author | Baitinq <manuelpalenzuelamerino@gmail.com> | 2024-01-27 18:18:51 +0100 |
---|---|---|
committer | Baitinq <manuelpalenzuelamerino@gmail.com> | 2024-01-27 18:19:19 +0100 |
commit | 5f6325a5f4db886080948dd5f2cb47bfb030fb63 (patch) | |
tree | 265a1d2e98bc310882c4a7ac77da44e7ba13ad0e | |
parent | Add missing files (diff) | |
Continue
-rw-r--r-- | fs-tracer-ebpf/src/main.rs | 2 | ||||
-rw-r--r-- | fs-tracer-ebpf/src/syscalls/open.rs | 45 | ||||
-rw-r--r-- | fs-tracer/src/main.rs | 2 |
3 files changed, 33 insertions, 16 deletions
diff --git a/fs-tracer-ebpf/src/main.rs b/fs-tracer-ebpf/src/main.rs
index 7960f4e..206fc3b 100644
--- a/fs-tracer-ebpf/src/main.rs
+++ b/fs-tracer-ebpf/src/main.rs
@@ -52,7 +52,7 @@ pub fn fs_tracer_enter(ctx: TracePointContext) -> u32 {
#[tracepoint]
pub fn fs_tracer_exit(ctx: TracePointContext) -> u32 {
- info!(&ctx, "Hi");
+ //info!(&ctx, "Hi");
match try_fs_tracer(ctx, SyscallType::Exit) {
Ok(ret) => ret,
Err(ret) => ret,
diff --git a/fs-tracer-ebpf/src/syscalls/open.rs b/fs-tracer-ebpf/src/syscalls/open.rs
index f33a302..4b55400 100644
--- a/fs-tracer-ebpf/src/syscalls/open.rs
+++ b/fs-tracer-ebpf/src/syscalls/open.rs
@@ -1,8 +1,9 @@
-#![feature(ptr_metadata)]
-use aya_bpf::helpers::{bpf_d_path, bpf_probe_read};
+use core::{mem, ptr};
-use crate::*;
+use aya_bpf::{helpers::{bpf_d_path, bpf_probe_read, bpf_probe_read_kernel, gen}, cty::c_void};
+
+use crate::{*, vmlinux::files_struct};
pub fn handle_sys_open(ctx: TracePointContext, syscall_type: SyscallType) -> Result<u32, u32> {
//info!(&ctx, "called");
@@ -19,7 +20,7 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<u32, u32> {
let uwu = (*pid).pwd;
let ra = uwu.dentry as *const dentry;
let ma = str::from_utf8_unchecked(&(*ra).d_iname);
- let mut buf = [0u8; 120];
+ let mut buf = [0u8; 12];
#[derive(Clone, Copy)]
struct OpenAtSyscallArgs {
dfd: i64,
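Review bot: The `buf` shrink from 120 to 12 bytes in the `@@ -19,7 +20,7 @@` hunk caps the path later copied by `bpf_probe_read_user_str_bytes(args.filename, &mut buf)` at 11 bytes plus the terminator, so nearly every real path will be logged truncated and two different files sharing a prefix produce the same record; for a filesystem tracer that is a correctness problem, not a cosmetic one. If the reduction is a workaround for the verifier's stack budget, state that at the declaration, e.g. `// 12 bytes keeps the probe read inside the BPF stack limit; paths longer than 11 bytes are truncated`, otherwise restore a buffer sized for real paths. In the `@@ -1,8 +1,9 @@` hunk, `ptr`, `gen`, `c_void` and `files_struct` are not referenced anywhere on the new side and `mem` only appears inside a block comment, so the new `use` lines could be trimmed to what is actually used. `handle_sys_open_enter`'s body continues outside the hunk.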
@@ -33,22 +34,38 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<u32, u32> {
let args = *ptr_at::<OpenAtSyscallArgs>(&ctx, 16).unwrap_unchecked();
if args.dfd == -100 {
- info!(&ctx, "wat")
- } else {
- info!(&ctx, "not relative {}", args.dfd);
- let files = (*x).files;
+ info!(&ctx, "relative call!");
+ }
+ else {
+ info!(&ctx, "not relative call!");
+ /* let files = (*x).files;
let fdt = (*files).fdt;
- let fdd = (*fdt).fd;
- let file = (*fdd).add(args.dfd as usize * 8);
- let pat = (*file).f_path;
- let pathname = pat.dentry;
+ let fdd = (*fdt).fd;*/
+ info!(&ctx, "pid from ctx: {}", ctx.pid());
+ info!(&ctx, "pid from task {}", (*x).pid);
+ //let x_addr = &x as *const _ as usize;
+ //info!(&ctx, "x_addr: {}", x_addr);
+ let good_files = bpf_probe_read_kernel(&(*x).files).unwrap_unchecked();
+ info!(&ctx, "test: {}", (*good_files).next_fd)
+ /*let file = (*fdd).add(args.dfd as usize * 8);
+ let mut pat = (*file).f_path;
+ //info!(&ctx, "path: {}", &pat)
+ let aya_bpf_path_ptr: *mut aya_bpf::bindings::path = unsafe {
+ mem::transmute::<&mut vmlinux::path, *mut aya_bpf::bindings::path>(&mut pat)
+ };
+
+ let mut buff = [0i8; 120];
+ bpf_d_path( aya_bpf_path_ptr , &mut buff as *mut i8, 120);*/
+
+ /*let pathname = pat.dentry;
let mut huh = [0u8; 64];
let xxxx = (*pathname).d_name.name;
let aa = core::slice::from_raw_parts(xxxx, 10);
- info!(&ctx, "dawdwa: {}", str::from_utf8_unchecked(aa))
+ info!(&ctx, "dawdwa: {}", str::from_utf8_unchecked(aa))*/
//let filename = bpf_probe_read_kernel_str_bytes(xxxx.name, &mut huh);
}
+ let _ = bpf_probe_read_user_str_bytes(args.filename, &mut buf);
let xd = &buf;
info!(
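Review bot: `bpf_probe_read_kernel(&(*x).files).unwrap_unchecked()` followed by a raw `(*good_files).next_fd` mixes a checked kernel read for one pointer with a direct dereference of the next, and `unwrap_unchecked` turns a failed probe read into undefined behaviour instead of a reported error; read `next_fd` through `bpf_probe_read_kernel` as well and propagate the failure, e.g. `let good_files = bpf_probe_read_kernel(&(*x).files).map_err(|e| e as u32)?;`. The new `let _ = bpf_probe_read_user_str_bytes(args.filename, &mut buf);` discards the result, so when the user-memory read fails the `info!` below logs a zeroed `buf` as though the call opened an empty path — match on the result and log the error case distinctly. The three large commented-out blocks (`/* let files = ... */`, `/*let file = ... */`, `/*let pathname = ... */`) and the `}` / `else {` split are better left to version-control history than kept in the source. `handle_sys_open_enter`'s body starts and ends outside the hunk.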
@@ -63,7 +80,7 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<u32, u32> {
}
unsafe fn handle_sys_open_exit(ctx: TracePointContext) -> Result<u32, u32> {
- info!(&ctx, "handle_sys_open_exit start");
+ //info!(&ctx, "handle_sys_open_exit start");
let ret = *ptr_at::<i64>(&ctx, 16).unwrap_unchecked(); //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
let tgid = ctx.tgid();
diff --git a/fs-tracer/src/main.rs b/fs-tracer/src/main.rs
index 7dfd44a..414a68b 100644
--- a/fs-tracer/src/main.rs
+++ b/fs-tracer/src/main.rs
@@ -49,7 +49,7 @@ async fn main() -> Result<(), anyhow::Error> {
let trace_exits_program: &mut TracePoint = bpf.program_mut("fs_tracer_exit").unwrap().try_into()?;
trace_exits_program.load()?;
- trace_exits_program.attach("syscalls", "sys_exit_open")?;
+ trace_exits_program.attach("syscalls", "sys_exit_openat")?;
//program2.attach("syscalls", "sys_exit_write")?;
println!("Num of cpus: {}", online_cpus()?.len()); |
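Review bot: The exit program now attaches to `sys_exit_openat` while the enter-side `attach` call for `fs_tracer_enter` is not in this diff, so if it still names `sys_enter_open` the two halves observe different syscalls and enter/exit records will never pair up; confirm both attach calls name the same tracepoint. A short comment on the attach line would also tell readers what the tracer covers, e.g. `// exit side of openat(2) only; open(2) and openat2(2) have separate tracepoints`. The enclosing `main` continues outside the hunk on both sides.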