-
-
[原创] 60秒学会用eBPF-BCC hook系统调用
-
发表于: 2022-10-28 08:07
-
(备注1: 为了格式工整, 前面都是废话, 建议直接从11 hello world开始看)
(备注2: 60秒指的是在Linux上, 如果是Android可能要在基础再上加点)
整理自2022/10 (bcc Release v0.25.0)
.
.
Linux内核中运行的虚拟机,
可以在外部向其注入代码执行.
.
.
理解成BFP PLUS++
.
.
BPF虚拟机只运行BPF指令, 直接敲BPF指令比较恶心.
BCC可以理解成辅助写BPF指令的工具包,
用python和c语言间接生成EBPF指令.
.
.
指的是开源项目&&开发者社区,
BCC是IOVisor项目下的编译器工具集.
.
.
.
.
查看自己Linux 内核版本 (ubuntu)
.
.
Brendan Gregg出品教程
ee1K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2T1M7X3g2F1k6r3q4F1k6%4u0W2k6$3N6Q4x3X3g2U0L8$3#2Q4x3V1k6W2j5Y4m8X3i4K6u0W2K9s2c8E0L8l9`.`.
.
iovisor版 (官网说这个比较旧)
.
.
.
.
.
.
.
.
运行hello_world.py
进入bcc/examples目录,
运行脚本sudo python3 hello_world.py,
它的逻辑是, hook了某个syscall, 每当运行该syscall, 就输出helloworld.
你随便点点鼠标, 就能触发它显示日志了.
.
运行hello_fields.py
这个脚本是一样的逻辑, 不过输出格式对齐了,
.
.
进入bcc/tools/目录,运行opensoop.py脚本.
然后自己开clion编一个demo,
调用open触发eBFP的callback.
.
.
opensoop.py的实现
ok, 上面这样eBPF就算跑起来了,
然后, 直奔主题, 就说上面那个脚本是怎么hook的open?
.
我打开那个脚本看了一下, 一大堆基本都在处理兼容和格式.
把不关心的东西都删了, 留下核心的代码, 写好注释放这里了.
.
.
如何任意的hook syscall?
只关心4点:
(1)怎么写before?
(2)怎么写after?
(3)怎么注册hook?
(4)怎么输出日志?
(跟xposed差不多的叙事结构)
.
.
60秒学会用eBPF-BCC hook系统调用 ( 2 ) hook安卓所有syscall
.
.
xxx@ubuntu:~/Desktop/bcc/build$ uname -a
Linux ubuntu 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
xxx@ubuntu:~/Desktop/bcc/build$ uname -a
Linux ubuntu 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4052245BD4284CDD
echo "deb c24K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6J5k6i4m8G2i4K6u0W2K9h3!0$3K9i4y4G2M7W2)9J5k6h3!0J5k6#2)9J5c8X3q4H3N6q4)9J5c8W2)9J5y4q4)9J5z5r3I4K6j5W2)9#2k6Y4u0W2L8r3g2S2M7$3f1`. -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/iovisor.list
sudo apt-get update
sudo apt-get install bcc-tools libbcc-examples linux-headers-$(uname -r)
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4052245BD4284CDD
echo "deb c9cK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6J5k6i4m8G2i4K6u0W2K9h3!0$3K9i4y4G2M7W2)9J5k6h3!0J5k6#2)9J5c8X3q4H3N6q4)9J5c8W2)9J5y4q4)9J5z5r3I4K6j5W2)9#2k6Y4u0W2L8r3g2S2M7$3f1`. -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/iovisor.list
sudo apt-get update
sudo apt-get install bcc-tools libbcc-examples linux-headers-$(uname -r)
echo "deb [trusted=yes] c9cK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6J5k6i4m8G2i4K6u0W2K9h3!0$3K9i4y4G2M7W2)9J5k6h3!0J5k6#2)9J5c8X3q4H3N6q4)9J5c8Y4S2W2L8X3W2S2L8l9`.`. xenial-nightly main" | sudo tee /etc/apt/sources.list.d/iovisor.list
sudo apt-get update
sudo apt-get install bcc-tools libbcc-examples linux-headers-$(uname -r)
echo "deb [trusted=yes] 19fK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6J5k6i4m8G2i4K6u0W2K9h3!0$3K9i4y4G2M7W2)9J5k6h3!0J5k6#2)9J5c8X3q4H3N6q4)9J5c8Y4S2W2L8X3W2S2L8l9`.`. xenial-nightly main" | sudo tee /etc/apt/sources.list.d/iovisor.list
sudo apt-get update
sudo apt-get install bcc-tools libbcc-examples linux-headers-$(uname -r)
lsb_release -aNo LSB modules are available.Distributor ID: UbuntuDescription: Ubuntu 20.04.5 LTSRelease: 20.04Codename: focallsb_release -aNo LSB modules are available.Distributor ID: UbuntuDescription: Ubuntu 20.04.5 LTSRelease: 20.04Codename: focal# For Focal (20.04.1 LTS)sudo apt install -y bison build-essential cmake flex git libedit-dev \
libllvm12 llvm-12-dev libclang-12-dev python zlib1g-dev libelf-dev libfl-dev python3-distutils
# For Focal (20.04.1 LTS)sudo apt install -y bison build-essential cmake flex git libedit-dev \
libllvm12 llvm-12-dev libclang-12-dev python zlib1g-dev libelf-dev libfl-dev python3-distutils
git clone https://github.com/iovisor/bcc.git
mkdir bcc/build; cd bcc/build
cmake ..makesudo make installcmake -DPYTHON_CMD=python3 .. # build python3 binding
pushd src/python/
makesudo make installpopdgit clone https://github.com/iovisor/bcc.git
mkdir bcc/build; cd bcc/build
cmake ..makesudo make installcmake -DPYTHON_CMD=python3 .. # build python3 binding
pushd src/python/
makesudo make installpopd#!/usr/bin/env python# 该代码在ubuntu 20环境里运行通过from __future__ import print_function
from bcc import ArgString, BPF
from bcc.containers import filter_by_containers
from bcc.utils import printb
import argparse
from collections import defaultdict
from datetime import datetime, timedelta
import os
# 注入到eBPF虚拟机的代码bpf_text = '''
#include <uapi/linux/ptrace.h>#include <uapi/linux/limits.h>#include <linux/sched.h>// hook到参数和返回值,放在这两个结构里struct val_t { u64 id;
char comm[TASK_COMM_LEN];
const char *fname;
};// 同上struct data_t { u64 id;
int ret;
char comm[TASK_COMM_LEN];
char name[NAME_MAX];
};// 创建一个events (hook到东西后就用它通知python那个callback输出)BPF_PERF_OUTPUT(events);// 这个api是在创建一个map变量,变量名为infotmp// 因为你不能在eBPF里用std::map, 只能用它提供的这种东西.BPF_HASH(infotmp, u64, struct val_t);// after函数int after_openat(struct pt_regs *ctx) { u64 id = bpf_get_current_pid_tgid(); // 获取tid
struct val_t *valp;
struct data_t data = {};
valp = infotmp.lookup(&id); // 在map中查询id
if (valp == 0) {
return 0;
}
// 从map中读取至局部变量
bpf_probe_read_kernel(&data.comm, sizeof(data.comm), valp->comm);
bpf_probe_read_user_str(&data.name, sizeof(data.name), (void *)valp->fname);
data.id = valp->id;
data.ret = PT_REGS_RC(ctx); // before里读取了参数,此时在after里补充返回值
events.perf_submit(ctx, &data, sizeof(data)); // 提交perf poll事件来让perf输出(作用就是,调用它会通知python中那个callback输出日志)
infotmp.delete(&id); // 从map中删除id
return 0;
}int syscall__before_openat(struct pt_regs *ctx, int dfd, const char __user *filename, int flags) {
struct val_t val = {};
u64 id = bpf_get_current_pid_tgid();
u32 pid = id >> 32;
// 获取当前进程名
if (bpf_get_current_comm(&val.comm, sizeof(val.comm)) == 0) {
val.id = id;
val.fname = filename;
infotmp.update(&id, &val); // id插入map
}
return 0;
};'''# 注册hookb = BPF(text=bpf_text)
b.attach_kprobe(event="__x64_sys_openat", fn_name="syscall__before_openat")
b.attach_kretprobe(event="__x64_sys_openat", fn_name="after_openat")
# 回调函数def my_callback(cpu, data, size):
temp = b["events"].event(data)
if temp.id is not None:
print("[pid]",temp.id & 0xffffffff, end=" ")
if temp.name is not None:
print("[path]",temp.name, end=" ")
if temp.ret is not None:
print("[ret]",temp.ret, end=" ")
if temp.comm is not None:
print("[comm]",temp.comm, end=" ")
print("")
b["events"].open_perf_buffer(my_callback, page_cnt=64)
while True:
try:
# 等待数据, 触发open_perf_buffer指定的回调函数
b.perf_buffer_poll()
except KeyboardInterrupt:
exit()
pass#!/usr/bin/env python# 该代码在ubuntu 20环境里运行通过from __future__ import print_function
from bcc import ArgString, BPF
from bcc.containers import filter_by_containers
from bcc.utils import printb
import argparse
from collections import defaultdict
from datetime import datetime, timedelta
import os
# 注入到eBPF虚拟机的代码bpf_text = '''
#include <uapi/linux/ptrace.h>#include <uapi/linux/limits.h>#include <linux/sched.h>// hook到参数和返回值,放在这两个结构里struct val_t { u64 id;
char comm[TASK_COMM_LEN];
const char *fname;
};// 同上struct data_t { u64 id;
int ret;
char comm[TASK_COMM_LEN];
char name[NAME_MAX];
};// 创建一个events (hook到东西后就用它通知python那个callback输出)BPF_PERF_OUTPUT(events);// 这个api是在创建一个map变量,变量名为infotmp// 因为你不能在eBPF里用std::map, 只能用它提供的这种东西.BPF_HASH(infotmp, u64, struct val_t);[培训]科锐软件逆向54期预科班、正式班开始火爆招生报名啦!!!
最后于 2024-9-6 16:48
被爱吃菠菜编辑
,原因: 精简
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
