Open fr0m-scratch opened 1 month ago
Could you please check whether pread and read are actually hooked (i.e., whether the hooks are triggered when these functions are called)?
Thank you for your help! I think read and pread are indeed hooked.
I modified the BPF program to be as simple as:
/* uprobe on libc.so.6:write — emits a trace line and forces the caller of
 * write() to observe the return value 9999 instead of the real one. */
SEC("uprobe/libc.so.6:write")
int bpf_write_patch(struct pt_regs *ctx)
{
    const unsigned long forced_ret = 9999;

    bpf_printk("write called\n");
    bpf_override_return(ctx, forced_ret);
    return 0;
}
/* uprobe on libc.so.6:read — emits a trace line and forces the caller of
 * read() to observe the return value 9999 instead of the real one. */
SEC("uprobe/libc.so.6:read")
int bpf_read_patch(struct pt_regs *ctx)
{
    const unsigned long forced_ret = 9999;

    bpf_printk("read called\n");
    bpf_override_return(ctx, forced_ret);
    return 0;
}
And victim.c to be
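/*
 * Copy ./1mb.txt to ./temp.txt with read()/write() in BUFFER_SIZE chunks,
 * printing every read/write return value so that a uprobe override on either
 * libc call is directly visible in the output.
 *
 * Returns EXIT_SUCCESS on a complete copy and EXIT_FAILURE on any error.
 * Both descriptors are closed on every exit path (the original leaked them
 * on the fstat failure path and returned -1 there instead of EXIT_FAILURE).
 */
int main(void) {
    int rc = EXIT_FAILURE;
    clock_t start = 0, end = 0;
    char buffer[BUFFER_SIZE];

    int sourceFile = open("./1mb.txt", O_RDONLY);
    if (sourceFile == -1) {
        perror("Error opening source file");
        return EXIT_FAILURE;
    }

    int destFile = open("./temp.txt", O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (destFile == -1) {
        perror("Error opening destination file");
        goto close_source;
    }

    start = clock();

    struct stat file_stat;
    if (fstat(sourceFile, &file_stat) == -1) {
        perror("Error getting file stats");
        goto close_both;
    }

    /* st_size is off_t; storing it in an int truncates files of 2 GiB or more. */
    off_t remaining_bytes = file_stat.st_size;
    printf("File size: %lld\n", (long long)remaining_bytes);

    while (remaining_bytes > 0) {
        size_t want = BUFFER_SIZE;
        if (remaining_bytes < (off_t)BUFFER_SIZE) {
            want = (size_t)remaining_bytes;
        }

        ssize_t bytesRead = read(sourceFile, buffer, want);
        printf("Bytes read: %zd\n", bytesRead);
        if (bytesRead == -1) {
            perror("Error reading from source file");
            goto close_both;
        }
        if (bytesRead == 0) {
            /* EOF before st_size was reached (file shrank underneath us); stop cleanly
             * instead of spinning forever on remaining_bytes. */
            break;
        }
        /* A return value larger than the request (for example the 9999 forced by
         * bpf_override_return) must not be trusted: passing it to write() would
         * read past the end of buffer. */
        if ((size_t)bytesRead > want) {
            fprintf(stderr, "read returned %zd bytes for a %zu-byte request\n",
                    bytesRead, want);
            goto close_both;
        }
        remaining_bytes -= bytesRead;

        /* write() may return a short count; keep going until the chunk is out. */
        size_t off = 0;
        while (off < (size_t)bytesRead) {
            size_t left = (size_t)bytesRead - off;
            ssize_t bytesWritten = write(destFile, buffer + off, left);
            printf("Bytes written: %zd\n", bytesWritten);
            if (bytesWritten == -1) {
                perror("Error writing to destination file");
                goto close_both;
            }
            /* Zero progress or a count above the request is not a usable result. */
            if (bytesWritten <= 0 || (size_t)bytesWritten > left) {
                fprintf(stderr, "write returned %zd bytes for a %zu-byte request\n",
                        bytesWritten, left);
                goto close_both;
            }
            off += (size_t)bytesWritten;
        }
    }

    end = clock();
    rc = EXIT_SUCCESS;

close_both:
    /* close() on a written file can still fail; report it rather than claim success. */
    if (close(destFile) == -1) {
        perror("Error closing destination file");
        rc = EXIT_FAILURE;
    }
close_source:
    close(sourceFile);

    if (rc == EXIT_SUCCESS) {
        printf("File copied successfully in %f seconds\n",
               (double)(end - start) / CLOCKS_PER_SEC);
    }
    return rc;
}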
The output is shown below, where write is successfully overridden and read is not:
The same applies to pread.
Additionally, when I added a wrapper around read, everything works fine, so I am just curious about the cause of this problem.
Thank you for your help! I think read and pread are indeed hooked. I modified the BPF program to be as simple as:
/* Return value both uprobes force on their hooked libc call. */
enum { PATCHED_RET = 9999 };

/* uprobe on libc.so.6:write — log the call and make the caller of write()
 * see PATCHED_RET instead of the real result. */
SEC("uprobe/libc.so.6:write")
int bpf_write_patch(struct pt_regs *ctx)
{
    bpf_printk("write called\n");
    bpf_override_return(ctx, PATCHED_RET);
    return 0;
}

/* uprobe on libc.so.6:read — log the call and make the caller of read()
 * see PATCHED_RET instead of the real result. */
SEC("uprobe/libc.so.6:read")
int bpf_read_patch(struct pt_regs *ctx)
{
    bpf_printk("read called\n");
    bpf_override_return(ctx, PATCHED_RET);
    return 0;
}
And victim.c to be
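/*
 * Copy ./1mb.txt to ./temp.txt with read()/write() in BUFFER_SIZE chunks,
 * printing every read/write return value so that a uprobe override on either
 * libc call is directly visible in the output.
 *
 * Returns EXIT_SUCCESS on a complete copy and EXIT_FAILURE on any error.
 * Both descriptors are closed on every exit path (the original leaked them
 * on the fstat failure path and returned -1 there instead of EXIT_FAILURE).
 */
int main(void) {
    int rc = EXIT_FAILURE;
    clock_t start = 0, end = 0;
    char buffer[BUFFER_SIZE];

    int sourceFile = open("./1mb.txt", O_RDONLY);
    if (sourceFile == -1) {
        perror("Error opening source file");
        return EXIT_FAILURE;
    }

    int destFile = open("./temp.txt", O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (destFile == -1) {
        perror("Error opening destination file");
        goto close_source;
    }

    start = clock();

    struct stat file_stat;
    if (fstat(sourceFile, &file_stat) == -1) {
        perror("Error getting file stats");
        goto close_both;
    }

    /* st_size is off_t; storing it in an int truncates files of 2 GiB or more. */
    off_t remaining_bytes = file_stat.st_size;
    printf("File size: %lld\n", (long long)remaining_bytes);

    while (remaining_bytes > 0) {
        size_t want = BUFFER_SIZE;
        if (remaining_bytes < (off_t)BUFFER_SIZE) {
            want = (size_t)remaining_bytes;
        }

        ssize_t bytesRead = read(sourceFile, buffer, want);
        printf("Bytes read: %zd\n", bytesRead);
        if (bytesRead == -1) {
            perror("Error reading from source file");
            goto close_both;
        }
        if (bytesRead == 0) {
            /* EOF before st_size was reached (file shrank underneath us); stop cleanly
             * instead of spinning forever on remaining_bytes. */
            break;
        }
        /* A return value larger than the request (for example the 9999 forced by
         * bpf_override_return) must not be trusted: passing it to write() would
         * read past the end of buffer. */
        if ((size_t)bytesRead > want) {
            fprintf(stderr, "read returned %zd bytes for a %zu-byte request\n",
                    bytesRead, want);
            goto close_both;
        }
        remaining_bytes -= bytesRead;

        /* write() may return a short count; keep going until the chunk is out. */
        size_t off = 0;
        while (off < (size_t)bytesRead) {
            size_t left = (size_t)bytesRead - off;
            ssize_t bytesWritten = write(destFile, buffer + off, left);
            printf("Bytes written: %zd\n", bytesWritten);
            if (bytesWritten == -1) {
                perror("Error writing to destination file");
                goto close_both;
            }
            /* Zero progress or a count above the request is not a usable result. */
            if (bytesWritten <= 0 || (size_t)bytesWritten > left) {
                fprintf(stderr, "write returned %zd bytes for a %zu-byte request\n",
                        bytesWritten, left);
                goto close_both;
            }
            off += (size_t)bytesWritten;
        }
    }

    end = clock();
    rc = EXIT_SUCCESS;

close_both:
    /* close() on a written file can still fail; report it rather than claim success. */
    if (close(destFile) == -1) {
        perror("Error closing destination file");
        rc = EXIT_FAILURE;
    }
close_source:
    close(sourceFile);

    if (rc == EXIT_SUCCESS) {
        printf("File copied successfully in %f seconds\n",
               (double)(end - start) / CLOCKS_PER_SEC);
    }
    return rc;
}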
The output is shown below, where write is successfully overridden and read is not: The same applies to pread as well. Additionally, when I added a wrapper around read, everything works fine, so I am just curious about the cause of this problem.
Thanks for your reply! I'll look into it and try to reproduce it first.
I'm not able to reproduce it on my machine. Could you please help me create a Docker image that reproduces it? (At least overriding read works for me.)
I was unable to override the symbol pread or read in '/lib/x86_64-linux-gnu/libc.so.6'. It works perfectly fine for write, both when using bpf_override_return to override the return value seen by the client program and when replacing the original write syscall by returning a non-zero value from the BPF program. However, the override does not work for either pread or read. Both related configs were set as
Initially, I thought the problem was related to the global symbols. However, the override does not work with the weak symbol pread either.
Part of my BPF program:
Part of my user-space code:
Any help and suggestion is appreciated! Thanks!