eunomia-bpf / bpftime

Userspace eBPF runtime for fast Uprobe & Syscall hook & Extensions with LLVM JIT
https://eunomia.dev/bpftime/
MIT License

[FEATURE] Add ARM64 support to the Frida uprobe attach manager #304

Open viniciusd opened 3 weeks ago

viniciusd commented 3 weeks ago

Is your feature request related to a problem? Please describe.

As part of supporting macOS (#145), we should support ARM64 as Apple has migrated from x86.

Describe the solution you'd like

x86-specific code supports ARM64

Provide usage examples

The bpftime components should be able to run on arm64

viniciusd commented 3 weeks ago

@Officeyutong I understand the Frida uprobe attach manager is at bpftime/attach/frida_uprobe_attach_impl. How can I run the unit tests for this directory only?

Officeyutong commented 3 weeks ago

> @Officeyutong I understand the Frida uprobe attach manager is at bpftime/attach/frida_uprobe_attach_impl. How can I run the unit tests for this directory only?

Build and run target bpftime_frida_uprobe_attach_tests

viniciusd commented 3 weeks ago

@Officeyutong I am going over the entire attach impl code to try to understand what is happening (super cool btw, great idea y'all had for implementing it with frida/gum).

In the uprobe_listener_on_enter: (frida_internal_attach_entry.cpp)

static void uprobe_listener_on_enter(GumInvocationListener *listener,
                     GumInvocationContext *ic)
{
    UprobeListener *self = EXAMPLE_LISTENER(listener);
    auto *hook_entry = (frida_internal_attach_entry *)
        gum_invocation_context_get_listener_function_data(ic);
    SPDLOG_TRACE("Handle uprobe at uprobe_listener_on_enter");
    GumInvocationContext *ctx;
    bpftime::pt_regs regs;
    ctx = gum_interceptor_get_current_invocation();
    convert_gum_cpu_context_to_pt_regs(*ctx->cpu_context, regs);
    hook_entry->iterate_uprobe_callbacks(regs);
}

Is this EXAMPLE_LISTENER used for anything or is it just leftover from the initial implementation?

Officeyutong commented 3 weeks ago

> EXAMPLE_LISTENER

A listener object is required by frida if we want to monitor invocation of a function. The expansion of the macro G_DECLARE_FINAL_TYPE defines EXAMPLE_LISTENER, and G_DEFINE_TYPE_EXTENDED defines the initializer uprobe_listener_iface_init, where it specifies uprobe_listener_on_enter and uprobe_listener_on_leave as the listener functions. The name EXAMPLE was copied from our POC; I forgot to rename it to a suitable name.

Officeyutong commented 6 days ago

The implementation of uprobe is in attach/frida_uprobe_attach_impl/src/*.cpp. Most of the code here is platform independent and directly calls functions provided by frida. The first thing we should do is make the target bpftime_frida_uprobe_attach_tests, the unit tests of the uprobe implementation, work on macOS. It doesn't involve anything related to eBPF.

Here is a brief introduction to the attach part: https://eunomia.dev/bpftime/documents/attach/

@hp77-creator