github/kubeshark
1
0
Fork 0
mirror of https://github.com/kubeshark/kubeshark.git synced 2025-08-13 22:27:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Change the read symbol from net/http.(*persistConn).Read to crypto/tls.(*Conn).Read

Browse Source
This commit is contained in:
M. Mert Yildiran 2022-05-31 00:49:57 +03:00
parent 3b27c5c704
commit fbdbe1a9f1
No known key found for this signature in database
GPG Key ID: D42ADB236521BF7A
7 changed files with 17 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
tap/tlstapper/bpf/golang_uprobes.c
View File

@ -51,7 +51,7 @@ static __always_inline int golang_crypto_tls_write_uprobe(struct pt_regs *ctx) {
__u64 pid_tgid = bpf_get_current_pid_tgid(); __u64 pid_tgid = bpf_get_current_pid_tgid();
b->pid = pid_tgid >> 32; b->pid = pid_tgid >> 32;
b->fd = s->fd; b->fd = s->fd;
// ctx->rsi is common between golang_crypto_tls_write_uprobe and golang_net_http_read_uprobe // ctx->rsi is common between golang_crypto_tls_write_uprobe and golang_crypto_tls_read_uprobe
b->conn_addr = ctx->rsi; // go.itab.*net.TCPConn,net.Conn address b->conn_addr = ctx->rsi; // go.itab.*net.TCPConn,net.Conn address
b->is_request = true; b->is_request = true;
b->len = ctx->rcx; b->len = ctx->rcx;
@ -69,8 +69,8 @@ static __always_inline int golang_crypto_tls_write_uprobe(struct pt_regs *ctx) {
return 0; return 0;
} }
SEC("uprobe/golang_net_http_read") SEC("uprobe/golang_crypto_tls_read")
static __always_inline int golang_net_http_read_uprobe(struct pt_regs *ctx) { static __always_inline int golang_crypto_tls_read_uprobe(struct pt_regs *ctx) {
struct golang_read_write *b = NULL; struct golang_read_write *b = NULL;
b = bpf_ringbuf_reserve(&golang_read_writes, sizeof(struct golang_read_write), 0); b = bpf_ringbuf_reserve(&golang_read_writes, sizeof(struct golang_read_write), 0);
if (!b) { if (!b) {
@ -79,15 +79,16 @@ static __always_inline int golang_net_http_read_uprobe(struct pt_regs *ctx) {
__u64 pid_tgid = bpf_get_current_pid_tgid(); __u64 pid_tgid = bpf_get_current_pid_tgid();
b->pid = pid_tgid >> 32; b->pid = pid_tgid >> 32;
// ctx->rsi is common between golang_crypto_tls_write_uprobe and golang_net_http_read_uprobe // ctx->rsi is common between golang_crypto_tls_write_uprobe and golang_crypto_tls_read_uprobe
b->conn_addr = ctx->rsi; // go.itab.*net.TCPConn,net.Conn address b->conn_addr = ctx->rsi; // go.itab.*net.TCPConn,net.Conn address
b->is_request = false; b->is_request = false;
b->len = ctx->rax; b->len = ctx->rax;
b->cap = ctx->r10; b->cap = ctx->r10;
__u32 status = bpf_probe_read_str(&b->data, sizeof(b->data), (void*)ctx->r8); // Address at ctx->rbx - 0x2bf holds the data
__u32 status = bpf_probe_read_str(&b->data, sizeof(b->data), (void*)(ctx->rbx - 0x2bf));
if (status < 0) { if (status < 0) {
bpf_printk("[golang_net_http_read_uprobe] error reading data: %d", status); bpf_printk("[golang_crypto_tls_read_uprobe] error reading data: %d", status);
bpf_ringbuf_discard(b, BPF_RB_FORCE_WAKEUP); bpf_ringbuf_discard(b, BPF_RB_FORCE_WAKEUP);
return 0; return 0;
} }

6
tap/tlstapper/golang_hooks.go
View File

@ -62,9 +62,9 @@ func (s *golangHooks) installHooks(bpfObjects *tlsTapperObjects, ex *link.Execut
} }
// Relative offset points to // Relative offset points to
// [`net/http.(*persistConn).Read+92`](https://github.com/golang/go/blob/fe4de36198794c447fbd9d7cc2d7199a506c76a5/src/net/http/transport.go#L1929) // [`crypto/tls.(*Conn).Read+559`](https://github.com/golang/go/blob/fe4de36198794c447fbd9d7cc2d7199a506c76a5/src/crypto/tls/conn.go#L1306)
s.golangReadProbe, err = ex.Uprobe(golangReadSymbol, bpfObjects.GolangNetHttpReadUprobe, &link.UprobeOptions{ s.golangReadProbe, err = ex.Uprobe(golangReadSymbol, bpfObjects.GolangCryptoTlsReadUprobe, &link.UprobeOptions{
Offset: offsets.GolangReadOffset + 0x5c, Offset: offsets.GolangReadOffset + 0x22f,
}) })
if err != nil { if err != nil {

2
tap/tlstapper/golang_offsets.go
View File

@ -21,7 +21,7 @@ const (
minimumSupportedGoVersion = "1.17.0" minimumSupportedGoVersion = "1.17.0"
golangVersionSymbol = "runtime.buildVersion.str" golangVersionSymbol = "runtime.buildVersion.str"
golangWriteSymbol = "crypto/tls.(*Conn).Write" golangWriteSymbol = "crypto/tls.(*Conn).Write"
golangReadSymbol = "net/http.(*persistConn).Read" golangReadSymbol = "crypto/tls.(*Conn).Read"
golangSocketSymbol = "net.socket" golangSocketSymbol = "net.socket"
golangDialSymbol = "net/http.(*Transport).dialConn" golangDialSymbol = "net/http.(*Transport).dialConn"
) )

6
tap/tlstapper/tlstapper_bpfeb.go
View File

@ -77,9 +77,9 @@ type tlsTapperSpecs struct {
// //
// It can be passed ebpf.CollectionSpec.Assign. // It can be passed ebpf.CollectionSpec.Assign.
type tlsTapperProgramSpecs struct { type tlsTapperProgramSpecs struct {
GolangCryptoTlsReadUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_uprobe"`
GolangCryptoTlsWriteUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_uprobe"` GolangCryptoTlsWriteUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_uprobe"`
GolangNetHttpDialconnUprobe *ebpf.ProgramSpec `ebpf:"golang_net_http_dialconn_uprobe"` GolangNetHttpDialconnUprobe *ebpf.ProgramSpec `ebpf:"golang_net_http_dialconn_uprobe"`
GolangNetHttpReadUprobe *ebpf.ProgramSpec `ebpf:"golang_net_http_read_uprobe"`
GolangNetSocketUprobe *ebpf.ProgramSpec `ebpf:"golang_net_socket_uprobe"` GolangNetSocketUprobe *ebpf.ProgramSpec `ebpf:"golang_net_socket_uprobe"`
SslRead *ebpf.ProgramSpec `ebpf:"ssl_read"` SslRead *ebpf.ProgramSpec `ebpf:"ssl_read"`
SslReadEx *ebpf.ProgramSpec `ebpf:"ssl_read_ex"` SslReadEx *ebpf.ProgramSpec `ebpf:"ssl_read_ex"`
@ -169,9 +169,9 @@ func (m *tlsTapperMaps) Close() error {
// //
// It can be passed to loadTlsTapperObjects or ebpf.CollectionSpec.LoadAndAssign. // It can be passed to loadTlsTapperObjects or ebpf.CollectionSpec.LoadAndAssign.
type tlsTapperPrograms struct { type tlsTapperPrograms struct {
GolangCryptoTlsReadUprobe *ebpf.Program `ebpf:"golang_crypto_tls_read_uprobe"`
GolangCryptoTlsWriteUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_uprobe"` GolangCryptoTlsWriteUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_uprobe"`
GolangNetHttpDialconnUprobe *ebpf.Program `ebpf:"golang_net_http_dialconn_uprobe"` GolangNetHttpDialconnUprobe *ebpf.Program `ebpf:"golang_net_http_dialconn_uprobe"`
GolangNetHttpReadUprobe *ebpf.Program `ebpf:"golang_net_http_read_uprobe"`
GolangNetSocketUprobe *ebpf.Program `ebpf:"golang_net_socket_uprobe"` GolangNetSocketUprobe *ebpf.Program `ebpf:"golang_net_socket_uprobe"`
SslRead *ebpf.Program `ebpf:"ssl_read"` SslRead *ebpf.Program `ebpf:"ssl_read"`
SslReadEx *ebpf.Program `ebpf:"ssl_read_ex"` SslReadEx *ebpf.Program `ebpf:"ssl_read_ex"`
@ -191,9 +191,9 @@ type tlsTapperPrograms struct {
func (p *tlsTapperPrograms) Close() error { func (p *tlsTapperPrograms) Close() error {
return _TlsTapperClose( return _TlsTapperClose(
p.GolangCryptoTlsReadUprobe,
p.GolangCryptoTlsWriteUprobe, p.GolangCryptoTlsWriteUprobe,
p.GolangNetHttpDialconnUprobe, p.GolangNetHttpDialconnUprobe,
p.GolangNetHttpReadUprobe,
p.GolangNetSocketUprobe, p.GolangNetSocketUprobe,
p.SslRead, p.SslRead,
p.SslReadEx, p.SslReadEx,

BIN
tap/tlstapper/tlstapper_bpfeb.o
View File

Binary file not shown.

6
tap/tlstapper/tlstapper_bpfel.go
View File

@ -77,9 +77,9 @@ type tlsTapperSpecs struct {
// //
// It can be passed ebpf.CollectionSpec.Assign. // It can be passed ebpf.CollectionSpec.Assign.
type tlsTapperProgramSpecs struct { type tlsTapperProgramSpecs struct {
GolangCryptoTlsReadUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_read_uprobe"`
GolangCryptoTlsWriteUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_uprobe"` GolangCryptoTlsWriteUprobe *ebpf.ProgramSpec `ebpf:"golang_crypto_tls_write_uprobe"`
GolangNetHttpDialconnUprobe *ebpf.ProgramSpec `ebpf:"golang_net_http_dialconn_uprobe"` GolangNetHttpDialconnUprobe *ebpf.ProgramSpec `ebpf:"golang_net_http_dialconn_uprobe"`
GolangNetHttpReadUprobe *ebpf.ProgramSpec `ebpf:"golang_net_http_read_uprobe"`
GolangNetSocketUprobe *ebpf.ProgramSpec `ebpf:"golang_net_socket_uprobe"` GolangNetSocketUprobe *ebpf.ProgramSpec `ebpf:"golang_net_socket_uprobe"`
SslRead *ebpf.ProgramSpec `ebpf:"ssl_read"` SslRead *ebpf.ProgramSpec `ebpf:"ssl_read"`
SslReadEx *ebpf.ProgramSpec `ebpf:"ssl_read_ex"` SslReadEx *ebpf.ProgramSpec `ebpf:"ssl_read_ex"`
@ -169,9 +169,9 @@ func (m *tlsTapperMaps) Close() error {
// //
// It can be passed to loadTlsTapperObjects or ebpf.CollectionSpec.LoadAndAssign. // It can be passed to loadTlsTapperObjects or ebpf.CollectionSpec.LoadAndAssign.
type tlsTapperPrograms struct { type tlsTapperPrograms struct {
GolangCryptoTlsReadUprobe *ebpf.Program `ebpf:"golang_crypto_tls_read_uprobe"`
GolangCryptoTlsWriteUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_uprobe"` GolangCryptoTlsWriteUprobe *ebpf.Program `ebpf:"golang_crypto_tls_write_uprobe"`
GolangNetHttpDialconnUprobe *ebpf.Program `ebpf:"golang_net_http_dialconn_uprobe"` GolangNetHttpDialconnUprobe *ebpf.Program `ebpf:"golang_net_http_dialconn_uprobe"`
GolangNetHttpReadUprobe *ebpf.Program `ebpf:"golang_net_http_read_uprobe"`
GolangNetSocketUprobe *ebpf.Program `ebpf:"golang_net_socket_uprobe"` GolangNetSocketUprobe *ebpf.Program `ebpf:"golang_net_socket_uprobe"`
SslRead *ebpf.Program `ebpf:"ssl_read"` SslRead *ebpf.Program `ebpf:"ssl_read"`
SslReadEx *ebpf.Program `ebpf:"ssl_read_ex"` SslReadEx *ebpf.Program `ebpf:"ssl_read_ex"`
@ -191,9 +191,9 @@ type tlsTapperPrograms struct {
func (p *tlsTapperPrograms) Close() error { func (p *tlsTapperPrograms) Close() error {
return _TlsTapperClose( return _TlsTapperClose(
p.GolangCryptoTlsReadUprobe,
p.GolangCryptoTlsWriteUprobe, p.GolangCryptoTlsWriteUprobe,
p.GolangNetHttpDialconnUprobe, p.GolangNetHttpDialconnUprobe,
p.GolangNetHttpReadUprobe,
p.GolangNetSocketUprobe, p.GolangNetSocketUprobe,
p.SslRead, p.SslRead,
p.SslReadEx, p.SslReadEx,

BIN
tap/tlstapper/tlstapper_bpfel.o
View File

Binary file not shown.