Added new probe to read the previously extracted params and overwrite user memory. Still now fully working, just a backup

2025-12-16 23:33:06 +08:00 · 2022-01-14 22:05:08 -05:00
parent 106f141c7e
commit 945e2f2def
8 changed files with 60 additions and 1283 deletions
--- a/src/.output/xdp_filter.bpf.o
+++ b/src/.output/xdp_filter.bpf.o
--- a/src/.output/xdp_filter.o
+++ b/src/.output/xdp_filter.o
--- a/src/.output/xdp_filter.skel.h
+++ b/src/.output/xdp_filter.skel.h
--- a/src/bin/xdp_filter
+++ b/src/bin/xdp_filter
--- a/src/ebpf/include/bpf/fs.h
+++ b/src/ebpf/include/bpf/fs.h
@@ -29,12 +29,16 @@ static __always_inline int handle_sys_read(struct pt_regs *ctx, int fd, char* bu
        .pid = pid
    };
    bpf_map_update_elem(&fs_open, &pid_tgid, &data, BPF_ANY);
-    bpf_printk("PID: %u, FS:%u\n", pid, fd);
+    //bpf_printk("PID: %u, FS:%u\n", pid, fd);
    return 0;
 }

+/**
+ * @brief Receives read event and stores the parameters into internal map
+ * 
+ */
 SEC("kprobe/ksys_read") 
-int kprobe__64_sys_read(struct pt_regs *ctx) { 
+int kprobe_ksys_read(struct pt_regs *ctx) { 
    struct pt_regs *rctx = ctx; 
    if (!rctx) return 0; 
    int fd = (int) PT_REGS_PARM1(ctx); 
@@ -42,4 +46,31 @@ int kprobe__64_sys_read(struct pt_regs *ctx) {
    return handle_sys_read(ctx, fd, buf); 
 } 

+/**
+ * @brief Called AFTER the ksys_read call, checks the internal
+ * map for the tgid+pid used and extracts the parameters.
+ * Uses the user-space buffer reference for overwritting the returned
+ * values. 
+ * 
+ */
+SEC("kretprobe/vfs_read")
+int kretprobe_vfs_read(struct pt_regs *ctx){
+    __u64 pid_tgid = bpf_get_current_pid_tgid();
+    
+    struct fs_open_data *data = (struct fs_open_data*) bpf_map_lookup_elem(&fs_open, &pid_tgid);
+    if (data!=NULL){
+        //Not found
+        return -1;
+    }
+
+    //Overwritting a byte of the buffer
+    char *buf = data->buf;
+    char *msg = "OOOOOOOOOOOOO";
+    bpf_printk("Overwritting at pid %u\n", data->pid);
+    //int err = bpf_probe_write_user((void*)buf, (void*)msg, (__u32)1);
+    
+
+    return 0;
+}
+
 #endif
--- a/src/user/include/modules/fs.h
+++ b/src/user/include/modules/fs.h
@@ -8,18 +8,30 @@
 #include "xdp_filter.skel.h"

 //Connections
-int attach_kprobe__64_sys_read(struct xdp_filter_bpf *skel){
-    skel->links.kprobe__64_sys_read = bpf_program__attach(skel->progs.kprobe__64_sys_read);
-	return libbpf_get_error(skel->links.kprobe__64_sys_read);
+int attach_kprobe_ksys_read(struct xdp_filter_bpf *skel){
+    skel->links.kprobe_ksys_read = bpf_program__attach(skel->progs.kprobe_ksys_read);
+	return libbpf_get_error(skel->links.kprobe_ksys_read);
+}
+int attach_kretprobe_vfs_read(struct xdp_filter_bpf *skel){
+    skel->links.kretprobe_vfs_read = bpf_program__attach(skel->progs.kretprobe_vfs_read);
+	return libbpf_get_error(skel->links.kretprobe_vfs_read);
 }

 int attach_fs_all(struct xdp_filter_bpf *skel){
-    return attach_kprobe__64_sys_read(skel);
+    return attach_kprobe_ksys_read(skel) || attach_kretprobe_vfs_read(skel);
 }


-int detach_kprobe__64_sys_read(struct xdp_filter_bpf *skel){
-    int err = detach_link_generic(skel->links.kprobe__64_sys_read);
+int detach_kprobe_ksys_read(struct xdp_filter_bpf *skel){
+    int err = detach_link_generic(skel->links.kprobe_ksys_read);
+    if(err<0){
+        fprintf(stderr, "Failed to detach fs link\n");
+        return -1;
+    }
+    return 0;
+}
+int detach_kretprobe_vfs_read(struct xdp_filter_bpf *skel){
+    int err = detach_link_generic(skel->links.kretprobe_vfs_read);
    if(err<0){
        fprintf(stderr, "Failed to detach fs link\n");
        return -1;
@@ -28,7 +40,7 @@ int detach_kprobe__64_sys_read(struct xdp_filter_bpf *skel){
 }

 int detach_fs_all(struct xdp_filter_bpf *skel){
-    return detach_kprobe__64_sys_read(skel);
+    return detach_kprobe_ksys_read(skel) || detach_kretprobe_vfs_read(skel);
 }

 #endif
--- a/src/user/include/modules/module_manager.c
+++ b/src/user/include/modules/module_manager.c
@@ -14,8 +14,8 @@ module_config_t module_config = {
    },
    .fs_module = {
        .all = ON,
-        .kprobe__64_compat_sys_read = OFF,
-        .kprobe__64_sys_read = OFF
+        .kprobe_ksys_read = OFF,
+        .kretprobe_vfs_read = OFF
    }

 };
@@ -26,7 +26,8 @@ module_config_attr_t module_config_attr = {
        .ifindex = -1,
        .flags = -1
    },
-    .sched_module = {}
+    .sched_module = {},
+    .fs_module = {}
 };


@@ -56,7 +57,8 @@ int setup_all_modules(){
    if(config.fs_module.all == ON){
        ret = attach_fs_all(attr.skel);
    }else{
-        if(config.fs_module.kprobe__64_sys_read == ON) ret = attach_kprobe__64_sys_read(attr.skel);
+        if(config.fs_module.kprobe_ksys_read == ON) ret = attach_kprobe_ksys_read(attr.skel);
+        if(config.fs_module.kretprobe_vfs_read == ON) ret = attach_kretprobe_vfs_read(attr.skel);
    }
    if(ret!=0) return -1;

--- a/src/user/include/modules/module_manager.h
+++ b/src/user/include/modules/module_manager.h
@@ -25,8 +25,8 @@ typedef struct module_config_t{

    struct fs_module {
        char all;
-        char kprobe__64_compat_sys_read;
-        char kprobe__64_sys_read;
+        char kprobe_ksys_read;
+        char kretprobe_vfs_read;
    }fs_module;

 } module_config_t;