From 20c45aabf9afc660aa038b18aa1da86a2a79b8cb Mon Sep 17 00:00:00 2001
From: Baitinq <manuelpalenzuelamerino@gmail.com>
Date: Sat, 27 Jan 2024 21:51:11 +0100
Subject: get correct dfd

---
 fs-tracer-ebpf/src/main.rs          |  4 +---
 fs-tracer-ebpf/src/syscalls/open.rs | 31 ++++++++++++++++++++-----------
 2 files changed, 21 insertions(+), 14 deletions(-)

(limited to 'fs-tracer-ebpf')

diff --git a/fs-tracer-ebpf/src/main.rs b/fs-tracer-ebpf/src/main.rs
index f33d42e..d6539cd 100644
--- a/fs-tracer-ebpf/src/main.rs
+++ b/fs-tracer-ebpf/src/main.rs
@@ -40,9 +40,6 @@ enum SyscallType {
     Exit,
 }
 
-//#[map]
-//static mut READ_FROM_USERSPACE_BUFFER: PerCpuArray<[u8;2048]> = PerCpuArray::with_max_entries(1, 0);
-
 #[tracepoint]
 pub fn fs_tracer_enter(ctx: TracePointContext) -> c_long {
     match try_fs_tracer(ctx, SyscallType::Enter) {
@@ -60,6 +57,7 @@ pub fn fs_tracer_exit(ctx: TracePointContext) -> c_long {
     }
 }
 
+
 #[inline(always)]
 fn ptr_at<T>(ctx: &TracePointContext, offset: usize) -> Option<*const T> {
     let start = ctx.as_ptr(); //maybe try using the  bpf_probe_read here to see if we can use result of that to know the type of the syscall
diff --git a/fs-tracer-ebpf/src/syscalls/open.rs b/fs-tracer-ebpf/src/syscalls/open.rs
index c269c63..951314c 100644
--- a/fs-tracer-ebpf/src/syscalls/open.rs
+++ b/fs-tracer-ebpf/src/syscalls/open.rs
@@ -1,7 +1,7 @@
 
 use core::{mem::{self, size_of}, ptr};
 
-use aya_bpf::{helpers::{bpf_d_path, bpf_probe_read, bpf_probe_read_kernel, gen}, cty::{c_void, c_long}, maps::PerCpuArray};
+use aya_bpf::{helpers::{bpf_d_path, bpf_probe_read, bpf_probe_read_kernel, gen}, cty::{c_char, c_int, c_long, c_void}, maps::PerCpuArray};
 
 use crate::{*, vmlinux::files_struct};
 use crate::vmlinux::file;
@@ -36,11 +36,12 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long
         &mut *ptr
     };
 
+    #[repr(C)]
     #[derive(Clone, Copy)]
     struct OpenAtSyscallArgs {
-        dfd: i64,
-        filename: *const u8,
-        flags: u64,
+        dfd: c_int,
+        filename: *const c_char,
+        flags: c_int,
         mode: u64,
     }
 
@@ -50,21 +51,29 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long
 
     if args.dfd == -100 {
         info!(&ctx, "relative call!");
+        //TODO: Get current working dir
+        let fs = bpf_probe_read_kernel(&(*task).fs)?;
+        let pwd = bpf_probe_read_kernel(&(*fs).pwd)?;
+       let rwada = bpf_probe_read_kernel(&pwd.dentry)?;
+        let iname = bpf_probe_read_kernel_str_bytes(&(*rwada).d_iname as *const u8, &mut buf.buf)?;
+        let xaxwaxa = str::from_utf8_unchecked(iname);
+        
+        info!(&ctx, "DEBUGGG: {}", xaxwaxa);
     }
     else {
         info!(&ctx, "not relative call!");
           /*   let files = (*x).files;
         let fdt = (*files).fdt;
         let fdd = (*fdt).fd;*/
-        info!(&ctx, "pid from ctx: {}", ctx.pid());
-        info!(&ctx, "pid from task {}", (*task).pid);
+        //info!(&ctx, "pid from ctx: {}", ctx.pid());
+        //info!(&ctx, "pid from task {}", (*task).pid);
 
         let files = bpf_probe_read_kernel(&(*task).files)?;
         let fdt = bpf_probe_read_kernel(&(*files).fdt)?;
         let fdarr = bpf_probe_read_kernel(&(*fdt).fd)?;
-        info!(&ctx, "wuit: {}", args.dfd as isize);
-        info!(&ctx, "test: {}", ctx.read_at::<u16>(16).unwrap_unchecked());
-        let fd = bpf_probe_read_kernel(&(*fdarr.offset(3)))?; //todo: get good fd here. lets add a progrtam to test. shellcode.
+        info!(&ctx, "wuit: {}", args.dfd);
+        info!(&ctx, "test: {}", ctx.read_at::<c_int>(16).unwrap_unchecked());
+        let fd = bpf_probe_read_kernel(&(*fdarr.offset(3)))?; //todo: get good fd here. conclusion, somehow we are getting the wrong fd. unsigned int?? but its signed idk
         let mut deb = bpf_probe_read_kernel(&(*fd).f_path)?;
         let rwada = bpf_probe_read_kernel(&deb.dentry)?;
         let iname = bpf_probe_read_kernel_str_bytes(&(*rwada).d_iname as *const u8, &mut buf.buf)?;
@@ -91,7 +100,7 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long
     }
 
 
-    /*let filename = unsafe {
+    let filename = unsafe {
         core::str::from_utf8_unchecked(bpf_probe_read_user_str_bytes(
             args.filename as *const u8,
             &mut buf.buf,
@@ -105,7 +114,7 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long
         filename,
         args.dfd
     );
- */
+ 
     Ok(0)
 }
 
-- 
cgit 1.4.1