-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix https://github.com/gojue/ecapture/issues/513 #514
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
According to my testing, the problem is not that simple. On ubuntu 22.04 system with x86_64, the traced process crashes.
根据我测试的情况来看,问题不是这么简单。 在x86_64的ubuntu 22.04系统上,被跟踪的进程会崩溃。
this error in rootcause:
The relevant code changed by go pr 366695 solution:
|
@wlingze 感谢你的PR。我在ubuntu 22.04 arm64上测试了docker的符号表读取,读取到的offset依旧是错误的,两个单元测试文件也是失败。 程序读取的offset无效sudo bin/ecapture gotls -m text --elfpath=/usr/bin/docker
tls_2024/04/05 15:15:51 ECAPTURE :: ecapture Version : linux_aarch64:0.7.5-20240303-bfb4a8c:[CORE]
tls_2024/04/05 15:15:51 ECAPTURE :: Pid Info : 346937
tls_2024/04/05 15:15:51 ECAPTURE :: Kernel Info : 5.15.143
tls_2024/04/05 15:15:51 EBPFProbeGoTLS module initialization
tls_2024/04/05 15:15:51 EBPFProbeGoTLS master key keylogger:
tls_2024/04/05 15:15:51 ECAPTURE :: Module.Run()
tls_2024/04/05 15:15:51 EBPFProbeGoTLS Text MODEL
tls_2024/04/05 15:15:51 EBPFProbeGoTLS eBPF Function Name:gotls_write_register, isRegisterABI:true
tls_2024/04/05 15:15:51 EBPFProbeGoTLS Golang buildInfo version:go1.20.3, Params: -buildmode=pie -compiler=gc -ldflags= -X "github.com/docker/cli/cli/version.GitCommit=24.0.5-0ubuntu1~22.04.1" -X "github.com/docker/cli/cli/version.BuildTime=2023-08-21T19:50:14Z" -X "github.com/docker/cli/cli/version.Version=24.0.5" -tags=pkcs11 CGO_ENABLED=1 GOARCH=arm64 GOOS=linux
tls_2024/04/05 15:15:51 EBPFProbeGoTLS Golang elf buildmode with pie
tls_2024/04/05 15:15:51 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x46EF70
tls_2024/04/05 15:15:51 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x46EF98
tls_2024/04/05 15:15:51 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x46EFFC
tls_2024/04/05 15:15:51 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x46F118
tls_2024/04/05 15:15:51 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x46F148
tls_2024/04/05 15:15:51 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x46F1A8
tls_2024/04/05 15:15:51 EBPFProbeGoTLS add uretprobe function :crypto/tls.(*Conn).Read, offset:0x46F1C4
tls_2024/04/05 15:15:51 EBPFProbeGoTLS target all process.
tls_2024/04/05 15:15:51 EBPFProbeGoTLS target all users.
tls_2024/04/05 15:15:51 EBPFProbeGoTLS BPF bytecode filename:user/bytecode/gotls_kern.o
tls_2024/04/05 15:15:52 EBPFProbeGoTLS perfEventReader created. mapSize:4 MB
tls_2024/04/05 15:15:52 EBPFProbeGoTLS module started successfully.
^Ctls_2024/04/05 15:16:40 EBPFProbeGoTLS close.
tls_2024/04/05 15:16:40 EBPFProbeGoTLS close 另一个终端运行docker pull任意资源 单测失败go test ./tests/issue_513/
--- FAIL: TestDockerSymbol_ByElfSymbol (0.00s)
docker_test.go:29: get symbol crypto/tls.(*Conn).Read error: symbol not found
--- FAIL: TestDockerSymbol_BySymbolTable (0.02s)
docker_test.go:55: error symbol address: got[0x0046ed30] vs want[0x00635cb0], dec: 0x001c6f80
--- FAIL: TestDockerSymbolFromPclntab (0.01s)
gosym_test.go:117: error symbol address: got[0x0046ed30] vs want[0x00635cb0]
FAIL
FAIL ecapture/tests/issue_513 0.032s
FAIL |
@cfc4n 这时候只能借助 另外我认为在是否使用pclntab的判断不应该是 |
这个方式不能用于判断是否可以还原这个符号表的依据。
不过,我不赞同 |
在普通的ELF文件中,为了重定向, 程序一般会保留一部分的函数符号,因此可以通过 在Golang编译的二进制文件中,可以使用 因此我其实觉得, |
No description provided.