Closed revercc closed 1 year ago
Take a closer look at the compile log; it appears that there was a compilation error, and the BPF bytecode file is empty.
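With a self-compiled OpenSSL that keeps its symbols, it runs normally; for the build without symbols, adding UprobeOffset has no effect. The compile output is below, and no errors were found:
The files produced by the build were not empty either:
Can you give me the source code of a demo?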
Is the file upload incomplete?
unzip LoginTest.zip
Archive: LoginTest.zip
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of LoginTest.zip or
LoginTest.zip.zip, and cannot find LoginTest.zip.ZIP, period.
md5 LoginTest.zip
MD5 (LoginTest.zip) = b6e65a5bca72f745047e1b6768994b2e
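The project is too large and the environment too complex, so I won't compile it.
In the place you tested above, the offset assignment looks wrong; you can change it to this: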
{
Section: "uprobe/SSL_write_key",
EbpfFuncName: "probe_ssl_master_key",
AttachToFuncName: m.masterHookFunc,
BinaryPath: binaryPath,
UAddress: 0x1ADE3C,
},
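In the ebpfmanager library, UprobeOffset and UAddress have different meanings.
// UprobeOffset - this field changed from being an absolute offset to being relative to Address.
// Now it's a relative value
UprobeOffset uint64
// UAddress Symbol address. Must be provided in case of external symbols (shared libs).
// same as UprobeOptions.Address in cilium/ebpf
// The offset is now a relative offset; it is automatically added to the address of the symbol name to give the actual hook address.
// The address parameter is an absolute address that the library does not need to compute, i.e. it equals the sum of the two above. It has the highest priority.
UAddress uint64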
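I just tried replacing UprobeOffset with UAddress, and the corresponding function address is now found correctly. I had seen these two fields before, but their names are misleading; by rights, UAddress should be the specified absolute address and UprobeOffset the specified relative address.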
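The field naming and meaning are fine. They just weren't used correctly. Or rather, I probably didn't write the field comments clearly.
UprobeOffset can be understood like this: first the address of the AttachToFuncName symbol is looked up, then the UprobeOffset offset is added, and the result is the final hook address.
For example, in the figure, the goal is to hook the `if` assembly instruction on line 6. Assuming its offset relative to the function entry is 4, the value of UprobeOffset is set to 4 in the configuration.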
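A simplified Go model of the resolution rule explained above, added here as an illustration and not code from ebpfmanager or cilium/ebpf. The `Probe` struct, `ResolveHookAddr`, the symbol-table map and the address 0x1A2000 are assumptions; 0x1ADE3C and the offset 4 are the values used in the thread. It shows why a located offset placed in UprobeOffset fails on a stripped binary while the same value in UAddress resolves.

```go
package main

import (
	"errors"
	"fmt"
)

// Probe is a simplified stand-in holding only the fields discussed in this thread.
type Probe struct {
	AttachToFuncName string
	UprobeOffset     uint64 // relative: added to the resolved base address
	UAddress         uint64 // absolute: when non-zero, replaces the symbol lookup
}

var ErrSymbolNotFound = errors.New("symbol not found")

// ResolveHookAddr models where the uprobe lands. symtab stands in for the
// target's ELF symbol table; a stripped binary yields an empty table.
func ResolveHookAddr(p Probe, symtab map[string]uint64) (uint64, error) {
	base := p.UAddress
	if base == 0 { // no absolute address given: the symbol must resolve
		addr, ok := symtab[p.AttachToFuncName]
		if !ok {
			return 0, fmt.Errorf("%w: %q", ErrSymbolNotFound, p.AttachToFuncName)
		}
		base = addr
	}
	if base+p.UprobeOffset < base { // reject wrap-around from a bogus offset
		return 0, errors.New("hook address overflows uint64")
	}
	return base + p.UprobeOffset, nil
}

func main() {
	withSyms := map[string]uint64{"SSL_write": 0x1A2000} // constructed address
	stripped := map[string]uint64{}                      // symbols removed
	cases := []struct {
		name string
		p    Probe
		tab  map[string]uint64
	}{
		{"symbol + relative offset", Probe{"SSL_write", 4, 0}, withSyms},
		{"stripped, value in UprobeOffset", Probe{"SSL_write", 0x1ADE3C, 0}, stripped},
		{"stripped, value in UAddress", Probe{"SSL_write", 0, 0x1ADE3C}, stripped},
	}
	for _, c := range cases {
		addr, err := ResolveHookAddr(c.p, c.tab)
		fmt.Printf("%-34s addr=%#x err=%v\n", c.name, addr, err)
	}
}
```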
Thanks a lot, understood.
I self-compiled an APK using the OpenSSL static library, and I removed the symbols to locate the offset of the SSL_write and SSL_read functions.
Then I modified the UprobeOffset of SSL_write and SSL_read in /user/module/probe_openssl.go.
After recompiling, capturing TLS displays that the symbol is not found.