eunomia-bpf / bpf-developer-tutorial

eBPF Developer Tutorial: Learning eBPF Step by Step with Examples
https://eunomia.dev/tutorials/
MIT License
2.45k stars, 349 forks

24-hide program cannot capture all pids when the ps command runs #85

Status: Closed (bfengj closed this 9 months ago)

bfengj commented 9 months ago

Describe the bug: In the hidepid program, at the function `int handle_getdents_enter(struct trace_event_raw_sys_enter *ctx) {`, in theory every pid that the ps command displays should be captured. I added some debug code:

```c
int handle_getdents_enter(struct trace_event_raw_sys_enter *ctx) {
    // Upper 32 bits: tgid (process id); lower 32 bits: pid (thread id).
    // bpf_printk("%d", pid_tgid) below therefore shows the lower 32 bits only.
    u64 pid_tgid = bpf_get_current_pid_tgid();
    u8 commond[TASK_COMM_LEN];

    // Check if we're a process thread of interest
    // if target_ppid is 0 then we target all pids
    if (target_ppid != 0) {
        struct task_struct *task = (struct task_struct *) bpf_get_current_task();
        int ppid = BPF_CORE_READ(task, real_parent, tgid);

        // Debug: log every getdents64 call made by a task whose comm starts with "ps"
        bpf_get_current_comm(&commond, sizeof(commond));
        if (commond[0] == 'p' && commond[1] == 's') {
            bpf_printk("[PID_HIDE] current command:%s", commond);
            bpf_printk("[PID_HIDE] current pid:%d", pid_tgid);
            bpf_printk("[PID_HIDE] parent pid:%d", ppid);
        }

        // Only intercept callers whose parent process is target_ppid
        if (ppid != target_ppid) {
            return 0;
        }
    }

    bpf_printk("[PID_HIDE] get target_ppid %d", target_ppid);
    // Store the caller's dirent buffer pointer, keyed by pid_tgid, so the
    // sys_exit hook can look it up and patch the buffer
    struct linux_dirent64 *dirp = (struct linux_dirent64 *) ctx->args[1];
    bpf_map_update_elem(&map_buffs, &pid_tgid, &dirp, BPF_ANY);

    return 0;
}
```

Every time I run ps -aux, the printed output is:

```text
              ps-322790  [002] ...21 75106.177901: bpf_trace_printk: [PID_HIDE] current command:ps
              ps-322790  [002] ...21 75106.177918: bpf_trace_printk: [PID_HIDE] current pid:322790
              ps-322790  [002] ...21 75106.177919: bpf_trace_printk: [PID_HIDE] parent pid:322776
           <...>-322805  [003] ...21 75111.319231: bpf_trace_printk: [PID_HIDE] current command:ps
           <...>-322805  [003] ...21 75111.319255: bpf_trace_printk: [PID_HIDE] current pid:322805
           <...>-322805  [003] ...21 75111.319256: bpf_trace_printk: [PID_HIDE] parent pid:322792
              ps-322805  [000] ...21 75111.331727: bpf_trace_printk: [PID_HIDE] current command:ps
              ps-322805  [000] ...21 75111.331747: bpf_trace_printk: [PID_HIDE] current pid:322805
              ps-322805  [000] ...21 75111.331747: bpf_trace_printk: [PID_HIDE] parent pid:322792
```

Each time, the current pid is the pid of the ps command, and the parent pid is the pid of the bash that ran ps, which can be obtained with `echo $$`.

If I understand this correctly, there is actually no way to know when it is the target pid, because only the pids of ps and bash can be obtained. I'm not sure whether my understanding is accurate, but the code indeed does not run successfully on my system.

Desktop (please complete the following information):

```text
uname -a
Linux ubuntu-linux-22-04-02-desktop 6.5.13-060513-generic #202311281736 SMP PREEMPT_DYNAMIC Tue Nov 28 18:10:14 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux
```
bfengj commented 9 months ago

Sorry, I misunderstood something. I had always assumed that target_ppid was the pid to be hidden, but it turns out it is not. The problem is solved.
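The confusion in this thread is between two different parameters of a getdents64-based pid hider: `target_ppid` only selects whose directory listings get intercepted (the entry hook compares the caller's parent tgid against it, which is why the trace above shows ps and its parent shell, never the hidden process), while the pid that disappears is a separate parameter that the exit hook removes by patching the caller's `linux_dirent64` buffer, growing the preceding entry's `d_reclen` so the reader steps over the hidden entry. The following is an added userspace simulation of that exit-hook logic, written for this thread and not code from the tutorial; the entry names, the `listing_storage` buffer and the helper names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace mirror of the kernel's struct linux_dirent64 field layout. */
struct dirent64_hdr {
    uint64_t d_ino;
    int64_t  d_off;
    uint16_t d_reclen;
    uint8_t  d_type;
    char     d_name[];
};

#define DT_DIR 4

/* bpf_get_current_pid_tgid() packs tgid in the upper 32 bits and the thread
 * id in the lower 32; the issue's bpf_printk("%d", pid_tgid) shows the lower half. */
static uint32_t tgid_of(uint64_t pid_tgid) { return (uint32_t)(pid_tgid >> 32); }
static uint32_t pid_of(uint64_t pid_tgid)  { return (uint32_t)pid_tgid; }

/* Append one directory entry the way the kernel fills a getdents64 buffer:
 * header plus NUL-terminated name, record length padded to 8 bytes. */
static size_t append_entry(char *buf, size_t used, uint64_t ino, const char *name)
{
    size_t namelen = strlen(name) + 1;
    size_t reclen = (offsetof(struct dirent64_hdr, d_name) + namelen + 7) & ~(size_t)7;
    struct dirent64_hdr *d = (struct dirent64_hdr *)(buf + used);
    d->d_ino = ino;
    d->d_off = (int64_t)(used + reclen);
    d->d_reclen = (uint16_t)reclen;
    d->d_type = DT_DIR;
    memcpy(d->d_name, name, namelen);
    return used + reclen;
}

/* Constructed /proc listing: init, the shell (322776), ps itself (322790)
 * and one more process. Backing store is uint64_t so entries stay 8-aligned. */
static uint64_t listing_storage[64];
static size_t build_proc_listing(char **out_buf)
{
    char *buf = (char *)listing_storage;
    size_t used = 0;
    used = append_entry(buf, used, 1001, "1");
    used = append_entry(buf, used, 1002, "322776");
    used = append_entry(buf, used, 1003, "322790");
    used = append_entry(buf, used, 1004, "4567");
    *out_buf = buf;
    return used;
}

/* The exit-hook step: walk the buffer, and when the entry named pid_str is
 * found, add its d_reclen to the previous entry's d_reclen (in BPF this is the
 * bpf_probe_write_user() into the caller's buffer). Returns 1 if hidden,
 * 0 if not found or if it is the first entry, which has no predecessor. */
static int hide_pid_entry(char *buf, size_t len, const char *pid_str)
{
    size_t off = 0;
    struct dirent64_hdr *prev = NULL;
    while (off < len) {
        struct dirent64_hdr *d = (struct dirent64_hdr *)(buf + off);
        if (d->d_reclen == 0 || off + d->d_reclen > len)
            return 0;
        if (strcmp(d->d_name, pid_str) == 0) {
            if (prev == NULL)
                return 0;
            prev->d_reclen = (uint16_t)(prev->d_reclen + d->d_reclen);
            return 1;
        }
        prev = d;
        off += d->d_reclen;
    }
    return 0;
}

/* What a consumer such as ps sees: it advances by d_reclen, so a merged
 * record hides whatever sits inside the enlarged predecessor. */
static int entry_visible(const char *buf, size_t len, const char *name)
{
    size_t off = 0;
    while (off < len) {
        const struct dirent64_hdr *d = (const struct dirent64_hdr *)(buf + off);
        if (d->d_reclen == 0)
            return 0;
        if (strcmp(d->d_name, name) == 0)
            return 1;
        off += d->d_reclen;
    }
    return 0;
}

int main(void)
{
    char *buf;
    size_t len = build_proc_listing(&buf);
    const char *victim = "322790";
    printf("before: %s visible=%d\n", victim, entry_visible(buf, len, victim));
    hide_pid_entry(buf, len, victim);
    printf("after:  %s visible=%d\n", victim, entry_visible(buf, len, victim));
    uint64_t pid_tgid = ((uint64_t)322790 << 32) | 322790;
    printf("tgid=%u pid=%u\n", tgid_of(pid_tgid), pid_of(pid_tgid));
    return 0;
}
```

Two practical points follow from the simulation: the pid to hide is matched by its `d_name` string in the buffer, so it is entirely independent of which process (or which parent, via `target_ppid`) issued the getdents64 call; and the first entry in a buffer cannot be hidden this way because there is no predecessor whose `d_reclen` can absorb it, which is a known limitation of the technique rather than a filtering bug.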