首页
社区
课程
招聘
[原创] 60秒学会用eBPF-BCC hook系统调用
发表于: 2022-10-28 08:07 25939

[原创] 60秒学会用eBPF-BCC hook系统调用

2022-10-28 08:07
25939

(备注1: 为了格式工整, 前面都是废话, 建议直接从11 hello world开始看)
(备注2: 60秒指的是在Linux上, 如果是Android可能要在基础再上加点)

整理自2022/10 (bcc Release v0.25.0)

.
.

Linux内核中运行的虚拟机,
可以在外部向其注入代码执行.
.
.

理解成BFP PLUS++
.
.

BPF虚拟机只运行BPF指令, 直接敲BPF指令比较恶心.
BCC可以理解成辅助写BPF指令的工具包,
用python和c语言间接生成EBPF指令.
.
.

指的是开源项目&&开发者社区,
BCC是IOVisor项目下的编译器工具集.
.
.


.
.

参考官方文档
277K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6A6L8%4k6A6M7$3!0J5i4K6u0r3j5X3y4U0i4K6u0r3j5X3I4G2j5W2)9J5c8X3#2S2M7%4c8W2M7W2)9J5c8X3c8G2j5%4y4Q4x3V1k6C8k6i4u0F1k6h3I4Q4x3X3c8$3k6i4u0K6K9h3!0F1M7#2)9J5k6h3#2V1
.

查看自己Linux 内核版本 (ubuntu)

.
.

Brendan Gregg出品教程
41aK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2T1M7X3g2F1k6r3q4F1k6%4u0W2k6$3N6Q4x3X3g2U0L8$3#2Q4x3V1k6W2j5Y4m8X3i4K6u0W2K9s2c8E0L8l9`.`.
.

linux内核调试追踪技术20讲
5ffK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6K6M7r3q4U0k6g2)9J5k6h3u0A6L8r3W2T1K9h3I4A6i4K6u0W2j5$3!0E0i4K6u0r3y4U0b7$3x3e0M7^5y4e0p5H3i4K6u0r3j5$3S2S2L8X3&6W2L8q4)9J5c8X3y4G2L8r3I4W2j5%4c8A6L8$3&6V1k6i4c8S2K9h3I4Q4x3@1k6K6K9h3c8Q4x3@1b7@1y4U0R3H3z5e0p5`.
.

使用ebpf跟踪rpcx微服务
368K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6U0L8$3I4G2j5Y4g2Q4x3X3g2U0L8$3#2Q4x3V1j5J5x3o6t1J5i4K6u0r3x3o6g2Q4x3V1j5J5x3W2)9J5c8Y4g2K6k6g2)9J5k6r3g2T1M7r3k6Q4x3X3c8@1L8#2)9J5k6s2c8J5j5h3y4W2i4K6u0V1M7Y4m8U0P5q4)9J5k6r3#2A6j5%4u0G2M7$3g2J5N6X3W2U0k6i4y4Q4x3V1j5`.
.
.

具体参考官方文档
694K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6A6L8%4k6A6M7$3!0J5i4K6u0r3j5X3y4U0i4K6u0r3j5X3I4G2j5W2)9J5c8X3#2S2M7%4c8W2M7W2)9J5c8V1W2z5f1#2c8m8e0p5I4Q4x3X3g2E0k6l9`.`.
.

iovisor版 (官网说这个比较旧)

.

.


.
.

.

.

.
.

运行hello_world.py
进入bcc/examples目录,
运行脚本sudo python3 hello_world.py,
它的逻辑是, hook了某个syscall, 每当运行该syscall, 就输出helloworld.
你随便点点鼠标, 就能触发它显示日志了.

.

运行hello_fields.py
这个脚本是一样的逻辑, 不过输出格式对齐了,

.
.

进入bcc/tools/目录,运行opensoop.py脚本.
然后自己开clion编一个demo,
调用open触发eBFP的callback.

.
.

opensoop.py的实现
ok, 上面这样eBPF就算跑起来了,
然后, 直奔主题, 就说上面那个脚本是怎么hook的open?
.
我打开那个脚本看了一下, 一大堆基本都在处理兼容和格式.
把不关心的东西都删了, 留下核心的代码, 写好注释放这里了.
.
.

如何任意的hook syscall?
只关心4点:
(1)怎么写before?
(2)怎么写after?
(3)怎么注册hook?
(4)怎么输出日志?
(跟xposed差不多的叙事结构)

.
.

60秒学会用eBPF-BCC hook系统调用 ( 2 ) hook安卓所有syscall
.
.

xxx@ubuntu:~/Desktop/bcc/build$ uname -a
Linux ubuntu 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
xxx@ubuntu:~/Desktop/bcc/build$ uname -a
Linux ubuntu 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4052245BD4284CDD
echo "deb effK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6J5k6i4m8G2i4K6u0W2K9h3!0$3K9i4y4G2M7W2)9J5k6h3!0J5k6#2)9J5c8X3q4H3N6q4)9J5c8W2)9J5y4q4)9J5z5r3I4K6j5W2)9#2k6Y4u0W2L8r3g2S2M7$3f1`. -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/iovisor.list
sudo apt-get update
sudo apt-get install bcc-tools libbcc-examples linux-headers-$(uname -r)
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4052245BD4284CDD
echo "deb effK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6J5k6i4m8G2i4K6u0W2K9h3!0$3K9i4y4G2M7W2)9J5k6h3!0J5k6#2)9J5c8X3q4H3N6q4)9J5c8W2)9J5y4q4)9J5z5r3I4K6j5W2)9#2k6Y4u0W2L8r3g2S2M7$3f1`. -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/iovisor.list
sudo apt-get update
sudo apt-get install bcc-tools libbcc-examples linux-headers-$(uname -r)
echo "deb [trusted=yes] c8bK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6J5k6i4m8G2i4K6u0W2K9h3!0$3K9i4y4G2M7W2)9J5k6h3!0J5k6#2)9J5c8X3q4H3N6q4)9J5c8Y4S2W2L8X3W2S2L8l9`.`. xenial-nightly main" | sudo tee /etc/apt/sources.list.d/iovisor.list
sudo apt-get update
sudo apt-get install bcc-tools libbcc-examples linux-headers-$(uname -r)
echo "deb [trusted=yes] c8bK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6J5k6i4m8G2i4K6u0W2K9h3!0$3K9i4y4G2M7W2)9J5k6h3!0J5k6#2)9J5c8X3q4H3N6q4)9J5c8Y4S2W2L8X3W2S2L8l9`.`. xenial-nightly main" | sudo tee /etc/apt/sources.list.d/iovisor.list
sudo apt-get update
sudo apt-get install bcc-tools libbcc-examples linux-headers-$(uname -r)
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.5 LTS
Release:    20.04
Codename:   focal
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.5 LTS
Release:    20.04
Codename:   focal
# For Focal (20.04.1 LTS)
sudo apt install -y bison build-essential cmake flex git libedit-dev \
  libllvm12 llvm-12-dev libclang-12-dev python zlib1g-dev libelf-dev libfl-dev python3-distutils
# For Focal (20.04.1 LTS)
sudo apt install -y bison build-essential cmake flex git libedit-dev \
  libllvm12 llvm-12-dev libclang-12-dev python zlib1g-dev libelf-dev libfl-dev python3-distutils
git clone https://github.com/iovisor/bcc.git
mkdir bcc/build; cd bcc/build
cmake ..
make
sudo make install
cmake -DPYTHON_CMD=python3 .. # build python3 binding
pushd src/python/
make
sudo make install
popd
git clone https://github.com/iovisor/bcc.git
mkdir bcc/build; cd bcc/build
cmake ..
make
sudo make install
cmake -DPYTHON_CMD=python3 .. # build python3 binding
pushd src/python/
make
sudo make install
popd
#!/usr/bin/env python
# 该代码在ubuntu 20环境里运行通过
from __future__ import print_function
from bcc import ArgString, BPF
from bcc.containers import filter_by_containers
from bcc.utils import printb
import argparse
from collections import defaultdict
from datetime import datetime, timedelta
import os
 
# 注入到eBPF虚拟机的代码
bpf_text = '''
#include <uapi/linux/ptrace.h>
#include <uapi/linux/limits.h>
#include <linux/sched.h>
 
// hook到参数和返回值,放在这两个结构里
struct val_t {
  u64 id;
  char comm[TASK_COMM_LEN];
  const char *fname;
};
 
// 同上
struct data_t {
  u64 id;
  int ret;
  char comm[TASK_COMM_LEN];
  char name[NAME_MAX];
};
 
 
// 创建一个events (hook到东西后就用它通知python那个callback输出)
BPF_PERF_OUTPUT(events);
 
 
// 这个api是在创建一个map变量,变量名为infotmp
// 因为你不能在eBPF里用std::map, 只能用它提供的这种东西.
BPF_HASH(infotmp, u64, struct val_t);
 
 
// after函数
int after_openat(struct pt_regs *ctx) {
  u64 id = bpf_get_current_pid_tgid(); // 获取tid
  struct val_t *valp;
  struct data_t data = {};
  valp = infotmp.lookup(&id); // 在map中查询id
  if (valp == 0) {
    return 0;
  }
  // 从map中读取至局部变量
  bpf_probe_read_kernel(&data.comm, sizeof(data.comm), valp->comm);
  bpf_probe_read_user_str(&data.name, sizeof(data.name), (void *)valp->fname);
  data.id = valp->id;
  data.ret = PT_REGS_RC(ctx); // before里读取了参数,此时在after里补充返回值
  events.perf_submit(ctx, &data, sizeof(data)); // 提交perf poll事件来让perf输出(作用就是,调用它会通知python中那个callback输出日志)
  infotmp.delete(&id); // 从map中删除id
  return 0;
}
 
 
int syscall__before_openat(struct pt_regs *ctx, int dfd,
                                const char __user *filename, int flags) {
  struct val_t val = {};
  u64 id = bpf_get_current_pid_tgid();
  u32 pid = id >> 32;
  // 获取当前进程名
  if (bpf_get_current_comm(&val.comm, sizeof(val.comm)) == 0) {
    val.id = id;
    val.fname = filename;
    infotmp.update(&id, &val); // id插入map
  }
  return 0;
};
'''
 
# 注册hook
b = BPF(text=bpf_text)
b.attach_kprobe(event="__x64_sys_openat", fn_name="syscall__before_openat")
b.attach_kretprobe(event="__x64_sys_openat", fn_name="after_openat")
 
# 回调函数
def my_callback(cpu, data, size):
    temp = b["events"].event(data)
    if temp.id is not None:
        print("[pid]",temp.id & 0xffffffff, end=" ")
    if temp.name is not None:
        print("[path]",temp.name, end=" ")
    if temp.ret is not None:
        print("[ret]",temp.ret, end=" ")
    if temp.comm is not None:
        print("[comm]",temp.comm, end=" ")
    print("")
 
b["events"].open_perf_buffer(my_callback, page_cnt=64)
while True:
    try:
        # 等待数据, 触发open_perf_buffer指定的回调函数
        b.perf_buffer_poll()
    except KeyboardInterrupt:
        exit()
pass
#!/usr/bin/env python
# 该代码在ubuntu 20环境里运行通过
from __future__ import print_function
from bcc import ArgString, BPF
from bcc.containers import filter_by_containers
from bcc.utils import printb
import argparse
from collections import defaultdict
from datetime import datetime, timedelta
import os
 
# 注入到eBPF虚拟机的代码
bpf_text = '''
#include <uapi/linux/ptrace.h>
#include <uapi/linux/limits.h>
#include <linux/sched.h>
 
// hook到参数和返回值,放在这两个结构里
struct val_t {
  u64 id;
  char comm[TASK_COMM_LEN];
  const char *fname;
};
 
// 同上
struct data_t {
  u64 id;
  int ret;
  char comm[TASK_COMM_LEN];
  char name[NAME_MAX];
};
 
 
// 创建一个events (hook到东西后就用它通知python那个callback输出)
BPF_PERF_OUTPUT(events);
 
 
// 这个api是在创建一个map变量,变量名为infotmp
// 因为你不能在eBPF里用std::map, 只能用它提供的这种东西.
BPF_HASH(infotmp, u64, struct val_t);

[注意]看雪招聘,专注安全领域的专业人才平台!

最后于 2024-9-6 16:48 被爱吃菠菜编辑 ,原因: 精简
收藏
免费 22
支持
分享
最新回复 (9)
雪    币: 4041
活跃值: (2298)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
2
表哥NB
2022-10-28 09:28
0
雪    币: 2141
活跃值: (7266)
能力值: ( LV11,RANK:180 )
在线值:
发帖
回帖
粉丝
3
Umiade 表哥NB
2022-10-28 09:53
0
雪    币: 2612
活跃值: (4871)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
感谢分享
2022-10-28 11:53
0
雪    币: 3144
活跃值: (1624)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
5
表哥,我还是不会
2022-10-28 13:29
0
雪    币: 196
活跃值: (6176)
能力值: (RANK:10 )
在线值:
发帖
回帖
粉丝
6
射射老师,已经学会了。
2022-10-28 16:06
0
雪    币: 33
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
7

666666

最后于 2022-11-17 15:32 被Bingo_player编辑 ,原因:
2022-10-28 16:59
0
雪    币: 5308
活跃值: (5584)
能力值: ( LV9,RANK:170 )
在线值:
发帖
回帖
粉丝
8
666
2022-11-14 11:11
0
雪    币: 685
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
9
666
2023-3-17 17:48
0
雪    币: 126
活跃值: (1067)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
10
666
2023-10-30 15:23
0
游客
登录 | 注册 方可回帖
返回