(备注1: 为了格式工整, 前面都是废话, 建议直接从11 hello world开始看)
(备注2: 60秒指的是在Linux上, 如果是Android可能要在基础再上加点)
整理自2022/10 (bcc Release v0.25.0)
.
.
Linux内核中运行的虚拟机,
可以在外部向其注入代码执行.
.
.
理解成BFP PLUS++
.
.
BPF虚拟机只运行BPF指令, 直接敲BPF指令比较恶心.
BCC可以理解成辅助写BPF指令的工具包,
用python和c语言间接生成EBPF指令.
.
.
指的是开源项目&&开发者社区,
BCC是IOVisor项目下的编译器工具集.
.
.
.
.
参考官方文档
https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md
.
查看自己Linux 内核版本 (ubuntu)
.
.
Brendan Gregg出品教程
https://www.brendangregg.com/ebpf.html
.
linux内核调试追踪技术20讲
https://space.bilibili.com/646178510/channel/collectiondetail?sid=468091
.
使用ebpf跟踪rpcx微服务
https://colobu.com/2022/05/22/use-ebpf-to-trace-rpcx-microservices/
.
.
具体参考官方文档
https://github.com/iovisor/bcc/blob/master/INSTALL.md
.
iovisor版 (官网说这个比较旧)
.
.
.
.
.
.
.
.
运行hello_world.py
进入bcc/examples目录,
运行脚本sudo python3 hello_world.py,
它的逻辑是, hook了某个syscall, 每当运行该syscall, 就输出helloworld.
你随便点点鼠标, 就能触发它显示日志了.
.
运行hello_fields.py
这个脚本是一样的逻辑, 不过输出格式对齐了,
.
.
进入bcc/tools/目录,运行opensoop.py脚本.
然后自己开clion编一个demo,
调用open触发eBFP的callback.
.
.
opensoop.py的实现
ok, 上面这样eBPF就算跑起来了,
然后, 直奔主题, 就说上面那个脚本是怎么hook的open?
.
我打开那个脚本看了一下, 一大堆基本都在处理兼容和格式.
把不关心的东西都删了, 留下核心的代码, 写好注释放这里了.
.
.
如何任意的hook syscall?
只关心4点:
(1)怎么写before?
(2)怎么写after?
(3)怎么注册hook?
(4)怎么输出日志?
(跟xposed差不多的叙事结构)
.
.
60秒学会用eBPF-BCC hook系统调用 ( 2 ) hook安卓所有syscall
.
.
xxx@ubuntu:~
/
Desktop
/
bcc
/
build$ uname
-
a
Linux ubuntu
5.15
.
0
-
52
-
generic
xxx@ubuntu:~
/
Desktop
/
bcc
/
build$ uname
-
a
Linux ubuntu
5.15
.
0
-
52
-
generic
sudo apt
-
key adv
-
-
keyserver keyserver.ubuntu.com
-
-
recv
-
keys
4052245BD4284CDD
echo
"deb https://repo.iovisor.org/apt/$(lsb_release -cs) $(lsb_release -cs) main"
| sudo tee
/
etc
/
apt
/
sources.
list
.d
/
iovisor.
list
sudo apt
-
get update
sudo apt
-
get install bcc
-
tools libbcc
-
examples linux
-
headers
-
$(uname
-
r)
sudo apt
-
key adv
-
-
keyserver keyserver.ubuntu.com
-
-
recv
-
keys
4052245BD4284CDD
echo
"deb https://repo.iovisor.org/apt/$(lsb_release -cs) $(lsb_release -cs) main"
| sudo tee
/
etc
/
apt
/
sources.
list
.d
/
iovisor.
list
sudo apt
-
get update
sudo apt
-
get install bcc
-
tools libbcc
-
examples linux
-
headers
-
$(uname
-
r)
echo
"deb [trusted=yes] https://repo.iovisor.org/apt/xenial xenial-nightly main"
| sudo tee
/
etc
/
apt
/
sources.
list
.d
/
iovisor.
list
sudo apt
-
get update
sudo apt
-
get install bcc
-
tools libbcc
-
examples linux
-
headers
-
$(uname
-
r)
echo
"deb [trusted=yes] https://repo.iovisor.org/apt/xenial xenial-nightly main"
| sudo tee
/
etc
/
apt
/
sources.
list
.d
/
iovisor.
list
sudo apt
-
get update
sudo apt
-
get install bcc
-
tools libbcc
-
examples linux
-
headers
-
$(uname
-
r)
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.5 LTS
Release: 20.04
Codename: focal
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.5 LTS
Release: 20.04
Codename: focal
sudo apt install
-
y bison build
-
essential cmake flex git libedit
-
dev \
libllvm12 llvm
-
12
-
dev libclang
-
12
-
dev python zlib1g
-
dev libelf
-
dev libfl
-
dev python3
-
distutils
sudo apt install
-
y bison build
-
essential cmake flex git libedit
-
dev \
libllvm12 llvm
-
12
-
dev libclang
-
12
-
dev python zlib1g
-
dev libelf
-
dev libfl
-
dev python3
-
distutils
git clone https:
/
/
github.com
/
iovisor
/
bcc.git
mkdir bcc
/
build; cd bcc
/
build
cmake ..
make
sudo make install
cmake
-
DPYTHON_CMD
=
python3 ..
pushd src
/
python
/
make
sudo make install
popd
git clone https:
/
/
github.com
/
iovisor
/
bcc.git
mkdir bcc
/
build; cd bcc
/
build
cmake ..
make
sudo make install
cmake
-
DPYTHON_CMD
=
python3 ..
pushd src
/
python
/
make
sudo make install
popd
from
__future__
import
print_function
from
bcc
import
ArgString, BPF
from
bcc.containers
import
filter_by_containers
from
bcc.utils
import
printb
import
argparse
from
collections
import
defaultdict
from
datetime
import
datetime, timedelta
import
os
bpf_text
=
b
=
BPF(text
=
bpf_text)
b.attach_kprobe(event
=
"__x64_sys_openat"
, fn_name
=
"syscall__before_openat"
)
b.attach_kretprobe(event
=
"__x64_sys_openat"
, fn_name
=
"after_openat"
)
def
my_callback(cpu, data, size):
temp
=
b[
"events"
].event(data)
if
temp.
id
is
not
None
:
print
(
"[pid]"
,temp.
id
&
0xffffffff
, end
=
" "
)
if
temp.name
is
not
None
:
print
(
"[path]"
,temp.name, end
=
" "
)
if
temp.ret
is
not
None
:
print
(
"[ret]"
,temp.ret, end
=
" "
)
if
temp.comm
is
not
None
:
print
(
"[comm]"
,temp.comm, end
=
" "
)
print
("")
b[
"events"
].open_perf_buffer(my_callback, page_cnt
=
64
)
while
True
:
try
:
b.perf_buffer_poll()
except
KeyboardInterrupt:
exit()
pass
from
__future__
import
print_function
from
bcc
import
ArgString, BPF
from
bcc.containers
import
filter_by_containers
from
bcc.utils
import
printb
import
argparse
from
collections
import
defaultdict
from
datetime
import
datetime, timedelta
import
os
bpf_text
=
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2024-9-6 16:48
被爱吃菠菜编辑
,原因: 精简