gojue · cfc4n · Aug 18, 2024 · Aug 17, 2024 · Aug 18, 2024 · Aug 18, 2024
diff --git a/.github/codecov.yml b/.github/codecov.yml
@@ -0,0 +1,20 @@
+ignore:
+  - tests/**
+
+beta_groups:
+  - "labels"
+
+flag_management:
+  individual_flags:
+    - name: "smart-labels"
+      carryforward: true
+      carryforward_mode: "labels"
+flags:
+  unittests-Solution:
+    carryforward: true
+    paths:
+      - ./**
+cli:
+  plugins:
+    pycoverage:
+      report_type: "json"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -90,7 +90,16 @@ jobs:
           make nocore -j4
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v2
+      - name: Setup Python
+        uses: actions/setup-python@main
+        with:
+          python-version: 3.12.5
+      - name: Generate coverage report
+        run: |
+          pip install pytest
+          pip install pytest-cov
+          pytest --cov=./ --cov-report=xml
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v4.0.1
+        uses: codecov/codecov-action@v4
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.github/workflows/go-c-cpp.yml b/.github/workflows/go-c-cpp.yml
@@ -40,8 +40,6 @@ jobs:
         with:
           args: --disable-all -E errcheck -E staticcheck
           skip-cache: true
-          skip-pkg-cache: true
-          skip-build-cache: true
           problem-matchers: true
       - name: Build NOCORE
         run: |
@@ -87,12 +85,11 @@ jobs:
           cd ./lib/libpcap/ && sudo make install
           cd $GITHUB_WORKSPACE
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@v6
         with:
           args: --disable-all -E errcheck -E staticcheck
           skip-cache: true
-          skip-pkg-cache: true
-          skip-build-cache: true
+          problem-matchers: true
       - name: Build non-CO-RE
         run: |
           make clean

diff --git a/cli/cmd/root.go b/cli/cmd/root.go
@@ -121,10 +121,20 @@ func init() {
 	rootCmd.PersistentFlags().IntVar(&globalConf.PerCpuMapSize, "mapsize", 1024, "eBPF map size per CPU,for events buffer. default:1024 * PAGESIZE. (KB)")
 	rootCmd.PersistentFlags().Uint64VarP(&globalConf.Pid, "pid", "p", defaultPid, "if pid is 0 then we target all pids")
 	rootCmd.PersistentFlags().Uint64VarP(&globalConf.Uid, "uid", "u", defaultUid, "if uid is 0 then we target all users")
-	rootCmd.PersistentFlags().StringVarP(&globalConf.LoggerAddr, "logaddr", "l", "", "send logs to this server.-l /tmp/ecapture.log or -l tcp://127.0.0.1:8080")
+	rootCmd.PersistentFlags().StringVarP(&globalConf.LoggerAddr, "logaddr", "l", "", "send logs to this server. -l /tmp/ecapture.log or -l tcp://127.0.0.1:8080")
+	rootCmd.PersistentFlags().StringVar(&globalConf.EventCollectorAddr, "eventaddr", "", "the server address that receives the captured event. --eventaddr tcp://127.0.0.1:8090, default: same as logaddr")
 	rootCmd.PersistentFlags().StringVar(&globalConf.Listen, "listen", eCaptureListenAddr, "listen on this address for http server, default: 127.0.0.1:28256")
 }
 
+// eventCollector
+type eventCollectorWriter struct {
+	logger *zerolog.Logger
+}
+
+func (e eventCollectorWriter) Write(p []byte) (n int, err error) {
+	return e.logger.Write(p)
+}
+
 // setModConfig set module config
 func setModConfig(globalConf config.BaseConfig, modConf config.IConfig) {
 	modConf.SetPid(globalConf.Pid)
@@ -154,13 +164,13 @@ func initLogger(addr string, modConfig config.IConfig) zerolog.Logger {
 			var conn net.Conn
 			conn, err = net.Dial("tcp", address)
 			modConfig.SetAddrType(loggerTypeTcp)
-			modConfig.SetLoggerTCPAddr(address)
+			//modConfig.SetLoggerTCPAddr(address)
 			writer = conn
 		} else {
 			var f *os.File
 			f, err = os.Create(addr)
 			modConfig.SetAddrType(loggerTypeFile)
-			modConfig.SetLoggerTCPAddr("")
+			//modConfig.SetLoggerTCPAddr("")
 			writer = f
 		}
 		if err == nil && writer != nil {
@@ -178,16 +188,24 @@ func runModule(modName string, modConfig config.IConfig) {
 	var err error
 	setModConfig(globalConf, modConfig)
 	var logger = initLogger(globalConf.LoggerAddr, modConfig)
+	var eventCollector zerolog.Logger
+	if globalConf.EventCollectorAddr == "" {
+		eventCollector = logger
+	} else {
+		eventCollector = initLogger(globalConf.EventCollectorAddr, modConfig)
+	}
+	var ecw = eventCollectorWriter{logger: &eventCollector}
 	// init eCapture
 	logger.Info().Str("AppName", fmt.Sprintf("%s(%s)", CliName, CliNameZh)).Send()
 	logger.Info().Str("HomePage", CliHomepage).Send()
 	logger.Info().Str("Repository", CliRepo).Send()
 	logger.Info().Str("Author", CliAuthor).Send()
 	logger.Info().Str("Description", CliDescription).Send()
 	logger.Info().Str("Version", GitVersion).Send()
-	if modConfig.GetLoggerTCPAddr() != "" {
-		logger.Info().Str("LoggerTCPAddress", modConfig.GetLoggerTCPAddr()).Send()
-	}
+
+	logger.Info().Str("Listen", globalConf.Listen).Send()
+	logger.Info().Str("logger", globalConf.LoggerAddr).Msg("eCapture running logs")
+	logger.Info().Str("eventCollector", globalConf.EventCollectorAddr).Msg("the file handler that receives the captured event")
 
 	var isReload bool
 	var reRloadConfig = make(chan config.IConfig, 10)
@@ -221,7 +239,7 @@ func runModule(modName string, modConfig config.IConfig) {
 		logger.Warn().Msg("========== module starting. ==========")
 		mod := modFunc()
 		ctx, cancelFun := context.WithCancel(context.TODO())
-		err = mod.Init(ctx, &logger, modConfig)
+		err = mod.Init(ctx, &logger, modConfig, ecw)
 		if err != nil {
 			logger.Fatal().Err(err).Bool("isReload", isReload).Msg("module initialization failed")
 		}

diff --git a/user/config/iconfig.go b/user/config/iconfig.go
@@ -33,8 +33,8 @@ type IConfig interface {
 	SetBTF(uint8)
 	SetDebug(bool)
 	SetAddrType(uint8)
-	SetLoggerTCPAddr(string)
-	GetLoggerTCPAddr() string
+	SetEventCollectorAddr(string)
+	GetEventCollectorAddr() string
 	GetPerCpuMapSize() int
 	SetPerCpuMapSize(int)
 	EnableGlobalVar() bool //
@@ -61,13 +61,13 @@ type BaseConfig struct {
 	Listen string `json:"listen"` // listen address, default: 127.0.0.1:28256
 
 	// mapSizeKB
-	PerCpuMapSize int    `json:"per_cpu_map_size"` // ebpf map size for per Cpu.   see https://github.com/gojue/ecapture/issues/433 .
-	IsHex         bool   `json:"is_hex"`
-	Debug         bool   `json:"debug"`
-	BtfMode       uint8  `json:"btf_mode"`
-	LoggerAddr    string `json:"logger_addr"` // save file
-	LoggerType    uint8  `json:"logger_type"` // 0:stdout, 1:file, 2:tcp
-	LoggerTCPAddr string `json:"logger_tcp_addr"`
+	PerCpuMapSize      int    `json:"per_cpu_map_size"` // ebpf map size for per Cpu.   see https://github.com/gojue/ecapture/issues/433 .
+	IsHex              bool   `json:"is_hex"`
+	Debug              bool   `json:"debug"`
+	BtfMode            uint8  `json:"btf_mode"`
+	LoggerAddr         string `json:"logger_addr"`          // logger address
+	LoggerType         uint8  `json:"logger_type"`          // 0:stdout, 1:file, 2:tcp
+	EventCollectorAddr string `json:"event_collector_addr"` // the server address that receives the captured event
 }
 
 func (c *BaseConfig) GetPid() uint64 {
@@ -94,12 +94,12 @@ func (c *BaseConfig) SetUid(uid uint64) {
 	c.Uid = uid
 }
 
-func (c *BaseConfig) SetLoggerTCPAddr(addr string) {
-	c.LoggerTCPAddr = addr
+func (c *BaseConfig) SetEventCollectorAddr(addr string) {
+	c.EventCollectorAddr = addr
 }
 
-func (c *BaseConfig) GetLoggerTCPAddr() string {
-	return c.LoggerTCPAddr
+func (c *BaseConfig) GetEventCollectorAddr() string {
+	return c.EventCollectorAddr
 }
 
 func (c *BaseConfig) SetAddrType(t uint8) {

diff --git a/user/module/imodule.go b/user/module/imodule.go
@@ -18,6 +18,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"io"
 	"os"
 	"strings"
 	"sync/atomic"
@@ -35,7 +36,7 @@ import (
 
 type IModule interface {
 	// Init 初始化
-	Init(context.Context, *zerolog.Logger, config.IConfig) error
+	Init(context.Context, *zerolog.Logger, config.IConfig, io.Writer) error
 
 	// Name 获取当前module的名字
 	Name() string
@@ -69,23 +70,14 @@ const (
 	BtfModeSwitch      = "If eCapture fails to run, try specifying the BTF mode. use `-b 2` to specify non-CORE mode."
 )
 
-// eventProcesser Logger
-type epLogger struct {
-	logger *zerolog.Logger
-}
-
-func (e epLogger) Write(p []byte) (n int, err error) {
-	e.logger.Info().Msg(string(p))
-	return len(p), nil
-}
-
 type Module struct {
-	isClosed atomic.Bool
-	opts     *ebpf.CollectionOptions
-	reader   []IClose
-	ctx      context.Context
-	logger   *zerolog.Logger
-	child    IModule
+	isClosed       atomic.Bool
+	opts           *ebpf.CollectionOptions
+	reader         []IClose
+	ctx            context.Context
+	logger         *zerolog.Logger
+	eventCollector io.Writer
+	child          IModule
 	// probe的名字
 	name string
 
@@ -101,14 +93,15 @@ type Module struct {
 }
 
 // Init 对象初始化
-func (m *Module) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig) {
+func (m *Module) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig, eventCollector io.Writer) error {
 	m.isClosed.Store(false)
 	m.ctx = ctx
 	m.logger = logger
 	m.errChan = make(chan error)
 	m.isKernelLess5_2 = false //set false default
-	var epl = epLogger{logger: logger}
-	m.processor = event_processor.NewEventProcessor(epl, conf.GetHex())
+	m.eventCollector = eventCollector
+	//var epl = epLogger{logger: logger}
+	m.processor = event_processor.NewEventProcessor(eventCollector, conf.GetHex())
 	kv, err := kernel.HostVersion()
 	if err != nil {
 		m.logger.Warn().Err(err).Msg("Unable to detect kernel version due to an error:%v.used non-Less5_2 bytecode.")
@@ -138,6 +131,7 @@ func (m *Module) Init(ctx context.Context, logger *zerolog.Logger, conf config.I
 	} else {
 		m.logger.Info().Uint8("btfMode", conf.GetBTF()).Msg("BTF bytecode mode: non-CORE.")
 	}
+	return nil
 }
 
 func (m *Module) autoDetectBTF() {
@@ -383,7 +377,8 @@ func (m *Module) Dispatcher(e event.IEventStruct) {
 			if s == "" {
 				return
 			}
-			m.logger.Info().Msg(s)
+			//m.logger.Info().Msg(s)
+			_, _ = m.eventCollector.Write([]byte(s))
 			return
 		}
 	}
@@ -396,7 +391,8 @@ func (m *Module) Dispatcher(e event.IEventStruct) {
 		if s == "" {
 			return
 		}
-		m.logger.Info().Msg(s)
+		//m.logger.Info().Msg(s)
+		_, _ = m.eventCollector.Write([]byte(s))
 	case event.EventTypeEventProcessor:
 		m.processor.Write(e)
 	case event.EventTypeModuleData:

diff --git a/user/module/probe_bash.go b/user/module/probe_bash.go
@@ -23,6 +23,7 @@ import (
 	"github.com/gojue/ecapture/user/config"
 	"github.com/gojue/ecapture/user/event"
 	"github.com/rs/zerolog"
+	"io"
 	"math"
 
 	"github.com/cilium/ebpf"
@@ -46,8 +47,11 @@ type MBashProbe struct {
 }
 
 // 对象初始化
-func (b *MBashProbe) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig) error {
-	b.Module.Init(ctx, logger, conf)
+func (b *MBashProbe) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig, ecw io.Writer) error {
+	err := b.Module.Init(ctx, logger, conf, ecw)
+	if err != nil {
+		return err
+	}
 	b.conf = conf
 	b.Module.SetChild(b)
 	b.eventMaps = make([]*ebpf.Map, 0, 2)
@@ -278,9 +282,11 @@ func (b *MBashProbe) handleLine(be *event.BashEvent) {
 		return
 	}
 	if b.conf.GetHex() {
-		b.logger.Println(be.StringHex())
+		//b.logger.Println(be.StringHex())
+		_, _ = b.eventCollector.Write([]byte(be.StringHex()))
 	} else {
-		b.logger.Println(be.String())
+		//b.logger.Println(be.String())
+		_, _ = b.eventCollector.Write([]byte(be.String()))
 	}
 }
 

diff --git a/user/module/probe_gnutls.go b/user/module/probe_gnutls.go
@@ -26,6 +26,7 @@ import (
 	"github.com/gojue/ecapture/user/event"
 	"github.com/rs/zerolog"
 	"golang.org/x/sys/unix"
+	"io"
 	"math"
 	"os"
 	"path"
@@ -40,8 +41,11 @@ type MGnutlsProbe struct {
 }
 
 // 对象初始化
-func (g *MGnutlsProbe) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig) error {
-	g.Module.Init(ctx, logger, conf)
+func (g *MGnutlsProbe) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig, ecw io.Writer) error {
+	err := g.Module.Init(ctx, logger, conf, ecw)
+	if err != nil {
+		return err
+	}
 	g.conf = conf
 	g.Module.SetChild(g)
 	g.eventMaps = make([]*ebpf.Map, 0, 2)

diff --git a/user/module/probe_gotls.go b/user/module/probe_gotls.go
@@ -20,6 +20,7 @@ import (
 	"errors"
 	"fmt"
 	"github.com/rs/zerolog"
+	"io"
 	"os"
 	"path/filepath"
 	"sync"
@@ -53,8 +54,11 @@ type GoTLSProbe struct {
 	isRegisterABI     bool
 }
 
-func (g *GoTLSProbe) Init(ctx context.Context, l *zerolog.Logger, cfg config.IConfig) error {
-	g.Module.Init(ctx, l, cfg)
+func (g *GoTLSProbe) Init(ctx context.Context, l *zerolog.Logger, cfg config.IConfig, ecw io.Writer) error {
+	e := g.Module.Init(ctx, l, cfg, ecw)
+	if e != nil {
+		return e
+	}
 	g.conf = cfg
 	g.Module.SetChild(g)
 

diff --git a/user/module/probe_gotls_keylog.go b/user/module/probe_gotls_keylog.go
@@ -46,7 +46,7 @@ func (g *GoTLSProbe) setupManagersKeylog() error {
 		g.logger.Warn().Msg("Golang elf buildmode with pie")
 	}
 	g.logger.Info().Str("Function", config.GoTlsMasterSecretFunc).
-		Str("LoggerTCPAddr", fmt.Sprintf("%X", gotlsConf.GoTlsMasterSecretAddr)).Msg("Hook masterKey function")
+		Str("EventCollectorAddr", fmt.Sprintf("%X", gotlsConf.GoTlsMasterSecretAddr)).Msg("Hook masterKey function")
 	var (
 		sec string
 		fn  string

diff --git a/user/module/probe_gotls_pcap.go b/user/module/probe_gotls_pcap.go
@@ -55,7 +55,7 @@ func (g *GoTLSProbe) setupManagersPcap() error {
 	g.logger.Info().Str("binrayPath", g.path).Str("IFname", g.ifName).Int("IFindex", g.ifIdex).
 		Str("PcapFilter", pcapFilter).Msg("HOOK type:Golang elf")
 	g.logger.Info().Str("Function", config.GoTlsMasterSecretFunc).
-		Str("LoggerTCPAddr", fmt.Sprintf("%X", g.conf.(*config.GoTLSConfig).GoTlsMasterSecretAddr)).Msg("Hook masterKey function")
+		Str("EventCollectorAddr", fmt.Sprintf("%X", g.conf.(*config.GoTLSConfig).GoTlsMasterSecretAddr)).Msg("Hook masterKey function")
 
 	// create pcapng writer
 	netIfs, err := net.Interfaces()