tentative commit to address bash problem #490

Signed-off-by: ruitianzhong <ruitian-zhong@outlook.com>
gojue · Mar 7, 2024 · 9b4a5ed · 9b4a5ed
1 parent a286703
commit 9b4a5ed
Show file tree

Hide file tree

Showing 4 changed files with 73 additions and 7 deletions.
diff --git a/kern/bash_kern.c b/kern/bash_kern.c
@@ -15,6 +15,7 @@
 #include "ecapture.h"
 
 struct event {
+    u32 type;
     u32 pid;
     u32 uid;
     u8 line[MAX_DATA_SIZE_BASH];
@@ -58,11 +59,14 @@ int uretprobe_bash_readline(struct pt_regs *ctx) {
     struct event event = {};
     event.pid = pid;
     event.uid = uid;
+    event.type = BASH_EVENT_TYPE_READLINE;
     // bpf_printk("!! uretprobe_bash_readline pid:%d",target_pid );
     bpf_probe_read_user(&event.line, sizeof(event.line),
                         (void *)PT_REGS_RC(ctx));
     bpf_get_current_comm(&event.comm, sizeof(event.comm));
     bpf_map_update_elem(&events_t, &pid, &event, BPF_ANY);
+    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event,
+                          sizeof(struct event));
 
     return 0;
 }
@@ -89,13 +93,21 @@ int uretprobe_bash_retval(struct pt_regs *ctx) {
 #ifndef KERNEL_LESS_5_2
     // if target_errno is 128 then we target all
     if (target_errno != BASH_ERRNO_DEFAULT && target_errno != retval) {
-        if (event_p) bpf_map_delete_elem(&events_t, &pid);
+        if (event_p)
+        {   
+            event_p->retval = BASH_ERRNO_DEFAULT;
+            event_p->type = BASH_EVENT_TYPE_RETVAL;
+            bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, event_p,
+                                  sizeof(struct event));
+            bpf_map_delete_elem(&events_t, &pid);
+        }
         return 0;
     }
 #endif
 
     if (event_p) {
         event_p->retval = retval;
+        event_p->type = BASH_EVENT_TYPE_RETVAL;
         //        bpf_map_update_elem(&events_t, &pid, event_p, BPF_ANY);
         bpf_map_delete_elem(&events_t, &pid);
         bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, event_p,

diff --git a/kern/common.h b/kern/common.h
@@ -41,6 +41,8 @@
 #define SA_DATA_LEN 14
 #define BASH_ERRNO_DEFAULT 128
 
+#define BASH_EVENT_TYPE_READLINE 0
+#define BASH_EVENT_TYPE_RETVAL 1
 ///////// for TC & XDP ebpf programs in tc.h
 #define TC_ACT_OK 0
 #define ETH_P_IP 0x0800 /* Internet Protocol packet        */

diff --git a/user/event/event_bash.go b/user/event/event_bash.go
@@ -18,10 +18,13 @@ import (
 	"bytes"
 	"encoding/binary"
 	"fmt"
+	"strings"
 
 	"golang.org/x/sys/unix"
 )
 
+var lineMap map[string]string = make(map[string]string)
+
 /*
  u32 pid;
  u8 line[MAX_DATE_SIZE_BASH];
@@ -30,9 +33,11 @@ import (
 */
 
 const MaxDataSizeBash = 256
+const BASH_ERRNO_DEFAULT = 128
 
 type BashEvent struct {
 	eventType EventType
+	Type      uint32                 `json:"type"`
 	Pid       uint32                 `json:"pid"`
 	Uid       uint32                 `json:"uid"`
 	Line      [MaxDataSizeBash]uint8 `json:"line"`
@@ -42,6 +47,9 @@ type BashEvent struct {
 
 func (be *BashEvent) Decode(payload []byte) (err error) {
 	buf := bytes.NewBuffer(payload)
+	if err = binary.Read(buf, binary.LittleEndian, &be.Type); err != nil {
+		return
+	}
 	if err = binary.Read(buf, binary.LittleEndian, &be.Pid); err != nil {
 		return
 	}
@@ -62,13 +70,49 @@ func (be *BashEvent) Decode(payload []byte) (err error) {
 }
 
 func (be *BashEvent) String() string {
-	s := fmt.Sprintf("PID:%d, UID:%d, \tComm:%s, \tRetvalue:%d, \tLine:\n%s", be.Pid, be.Uid, be.Comm, be.Retval, unix.ByteSliceToString((be.Line[:])))
-	return s
+	return be.handleLine(false)
 }
 
 func (be *BashEvent) StringHex() string {
-	s := fmt.Sprintf("PID:%d, UID:%d, \tComm:%s, \tRetvalue:%d, \tLine:\n%s,", be.Pid, be.Uid, be.Comm, be.Retval, dumpByteSlice([]byte(unix.ByteSliceToString((be.Line[:]))), ""))
-	return s
+	return be.handleLine(true)
+}
+
+func (be *BashEvent) handleLine(isHex bool) string {
+	if be.Type == 0 {
+		// #define BASH_EVENT_TYPE_READLINE 0 in common.h
+		newline := unix.ByteSliceToString((be.Line[:]))
+		trimedline := strings.TrimSpace(newline)
+		line := lineMap[be.GetUUID()]
+		if strings.HasPrefix(trimedline, "exit") || strings.HasPrefix(trimedline, "exec") {
+			line += newline
+			be.Retval = BASH_ERRNO_DEFAULT // unavailable return value
+			return be.printMsg(line, isHex)
+		}
+		if line != "" {
+			line += "\n" + newline
+		} else {
+			line += newline
+		}
+		lineMap[be.GetUUID()] = line
+		return ""
+	} else {
+		// #define BASH_EVENT_TYPE_RETVAL 1 in common.h
+		line, ok := lineMap[be.GetUUID()]
+		delete(lineMap, be.GetUUID())
+		if !ok || line == "" || be.Retval == BASH_ERRNO_DEFAULT {
+			return ""
+		}
+		return be.printMsg(line, isHex)
+	}
+}
+
+func (be *BashEvent) printMsg(line string, isHex bool) string {
+	if isHex {
+		return fmt.Sprintf("PID:%d, UID:%d, \tComm:%s, \tRetvalue:%d, \tLine:\n%s,", be.Pid, be.Uid, be.Comm, be.Retval, dumpByteSlice([]byte(line), ""))
+	} else {
+		return fmt.Sprintf("PID:%d, UID:%d, \tComm:%s, \tRetvalue:%d, \tLine:\n%s", be.Pid, be.Uid, be.Comm, be.Retval, line)
+	}
+
 }
 
 func (be *BashEvent) Clone() IEventStruct {

diff --git a/user/module/imodule.go b/user/module/imodule.go
@@ -292,7 +292,11 @@ func (m *Module) Dispatcher(e event.IEventStruct) {
 	// If Hex mode is enabled, data in hex format is directly printed for event processor and output events
 	if m.conf.GetHex() {
 		if e.EventType() == event.EventTypeEventProcessor || e.EventType() == event.EventTypeOutput {
-			m.logger.Println(e.StringHex())
+			s := e.StringHex()
+			if s == "" {
+				return
+			}
+			m.logger.Println(s)
 			return
 		}
 	}
@@ -301,7 +305,11 @@ func (m *Module) Dispatcher(e event.IEventStruct) {
 	// they will be handled according to multiple branches of the switch
 	switch e.EventType() {
 	case event.EventTypeOutput:
-		m.logger.Println(e.String())
+		s := e.String()
+		if s == "" {
+			return
+		}
+		m.logger.Println(s)
 	case event.EventTypeEventProcessor:
 		m.processor.Write(e)
 	case event.EventTypeModuleData: