Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
a
Andrea
04/21/2023, 9:59 AMHello everyone, I am playing with BPF these days and I see we can trace kernel’s function calls via
kprobekretprobetcp_v4_connectbcc/tools/tcpconnecta
alessandrogario
04/21/2023, 10:40 AMYou can, provided you can correctly specify a prototype for that function according to the simple DSL that the library supports
I have experimental branches for those features, but they are mostly a spare time project as of now
With the current ebpfpub code, it should however be possible to trace it
The prototype is simple enough:
int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len);tob::ebpfpub::IFunctionTracer::ParameterList parameter_list = {
{
"sk",
tob::ebpfpub::IFunctionTracer::Parameter::Type::Integer,
tob::ebpfpub::IFunctionTracer::Parameter::Mode::In,
8U
},
{
"uaddr",
tob::ebpfpub::IFunctionTracer::Parameter::Type::Buffer,
tob::ebpfpub::IFunctionTracer::Parameter::Mode::In,
"addr_len"
},
{
"addr_len",
tob::ebpfpub::IFunctionTracer::Parameter::Type::Integer,
tob::ebpfpub::IFunctionTracer::Parameter::Mode::In,
8U
}
};I guess the biggest problem here is that we do not have the definition for
struct sockYou could attempt to capture it as a raw buffer with
{
"sk",
tob::ebpfpub::IFunctionTracer::Parameter::Type::Buffer,
tob::ebpfpub::IFunctionTracer::Parameter::Mode::In,
1U // <- buffer size here
},The library was mainly written to generate probes for syscalls, where this problem never present itself
a
Andrea
04/21/2023, 12:01 PMInteresting. That would have been my next step as I saw one of your draft PRs about getting capabilities events. I am not sure I understand where the
kretprobea
alessandrogario
04/21/2023, 12:33 PMI think it's better to use both the kprobe and kretprobe
the addr_len is available when you are in the kprobe
if you only trace kretprobe you'll miss some parameters
More about that: from our code we can't really inspect much state in the kernel, and we have to rely on what we can capture through the function signature
a
Andrea
04/21/2023, 12:39 PMsorry I wasn’t clear. I mean I can see there is a
tob::ebpfpub::IFunctionTracer::createFromKprobekretprobeMore about that: from our code we can’t really inspect much state in the kernel, and we have to rely on what we can capture through the function signatureyeah that’s why I reckon tracing kretprobe for that specific call is necessary 🤔
a
alessandrogario
04/21/2023, 12:40 PMthe function tracer will automatically trace both the kprobe and the kretprobe
I did not understand the question, thought you were asking to just trace the kretprobe and avoid the kprobe
a
Andrea
04/21/2023, 12:41 PMgotcha
thank you
a
alessandrogario
04/21/2023, 12:43 PMhttps://github.com/trailofbits/ebpfpub/blob/main/ebpfpub/src/ifunctiontracer.cpp#L106-L121
EDIT: could not get selection to work, ended up editing the link manually 😄
a
Andrea
04/21/2023, 12:45 PMlol it worked ok actually 🙂
thank you that was the bit I missed