github/kubeshark
1
0
Fork 0
mirror of https://github.com/kubeshark/kubeshark.git synced 2025-08-09 04:19:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Call should_tap in Golang uprobes

Browse Source
This commit is contained in:
M. Mert Yildiran 2022-06-02 08:24:50 +03:00
parent 6e88922f14
commit f0f357af8c
No known key found for this signature in database
GPG Key ID: D42ADB236521BF7A
3 changed files with 20 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
tap/tlstapper/bpf/golang_uprobes.c
View File

@ -6,12 +6,17 @@ Copyright (C) UP9 Inc.
#include "include/headers.h" #include "include/headers.h"
#include "include/maps.h" #include "include/maps.h"
#include "include/pids.h"
SEC("uprobe/golang_crypto_tls_write") SEC("uprobe/golang_crypto_tls_write")
static __always_inline int golang_crypto_tls_write_uprobe(struct pt_regs *ctx) { static __always_inline int golang_crypto_tls_write_uprobe(struct pt_regs *ctx) {
void* stack_addr = (void*)ctx->rsp;
__u64 pid_tgid = bpf_get_current_pid_tgid(); __u64 pid_tgid = bpf_get_current_pid_tgid();
if (!should_tap(pid_tgid >> 32)) {
return 0;
}
void* stack_addr = (void*)ctx->rsp;
__u64 pid = pid_tgid >> 32; __u64 pid = pid_tgid >> 32;
__u32 key_dial; __u32 key_dial;
// Address at ctx->rsp + 0x20 is common between golang_crypto_tls_write_uprobe and golang_net_http_dialconn_uprobe // Address at ctx->rsp + 0x20 is common between golang_crypto_tls_write_uprobe and golang_net_http_dialconn_uprobe
@ -56,6 +61,11 @@ static __always_inline int golang_crypto_tls_write_uprobe(struct pt_regs *ctx) {
SEC("uprobe/golang_crypto_tls_read") SEC("uprobe/golang_crypto_tls_read")
static __always_inline int golang_crypto_tls_read_uprobe(struct pt_regs *ctx) { static __always_inline int golang_crypto_tls_read_uprobe(struct pt_regs *ctx) {
__u64 pid_tgid = bpf_get_current_pid_tgid();
if (!should_tap(pid_tgid >> 32)) {
return 0;
}
void* stack_addr = (void*)ctx->rsp; void* stack_addr = (void*)ctx->rsp;
__u64 data_p; __u64 data_p;
// Address at ctx->rsp + 0xd8 holds the data // Address at ctx->rsp + 0xd8 holds the data
@ -71,7 +81,6 @@ static __always_inline int golang_crypto_tls_read_uprobe(struct pt_regs *ctx) {
return 0; return 0;
} }
__u64 pid_tgid = bpf_get_current_pid_tgid();
b->pid = pid_tgid >> 32; b->pid = pid_tgid >> 32;
// ctx->rsi is common between golang_crypto_tls_write_uprobe and golang_crypto_tls_read_uprobe // ctx->rsi is common between golang_crypto_tls_write_uprobe and golang_crypto_tls_read_uprobe
b->conn_addr = ctx->rsi; // go.itab.*net.TCPConn,net.Conn address b->conn_addr = ctx->rsi; // go.itab.*net.TCPConn,net.Conn address
@ -87,13 +96,16 @@ static __always_inline int golang_crypto_tls_read_uprobe(struct pt_regs *ctx) {
} }
bpf_ringbuf_submit(b, 0); bpf_ringbuf_submit(b, 0);
return 0; return 0;
} }
SEC("uprobe/golang_net_socket") SEC("uprobe/golang_net_socket")
static __always_inline int golang_net_socket_uprobe(struct pt_regs *ctx) { static __always_inline int golang_net_socket_uprobe(struct pt_regs *ctx) {
__u64 pid_tgid = bpf_get_current_pid_tgid(); __u64 pid_tgid = bpf_get_current_pid_tgid();
if (!should_tap(pid_tgid >> 32)) {
return 0;
}
__u64 pid = pid_tgid >> 32; __u64 pid = pid_tgid >> 32;
// ctx->r14 is common between golang_net_socket_uprobe and golang_net_http_dialconn_uprobe // ctx->r14 is common between golang_net_socket_uprobe and golang_net_http_dialconn_uprobe
__u64 key_socket = (pid << 32) + ctx->r14; __u64 key_socket = (pid << 32) + ctx->r14;
@ -120,6 +132,11 @@ static __always_inline int golang_net_socket_uprobe(struct pt_regs *ctx) {
SEC("uprobe/golang_net_http_dialconn") SEC("uprobe/golang_net_http_dialconn")
static __always_inline int golang_net_http_dialconn_uprobe(struct pt_regs *ctx) { static __always_inline int golang_net_http_dialconn_uprobe(struct pt_regs *ctx) {
__u64 pid_tgid = bpf_get_current_pid_tgid();
if (!should_tap(pid_tgid >> 32)) {
return 0;
}
void* stack_addr = (void*)ctx->rsp; void* stack_addr = (void*)ctx->rsp;
__u32 key_dial; __u32 key_dial;
// Address at ctx->rsp + 0x250 is common between golang_crypto_tls_write_uprobe and golang_net_http_dialconn_uprobe // Address at ctx->rsp + 0x250 is common between golang_crypto_tls_write_uprobe and golang_net_http_dialconn_uprobe
@ -129,7 +146,6 @@ static __always_inline int golang_net_http_dialconn_uprobe(struct pt_regs *ctx)
return 0; return 0;
} }
__u64 pid_tgid = bpf_get_current_pid_tgid();
struct golang_socket b = { struct golang_socket b = {
.pid = pid_tgid >> 32, .pid = pid_tgid >> 32,
.fd = 0, .fd = 0,

BIN
tap/tlstapper/tlstapper_bpfeb.o
View File

Binary file not shown.

BIN
tap/tlstapper/tlstapper_bpfel.o
View File

Binary file not shown.