Find the ret instructions using Capstone Engine and uprobe the return statements

agent/go.mod

@@ -85,6 +85,7 @@ require (
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.14.2 // indirect
+	github.com/knightsc/gapstone v0.0.0-20211014144438-5e0e64002a6e // indirect
 	github.com/leodido/go-urn v1.2.1 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect

agent/go.sum

@@ -457,6 +457,8 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o
 github.com/klauspost/compress v1.9.8/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
 github.com/klauspost/compress v1.14.2 h1:S0OHlFk/Gbon/yauFJ4FfJJF5V0fc5HbBTJazi28pRw=
 github.com/klauspost/compress v1.14.2/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
+github.com/knightsc/gapstone v0.0.0-20211014144438-5e0e64002a6e h1:6J5obSn9umEThiYzWzndcPOZR0Qj/sVCZpH6V1G7yNE=
+github.com/knightsc/gapstone v0.0.0-20211014144438-5e0e64002a6e/go.mod h1:1K5hEzsMBLTPdRJKEHqBFJ8Zt2VRqDhomcQ11KH0WW4=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=

devops/install-capstone.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+git clone https://github.com/capstone-engine/capstone.git -b 4.0.2 && \
+git checkout capstone && \
+./make.sh && \
+sudo ./make.sh install

tap/go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/go-errors/errors v1.4.2
 	github.com/google/gopacket v1.1.19
 	github.com/hashicorp/golang-lru v0.5.4
+	github.com/knightsc/gapstone v0.0.0-20211014144438-5e0e64002a6e
 	github.com/shirou/gopsutil v3.21.11+incompatible
 	github.com/struCoder/pidusage v0.2.1
 	github.com/up9inc/mizu/logger v0.0.0

tap/go.sum

@@ -83,6 +83,8 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/knightsc/gapstone v0.0.0-20211014144438-5e0e64002a6e h1:6J5obSn9umEThiYzWzndcPOZR0Qj/sVCZpH6V1G7yNE=
+github.com/knightsc/gapstone v0.0.0-20211014144438-5e0e64002a6e/go.mod h1:1K5hEzsMBLTPdRJKEHqBFJ8Zt2VRqDhomcQ11KH0WW4=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=

tap/tlstapper/bpf/golang_uprobes.c

@@ -19,11 +19,12 @@ If stack size exceeds 2Kb, Go runtime reallocates the stack. That causes the
 return address to become wrong in case of `uretprobe` and probed Go program crashes.
 Therefore `uretprobe` CAN'T BE USED for a Go program.
 
-`golang_crypto_tls_read_uprobe` suppose to be `uretprobe` is actually a `uprobe` because of the ABI problems
+`_ex_uprobe` suffixed probes suppose to be `uretprobe`(s) are actually `uprobe`(s)
-and we probe an arbitrary point in a function body (offset +559):
+because of the non-standard ABI of Go. Therefore we probe `ret` mnemonics under the symbol
+by automatically finding them through reading the ELF binary and disassembling the symbols.
+Disassembly related code located in `golang_offsets.go` file.
+Example: We probe an arbitrary point in a function body (offset +559):
 https://github.com/golang/go/blob/go1.17.6/src/crypto/tls/conn.go#L1296
-Therefore `golang_crypto_tls_read_uprobe` is fragile any changes in `crypto/tls` library
-and it's only tested on x86-64.
 
 ---
 
@@ -69,6 +70,31 @@ static int golang_crypto_tls_write_uprobe(struct pt_regs *ctx) {
         log_error(ctx, LOG_ERROR_PUTTING_SSL_CONTEXT, pid_tgid, err, 0l);
     }
 
+    return 0;
+}
+
+SEC("uprobe/golang_crypto_tls_write_ex")
+static int golang_crypto_tls_write_ex_uprobe(struct pt_regs *ctx) {
+    __u64 pid_tgid = bpf_get_current_pid_tgid();
+    __u64 pid = pid_tgid >> 32;
+    if (!should_tap(pid)) {
+        return 0;
+    }
+
+    struct ssl_info *info_ptr = bpf_map_lookup_elem(&ssl_write_context, &pid_tgid);
+
+    if (info_ptr == NULL) {
+        return 0;
+    }
+
+    struct ssl_info info;
+    long err = bpf_probe_read(&info, sizeof(struct ssl_info), info_ptr);
+
+    if (err != 0) {
+        log_error(ctx, LOG_ERROR_READING_SSL_CONTEXT, pid_tgid, err, ORIGIN_SSL_URETPROBE_CODE);
+        return 0;
+    }
+
     output_ssl_chunk(ctx, &info, info.buffer_len, pid_tgid, 0);
 
     return 0;
@@ -82,19 +108,10 @@ static int golang_crypto_tls_read_uprobe(struct pt_regs *ctx) {
         return 0;
     }
 
-    void* stack_addr = (void*)GO_ABI_INTERNAL_PT_REGS_SP(ctx);
-    __u64 data_p;
-    // Address at stack pointer + 0xd8 holds the data (*fragile* and probably specific to x86-64)
-    __u32 status = bpf_probe_read(&data_p, sizeof(data_p), stack_addr + 0xd8);
-    if (status < 0) {
-        log_error(ctx, LOG_ERROR_GOLANG_READ_READING_DATA_POINTER, pid_tgid, status, 0l);
-        return 0;
-    }
-
     struct ssl_info info = lookup_ssl_info(ctx, &ssl_read_context, pid_tgid);
 
     info.buffer_len = GO_ABI_INTERNAL_PT_REGS_R2(ctx);
-    info.buffer = (void*)data_p;
+    info.buffer = (void*)GO_ABI_INTERNAL_PT_REGS_R4(ctx);
 
     long err = bpf_map_update_elem(&ssl_read_context, &pid_tgid, &info, BPF_ANY);
 
@@ -102,6 +119,31 @@ static int golang_crypto_tls_read_uprobe(struct pt_regs *ctx) {
         log_error(ctx, LOG_ERROR_PUTTING_SSL_CONTEXT, pid_tgid, err, 0l);
     }
 
+    return 0;
+}
+
+SEC("uprobe/golang_crypto_tls_read_ex")
+static int golang_crypto_tls_read_ex_uprobe(struct pt_regs *ctx) {
+    __u64 pid_tgid = bpf_get_current_pid_tgid();
+    __u64 pid = pid_tgid >> 32;
+    if (!should_tap(pid)) {
+        return 0;
+    }
+
+    struct ssl_info *info_ptr = bpf_map_lookup_elem(&ssl_read_context, &pid_tgid);
+
+    if (info_ptr == NULL) {
+        return 0;
+    }
+
+    struct ssl_info info;
+    long err = bpf_probe_read(&info, sizeof(struct ssl_info), info_ptr);
+
+    if (err != 0) {
+        log_error(ctx, LOG_ERROR_READING_SSL_CONTEXT, pid_tgid, err, ORIGIN_SSL_URETPROBE_CODE);
+        return 0;
+    }
+
     output_ssl_chunk(ctx, &info, info.buffer_len, pid_tgid, FLAGS_IS_READ_BIT);
 
     return 0;

tap/tlstapper/golang_hooks.go

@@ -6,8 +6,10 @@ import (
 )
 
 type golangHooks struct {
-	golangWriteProbe link.Link
+	golangWriteProbe    link.Link
-	golangReadProbe  link.Link
+	golangWriteExProbes []link.Link
+	golangReadProbe     link.Link
+	golangReadExProbes  []link.Link
 }
 
 func (s *golangHooks) installUprobes(bpfObjects *tlsTapperObjects, filePath string) error {
@@ -32,23 +34,45 @@ func (s *golangHooks) installHooks(bpfObjects *tlsTapperObjects, ex *link.Execut
 	// Symbol points to
 	// [`crypto/tls.(*Conn).Write`](https://github.com/golang/go/blob/go1.17.6/src/crypto/tls/conn.go#L1099)
 	s.golangWriteProbe, err = ex.Uprobe(golangWriteSymbol, bpfObjects.GolangCryptoTlsWriteUprobe, &link.UprobeOptions{
-		Offset: offsets.GolangWriteOffset,
+		Offset: offsets.GolangWriteOffset.enter,
 	})
 
 	if err != nil {
 		return errors.Wrap(err, 0)
 	}
 
-	// Relative offset points to
+	for _, offset := range offsets.GolangWriteOffset.exits {
-	// [`crypto/tls.(*Conn).Read+559`](https://github.com/golang/go/blob/go1.17.6/src/crypto/tls/conn.go#L1296)
+		probe, err := ex.Uprobe(golangWriteSymbol, bpfObjects.GolangCryptoTlsWriteExUprobe, &link.UprobeOptions{
-	s.golangReadProbe, err = ex.Uprobe(golangReadSymbol, bpfObjects.GolangCryptoTlsReadUprobe, &link.UprobeOptions{
+			Offset: offset,
-		Offset: offsets.GolangReadOffset + 0x22f,
+		})
-	})
+
+		if err != nil {
+			return errors.Wrap(err, 0)
+		}
+
+		s.golangWriteExProbes = append(s.golangWriteExProbes, probe)
+	}
+
+	// Symbol points to
+	// [`crypto/tls.(*Conn).Read`](https://github.com/golang/go/blob/go1.17.6/src/crypto/tls/conn.go#L1263)
+	s.golangReadProbe, err = ex.Uprobe(golangReadSymbol, bpfObjects.GolangCryptoTlsReadUprobe, nil)
 
 	if err != nil {
 		return errors.Wrap(err, 0)
 	}
 
+	for _, offset := range offsets.GolangReadOffset.exits {
+		probe, err := ex.Uprobe(golangReadSymbol, bpfObjects.GolangCryptoTlsReadExUprobe, &link.UprobeOptions{
+			Offset: offset,
+		})
+
+		if err != nil {
+			return errors.Wrap(err, 0)
+		}
+
+		s.golangReadExProbes = append(s.golangReadExProbes, probe)
+	}
+
 	return nil
 }
 
@@ -59,9 +83,21 @@ func (s *golangHooks) close() []error {
 		errors = append(errors, err)
 	}
 
+	for _, probe := range s.golangWriteExProbes {
+		if err := probe.Close(); err != nil {
+			errors = append(errors, err)
+		}
+	}
+
 	if err := s.golangReadProbe.Close(); err != nil {
 		errors = append(errors, err)
 	}
 
+	for _, probe := range s.golangReadExProbes {
+		if err := probe.Close(); err != nil {
+			errors = append(errors, err)
+		}
+	}
+
 	return errors
 }

tap/tlstapper/golang_offsets.go

@@ -8,11 +8,17 @@ import (
 
 	"github.com/Masterminds/semver"
 	"github.com/cilium/ebpf/link"
+	"github.com/knightsc/gapstone"
 )
 
 type golangOffsets struct {
-	GolangWriteOffset uint64
+	GolangWriteOffset *golangExtendedOffset
-	GolangReadOffset  uint64
+	GolangReadOffset  *golangExtendedOffset
+}
+
+type golangExtendedOffset struct {
+	enter uint64
+	exits []uint64
 }
 
 const (
@@ -58,8 +64,17 @@ func findGolangOffsets(filePath string) (golangOffsets, error) {
 	}, nil
 }
 
-func getOffsets(filePath string) (offsets map[string]uint64, err error) {
+func getOffsets(filePath string) (offsets map[string]*golangExtendedOffset, err error) {
-	offsets = make(map[string]uint64)
+	var engine gapstone.Engine
+	engine, err = gapstone.New(
+		gapstone.CS_ARCH_X86,
+		gapstone.CS_MODE_64,
+	)
+	if err != nil {
+		return
+	}
+
+	offsets = make(map[string]*golangExtendedOffset)
 	var fd *os.File
 	fd, err = os.Open(filePath)
 	if err != nil {
@@ -70,34 +85,85 @@ func getOffsets(filePath string) (offsets map[string]uint64, err error) {
 	var se *elf.File
 	se, err = elf.NewFile(fd)
 	if err != nil {
-		return nil, err
+		return
+	}
+
+	textSection := se.Section(".text")
+	if textSection == nil {
+		err = fmt.Errorf("No text section")
+		return
+	}
+
+	// extract the raw bytes from the .text section
+	var textSectionData []byte
+	textSectionData, err = textSection.Data()
+	if err != nil {
+		return
 	}
 
 	syms, err := se.Symbols()
 	for _, sym := range syms {
 		offset := sym.Value
 
+		var lastProg *elf.Prog
 		for _, prog := range se.Progs {
 			if prog.Vaddr <= sym.Value && sym.Value < (prog.Vaddr+prog.Memsz) {
 				offset = sym.Value - prog.Vaddr + prog.Off
+				lastProg = prog
 				break
 			}
 		}
 
-		offsets[sym.Name] = offset
+		extendedOffset := &golangExtendedOffset{enter: offset}
+
+		// source: https://gist.github.com/grantseltzer/3efa8ecc5de1fb566e8091533050d608
+		// skip over any symbols that aren't functinons/methods
+		if sym.Info != byte(2) && sym.Info != byte(18) {
+			offsets[sym.Name] = extendedOffset
+			continue
+		}
+
+		// skip over empty symbols
+		if sym.Size == 0 {
+			offsets[sym.Name] = extendedOffset
+			continue
+		}
+
+		// calculate starting and ending index of the symbol within the text section
+		symStartingIndex := sym.Value - textSection.Addr
+		symEndingIndex := symStartingIndex + sym.Size
+
+		// collect the bytes of the symbol
+		symBytes := textSectionData[symStartingIndex:symEndingIndex]
+
+		// disasemble the symbol
+		var instructions []gapstone.Instruction
+		instructions, err = engine.Disasm(symBytes, sym.Value, 0)
+		if err != nil {
+			return
+		}
+
+		// iterate over each instruction and if the mnemonic is `ret` then that's an exit offset
+		for _, ins := range instructions {
+			if ins.Mnemonic == "ret" {
+				extendedOffset.exits = append(extendedOffset.exits, uint64(ins.Address)-lastProg.Vaddr+lastProg.Off)
+			}
+		}
+
+		offsets[sym.Name] = extendedOffset
 	}
 
 	return
 }
 
-func getOffset(offsets map[string]uint64, symbol string) (uint64, error) {
+func getOffset(offsets map[string]*golangExtendedOffset, symbol string) (*golangExtendedOffset, error) {
 	if offset, ok := offsets[symbol]; ok {
 		return offset, nil
 	}
-	return 0, fmt.Errorf("symbol %s: %w", symbol, link.ErrNoSymbol)
+	return nil, fmt.Errorf("symbol %s: %w", symbol, link.ErrNoSymbol)
 }
 
-func checkGoVersion(filePath string, offset uint64) (bool, string, error) {
+func checkGoVersion(filePath string, offset *golangExtendedOffset) (bool, string, error) {
 	fd, err := os.Open(filePath)
 	if err != nil {
 		return false, "", err
@@ -106,7 +172,7 @@ func checkGoVersion(filePath string, offset uint64) (bool, string, error) {
 
 	reader := bufio.NewReader(fd)
 
-	_, err = reader.Discard(int(offset))
+	_, err = reader.Discard(int(offset.enter))
 	if err != nil {
 		return false, "", err
 	}

tap/tlstapper/tls_reader.go

@@ -42,7 +42,7 @@ func (r *tlsReader) Read(p []byte) (int, error) {
 			}
 
 			r.data = chunk.getRecordedData()
-		case <-time.After(time.Second * 3):
+		case <-time.After(time.Second * 120):
 			r.doneHandler(r)
 			return 0, io.EOF
 		}

tap/tlstapper/tlstapper_bpfeb.go

@@ -66,22 +66,24 @@ type tlsTapperSpecs struct {
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type tlsTapperProgramSpecs struct {
-	GolangCryptoTlsReadUprobe  *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_uprobe"`
+	GolangCryptoTlsReadExUprobe  *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_ex_uprobe"`
-	GolangCryptoTlsWriteUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_uprobe"`
+	GolangCryptoTlsReadUprobe    *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_uprobe"`
-	SslRead                    *ebpf.ProgramSpec `ebpf:"ssl_read"`
+	GolangCryptoTlsWriteExUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_ex_uprobe"`
-	SslReadEx                  *ebpf.ProgramSpec `ebpf:"ssl_read_ex"`
+	GolangCryptoTlsWriteUprobe   *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_uprobe"`
-	SslRetRead                 *ebpf.ProgramSpec `ebpf:"ssl_ret_read"`
+	SslRead                      *ebpf.ProgramSpec `ebpf:"ssl_read"`
-	SslRetReadEx               *ebpf.ProgramSpec `ebpf:"ssl_ret_read_ex"`
+	SslReadEx                    *ebpf.ProgramSpec `ebpf:"ssl_read_ex"`
-	SslRetWrite                *ebpf.ProgramSpec `ebpf:"ssl_ret_write"`
+	SslRetRead                   *ebpf.ProgramSpec `ebpf:"ssl_ret_read"`
-	SslRetWriteEx              *ebpf.ProgramSpec `ebpf:"ssl_ret_write_ex"`
+	SslRetReadEx                 *ebpf.ProgramSpec `ebpf:"ssl_ret_read_ex"`
-	SslWrite                   *ebpf.ProgramSpec `ebpf:"ssl_write"`
+	SslRetWrite                  *ebpf.ProgramSpec `ebpf:"ssl_ret_write"`
-	SslWriteEx                 *ebpf.ProgramSpec `ebpf:"ssl_write_ex"`
+	SslRetWriteEx                *ebpf.ProgramSpec `ebpf:"ssl_ret_write_ex"`
-	SysEnterAccept4            *ebpf.ProgramSpec `ebpf:"sys_enter_accept4"`
+	SslWrite                     *ebpf.ProgramSpec `ebpf:"ssl_write"`
-	SysEnterConnect            *ebpf.ProgramSpec `ebpf:"sys_enter_connect"`
+	SslWriteEx                   *ebpf.ProgramSpec `ebpf:"ssl_write_ex"`
-	SysEnterRead               *ebpf.ProgramSpec `ebpf:"sys_enter_read"`
+	SysEnterAccept4              *ebpf.ProgramSpec `ebpf:"sys_enter_accept4"`
-	SysEnterWrite              *ebpf.ProgramSpec `ebpf:"sys_enter_write"`
+	SysEnterConnect              *ebpf.ProgramSpec `ebpf:"sys_enter_connect"`
-	SysExitAccept4             *ebpf.ProgramSpec `ebpf:"sys_exit_accept4"`
+	SysEnterRead                 *ebpf.ProgramSpec `ebpf:"sys_enter_read"`
-	SysExitConnect             *ebpf.ProgramSpec `ebpf:"sys_exit_connect"`
+	SysEnterWrite                *ebpf.ProgramSpec `ebpf:"sys_enter_write"`
+	SysExitAccept4               *ebpf.ProgramSpec `ebpf:"sys_exit_accept4"`
+	SysExitConnect               *ebpf.ProgramSpec `ebpf:"sys_exit_connect"`
 }
 
 // tlsTapperMapSpecs contains maps before they are loaded into the kernel.
@@ -147,27 +149,31 @@ func (m *tlsTapperMaps) Close() error {
 //
 // It can be passed to loadTlsTapperObjects or ebpf.CollectionSpec.LoadAndAssign.
 type tlsTapperPrograms struct {
-	GolangCryptoTlsReadUprobe  *ebpf.Program `ebpf:"golang_crypto_tls_read_uprobe"`
+	GolangCryptoTlsReadExUprobe  *ebpf.Program `ebpf:"golang_crypto_tls_read_ex_uprobe"`
-	GolangCryptoTlsWriteUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_uprobe"`
+	GolangCryptoTlsReadUprobe    *ebpf.Program `ebpf:"golang_crypto_tls_read_uprobe"`
-	SslRead                    *ebpf.Program `ebpf:"ssl_read"`
+	GolangCryptoTlsWriteExUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_ex_uprobe"`
-	SslReadEx                  *ebpf.Program `ebpf:"ssl_read_ex"`
+	GolangCryptoTlsWriteUprobe   *ebpf.Program `ebpf:"golang_crypto_tls_write_uprobe"`
-	SslRetRead                 *ebpf.Program `ebpf:"ssl_ret_read"`
+	SslRead                      *ebpf.Program `ebpf:"ssl_read"`
-	SslRetReadEx               *ebpf.Program `ebpf:"ssl_ret_read_ex"`
+	SslReadEx                    *ebpf.Program `ebpf:"ssl_read_ex"`
-	SslRetWrite                *ebpf.Program `ebpf:"ssl_ret_write"`
+	SslRetRead                   *ebpf.Program `ebpf:"ssl_ret_read"`
-	SslRetWriteEx              *ebpf.Program `ebpf:"ssl_ret_write_ex"`
+	SslRetReadEx                 *ebpf.Program `ebpf:"ssl_ret_read_ex"`
-	SslWrite                   *ebpf.Program `ebpf:"ssl_write"`
+	SslRetWrite                  *ebpf.Program `ebpf:"ssl_ret_write"`
-	SslWriteEx                 *ebpf.Program `ebpf:"ssl_write_ex"`
+	SslRetWriteEx                *ebpf.Program `ebpf:"ssl_ret_write_ex"`
-	SysEnterAccept4            *ebpf.Program `ebpf:"sys_enter_accept4"`
+	SslWrite                     *ebpf.Program `ebpf:"ssl_write"`
-	SysEnterConnect            *ebpf.Program `ebpf:"sys_enter_connect"`
+	SslWriteEx                   *ebpf.Program `ebpf:"ssl_write_ex"`
-	SysEnterRead               *ebpf.Program `ebpf:"sys_enter_read"`
+	SysEnterAccept4              *ebpf.Program `ebpf:"sys_enter_accept4"`
-	SysEnterWrite              *ebpf.Program `ebpf:"sys_enter_write"`
+	SysEnterConnect              *ebpf.Program `ebpf:"sys_enter_connect"`
-	SysExitAccept4             *ebpf.Program `ebpf:"sys_exit_accept4"`
+	SysEnterRead                 *ebpf.Program `ebpf:"sys_enter_read"`
-	SysExitConnect             *ebpf.Program `ebpf:"sys_exit_connect"`
+	SysEnterWrite                *ebpf.Program `ebpf:"sys_enter_write"`
+	SysExitAccept4               *ebpf.Program `ebpf:"sys_exit_accept4"`
+	SysExitConnect               *ebpf.Program `ebpf:"sys_exit_connect"`
 }
 
 func (p *tlsTapperPrograms) Close() error {
 	return _TlsTapperClose(
+		p.GolangCryptoTlsReadExUprobe,
 		p.GolangCryptoTlsReadUprobe,
+		p.GolangCryptoTlsWriteExUprobe,
 		p.GolangCryptoTlsWriteUprobe,
 		p.SslRead,
 		p.SslReadEx,

tap/tlstapper/tlstapper_bpfel.go

@@ -66,22 +66,24 @@ type tlsTapperSpecs struct {
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type tlsTapperProgramSpecs struct {
-	GolangCryptoTlsReadUprobe  *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_uprobe"`
+	GolangCryptoTlsReadExUprobe  *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_ex_uprobe"`
-	GolangCryptoTlsWriteUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_uprobe"`
+	GolangCryptoTlsReadUprobe    *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_uprobe"`
-	SslRead                    *ebpf.ProgramSpec `ebpf:"ssl_read"`
+	GolangCryptoTlsWriteExUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_ex_uprobe"`
-	SslReadEx                  *ebpf.ProgramSpec `ebpf:"ssl_read_ex"`
+	GolangCryptoTlsWriteUprobe   *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_uprobe"`
-	SslRetRead                 *ebpf.ProgramSpec `ebpf:"ssl_ret_read"`
+	SslRead                      *ebpf.ProgramSpec `ebpf:"ssl_read"`
-	SslRetReadEx               *ebpf.ProgramSpec `ebpf:"ssl_ret_read_ex"`
+	SslReadEx                    *ebpf.ProgramSpec `ebpf:"ssl_read_ex"`
-	SslRetWrite                *ebpf.ProgramSpec `ebpf:"ssl_ret_write"`
+	SslRetRead                   *ebpf.ProgramSpec `ebpf:"ssl_ret_read"`
-	SslRetWriteEx              *ebpf.ProgramSpec `ebpf:"ssl_ret_write_ex"`
+	SslRetReadEx                 *ebpf.ProgramSpec `ebpf:"ssl_ret_read_ex"`
-	SslWrite                   *ebpf.ProgramSpec `ebpf:"ssl_write"`
+	SslRetWrite                  *ebpf.ProgramSpec `ebpf:"ssl_ret_write"`
-	SslWriteEx                 *ebpf.ProgramSpec `ebpf:"ssl_write_ex"`
+	SslRetWriteEx                *ebpf.ProgramSpec `ebpf:"ssl_ret_write_ex"`
-	SysEnterAccept4            *ebpf.ProgramSpec `ebpf:"sys_enter_accept4"`
+	SslWrite                     *ebpf.ProgramSpec `ebpf:"ssl_write"`
-	SysEnterConnect            *ebpf.ProgramSpec `ebpf:"sys_enter_connect"`
+	SslWriteEx                   *ebpf.ProgramSpec `ebpf:"ssl_write_ex"`
-	SysEnterRead               *ebpf.ProgramSpec `ebpf:"sys_enter_read"`
+	SysEnterAccept4              *ebpf.ProgramSpec `ebpf:"sys_enter_accept4"`
-	SysEnterWrite              *ebpf.ProgramSpec `ebpf:"sys_enter_write"`
+	SysEnterConnect              *ebpf.ProgramSpec `ebpf:"sys_enter_connect"`
-	SysExitAccept4             *ebpf.ProgramSpec `ebpf:"sys_exit_accept4"`
+	SysEnterRead                 *ebpf.ProgramSpec `ebpf:"sys_enter_read"`
-	SysExitConnect             *ebpf.ProgramSpec `ebpf:"sys_exit_connect"`
+	SysEnterWrite                *ebpf.ProgramSpec `ebpf:"sys_enter_write"`
+	SysExitAccept4               *ebpf.ProgramSpec `ebpf:"sys_exit_accept4"`
+	SysExitConnect               *ebpf.ProgramSpec `ebpf:"sys_exit_connect"`
 }
 
 // tlsTapperMapSpecs contains maps before they are loaded into the kernel.
@@ -147,27 +149,31 @@ func (m *tlsTapperMaps) Close() error {
 //
 // It can be passed to loadTlsTapperObjects or ebpf.CollectionSpec.LoadAndAssign.
 type tlsTapperPrograms struct {
-	GolangCryptoTlsReadUprobe  *ebpf.Program `ebpf:"golang_crypto_tls_read_uprobe"`
+	GolangCryptoTlsReadExUprobe  *ebpf.Program `ebpf:"golang_crypto_tls_read_ex_uprobe"`
-	GolangCryptoTlsWriteUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_uprobe"`
+	GolangCryptoTlsReadUprobe    *ebpf.Program `ebpf:"golang_crypto_tls_read_uprobe"`
-	SslRead                    *ebpf.Program `ebpf:"ssl_read"`
+	GolangCryptoTlsWriteExUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_ex_uprobe"`
-	SslReadEx                  *ebpf.Program `ebpf:"ssl_read_ex"`
+	GolangCryptoTlsWriteUprobe   *ebpf.Program `ebpf:"golang_crypto_tls_write_uprobe"`
-	SslRetRead                 *ebpf.Program `ebpf:"ssl_ret_read"`
+	SslRead                      *ebpf.Program `ebpf:"ssl_read"`
-	SslRetReadEx               *ebpf.Program `ebpf:"ssl_ret_read_ex"`
+	SslReadEx                    *ebpf.Program `ebpf:"ssl_read_ex"`
-	SslRetWrite                *ebpf.Program `ebpf:"ssl_ret_write"`
+	SslRetRead                   *ebpf.Program `ebpf:"ssl_ret_read"`
-	SslRetWriteEx              *ebpf.Program `ebpf:"ssl_ret_write_ex"`
+	SslRetReadEx                 *ebpf.Program `ebpf:"ssl_ret_read_ex"`
-	SslWrite                   *ebpf.Program `ebpf:"ssl_write"`
+	SslRetWrite                  *ebpf.Program `ebpf:"ssl_ret_write"`
-	SslWriteEx                 *ebpf.Program `ebpf:"ssl_write_ex"`
+	SslRetWriteEx                *ebpf.Program `ebpf:"ssl_ret_write_ex"`
-	SysEnterAccept4            *ebpf.Program `ebpf:"sys_enter_accept4"`
+	SslWrite                     *ebpf.Program `ebpf:"ssl_write"`
-	SysEnterConnect            *ebpf.Program `ebpf:"sys_enter_connect"`
+	SslWriteEx                   *ebpf.Program `ebpf:"ssl_write_ex"`
-	SysEnterRead               *ebpf.Program `ebpf:"sys_enter_read"`
+	SysEnterAccept4              *ebpf.Program `ebpf:"sys_enter_accept4"`
-	SysEnterWrite              *ebpf.Program `ebpf:"sys_enter_write"`
+	SysEnterConnect              *ebpf.Program `ebpf:"sys_enter_connect"`
-	SysExitAccept4             *ebpf.Program `ebpf:"sys_exit_accept4"`
+	SysEnterRead                 *ebpf.Program `ebpf:"sys_enter_read"`
-	SysExitConnect             *ebpf.Program `ebpf:"sys_exit_connect"`
+	SysEnterWrite                *ebpf.Program `ebpf:"sys_enter_write"`
+	SysExitAccept4               *ebpf.Program `ebpf:"sys_exit_accept4"`
+	SysExitConnect               *ebpf.Program `ebpf:"sys_exit_connect"`
 }
 
 func (p *tlsTapperPrograms) Close() error {
 	return _TlsTapperClose(
+		p.GolangCryptoTlsReadExUprobe,
 		p.GolangCryptoTlsReadUprobe,
+		p.GolangCryptoTlsWriteExUprobe,
 		p.GolangCryptoTlsWriteUprobe,
 		p.SslRead,
 		p.SslReadEx,