mirror of
https://github.com/kubeshark/kubeshark.git
synced 2025-07-07 13:29:31 +00:00
Find the ret instructions using Capstone Engine and uprobe the return statements
This commit is contained in:
M. Mert Yildiran
parent
ba2738b7a4
commit
ade3407d63
@ -85,6 +85,7 @@ require (
|
||||
github.com/josharian/intern v1.0.0 // indirect
|
||||
github.com/json-iterator/go v1.1.12 // indirect
|
||||
github.com/klauspost/compress v1.14.2 // indirect
|
||||
github.com/knightsc/gapstone v0.0.0-20211014144438-5e0e64002a6e // indirect
|
||||
github.com/leodido/go-urn v1.2.1 // indirect
|
||||
github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
|
||||
github.com/mailru/easyjson v0.7.7 // indirect
|
||||
|
||||
@ -457,6 +457,8 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o
|
||||
github.com/klauspost/compress v1.9.8/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
|
||||
github.com/klauspost/compress v1.14.2 h1:S0OHlFk/Gbon/yauFJ4FfJJF5V0fc5HbBTJazi28pRw=
|
||||
github.com/klauspost/compress v1.14.2/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
|
||||
github.com/knightsc/gapstone v0.0.0-20211014144438-5e0e64002a6e h1:6J5obSn9umEThiYzWzndcPOZR0Qj/sVCZpH6V1G7yNE=
|
||||
github.com/knightsc/gapstone v0.0.0-20211014144438-5e0e64002a6e/go.mod h1:1K5hEzsMBLTPdRJKEHqBFJ8Zt2VRqDhomcQ11KH0WW4=
|
||||
github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
|
||||
github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
|
||||
github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
|
||||
|
||||
6
devops/install-capstone.sh
Executable file
6
devops/install-capstone.sh
Executable file
@ -0,0 +1,6 @@
|
||||
#!/bin/bash
|
||||
|
||||
git clone https://github.com/capstone-engine/capstone.git -b 4.0.2 && \
|
||||
git checkout capstone && \
|
||||
./make.sh && \
|
||||
sudo ./make.sh install
|
||||
@ -8,6 +8,7 @@ require (
|
||||
github.com/go-errors/errors v1.4.2
|
||||
github.com/google/gopacket v1.1.19
|
||||
github.com/hashicorp/golang-lru v0.5.4
|
||||
github.com/knightsc/gapstone v0.0.0-20211014144438-5e0e64002a6e
|
||||
github.com/shirou/gopsutil v3.21.11+incompatible
|
||||
github.com/struCoder/pidusage v0.2.1
|
||||
github.com/up9inc/mizu/logger v0.0.0
|
||||
|
||||
@ -83,6 +83,8 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
|
||||
github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
|
||||
github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
|
||||
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
|
||||
github.com/knightsc/gapstone v0.0.0-20211014144438-5e0e64002a6e h1:6J5obSn9umEThiYzWzndcPOZR0Qj/sVCZpH6V1G7yNE=
|
||||
github.com/knightsc/gapstone v0.0.0-20211014144438-5e0e64002a6e/go.mod h1:1K5hEzsMBLTPdRJKEHqBFJ8Zt2VRqDhomcQ11KH0WW4=
|
||||
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
|
||||
github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
|
||||
github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
|
||||
|
||||
@ -19,11 +19,12 @@ If stack size exceeds 2Kb, Go runtime reallocates the stack. That causes the
|
||||
return address to become wrong in case of `uretprobe` and probed Go program crashes.
|
||||
Therefore `uretprobe` CAN'T BE USED for a Go program.
|
||||
|
||||
`golang_crypto_tls_read_uprobe` suppose to be `uretprobe` is actually a `uprobe` because of the ABI problems
|
||||
and we probe an arbitrary point in a function body (offset +559):
|
||||
`_ex_uprobe` suffixed probes suppose to be `uretprobe`(s) are actually `uprobe`(s)
|
||||
because of the non-standard ABI of Go. Therefore we probe `ret` mnemonics under the symbol
|
||||
by automatically finding them through reading the ELF binary and disassembling the symbols.
|
||||
Disassembly related code located in `golang_offsets.go` file.
|
||||
Example: We probe an arbitrary point in a function body (offset +559):
|
||||
https://github.com/golang/go/blob/go1.17.6/src/crypto/tls/conn.go#L1296
|
||||
Therefore `golang_crypto_tls_read_uprobe` is fragile any changes in `crypto/tls` library
|
||||
and it's only tested on x86-64.
|
||||
|
||||
---
|
||||
|
||||
@ -69,6 +70,31 @@ static int golang_crypto_tls_write_uprobe(struct pt_regs *ctx) {
|
||||
log_error(ctx, LOG_ERROR_PUTTING_SSL_CONTEXT, pid_tgid, err, 0l);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
SEC("uprobe/golang_crypto_tls_write_ex")
|
||||
static int golang_crypto_tls_write_ex_uprobe(struct pt_regs *ctx) {
|
||||
__u64 pid_tgid = bpf_get_current_pid_tgid();
|
||||
__u64 pid = pid_tgid >> 32;
|
||||
if (!should_tap(pid)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
struct ssl_info *info_ptr = bpf_map_lookup_elem(&ssl_write_context, &pid_tgid);
|
||||
|
||||
if (info_ptr == NULL) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
struct ssl_info info;
|
||||
long err = bpf_probe_read(&info, sizeof(struct ssl_info), info_ptr);
|
||||
|
||||
if (err != 0) {
|
||||
log_error(ctx, LOG_ERROR_READING_SSL_CONTEXT, pid_tgid, err, ORIGIN_SSL_URETPROBE_CODE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
output_ssl_chunk(ctx, &info, info.buffer_len, pid_tgid, 0);
|
||||
|
||||
return 0;
|
||||
@ -82,19 +108,10 @@ static int golang_crypto_tls_read_uprobe(struct pt_regs *ctx) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
void* stack_addr = (void*)GO_ABI_INTERNAL_PT_REGS_SP(ctx);
|
||||
__u64 data_p;
|
||||
// Address at stack pointer + 0xd8 holds the data (*fragile* and probably specific to x86-64)
|
||||
__u32 status = bpf_probe_read(&data_p, sizeof(data_p), stack_addr + 0xd8);
|
||||
if (status < 0) {
|
||||
log_error(ctx, LOG_ERROR_GOLANG_READ_READING_DATA_POINTER, pid_tgid, status, 0l);
|
||||
return 0;
|
||||
}
|
||||
|
||||
struct ssl_info info = lookup_ssl_info(ctx, &ssl_read_context, pid_tgid);
|
||||
|
||||
info.buffer_len = GO_ABI_INTERNAL_PT_REGS_R2(ctx);
|
||||
info.buffer = (void*)data_p;
|
||||
info.buffer = (void*)GO_ABI_INTERNAL_PT_REGS_R4(ctx);
|
||||
|
||||
long err = bpf_map_update_elem(&ssl_read_context, &pid_tgid, &info, BPF_ANY);
|
||||
|
||||
@ -102,6 +119,31 @@ static int golang_crypto_tls_read_uprobe(struct pt_regs *ctx) {
|
||||
log_error(ctx, LOG_ERROR_PUTTING_SSL_CONTEXT, pid_tgid, err, 0l);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
SEC("uprobe/golang_crypto_tls_read_ex")
|
||||
static int golang_crypto_tls_read_ex_uprobe(struct pt_regs *ctx) {
|
||||
__u64 pid_tgid = bpf_get_current_pid_tgid();
|
||||
__u64 pid = pid_tgid >> 32;
|
||||
if (!should_tap(pid)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
struct ssl_info *info_ptr = bpf_map_lookup_elem(&ssl_read_context, &pid_tgid);
|
||||
|
||||
if (info_ptr == NULL) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
struct ssl_info info;
|
||||
long err = bpf_probe_read(&info, sizeof(struct ssl_info), info_ptr);
|
||||
|
||||
if (err != 0) {
|
||||
log_error(ctx, LOG_ERROR_READING_SSL_CONTEXT, pid_tgid, err, ORIGIN_SSL_URETPROBE_CODE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
output_ssl_chunk(ctx, &info, info.buffer_len, pid_tgid, FLAGS_IS_READ_BIT);
|
||||
|
||||
return 0;
|
||||
|
||||
@ -6,8 +6,10 @@ import (
|
||||
)
|
||||
|
||||
type golangHooks struct {
|
||||
golangWriteProbe link.Link
|
||||
golangReadProbe link.Link
|
||||
golangWriteProbe link.Link
|
||||
golangWriteExProbes []link.Link
|
||||
golangReadProbe link.Link
|
||||
golangReadExProbes []link.Link
|
||||
}
|
||||
|
||||
func (s *golangHooks) installUprobes(bpfObjects *tlsTapperObjects, filePath string) error {
|
||||
@ -32,23 +34,45 @@ func (s *golangHooks) installHooks(bpfObjects *tlsTapperObjects, ex *link.Execut
|
||||
// Symbol points to
|
||||
// [`crypto/tls.(*Conn).Write`](https://github.com/golang/go/blob/go1.17.6/src/crypto/tls/conn.go#L1099)
|
||||
s.golangWriteProbe, err = ex.Uprobe(golangWriteSymbol, bpfObjects.GolangCryptoTlsWriteUprobe, &link.UprobeOptions{
|
||||
Offset: offsets.GolangWriteOffset,
|
||||
Offset: offsets.GolangWriteOffset.enter,
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
return errors.Wrap(err, 0)
|
||||
}
|
||||
|
||||
// Relative offset points to
|
||||
// [`crypto/tls.(*Conn).Read+559`](https://github.com/golang/go/blob/go1.17.6/src/crypto/tls/conn.go#L1296)
|
||||
s.golangReadProbe, err = ex.Uprobe(golangReadSymbol, bpfObjects.GolangCryptoTlsReadUprobe, &link.UprobeOptions{
|
||||
Offset: offsets.GolangReadOffset + 0x22f,
|
||||
})
|
||||
for _, offset := range offsets.GolangWriteOffset.exits {
|
||||
probe, err := ex.Uprobe(golangWriteSymbol, bpfObjects.GolangCryptoTlsWriteExUprobe, &link.UprobeOptions{
|
||||
Offset: offset,
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
return errors.Wrap(err, 0)
|
||||
}
|
||||
|
||||
s.golangWriteExProbes = append(s.golangWriteExProbes, probe)
|
||||
}
|
||||
|
||||
// Symbol points to
|
||||
// [`crypto/tls.(*Conn).Read`](https://github.com/golang/go/blob/go1.17.6/src/crypto/tls/conn.go#L1263)
|
||||
s.golangReadProbe, err = ex.Uprobe(golangReadSymbol, bpfObjects.GolangCryptoTlsReadUprobe, nil)
|
||||
|
||||
if err != nil {
|
||||
return errors.Wrap(err, 0)
|
||||
}
|
||||
|
||||
for _, offset := range offsets.GolangReadOffset.exits {
|
||||
probe, err := ex.Uprobe(golangReadSymbol, bpfObjects.GolangCryptoTlsReadExUprobe, &link.UprobeOptions{
|
||||
Offset: offset,
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
return errors.Wrap(err, 0)
|
||||
}
|
||||
|
||||
s.golangReadExProbes = append(s.golangReadExProbes, probe)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -59,9 +83,21 @@ func (s *golangHooks) close() []error {
|
||||
errors = append(errors, err)
|
||||
}
|
||||
|
||||
for _, probe := range s.golangWriteExProbes {
|
||||
if err := probe.Close(); err != nil {
|
||||
errors = append(errors, err)
|
||||
}
|
||||
}
|
||||
|
||||
if err := s.golangReadProbe.Close(); err != nil {
|
||||
errors = append(errors, err)
|
||||
}
|
||||
|
||||
for _, probe := range s.golangReadExProbes {
|
||||
if err := probe.Close(); err != nil {
|
||||
errors = append(errors, err)
|
||||
}
|
||||
}
|
||||
|
||||
return errors
|
||||
}
|
||||
|
||||
@ -8,11 +8,17 @@ import (
|
||||
|
||||
"github.com/Masterminds/semver"
|
||||
"github.com/cilium/ebpf/link"
|
||||
"github.com/knightsc/gapstone"
|
||||
)
|
||||
|
||||
type golangOffsets struct {
|
||||
GolangWriteOffset uint64
|
||||
GolangReadOffset uint64
|
||||
GolangWriteOffset *golangExtendedOffset
|
||||
GolangReadOffset *golangExtendedOffset
|
||||
}
|
||||
|
||||
type golangExtendedOffset struct {
|
||||
enter uint64
|
||||
exits []uint64
|
||||
}
|
||||
|
||||
const (
|
||||
@ -58,8 +64,17 @@ func findGolangOffsets(filePath string) (golangOffsets, error) {
|
||||
}, nil
|
||||
}
|
||||
|
||||
func getOffsets(filePath string) (offsets map[string]uint64, err error) {
|
||||
offsets = make(map[string]uint64)
|
||||
func getOffsets(filePath string) (offsets map[string]*golangExtendedOffset, err error) {
|
||||
var engine gapstone.Engine
|
||||
engine, err = gapstone.New(
|
||||
gapstone.CS_ARCH_X86,
|
||||
gapstone.CS_MODE_64,
|
||||
)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
offsets = make(map[string]*golangExtendedOffset)
|
||||
var fd *os.File
|
||||
fd, err = os.Open(filePath)
|
||||
if err != nil {
|
||||
@ -70,34 +85,85 @@ func getOffsets(filePath string) (offsets map[string]uint64, err error) {
|
||||
var se *elf.File
|
||||
se, err = elf.NewFile(fd)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return
|
||||
}
|
||||
|
||||
textSection := se.Section(".text")
|
||||
if textSection == nil {
|
||||
err = fmt.Errorf("No text section")
|
||||
return
|
||||
}
|
||||
|
||||
// extract the raw bytes from the .text section
|
||||
var textSectionData []byte
|
||||
textSectionData, err = textSection.Data()
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
syms, err := se.Symbols()
|
||||
for _, sym := range syms {
|
||||
offset := sym.Value
|
||||
|
||||
var lastProg *elf.Prog
|
||||
for _, prog := range se.Progs {
|
||||
if prog.Vaddr <= sym.Value && sym.Value < (prog.Vaddr+prog.Memsz) {
|
||||
offset = sym.Value - prog.Vaddr + prog.Off
|
||||
lastProg = prog
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
offsets[sym.Name] = offset
|
||||
extendedOffset := &golangExtendedOffset{enter: offset}
|
||||
|
||||
// source: https://gist.github.com/grantseltzer/3efa8ecc5de1fb566e8091533050d608
|
||||
// skip over any symbols that aren't functinons/methods
|
||||
if sym.Info != byte(2) && sym.Info != byte(18) {
|
||||
offsets[sym.Name] = extendedOffset
|
||||
continue
|
||||
}
|
||||
|
||||
// skip over empty symbols
|
||||
if sym.Size == 0 {
|
||||
offsets[sym.Name] = extendedOffset
|
||||
continue
|
||||
}
|
||||
|
||||
// calculate starting and ending index of the symbol within the text section
|
||||
symStartingIndex := sym.Value - textSection.Addr
|
||||
symEndingIndex := symStartingIndex + sym.Size
|
||||
|
||||
// collect the bytes of the symbol
|
||||
symBytes := textSectionData[symStartingIndex:symEndingIndex]
|
||||
|
||||
// disasemble the symbol
|
||||
var instructions []gapstone.Instruction
|
||||
instructions, err = engine.Disasm(symBytes, sym.Value, 0)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
// iterate over each instruction and if the mnemonic is `ret` then that's an exit offset
|
||||
for _, ins := range instructions {
|
||||
if ins.Mnemonic == "ret" {
|
||||
extendedOffset.exits = append(extendedOffset.exits, uint64(ins.Address)-lastProg.Vaddr+lastProg.Off)
|
||||
}
|
||||
}
|
||||
|
||||
offsets[sym.Name] = extendedOffset
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func getOffset(offsets map[string]uint64, symbol string) (uint64, error) {
|
||||
func getOffset(offsets map[string]*golangExtendedOffset, symbol string) (*golangExtendedOffset, error) {
|
||||
if offset, ok := offsets[symbol]; ok {
|
||||
return offset, nil
|
||||
}
|
||||
return 0, fmt.Errorf("symbol %s: %w", symbol, link.ErrNoSymbol)
|
||||
return nil, fmt.Errorf("symbol %s: %w", symbol, link.ErrNoSymbol)
|
||||
}
|
||||
|
||||
func checkGoVersion(filePath string, offset uint64) (bool, string, error) {
|
||||
func checkGoVersion(filePath string, offset *golangExtendedOffset) (bool, string, error) {
|
||||
fd, err := os.Open(filePath)
|
||||
if err != nil {
|
||||
return false, "", err
|
||||
@ -106,7 +172,7 @@ func checkGoVersion(filePath string, offset uint64) (bool, string, error) {
|
||||
|
||||
reader := bufio.NewReader(fd)
|
||||
|
||||
_, err = reader.Discard(int(offset))
|
||||
_, err = reader.Discard(int(offset.enter))
|
||||
if err != nil {
|
||||
return false, "", err
|
||||
}
|
||||
|
||||
@ -42,7 +42,7 @@ func (r *tlsReader) Read(p []byte) (int, error) {
|
||||
}
|
||||
|
||||
r.data = chunk.getRecordedData()
|
||||
case <-time.After(time.Second * 3):
|
||||
case <-time.After(time.Second * 120):
|
||||
r.doneHandler(r)
|
||||
return 0, io.EOF
|
||||
}
|
||||
|
||||
@ -66,22 +66,24 @@ type tlsTapperSpecs struct {
|
||||
//
|
||||
// It can be passed ebpf.CollectionSpec.Assign.
|
||||
type tlsTapperProgramSpecs struct {
|
||||
GolangCryptoTlsReadUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_uprobe"`
|
||||
GolangCryptoTlsWriteUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_uprobe"`
|
||||
SslRead *ebpf.ProgramSpec `ebpf:"ssl_read"`
|
||||
SslReadEx *ebpf.ProgramSpec `ebpf:"ssl_read_ex"`
|
||||
SslRetRead *ebpf.ProgramSpec `ebpf:"ssl_ret_read"`
|
||||
SslRetReadEx *ebpf.ProgramSpec `ebpf:"ssl_ret_read_ex"`
|
||||
SslRetWrite *ebpf.ProgramSpec `ebpf:"ssl_ret_write"`
|
||||
SslRetWriteEx *ebpf.ProgramSpec `ebpf:"ssl_ret_write_ex"`
|
||||
SslWrite *ebpf.ProgramSpec `ebpf:"ssl_write"`
|
||||
SslWriteEx *ebpf.ProgramSpec `ebpf:"ssl_write_ex"`
|
||||
SysEnterAccept4 *ebpf.ProgramSpec `ebpf:"sys_enter_accept4"`
|
||||
SysEnterConnect *ebpf.ProgramSpec `ebpf:"sys_enter_connect"`
|
||||
SysEnterRead *ebpf.ProgramSpec `ebpf:"sys_enter_read"`
|
||||
SysEnterWrite *ebpf.ProgramSpec `ebpf:"sys_enter_write"`
|
||||
SysExitAccept4 *ebpf.ProgramSpec `ebpf:"sys_exit_accept4"`
|
||||
SysExitConnect *ebpf.ProgramSpec `ebpf:"sys_exit_connect"`
|
||||
GolangCryptoTlsReadExUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_ex_uprobe"`
|
||||
GolangCryptoTlsReadUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_uprobe"`
|
||||
GolangCryptoTlsWriteExUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_ex_uprobe"`
|
||||
GolangCryptoTlsWriteUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_uprobe"`
|
||||
SslRead *ebpf.ProgramSpec `ebpf:"ssl_read"`
|
||||
SslReadEx *ebpf.ProgramSpec `ebpf:"ssl_read_ex"`
|
||||
SslRetRead *ebpf.ProgramSpec `ebpf:"ssl_ret_read"`
|
||||
SslRetReadEx *ebpf.ProgramSpec `ebpf:"ssl_ret_read_ex"`
|
||||
SslRetWrite *ebpf.ProgramSpec `ebpf:"ssl_ret_write"`
|
||||
SslRetWriteEx *ebpf.ProgramSpec `ebpf:"ssl_ret_write_ex"`
|
||||
SslWrite *ebpf.ProgramSpec `ebpf:"ssl_write"`
|
||||
SslWriteEx *ebpf.ProgramSpec `ebpf:"ssl_write_ex"`
|
||||
SysEnterAccept4 *ebpf.ProgramSpec `ebpf:"sys_enter_accept4"`
|
||||
SysEnterConnect *ebpf.ProgramSpec `ebpf:"sys_enter_connect"`
|
||||
SysEnterRead *ebpf.ProgramSpec `ebpf:"sys_enter_read"`
|
||||
SysEnterWrite *ebpf.ProgramSpec `ebpf:"sys_enter_write"`
|
||||
SysExitAccept4 *ebpf.ProgramSpec `ebpf:"sys_exit_accept4"`
|
||||
SysExitConnect *ebpf.ProgramSpec `ebpf:"sys_exit_connect"`
|
||||
}
|
||||
|
||||
// tlsTapperMapSpecs contains maps before they are loaded into the kernel.
|
||||
@ -147,27 +149,31 @@ func (m *tlsTapperMaps) Close() error {
|
||||
//
|
||||
// It can be passed to loadTlsTapperObjects or ebpf.CollectionSpec.LoadAndAssign.
|
||||
type tlsTapperPrograms struct {
|
||||
GolangCryptoTlsReadUprobe *ebpf.Program `ebpf:"golang_crypto_tls_read_uprobe"`
|
||||
GolangCryptoTlsWriteUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_uprobe"`
|
||||
SslRead *ebpf.Program `ebpf:"ssl_read"`
|
||||
SslReadEx *ebpf.Program `ebpf:"ssl_read_ex"`
|
||||
SslRetRead *ebpf.Program `ebpf:"ssl_ret_read"`
|
||||
SslRetReadEx *ebpf.Program `ebpf:"ssl_ret_read_ex"`
|
||||
SslRetWrite *ebpf.Program `ebpf:"ssl_ret_write"`
|
||||
SslRetWriteEx *ebpf.Program `ebpf:"ssl_ret_write_ex"`
|
||||
SslWrite *ebpf.Program `ebpf:"ssl_write"`
|
||||
SslWriteEx *ebpf.Program `ebpf:"ssl_write_ex"`
|
||||
SysEnterAccept4 *ebpf.Program `ebpf:"sys_enter_accept4"`
|
||||
SysEnterConnect *ebpf.Program `ebpf:"sys_enter_connect"`
|
||||
SysEnterRead *ebpf.Program `ebpf:"sys_enter_read"`
|
||||
SysEnterWrite *ebpf.Program `ebpf:"sys_enter_write"`
|
||||
SysExitAccept4 *ebpf.Program `ebpf:"sys_exit_accept4"`
|
||||
SysExitConnect *ebpf.Program `ebpf:"sys_exit_connect"`
|
||||
GolangCryptoTlsReadExUprobe *ebpf.Program `ebpf:"golang_crypto_tls_read_ex_uprobe"`
|
||||
GolangCryptoTlsReadUprobe *ebpf.Program `ebpf:"golang_crypto_tls_read_uprobe"`
|
||||
GolangCryptoTlsWriteExUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_ex_uprobe"`
|
||||
GolangCryptoTlsWriteUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_uprobe"`
|
||||
SslRead *ebpf.Program `ebpf:"ssl_read"`
|
||||
SslReadEx *ebpf.Program `ebpf:"ssl_read_ex"`
|
||||
SslRetRead *ebpf.Program `ebpf:"ssl_ret_read"`
|
||||
SslRetReadEx *ebpf.Program `ebpf:"ssl_ret_read_ex"`
|
||||
SslRetWrite *ebpf.Program `ebpf:"ssl_ret_write"`
|
||||
SslRetWriteEx *ebpf.Program `ebpf:"ssl_ret_write_ex"`
|
||||
SslWrite *ebpf.Program `ebpf:"ssl_write"`
|
||||
SslWriteEx *ebpf.Program `ebpf:"ssl_write_ex"`
|
||||
SysEnterAccept4 *ebpf.Program `ebpf:"sys_enter_accept4"`
|
||||
SysEnterConnect *ebpf.Program `ebpf:"sys_enter_connect"`
|
||||
SysEnterRead *ebpf.Program `ebpf:"sys_enter_read"`
|
||||
SysEnterWrite *ebpf.Program `ebpf:"sys_enter_write"`
|
||||
SysExitAccept4 *ebpf.Program `ebpf:"sys_exit_accept4"`
|
||||
SysExitConnect *ebpf.Program `ebpf:"sys_exit_connect"`
|
||||
}
|
||||
|
||||
func (p *tlsTapperPrograms) Close() error {
|
||||
return _TlsTapperClose(
|
||||
p.GolangCryptoTlsReadExUprobe,
|
||||
p.GolangCryptoTlsReadUprobe,
|
||||
p.GolangCryptoTlsWriteExUprobe,
|
||||
p.GolangCryptoTlsWriteUprobe,
|
||||
p.SslRead,
|
||||
p.SslReadEx,
|
||||
|
||||
Binary file not shown.
@ -66,22 +66,24 @@ type tlsTapperSpecs struct {
|
||||
//
|
||||
// It can be passed ebpf.CollectionSpec.Assign.
|
||||
type tlsTapperProgramSpecs struct {
|
||||
GolangCryptoTlsReadUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_uprobe"`
|
||||
GolangCryptoTlsWriteUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_uprobe"`
|
||||
SslRead *ebpf.ProgramSpec `ebpf:"ssl_read"`
|
||||
SslReadEx *ebpf.ProgramSpec `ebpf:"ssl_read_ex"`
|
||||
SslRetRead *ebpf.ProgramSpec `ebpf:"ssl_ret_read"`
|
||||
SslRetReadEx *ebpf.ProgramSpec `ebpf:"ssl_ret_read_ex"`
|
||||
SslRetWrite *ebpf.ProgramSpec `ebpf:"ssl_ret_write"`
|
||||
SslRetWriteEx *ebpf.ProgramSpec `ebpf:"ssl_ret_write_ex"`
|
||||
SslWrite *ebpf.ProgramSpec `ebpf:"ssl_write"`
|
||||
SslWriteEx *ebpf.ProgramSpec `ebpf:"ssl_write_ex"`
|
||||
SysEnterAccept4 *ebpf.ProgramSpec `ebpf:"sys_enter_accept4"`
|
||||
SysEnterConnect *ebpf.ProgramSpec `ebpf:"sys_enter_connect"`
|
||||
SysEnterRead *ebpf.ProgramSpec `ebpf:"sys_enter_read"`
|
||||
SysEnterWrite *ebpf.ProgramSpec `ebpf:"sys_enter_write"`
|
||||
SysExitAccept4 *ebpf.ProgramSpec `ebpf:"sys_exit_accept4"`
|
||||
SysExitConnect *ebpf.ProgramSpec `ebpf:"sys_exit_connect"`
|
||||
GolangCryptoTlsReadExUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_ex_uprobe"`
|
||||
GolangCryptoTlsReadUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_uprobe"`
|
||||
GolangCryptoTlsWriteExUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_ex_uprobe"`
|
||||
GolangCryptoTlsWriteUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_uprobe"`
|
||||
SslRead *ebpf.ProgramSpec `ebpf:"ssl_read"`
|
||||
SslReadEx *ebpf.ProgramSpec `ebpf:"ssl_read_ex"`
|
||||
SslRetRead *ebpf.ProgramSpec `ebpf:"ssl_ret_read"`
|
||||
SslRetReadEx *ebpf.ProgramSpec `ebpf:"ssl_ret_read_ex"`
|
||||
SslRetWrite *ebpf.ProgramSpec `ebpf:"ssl_ret_write"`
|
||||
SslRetWriteEx *ebpf.ProgramSpec `ebpf:"ssl_ret_write_ex"`
|
||||
SslWrite *ebpf.ProgramSpec `ebpf:"ssl_write"`
|
||||
SslWriteEx *ebpf.ProgramSpec `ebpf:"ssl_write_ex"`
|
||||
SysEnterAccept4 *ebpf.ProgramSpec `ebpf:"sys_enter_accept4"`
|
||||
SysEnterConnect *ebpf.ProgramSpec `ebpf:"sys_enter_connect"`
|
||||
SysEnterRead *ebpf.ProgramSpec `ebpf:"sys_enter_read"`
|
||||
SysEnterWrite *ebpf.ProgramSpec `ebpf:"sys_enter_write"`
|
||||
SysExitAccept4 *ebpf.ProgramSpec `ebpf:"sys_exit_accept4"`
|
||||
SysExitConnect *ebpf.ProgramSpec `ebpf:"sys_exit_connect"`
|
||||
}
|
||||
|
||||
// tlsTapperMapSpecs contains maps before they are loaded into the kernel.
|
||||
@ -147,27 +149,31 @@ func (m *tlsTapperMaps) Close() error {
|
||||
//
|
||||
// It can be passed to loadTlsTapperObjects or ebpf.CollectionSpec.LoadAndAssign.
|
||||
type tlsTapperPrograms struct {
|
||||
GolangCryptoTlsReadUprobe *ebpf.Program `ebpf:"golang_crypto_tls_read_uprobe"`
|
||||
GolangCryptoTlsWriteUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_uprobe"`
|
||||
SslRead *ebpf.Program `ebpf:"ssl_read"`
|
||||
SslReadEx *ebpf.Program `ebpf:"ssl_read_ex"`
|
||||
SslRetRead *ebpf.Program `ebpf:"ssl_ret_read"`
|
||||
SslRetReadEx *ebpf.Program `ebpf:"ssl_ret_read_ex"`
|
||||
SslRetWrite *ebpf.Program `ebpf:"ssl_ret_write"`
|
||||
SslRetWriteEx *ebpf.Program `ebpf:"ssl_ret_write_ex"`
|
||||
SslWrite *ebpf.Program `ebpf:"ssl_write"`
|
||||
SslWriteEx *ebpf.Program `ebpf:"ssl_write_ex"`
|
||||
SysEnterAccept4 *ebpf.Program `ebpf:"sys_enter_accept4"`
|
||||
SysEnterConnect *ebpf.Program `ebpf:"sys_enter_connect"`
|
||||
SysEnterRead *ebpf.Program `ebpf:"sys_enter_read"`
|
||||
SysEnterWrite *ebpf.Program `ebpf:"sys_enter_write"`
|
||||
SysExitAccept4 *ebpf.Program `ebpf:"sys_exit_accept4"`
|
||||
SysExitConnect *ebpf.Program `ebpf:"sys_exit_connect"`
|
||||
GolangCryptoTlsReadExUprobe *ebpf.Program `ebpf:"golang_crypto_tls_read_ex_uprobe"`
|
||||
GolangCryptoTlsReadUprobe *ebpf.Program `ebpf:"golang_crypto_tls_read_uprobe"`
|
||||
GolangCryptoTlsWriteExUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_ex_uprobe"`
|
||||
GolangCryptoTlsWriteUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_uprobe"`
|
||||
SslRead *ebpf.Program `ebpf:"ssl_read"`
|
||||
SslReadEx *ebpf.Program `ebpf:"ssl_read_ex"`
|
||||
SslRetRead *ebpf.Program `ebpf:"ssl_ret_read"`
|
||||
SslRetReadEx *ebpf.Program `ebpf:"ssl_ret_read_ex"`
|
||||
SslRetWrite *ebpf.Program `ebpf:"ssl_ret_write"`
|
||||
SslRetWriteEx *ebpf.Program `ebpf:"ssl_ret_write_ex"`
|
||||
SslWrite *ebpf.Program `ebpf:"ssl_write"`
|
||||
SslWriteEx *ebpf.Program `ebpf:"ssl_write_ex"`
|
||||
SysEnterAccept4 *ebpf.Program `ebpf:"sys_enter_accept4"`
|
||||
SysEnterConnect *ebpf.Program `ebpf:"sys_enter_connect"`
|
||||
SysEnterRead *ebpf.Program `ebpf:"sys_enter_read"`
|
||||
SysEnterWrite *ebpf.Program `ebpf:"sys_enter_write"`
|
||||
SysExitAccept4 *ebpf.Program `ebpf:"sys_exit_accept4"`
|
||||
SysExitConnect *ebpf.Program `ebpf:"sys_exit_connect"`
|
||||
}
|
||||
|
||||
func (p *tlsTapperPrograms) Close() error {
|
||||
return _TlsTapperClose(
|
||||
p.GolangCryptoTlsReadExUprobe,
|
||||
p.GolangCryptoTlsReadUprobe,
|
||||
p.GolangCryptoTlsWriteExUprobe,
|
||||
p.GolangCryptoTlsWriteUprobe,
|
||||
p.SslRead,
|
||||
p.SslReadEx,
|
||||
|
||||
Binary file not shown.
Loading…
Reference in New Issue
Block a user