
New feature: capture openssl masterkey #27 #140

Merged
merged 4 commits into from
Jul 20, 2022
1 change: 1 addition & 0 deletions Makefile
Expand Up @@ -352,6 +352,7 @@ format:
@echo " -> Formatting code"
@clang-format -i -style=$(STYLE) kern/*.c
@clang-format -i -style=$(STYLE) kern/common.h
@clang-format -i -style=$(STYLE) kern/masterkey_kern.h

autogen: .checkver_$(CMD_BPFTOOL)
$(AUTOGENCMD)
4 changes: 0 additions & 4 deletions go.mod
Expand Up @@ -5,7 +5,6 @@ go 1.17
require (
github.com/cilium/ebpf v0.9.0
github.com/ehids/ebpfmanager v0.3.0
github.com/pkg/errors v0.9.1
github.com/spf13/cobra v1.4.0
github.com/spf13/pflag v1.0.5
golang.org/x/sys v0.0.0-20211210111614-af8b64212486
Expand All @@ -25,8 +24,5 @@ require (
github.com/stretchr/testify v1.7.0 // indirect
github.com/vishvananda/netlink v1.1.0 // indirect
github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df // indirect
go.uber.org/atomic v1.9.0 // indirect
go.uber.org/multierr v1.8.0 // indirect
go.uber.org/zap v1.21.0 // indirect
golang.org/x/net v0.0.0-20210525063256-abc453219eb5 // indirect
)
35 changes: 1 addition & 34 deletions go.sum
@@ -1,18 +1,13 @@
github.com/avast/retry-go v3.0.0+incompatible h1:4SOWQ7Qs+oroOTQOYnAHqelpCO0biHSxpiH9JdtuBj0=
github.com/avast/retry-go v3.0.0+incompatible/go.mod h1:XtSnn+n/sHqQIpZ10K1qAevBhOOCWBLXXy3hyiqqBrY=
github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
github.com/cilium/ebpf v0.5.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
github.com/cilium/ebpf v0.8.1 h1:bLSSEbBLqGPXxls55pGr5qWZaTqcmfDJHhou7t254ao=
github.com/cilium/ebpf v0.8.1/go.mod h1:f5zLIM0FSNuAkSyLAN7X+Hy6yznlF1mNiWUMfxMtrgk=
github.com/cilium/ebpf v0.9.0 h1:ldiV+FscPCQ/p3mNEV4O02EPbUZJFsoEtHvIr9xLTvk=
github.com/cilium/ebpf v0.9.0/go.mod h1:+OhNOIXx/Fnu1IE8bJz2dzOA+VSfyTfdNUVdlQnxUFY=
github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/ehids/ebpfmanager v0.2.2 h1:pvbqWqP0I5gEpu8eXloYAePfJQOBOZYQrkHZCREA2sE=
github.com/ehids/ebpfmanager v0.2.2/go.mod h1:Na79A/VRPSpzQTvjsz5ui4WoZZufPG/oRIDpjKEjQvE=
github.com/ehids/ebpfmanager v0.3.0 h1:unYTs/EtOF6O9VJzjMHGATSchl8CNf6ctC+FmpZFSYE=
github.com/ehids/ebpfmanager v0.3.0/go.mod h1:Jwz0oZf5h3EtEarz32vx5gChAfUNwDxzqw80DstbQzM=
github.com/florianl/go-tc v0.4.0 h1:/g8oCl4OUWt1H4pnThn4iz8SJqV78O5VxAh7ykBN09c=
Expand Down Expand Up @@ -70,9 +65,6 @@ github.com/mdlayher/netlink v1.4.1 h1:I154BCU+mKlIf7BgcAJB2r7QjveNPty6uNY1g9ChVf
github.com/mdlayher/netlink v1.4.1/go.mod h1:e4/KuJ+s8UhfUpO9z00/fDZZmhSrs+oxyqAS9cNgn6Q=
github.com/mdlayher/socket v0.0.0-20210307095302-262dc9984e00 h1:qEtkL8n1DAHpi5/AOgAckwGQUlMe4+jhL/GMt+GKIks=
github.com/mdlayher/socket v0.0.0-20210307095302-262dc9984e00/go.mod h1:GAFlyu4/XV68LkQKYzKhIo/WW7j3Zi0YRAz/BOoanUc=
github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
Expand All @@ -94,24 +86,10 @@ github.com/vishvananda/netlink v1.1.0 h1:1iyaYNBLmP6L0220aDnYQpo1QEV4t4hJ+xEEhhJ
github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df h1:OviZH7qLw/7ZovXvuNyL3XQl8UFofeikI1NW1Gypu7k=
github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
go.uber.org/multierr v1.8.0 h1:dg6GjLku4EH+249NNmoIciG9N/jURbDG+pFlTkhzIC8=
go.uber.org/multierr v1.8.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak=
go.uber.org/zap v1.21.0 h1:WefMeulhovoZ2sYXz7st6K0sLj7bBhpiFaud4r4zST8=
go.uber.org/zap v1.21.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20191007182048-72f939374954/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
Expand All @@ -121,11 +99,8 @@ golang.org/x/net v0.0.0-20201216054612-986b41b23924/go.mod h1:m0MpNAwzfU5UDzcl9v
golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
golang.org/x/net v0.0.0-20210525063256-abc453219eb5 h1:wjuX4b5yYQnEQHzd+CBcrcC6OVR2J1CN6mUy0oSxIPo=
golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
Expand All @@ -145,9 +120,7 @@ golang.org/x/sys v0.0.0-20210123111255-9b0068b26619/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210216163648-f7da38b97c65/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211210111614-af8b64212486 h1:5hpz5aRr+W1erYCL5JRhSUBJRph7l9XkNveoExlrKYk=
Expand All @@ -157,19 +130,13 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c h1:dUUwHk2QECo/6vqA44rthZ8ie2QXMNeKRTHCNY2nXvo=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
5 changes: 3 additions & 2 deletions kern/bash_kern.c
Expand Up @@ -42,7 +42,8 @@ int uretprobe_bash_readline(struct pt_regs *ctx) {
event.pid = pid;
event.uid = uid;
// bpf_printk("!! uretprobe_bash_readline pid:%d",target_pid );
bpf_probe_read_user(&event.line, sizeof(event.line), (void *)PT_REGS_RC(ctx));
bpf_probe_read_user(&event.line, sizeof(event.line),
(void *)PT_REGS_RC(ctx));
bpf_get_current_comm(&event.comm, sizeof(event.comm));
bpf_map_update_elem(&events_t, &pid, &event, BPF_ANY);

Expand Down Expand Up @@ -78,7 +79,7 @@ int uretprobe_bash_retval(struct pt_regs *ctx) {

if (event_p) {
event_p->retval = retval;
// bpf_map_update_elem(&events_t, &pid, event_p, BPF_ANY);
// bpf_map_update_elem(&events_t, &pid, event_p, BPF_ANY);
bpf_map_delete_elem(&events_t, &pid);
bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, event_p,
sizeof(struct event));
144 changes: 69 additions & 75 deletions kern/gossl_kern.c
Expand Up @@ -2,23 +2,23 @@
#include "ecapture.h"

struct go_ssl_event {
__u64 ts_ns;
__u32 pid;
__u32 tid;
int data_len;
char comm[TASK_COMM_LEN];
char data[MAX_DATA_SIZE_OPENSSL];
__u64 ts_ns;
__u32 pid;
__u32 tid;
int data_len;
char comm[TASK_COMM_LEN];
char data[MAX_DATA_SIZE_OPENSSL];
};

struct {
__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
} events SEC(".maps");

struct {
__uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
__type(key, __u32);
__type(value, struct go_ssl_event);
__uint(max_entries, 1);
__uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
__type(key, __u32);
__type(value, struct go_ssl_event);
__uint(max_entries, 1);
} heap SEC(".maps");

#ifndef NOCORE
Expand All @@ -28,13 +28,13 @@ struct {
#define GO_REG2(x) BPF_CORE_READ((x), bx)
#define GO_REG3(x) BPF_CORE_READ((x), cx)
#define GO_REG4(x) BPF_CORE_READ((x), di)
#define GO_SP(x) BPF_CORE_READ((x), sp)
#define GO_SP(x) BPF_CORE_READ((x), sp)
#elif defined(__TARGET_ARCH_arm64)
#define GO_REG1(x) PT_REGS_PARM1_CORE(x)
#define GO_REG2(x) PT_REGS_PARM2_CORE(x)
#define GO_REG3(x) PT_REGS_PARM3_CORE(x)
#define GO_REG4(x) PT_REGS_PARM4_CORE(x)
#define GO_SP(x) PT_REGS_SP_CORE(x)
#define GO_SP(x) PT_REGS_SP_CORE(x)
#endif

#else
Expand All @@ -44,81 +44,75 @@ struct {
#define GO_REG2(x) ((x)->bx)
#define GO_REG3(x) ((x)->cx)
#define GO_REG4(x) ((x)->di)
#define GO_SP(x) ((x)->sp)
#define GO_SP(x) ((x)->sp)
#elif defined(__aarch64__)
#define GO_REG1(x) PT_REGS_PARM1(x)
#define GO_REG2(x) PT_REGS_PARM2(x)
#define GO_REG3(x) PT_REGS_PARM3(x)
#define GO_REG4(x) PT_REGS_PARM4(x)
#define GO_SP(x) PT_REGS_SP(x)
#define GO_SP(x) PT_REGS_SP(x)
#endif

#endif

static struct go_ssl_event *get_event()
{
static const int zero = 0;
struct go_ssl_event *event;
__u64 id;

event = bpf_map_lookup_elem(&heap, &zero);
if (!event)
return NULL;

id = bpf_get_current_pid_tgid();
event->ts_ns = bpf_ktime_get_ns();
event->pid = id >> 32;
event->tid = (__u32)id;
bpf_get_current_comm(event->comm, sizeof(event->comm));
return event;
static struct go_ssl_event *get_event() {
static const int zero = 0;
struct go_ssl_event *event;
__u64 id;

event = bpf_map_lookup_elem(&heap, &zero);
if (!event) return NULL;

id = bpf_get_current_pid_tgid();
event->ts_ns = bpf_ktime_get_ns();
event->pid = id >> 32;
event->tid = (__u32)id;
bpf_get_current_comm(event->comm, sizeof(event->comm));
return event;
}

SEC("uprobe/abi_stack")
int BPF_KPROBE(probe_stack)
{
struct go_ssl_event *event;
__u64 *sp = (void *)GO_SP(ctx), addr;
int len, record_type;
const char *str;

bpf_probe_read_user(&record_type, sizeof(record_type), sp + 2);
if (record_type != 23)
return 0;

bpf_probe_read_user(&addr, sizeof(addr), sp + 3);
bpf_probe_read_user(&len, sizeof(len), sp + 4);

event = get_event();
if (!event)
return 0;

str = (void *)addr;
bpf_probe_read_user_str(event->data, sizeof(event->data), str);
event->data_len = len;
bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, event, sizeof(*event));
return 0;
int BPF_KPROBE(probe_stack) {
struct go_ssl_event *event;
__u64 *sp = (void *)GO_SP(ctx), addr;
int len, record_type;
const char *str;

bpf_probe_read_user(&record_type, sizeof(record_type), sp + 2);
if (record_type != 23) return 0;

bpf_probe_read_user(&addr, sizeof(addr), sp + 3);
bpf_probe_read_user(&len, sizeof(len), sp + 4);

event = get_event();
if (!event) return 0;

str = (void *)addr;
bpf_probe_read_user_str(event->data, sizeof(event->data), str);
event->data_len = len;
bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, event,
sizeof(*event));
return 0;
}

SEC("uprobe/abi_register")
int BPF_KPROBE(probe_register)
{
struct go_ssl_event *event;
int len, record_type;
const char *str;

record_type = GO_REG2(ctx);
str = (void *)GO_REG3(ctx);
len = GO_REG4(ctx);

if (record_type != 23)
return 0;

event = get_event();
if (!event)
return 0;

bpf_probe_read_user_str(event->data, sizeof(event->data), str);
event->data_len = len;
bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, event, sizeof(*event));
return 0;
int BPF_KPROBE(probe_register) {
struct go_ssl_event *event;
int len, record_type;
const char *str;

record_type = GO_REG2(ctx);
str = (void *)GO_REG3(ctx);
len = GO_REG4(ctx);

if (record_type != 23) return 0;

event = get_event();
if (!event) return 0;

bpf_probe_read_user_str(event->data, sizeof(event->data), str);
event->data_len = len;
bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, event,
sizeof(*event));
return 0;
}
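Review bot: In both `probe_stack` and `probe_register` (reformatted here, logic unchanged), `event->data_len` takes the caller-supplied `len` as-is while the payload is copied with `bpf_probe_read_user_str`, which stops at the first NUL byte and is capped at `sizeof(event->data)`, so the reported length can disagree with the bytes actually copied. Because `get_event()` returns the single per-CPU `heap` slot without clearing `data`, and the full `sizeof(*event)` is emitted, bytes past the copied string are left over from an earlier event, possibly from a different process; a consumer that trusts `data_len` would presumably pick them up, and a negative or oversized `len` passes through unchecked. Consider clamping `len` into a local `n` in the range 0 to `sizeof(event->data)` and copying by length, `bpf_probe_read_user(event->data, n, str);` followed by `event->data_len = n;`. The literal `23` in `if (record_type != 23) return 0;` looks like the TLS application-data record type and would read better as a named constant with a one-line comment.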
Loading