authorBaitinq <manuelpalenzuelamerino@gmail.com>2024-01-27 21:51:11 +0100
committerBaitinq <manuelpalenzuelamerino@gmail.com>2024-01-27 22:01:39 +0100
commit20c45aabf9afc660aa038b18aa1da86a2a79b8cb (patch)
tree19762b65904c9742d459b2419b7500101a84b5b1
parentRead fd partial path (diff)
get correct dfd
-rw-r--r--flake.nix1
-rw-r--r--fs-tracer-ebpf/src/main.rs4
-rw-r--r--fs-tracer-ebpf/src/syscalls/open.rs31
-rw-r--r--fs-tracer/Cargo.toml2
-rw-r--r--fs-tracer/src/main.rs2
5 files changed, 24 insertions, 16 deletions
diff --git a/flake.nix b/flake.nix
index ca8ccfe..6d6e801 100644
--- a/flake.nix
+++ b/flake.nix
@@ -28,6 +28,7 @@
             })
             trunk
 	    bpftools
+	    bpftrace
 	    llvmPackages_11.libclang.lib
           ];
 	  shellHook = ''
diff --git a/fs-tracer-ebpf/src/main.rs b/fs-tracer-ebpf/src/main.rs
index f33d42e..d6539cd 100644
--- a/fs-tracer-ebpf/src/main.rs
+++ b/fs-tracer-ebpf/src/main.rs
@@ -40,9 +40,6 @@ enum SyscallType {
     Exit,
 }
 
-//#[map]
-//static mut READ_FROM_USERSPACE_BUFFER: PerCpuArray<[u8;2048]> = PerCpuArray::with_max_entries(1, 0);
-
 #[tracepoint]
 pub fn fs_tracer_enter(ctx: TracePointContext) -> c_long {
     match try_fs_tracer(ctx, SyscallType::Enter) {
@@ -60,6 +57,7 @@ pub fn fs_tracer_exit(ctx: TracePointContext) -> c_long {
     }
 }
 
+
 #[inline(always)]
 fn ptr_at<T>(ctx: &TracePointContext, offset: usize) -> Option<*const T> {
     let start = ctx.as_ptr(); //maybe try using the  bpf_probe_read here to see if we can use result of that to know the type of the syscall
diff --git a/fs-tracer-ebpf/src/syscalls/open.rs b/fs-tracer-ebpf/src/syscalls/open.rs
index c269c63..951314c 100644
--- a/fs-tracer-ebpf/src/syscalls/open.rs
+++ b/fs-tracer-ebpf/src/syscalls/open.rs
@@ -1,7 +1,7 @@
 
 use core::{mem::{self, size_of}, ptr};
 
-use aya_bpf::{helpers::{bpf_d_path, bpf_probe_read, bpf_probe_read_kernel, gen}, cty::{c_void, c_long}, maps::PerCpuArray};
+use aya_bpf::{helpers::{bpf_d_path, bpf_probe_read, bpf_probe_read_kernel, gen}, cty::{c_char, c_int, c_long, c_void}, maps::PerCpuArray};
 
 use crate::{*, vmlinux::files_struct};
 use crate::vmlinux::file;
@@ -36,11 +36,12 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long
         &mut *ptr
     };
 
+    #[repr(C)]
     #[derive(Clone, Copy)]
     struct OpenAtSyscallArgs {
-        dfd: i64,
-        filename: *const u8,
-        flags: u64,
+        dfd: c_int,
+        filename: *const c_char,
+        flags: c_int,
         mode: u64,
     }
 
@@ -50,21 +51,29 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long
 
     if args.dfd == -100 {
         info!(&ctx, "relative call!");
+        //TODO: Get current working dir
+        let fs = bpf_probe_read_kernel(&(*task).fs)?;
+        let pwd = bpf_probe_read_kernel(&(*fs).pwd)?;
+       let rwada = bpf_probe_read_kernel(&pwd.dentry)?;
+        let iname = bpf_probe_read_kernel_str_bytes(&(*rwada).d_iname as *const u8, &mut buf.buf)?;
+        let xaxwaxa = str::from_utf8_unchecked(iname);
+        
+        info!(&ctx, "DEBUGGG: {}", xaxwaxa);
     }
     else {
         info!(&ctx, "not relative call!");
           /*   let files = (*x).files;
         let fdt = (*files).fdt;
         let fdd = (*fdt).fd;*/
-        info!(&ctx, "pid from ctx: {}", ctx.pid());
-        info!(&ctx, "pid from task {}", (*task).pid);
+        //info!(&ctx, "pid from ctx: {}", ctx.pid());
+        //info!(&ctx, "pid from task {}", (*task).pid);
 
         let files = bpf_probe_read_kernel(&(*task).files)?;
         let fdt = bpf_probe_read_kernel(&(*files).fdt)?;
         let fdarr = bpf_probe_read_kernel(&(*fdt).fd)?;
-        info!(&ctx, "wuit: {}", args.dfd as isize);
-        info!(&ctx, "test: {}", ctx.read_at::<u16>(16).unwrap_unchecked());
-        let fd = bpf_probe_read_kernel(&(*fdarr.offset(3)))?; //todo: get good fd here. lets add a progrtam to test. shellcode.
+        info!(&ctx, "wuit: {}", args.dfd);
+        info!(&ctx, "test: {}", ctx.read_at::<c_int>(16).unwrap_unchecked());
+        let fd = bpf_probe_read_kernel(&(*fdarr.offset(3)))?; //todo: get good fd here. conclusion, somehow we are getting the wrong fd. unsigned int?? but its signed idk
         let mut deb = bpf_probe_read_kernel(&(*fd).f_path)?;
         let rwada = bpf_probe_read_kernel(&deb.dentry)?;
         let iname = bpf_probe_read_kernel_str_bytes(&(*rwada).d_iname as *const u8, &mut buf.buf)?;
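Review bot: The fd-table index at L115 is still the constant `3` even though the commit's purpose is to obtain the right `dfd`; when `args.dfd` takes its place it must be range-checked first, because `dfd` is caller-supplied and `bpf_probe_read_kernel` will read from whatever address `fdarr.offset(dfd)` yields, e.g. `if args.dfd < 0 || args.dfd as u32 >= bpf_probe_read_kernel(&(*fdt).max_fds)? { return Err(1); }` before `let fd = bpf_probe_read_kernel(&(*fdarr.offset(args.dfd as isize)))?;` (assuming the vmlinux bindings expose `fdtable::max_fds`). The relative branch at L89-L95 reads `d_iname`, which is only the inline short-name buffer of the cwd's final component, not the working-directory path, so the `TODO` at L88 stays open and names longer than the inline buffer will come back truncated or empty; `(*fs).pwd` is a `struct path`, but whether `bpf_d_path` is permitted from a tracepoint program needs confirming before relying on it. Both branches feed kernel-read bytes to `str::from_utf8_unchecked`, which is undefined behaviour whenever the bytes are not valid UTF-8; `core::str::from_utf8(iname).map_err(|_| 1)?` is the safe form if the verifier accepts it. The stray seven-space indent at L91, the throwaway names `rwada`/`xaxwaxa`/`deb`, the whitespace-only line at L94 and the commented-out `info!` lines at L104-L105 should be cleaned up before this lands. The function starts before this hunk and ends after it.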
@@ -91,7 +100,7 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long
     }
 
 
-    /*let filename = unsafe {
+    let filename = unsafe {
         core::str::from_utf8_unchecked(bpf_probe_read_user_str_bytes(
             args.filename as *const u8,
             &mut buf.buf,
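Review bot: The re-enabled block at L124-L127 wraps its body in `unsafe { … }` inside a function that is already `unsafe fn`, which the `unused_unsafe` lint flags; the inner block can go. More important, `core::str::from_utf8_unchecked` is applied to bytes copied from a user-supplied pointer (`args.filename`), so a path that is not valid UTF-8 makes the resulting `&str` invalid and the call undefined behaviour; prefer `core::str::from_utf8(…)` and propagate the error. The name is also captured at syscall entry, so what gets logged is whatever the user buffer held when the tracepoint fired rather than what the kernel ultimately opens; that is a known limitation of entry-time tracing and deserves a comment such as `// NOTE: filename is read at sys_enter; the user buffer may change before the kernel copies it.` The block closes in the next hunk (L128-L136), where the added `+ ` line at L133 is whitespace-only and should be dropped.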
@@ -105,7 +114,7 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long
         filename,
         args.dfd
     );
- */
+ 
     Ok(0)
 }
 
diff --git a/fs-tracer/Cargo.toml b/fs-tracer/Cargo.toml
index ea9021d..b452bc5 100644
--- a/fs-tracer/Cargo.toml
+++ b/fs-tracer/Cargo.toml
@@ -17,4 +17,4 @@ tokio = { version = "1.25", features = ["macros", "rt", "rt-multi-thread", "net"
 
 [[bin]]
 name = "fs-tracer"
-path = "src/main.rs"
+path = "src/main.rs"
\ No newline at end of file
diff --git a/fs-tracer/src/main.rs b/fs-tracer/src/main.rs
index 414a68b..0453e80 100644
--- a/fs-tracer/src/main.rs
+++ b/fs-tracer/src/main.rs
@@ -82,4 +82,4 @@ async fn main() -> Result<(), anyhow::Error> {
     info!("Exiting...");
 
     Ok(())
-}
+}
\ No newline at end of file