtype.go | 109 ++++++++++++++++++++++++++
 user/config/config_syscall.go | 2 +
 user/config/config_syscall_aarch64.go | 46 +++++------
 user/event/event_raw_syscalls.go | 29 +++++--
 6 files changed, 155 insertions(+), 34 deletions(-)
 create mode 100644 user/config/config_argtype.go

diff --git a/src/syscall.c b/src/syscall.c
index 118f772..b1efb74 100644
--- a/src/syscall.c
+++ b/src/syscall.c
@@ -265,6 +265,7 @@ int next_raw_syscalls_sys_enter(struct bpf_raw_tracepoint_args* ctx) {
             if (op_ctx->read_len > op_ctx->reg_value) {
                 op_ctx->read_len = op_ctx->reg_value;
             }
+            break;
         case OP_SET_READ_LEN_POINTER_VALUE:
             // bpf_printk("[stackplz] OP_SET_READ_LEN_POINTER_VALUE old_len:%d new_len:%d\n", op_ctx->read_len, op_ctx->pointer_value);
             if (op_ctx->read_len > op_ctx->pointer_value) {
diff --git a/src/types.h b/src/types.h
index 4fda3c2..cc47615 100644
--- a/src/types.h
+++ b/src/types.h
@@ -150,7 +150,9 @@ enum arg_type_e
     TYPE_EXP_INT,
     TYPE_INT,
     TYPE_UINT,
+    TYPE_INT8,
     TYPE_INT16,
+    TYPE_UINT8,
     TYPE_UINT16,
     TYPE_INT32,
     TYPE_UINT32,
diff --git a/user/config/config_argtype.go b/user/config/config_argtype.go
new file mode 100644
index 0000000..07606fb
--- /dev/null
+++ b/user/config/config_argtype.go
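Review bot: The added `break` stops `OP_SET_READ_LEN_REG_VALUE` from also running the pointer-value clamp below it, but the sibling `OP_SET_READ_LEN_POINTER_VALUE` case runs past the end of the hunk, so whether it and the cases after it terminate correctly cannot be confirmed from here and deserves a pass over the whole switch. An unintended fall-through in this switch silently changes `read_len`, which appears to be the bound on how much memory is copied later, so the invariant is worth stating in place: `// read_len may only ever be reduced here; it bounds the later read`. The enclosing `next_raw_syscalls_sys_enter` starts outside the hunk.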
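Review bot: `TYPE_INT8` and `TYPE_UINT8` are inserted in the middle of `enum arg_type_e`, and the Go mirror in `user/config/config_syscall.go` (this commit's hunk there) inserts them at the same positions of an `iota` block; both lists are positional, so every later value shifts and the kernel and user sides agree only if the two are always edited together. Nothing on either side says so. Add `// NOTE: values are positional; keep in sync with the TYPE_* consts in user/config/config_syscall.go` above the enum, and the mirror comment on the Go const block. The enum begins and ends outside the hunk.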
@@ -0,0 +1,109 @@
+package config
+
+import (
+	"fmt"
+	"syscall"
+	"unsafe"
+)
+
+// 定义 arg_type 即定义读取一个 arg 所需要的操作集合
+
+type OpArgType struct {
+	Alias_type uint32
+	Type_size  uint32
+	Ops        []uint32
+}
+
+func (this *OpArgType) Clone() OpArgType {
+	oat := OpArgType{}
+	oat.Alias_type = this.Alias_type
+	oat.Type_size = this.Type_size
+	// 不能直接 copy 因为被赋值的一方长度为0
+	oat.Ops = append(oat.Ops, this.Ops...)
+	return oat
+}
+
+func (this *OpArgType) AddOp(opc OpConfig, value uint64) {
+	new_op_key := op_key_helper.get_op_key(opc.NewValue(value))
+	this.Ops = append(this.Ops, new_op_key)
+}
+
+func (this *OpArgType) AddOpC(op_code uint32) {
+	// add one op with default value
+	default_op_key := op_key_helper.get_default_op_key(op_code)
+	this.Ops = append(this.Ops, default_op_key)
+}
+
+func (this *OpArgType) AddOpA(arg_type OpArgType) {
+	// add one arg op_keys
+	for _, arg_op_key := range arg_type.Ops {
+		this.Ops = append(this.Ops, arg_op_key)
+	}
+}
+func (this *OpArgType) AddOpK(op_key uint32) {
+	// add one op_key
+	this.Ops = append(this.Ops, op_key)
+}
+
+func (this *OpArgType) NewReadLenRegValue(reg_index uint32) *OpArgType {
+	if this.Alias_type != TYPE_BUFFER {
+		panic(fmt.Sprintf("ArgType is %d, not TYPE_BUFFER", this.Alias_type))
+	}
+	at := this.Clone()
+	at.Ops = []uint32{}
+	for _, op_key := range this.Ops {
+		at.AddOpK(op_key)
+		op_config := op_key_helper.get_op_config(op_key)
+		if op_config.Code == OP_SET_READ_LEN {
+			// 以指定寄存器的值作为读取长度 需要插入以下操作
+			at.AddOp(OPC_SET_REG_INDEX, uint64(reg_index))
+			at.AddOpC(OP_READ_REG)
+			at.AddOp(OPC_SET_READ_LEN_REG_VALUE, uint64(reg_index))
+		}
+	}
+	return &at
+}
+
+func RAT(alias_type, type_size uint32) *OpArgType {
+	// register OpArgType
+	oat := OpArgType{}
+	oat.Alias_type = alias_type
+	oat.Type_size = type_size
+	return &oat
+}
+
+// 基础类型
+var AT_INT8 = RAT(TYPE_INT8, uint32(unsafe.Sizeof(int8(0))))
+var AT_INT16 = RAT(TYPE_INT16, uint32(unsafe.Sizeof(int16(0))))
+var AT_INT32 = RAT(TYPE_INT32, uint32(unsafe.Sizeof(int32(0))))
+var AT_INT64 = RAT(TYPE_INT64, uint32(unsafe.Sizeof(int64(0))))
+
+var AT_UINT8 = RAT(TYPE_UINT8, uint32(unsafe.Sizeof(uint8(0))))
+var AT_UINT16 = RAT(TYPE_UINT16, uint32(unsafe.Sizeof(uint16(0))))
+var AT_UINT32 = RAT(TYPE_UINT32, uint32(unsafe.Sizeof(uint32(0))))
+var AT_UINT64 = RAT(TYPE_UINT64, uint32(unsafe.Sizeof(uint64(0))))
+
+// 常用类型
+var AT_BUFFER = RAT(TYPE_BUFFER, MAX_BUF_READ_SIZE)
+var AT_STRING = RAT(TYPE_STRING, MAX_BUF_READ_SIZE)
+
+// 复杂类型
+var AT_MSGHDR = RAT(TYPE_MSGHDR, uint32(unsafe.Sizeof(Msghdr{})))
+var AT_IOVEC = RAT(TYPE_IOVEC, uint32(unsafe.Sizeof(syscall.Iovec{})))
+
+func init() {
+	// 在这里完成各种类型的操作集合初始化
+
+	// TYPE_BUFFER
+	// 通常按照结构体的方式读取即可 即读取指定地址指定大小的数据即可
+	// 然而数据大小有时候会通过其他参数指定
+	// 所以在读取之前 比较预设的默认读取大小和指定大小 取小的那个
+	// 这里先预设了读取长度 在实际使用时编排操作顺序
+	AT_BUFFER.AddOp(OPC_SET_READ_LEN, uint64(MAX_BUF_READ_SIZE))
+	AT_BUFFER.AddOpC(OP_SAVE_STRUCT)
+
+	// TYPE_STRING
+	AT_BUFFER.AddOpC(OP_SAVE_STRING)
+
+	// Register(&SArgs{206, PAI("sendto", []PArg{A("sockfd", EXP_INT), A("buf", READ_BUFFER_T), A("len", INT), A("flags", EXP_INT), A("dest_addr", SOCKADDR), A("addrlen", EXP_INT)})})
+}
diff --git a/user/config/config_syscall.go b/user/config/config_syscall.go
index 15cad69..5ac620f 100644
--- a/user/config/config_syscall.go
+++ b/user/config/config_syscall.go
@@ -114,7 +114,9 @@ const (
 	TYPE_EXP_INT
 	TYPE_INT
 	TYPE_UINT
+	TYPE_INT8
 	TYPE_INT16
+	TYPE_UINT8
 	TYPE_UINT16
 	TYPE_INT32
 	TYPE_UINT32
diff --git a/user/config/config_syscall_aarch64.go b/user/config/config_syscall_aarch64.go
index 52ba56f..e385a25 100644
--- a/user/config/config_syscall_aarch64.go
+++ b/user/config/config_syscall_aarch64.go
@@ -106,7 +106,7 @@ func (this *SyscallPoints) GetPointByNR(nr uint32) *PointArgsConfig {
 			return &point
 		}
 	}
-	panic(fmt.Sprintf("GetPointByNR failed for nr %s", nr))
+	panic(fmt.Sprintf("GetPointByNR failed for nr:%d", nr))
 }
 
 func GetSyscallPointByName(name string) *PointArgsConfig {
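Review bot: In `init()`, the line under the `// TYPE_STRING` comment calls `AT_BUFFER.AddOpC(OP_SAVE_STRING)`, which reads like a copy-paste slip for `AT_STRING`: as written, `AT_BUFFER` carries both `OP_SAVE_STRUCT` and `OP_SAVE_STRING` while `AT_STRING` ends up with no ops at all, and the `openat` registration later in this commit passes `pathname` as `AT_STRING`. Presumably the string type also needs its read length preset like the buffer does, so the fix would be `AT_STRING.AddOp(OPC_SET_READ_LEN, uint64(MAX_BUF_READ_SIZE))` followed by `AT_STRING.AddOpC(OP_SAVE_STRING)`. Separately, `Clone()` is what lets `NewReadLenRegValue` derive a variant from the shared package-level `AT_BUFFER` without mutating it, so its comment should say that `Ops` is copied rather than aliased for exactly that reason, in English for readers who do not read the current Chinese comment.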
@@ -117,31 +117,6 @@ func GetSyscallPointByNR(nr uint32) *PointArgsConfig { return aarch64_syscall_points.GetPointByNR(nr) } -// 基础类型配置 -type OpArgType struct { - Alias_type uint32 - Type_size uint32 - Ops []uint32 -} - -func (this *OpArgType) AddOp(opc OpConfig, value uint64) { - new_op_key := op_key_helper.get_op_key(opc.NewValue(value)) - this.Ops = append(this.Ops, new_op_key) -} - -func (this *OpArgType) AddOpC(op_code uint32) { - // add one op with default value - default_op_key := op_key_helper.get_default_op_key(op_code) - this.Ops = append(this.Ops, default_op_key) -} - -func (this *OpArgType) AddOpA(arg_type OpArgType) { - // add one arg op_keys - for _, arg_op_key := range arg_type.Ops { - this.Ops = append(this.Ops, arg_op_key) - } -} - // operation code enum const ( OP_SKIP uint32 = iota + 233 @@ -215,6 +190,15 @@ type OpKeyHelper struct { reg_index_op_key_map map[int]uint32 } +func (this *OpKeyHelper) get_op_config(op_key uint32) OpConfig { + for k, v := range this.op_list { + if k == op_key { + return v + } + } + panic(fmt.Sprintf("get_op_config for key:%d not exists", op_key)) +} + func (this *OpKeyHelper) get_default_op_key(op_code uint32) uint32 { for k, v := range this.op_list { if v.Code == op_code && v.Value == 0 { @@ -269,7 +253,7 @@ func RTO(alias_type, type_size uint32, ops ...OpConfig) OpArgType { return oat } -func X(arg_name string, arg_type OpArgType) *ArgOpConfig { +func X(arg_name string, arg_type *OpArgType) *ArgOpConfig { config := ArgOpConfig{} config.ArgName = arg_name config.AliasType = arg_type.Alias_type 
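Review bot: `get_op_config` walks `this.op_list` with a `range` loop comparing `k == op_key`; since `k` is compared against a `uint32` key, `op_list` looks like a map keyed by the op key, in which case a direct lookup is shorter and O(1): `if v, ok := this.op_list[op_key]; ok { return v }` before the panic. This helper is called once per op inside `NewReadLenRegValue`'s loop, so the linear scan compounds as arg types grow. The `OpKeyHelper` struct starts outside the hunk, so the field's type is inferred here rather than visible.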
@@ -398,5 +382,11 @@ func init() { } OPA_MSGHDR.AddOpC(OP_RESET_BREAK) - R(211, "sendmsg", X("sockfd", OPA_INT32), X("*msg", OPA_MSGHDR), X("flags", OPA_INT32)) + // 以指定寄存器为数据作为读取长度 + AT_BUFFER_X2 := AT_BUFFER.NewReadLenRegValue(REG_ARM64_X2) + + R(56, "openat", X("dirfd", AT_INT32), X("pathname", AT_STRING), X("flags", AT_INT32), X("mode", AT_INT16)) + R(206, "sendto", X("sockfd", AT_INT32), X("*buf", AT_BUFFER_X2), X("len", AT_INT32), X("flags", AT_INT32)) + + // R(211, "sendmsg", X("sockfd", OPA_INT32), X("*msg", OPA_MSGHDR), X("flags", OPA_INT32)) } diff --git a/user/event/event_raw_syscalls.go b/user/event/event_raw_syscalls.go index e807d01..0604942 100644 --- a/user/event/event_raw_syscalls.go +++ b/user/event/event_raw_syscalls.go @@ -28,9 +28,9 @@ type Arg_bytes = config.Arg_str func (this *SyscallEvent) ParseContextSysEnterNext() (err error) { // 输出json会更方便分析 next - // if this.mconf.Next { - // this.logger.Printf("ParseContextSysEnterNext RawSample:\n%s", util.HexDump(this.rec.RawSample, util.COLORRED)) - // } + if this.mconf.Next { + this.logger.Printf("ParseContextSysEnterNext RawSample:\n%s", util.HexDump(this.rec.RawSample, util.COLORRED)) + } if err = binary.Read(this.buf, binary.LittleEndian, &this.lr); err != nil { panic(err) } @@ -42,9 +42,10 @@ func (this *SyscallEvent) ParseContextSysEnterNext() (err error) { } // 根据调用号解析剩余参数 this.nr_point_next = config.GetSyscallPointByNR(this.nr.Value) - if this.nr_point_next.Name != "sendmsg" { - panic("only sendmsg now") - } + // // if this.nr_point_next.Name != "sendmsg" { + // if this.nr_point_next.Name != "sendto" { + // panic("only sendmsg now") + // } var results []string for _, point_arg := range this.nr_point_next.Args { var ptr config.Arg_reg 
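Review bot: `AT_BUFFER.NewReadLenRegValue(REG_ARM64_X2)` copies `AT_BUFFER.Ops` at call time, but those ops are only appended by the `init()` in `user/config/config_argtype.go`, so this line produces a usable `AT_BUFFER_X2` only if that `init` has already run. Go runs a package's `init` functions in the order the files are presented to the compiler, which in a normal build is filename order, so the dependency currently holds because `config_argtype.go` sorts before `config_syscall_aarch64.go` and nothing records that. Either call the buffer setup explicitly from this `init` or leave a comment such as `// depends on AT_BUFFER's ops being populated by the init in config_argtype.go, which runs first by filename order`. This `init` starts outside the hunk.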
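Review bot: The `only sendmsg now` guard is commented out rather than deleted, with a second commented-out variant for `sendto` stacked on top of it; the dead lines should go, since the registration table now decides which syscalls are parsed. Without the guard, an `nr` that has no registration flows straight into `config.GetSyscallPointByNR`, whose `GetPointByNR` (touched in this commit) panics, so one unexpected syscall number in a sample takes down the tracer instead of failing this single event; as this function already returns `err`, a recoverable lookup path would be the better shape. `ParseContextSysEnterNext` begins outside the hunk.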
@@ -109,6 +110,22 @@ func (this *SyscallEvent) ParseContextSysEnterNext() (err error) {
 			results = append(results, fmt.Sprintf("%s=%s", point_arg.ArgName, arg_msghdr.FormatFull(iov_results_str, control_buf.Format(control_payload))))
 		case config.TYPE_INT32:
 			results = append(results, fmt.Sprintf("%s=%d", point_arg.ArgName, int32(ptr.Address)))
+		case config.TYPE_BUFFER:
+			var arg config.Arg_str
+			if err := binary.Read(this.buf, binary.LittleEndian, &arg); err != nil {
+				panic(err)
+			}
+			payload := make([]byte, arg.Len)
+			if err := binary.Read(this.buf, binary.LittleEndian, &payload); err != nil {
+				panic(err)
+			}
+			var payload_dump string
+			if this.mconf.DumpHex {
+				payload_dump = arg.HexFormat(payload, this.mconf.Color)
+			} else {
+				payload_dump = arg.Format(payload)
+			}
+			results = append(results, fmt.Sprintf("%s=0x%x%s", point_arg.ArgName, ptr.Address, payload_dump))
 		default:
 			results = append(results, fmt.Sprintf("%s=0x%x", point_arg.ArgName, ptr.Address))
 		}
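Review bot: `payload := make([]byte, arg.Len)` sizes an allocation from a length read out of the sample with no bound on it: the probe side is configured to cap buffer reads at `MAX_BUF_READ_SIZE`, but a truncated or malformed record here yields either an oversized allocation or an `io.ErrUnexpectedEOF` from the second `binary.Read`, and both read failures `panic` inside a function that already returns `err`. Check the length before allocating and return instead of panicking, e.g. `if arg.Len > config.MAX_BUF_READ_SIZE { return fmt.Errorf("%s: buffer len %d exceeds max %d", point_arg.ArgName, arg.Len, config.MAX_BUF_READ_SIZE) }` (with whatever conversion `Arg_str.Len` needs), and `return err` on the two read errors. Note also that the switch gains no `config.TYPE_STRING` case even though `openat`'s `pathname` is registered as `AT_STRING` elsewhere in this commit; unless a case exists above the hunk, that argument falls to `default` and prints only its address. Both the switch and `ParseContextSysEnterNext` start outside the hunk.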