(Note 1: to keep the layout tidy, everything before section 11 is filler; I suggest reading from "11 hello world" directly)
(Note 2: "60 seconds" refers to Linux; on Android you may need to add a bit on top of that)
Compiled 2022/10 (bcc Release v0.25.0)
A virtual machine that runs inside the Linux kernel;
code can be injected into it from outside and executed there.
Think of it as BPF PLUS++
The BPF virtual machine only runs BPF instructions, and writing BPF instructions by hand is painful.
BCC can be understood as a toolkit that helps you write BPF instructions:
it generates eBPF instructions indirectly from Python and C code.
Refers to the open-source project and developer community;
BCC is the compiler toolset under the IOVisor project.
See the official documentation
Check your own Linux kernel version (ubuntu)
Tutorial by Brendan Gregg
20 lectures on Linux kernel debugging and tracing techniques
Tracing rpcx microservices with eBPF
See the official documentation for details
iovisor version (the official site says this one is rather old)
Run hello_world.py
Go into the bcc/examples directory
and run the script: sudo python3 hello_world.py.
Its logic: it hooks a certain syscall, and every time that syscall runs it prints hello world.
Click around with the mouse at random and you will trigger it to print log lines.

Run hello_fields.py
This script has the same logic, except the output is aligned into fields.

Go into the bcc/tools/ directory and run the opensnoop.py script.
Then open CLion and build a demo
that calls open to trigger the eBPF callback.

The implementation of opensnoop.py
OK, with the above, eBPF is up and running.
Now, straight to the point: how does that script hook open?
I opened the script and had a look: most of it is handling compatibility and output formatting.
I deleted everything I didn't care about, kept the core code, commented it and put it here.
How to hook an arbitrary syscall?
Only 4 points matter:
(1) how to write the "before"?
(2) how to write the "after"?
(3) how to register the hook?
(4) how to output the log?
(roughly the same narrative structure as Xposed)
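As an added example (my own code, not the page's trimmed opensnoop.py and not part of the bcc project), here is a self-contained BCC script laid out along the four points above: the BPF C program supplies the "before" (kprobe) and "after" (kretprobe) handlers, the Python side registers them on openat and prints one log line per call. The names BPF_PROGRAM, split_pid_tgid, format_event and on_event are my own; running main() needs root and the bcc Python bindings, while the two helpers work anywhere.

```python
# BPF C program for this example: kprobe = "before" (captures args), kretprobe = "after" (adds ret, emits event)
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>
struct data_t { u64 id; int ret; char comm[16]; char fname[256]; };
BPF_HASH(infotmp, u64, struct data_t);   // kprobe -> kretprobe handoff, keyed by pid_tgid
BPF_PERF_OUTPUT(events);
// "syscall__" prefix: BCC then reads the real syscall args through the wrapper's inner pt_regs
int syscall__before_openat(struct pt_regs *ctx, int dfd, const char __user *filename) {
    struct data_t data = {};
    data.id = bpf_get_current_pid_tgid();
    bpf_get_current_comm(&data.comm, sizeof(data.comm));
    bpf_probe_read_user_str(&data.fname, sizeof(data.fname), filename);
    infotmp.update(&data.id, &data);
    return 0;
}
int after_openat(struct pt_regs *ctx) {
    u64 id = bpf_get_current_pid_tgid();
    struct data_t *data = infotmp.lookup(&id);
    if (data == 0) return 0;          // no matching kprobe entry (e.g. attached mid-call)
    data->ret = PT_REGS_RC(ctx);      // fd on success, -errno on failure
    events.perf_submit(ctx, data, sizeof(*data));
    infotmp.delete(&id);
    return 0;
}
"""
def split_pid_tgid(pid_tgid):
    """bpf_get_current_pid_tgid(): tgid (the PID ps shows) in the high 32 bits, tid in the low 32."""
    return pid_tgid >> 32, pid_tgid & 0xFFFFFFFF
def format_event(pid_tgid, ret, comm, fname):
    pid, tid = split_pid_tgid(pid_tgid)
    status = "fd=%d" % ret if ret >= 0 else "err=%d" % -ret
    return "[pid]%d [tid]%d [comm]%s [path]%s [%s]" % (pid, tid, comm, fname, status)

def main():
    from bcc import BPF  # imported here so the helpers above work without bcc or root
    b = BPF(text=BPF_PROGRAM)
    fn = b.get_syscall_fnname("openat")  # "__x64_sys_openat" on x86-64
    b.attach_kprobe(event=fn, fn_name="syscall__before_openat")
    b.attach_kretprobe(event=fn, fn_name="after_openat")
    def on_event(cpu, data, size):
        e = b["events"].event(data)
        print(format_event(e.id, e.ret, e.comm.decode(), e.fname.decode(errors="replace")))
    b["events"].open_perf_buffer(on_event, page_cnt=64)
    while True:
        try:
            b.perf_buffer_poll()
        except KeyboardInterrupt:
            return
if __name__ == "__main__":
    main()
```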
Learn to hook syscalls with eBPF-BCC in 60 seconds (2): hook all syscalls on Android
xxx@ubuntu:~/Desktop/bcc/build$ uname -a
Linux ubuntu 5.15.0-52-generic
apt install from the iovisor repository (release packages):
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4052245BD4284CDD
# repository URL restored from the upstream bcc INSTALL.md (the forum copy had it obfuscated)
echo "deb https://repo.iovisor.org/apt/$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/iovisor.list
sudo apt-get update
sudo apt-get install bcc-tools libbcc-examples linux-headers-$(uname -r)
apt install from the iovisor repository (nightly packages):
# repository URL restored from the upstream bcc INSTALL.md (the forum copy had it obfuscated)
echo "deb [trusted=yes] https://repo.iovisor.org/apt/xenial xenial-nightly main" | sudo tee /etc/apt/sources.list.d/iovisor.list
sudo apt-get update
sudo apt-get install bcc-tools libbcc-examples linux-headers-$(uname -r)
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.5 LTS
Release:        20.04
Codename:       focal
Build dependencies (Ubuntu 20.04 focal):
sudo apt install -y bison build-essential cmake flex git libedit-dev \
  libllvm12 llvm-12-dev libclang-12-dev python zlib1g-dev libelf-dev libfl-dev python3-distutils
Build and install from source:
git clone https://github.com/iovisor/bcc.git
mkdir bcc/build; cd bcc/build
cmake ..
make
sudo make install
cmake -DPYTHON_CMD=python3 ..  # build the python3 binding
pushd src/python/
make
sudo make install
popd
# imports kept from opensnoop.py; only BPF is used in the trimmed script below
from __future__ import print_function
from bcc import ArgString, BPF
from bcc.containers import filter_by_containers
from bcc.utils import printb
import argparse
from collections import defaultdict
from datetime import datetime, timedelta
import os

# The BPF C program (a multi-line string literal) is missing from this copy of the page;
# from the calls below it has to define syscall__before_openat, after_openat and the "events" perf output.
bpf_text = 

b = BPF(text=bpf_text)
# (3) register the hook: kprobe runs before the syscall body, kretprobe after it returns.
# "__x64_sys_openat" is the x86-64 syscall wrapper; the "syscall__" prefix lets BCC read the real arguments.
b.attach_kprobe(event="__x64_sys_openat", fn_name="syscall__before_openat")
b.attach_kretprobe(event="__x64_sys_openat", fn_name="after_openat")

# (4) output the log: called once per event submitted to the "events" perf buffer
def my_callback(cpu, data, size):
    temp = b["events"].event(data)
    if temp.id is not None:
        # as in opensnoop.py, id is bpf_get_current_pid_tgid(): low 32 bits = tid, high 32 bits = tgid
        print("[pid]", temp.id & 0xffffffff, end=" ")
    if temp.name is not None:
        print("[path]", temp.name, end=" ")
    if temp.ret is not None:
        print("[ret]", temp.ret, end=" ")
    if temp.comm is not None:
        print("[comm]", temp.comm, end=" ")
    print("")

b["events"].open_perf_buffer(my_callback, page_cnt=64)
while True:
    try:
        b.perf_buffer_poll()
    except KeyboardInterrupt:
        exit()
        pass
Last edited by 爱吃菠菜 on 2024-9-6 16:48, reason: trimmed