0004 #include "vmlinux.h"
0005 #include <bpf/bpf_helpers.h>
0006 #include <bpf/bpf_tracing.h>
0007 #include <bpf/bpf_core_read.h>
0008
/* Size limit, in bytes, passed to every string read in the handlers below. */
0009 #define MAX_LEN 256
0010
/*
 * Source strings for the reads. Nothing in this file writes them, so they are
 * presumably filled in from outside the BPF program -- confirm in the loader.
 */
0011 char buf_in1[MAX_LEN] = {};
0012 char buf_in2[MAX_LEN] = {};
0013
/*
 * Gate checked at the top of each capture handler: a handler does nothing
 * unless the current process ID equals test_pid and capture is true.
 */
0014 int test_pid = 0;
0015 bool capture = false;
0016
0017
/*
 * Results written by handler64_unsigned. All zero-initialised, so these would
 * normally be placed in .bss -- NOTE(review): confirm against the loader.
 *
 * Each payloadN buffer is 2 * MAX_LEN bytes because a handler performs two
 * reads of at most MAX_LEN bytes each, the second starting where the first
 * one ended.
 */
0018 __u64 payload1_len1 = 0;
0019 __u64 payload1_len2 = 0;
0020 __u64 total1 = 0;
0021 char payload1[MAX_LEN + MAX_LEN] = {};
0022
0023
/*
 * Results written by handler32_unsigned. The non-zero initialisers (-1 and
 * { 1 }) mean these would normally be placed in .data rather than .bss, and
 * -1 also marks "not written yet" for the int length fields.
 */
0024 int payload2_len1 = -1;
0025 int payload2_len2 = -1;
0026 int total2 = -1;
0027 char payload2[MAX_LEN + MAX_LEN] = { 1 };
0028
/* Results written by handler64_signed; same layout and initial values. */
0029 int payload3_len1 = -1;
0030 int payload3_len2 = -1;
0031 int total3= -1;
0032 char payload3[MAX_LEN + MAX_LEN] = { 1 };
0033
/* Results written by handler32_signed; same layout and initial values. */
0034 int payload4_len1 = -1;
0035 int payload4_len2 = -1;
0036 int total4= -1;
0037 char payload4[MAX_LEN + MAX_LEN] = { 1 };
0038
/*
 * raw_tp/sys_enter handler: copies buf_in1 and then buf_in2 back to back into
 * payload1 and records each length and the total in the __u64 result globals.
 *
 * NOTE(review): despite the "_unsigned" name, len is a signed long here and
 * success is tested with len >= 0; the name presumably refers to the __u64
 * globals the lengths are stored into.
 *
 * Always returns 0.
 */
0039 SEC("raw_tp/sys_enter")
0040 int handler64_unsigned(void *regs)
0041 {
/* Upper 32 bits of the helper's return value, compared with test_pid below. */
0042 int pid = bpf_get_current_pid_tgid() >> 32;
/* Write cursor into payload1; advanced after each successful read. */
0043 void *payload = payload1;
0044 long len;
0045
0046
/* Ignore every invocation except the gated process while capture is on. */
0047 if (test_pid != pid || !capture)
0048 return 0;
0049
/* First read: at most MAX_LEN bytes into the start of payload1. */
0050 len = bpf_probe_read_kernel_str(payload, MAX_LEN, &buf_in1[0]);
/*
 * Advance only on success. A negative (error) return must never be added to
 * the cursor, or the next write would start before the buffer.
 */
0051 if (len >= 0) {
0052 payload += len;
0053 payload1_len1 = len;
0054 }
0055
/*
 * Second read starts at the advanced cursor. It stays inside payload1 only
 * because the first read was limited to MAX_LEN and the buffer is 2 * MAX_LEN.
 */
0056 len = bpf_probe_read_kernel_str(payload, MAX_LEN, &buf_in2[0]);
0057 if (len >= 0) {
0058 payload += len;
0059 payload1_len2 = len;
0060 }
0061
/* Total bytes the cursor advanced (void * arithmetic is a GNU C extension). */
0062 total1 = payload - (void *)payload1;
0063
0064 return 0;
0065 }
0066
/*
 * raw_tp/sys_exit handler: copies buf_in1 and then buf_in2 back to back into
 * payload3, using a signed long length, and stores each length and the total
 * into int globals (so the long value is narrowed to int on each store).
 *
 * Always returns 0.
 */
0067 SEC("raw_tp/sys_exit")
0068 int handler64_signed(void *regs)
0069 {
/* Upper 32 bits of the helper's return value, compared with test_pid below. */
0070 int pid = bpf_get_current_pid_tgid() >> 32;
/* Write cursor into payload3; advanced after each successful read. */
0071 void *payload = payload3;
0072 long len;
0073
0074
/* Ignore every invocation except the gated process while capture is on. */
0075 if (test_pid != pid || !capture)
0076 return 0;
0077
0078 len = bpf_probe_read_kernel_str(payload, MAX_LEN, &buf_in1[0]);
/* A negative return is an error: leave the cursor and the length untouched. */
0079 if (len >= 0) {
0080 payload += len;
0081 payload3_len1 = len;
0082 }
/* Second read lands at the advanced cursor, inside the 2 * MAX_LEN buffer. */
0083 len = bpf_probe_read_kernel_str(payload, MAX_LEN, &buf_in2[0]);
0084 if (len >= 0) {
0085 payload += len;
0086 payload3_len2 = len;
0087 }
/* Total bytes the cursor advanced across both reads. */
0088 total3 = payload - (void *)payload3;
0089
0090 return 0;
0091 }
0092
/*
 * tp/raw_syscalls/sys_enter handler: copies buf_in1 and then buf_in2 back to
 * back into payload2, holding the helper's return value in an unsigned 32-bit
 * variable, and stores each length and the total into int globals.
 *
 * Always returns 0.
 */
0093 SEC("tp/raw_syscalls/sys_enter")
0094 int handler32_unsigned(void *regs)
0095 {
/* Upper 32 bits of the helper's return value, compared with test_pid below. */
0096 int pid = bpf_get_current_pid_tgid() >> 32;
/* Write cursor into payload2; advanced after each accepted read. */
0097 void *payload = payload2;
0098 u32 len;
0099
0100
/* Ignore every invocation except the gated process while capture is on. */
0101 if (test_pid != pid || !capture)
0102 return 0;
0103
0104 len = bpf_probe_read_kernel_str(payload, MAX_LEN, &buf_in1[0]);
/*
 * len is unsigned, so a negative error return shows up as a very large value
 * and fails this test. The single comparison therefore both rejects errors
 * and caps the cursor advance at MAX_LEN.
 */
0105 if (len <= MAX_LEN) {
0106 payload += len;
0107 payload2_len1 = len;
0108 }
0109
/* Second read starts at most MAX_LEN bytes in, so it fits in 2 * MAX_LEN. */
0110 len = bpf_probe_read_kernel_str(payload, MAX_LEN, &buf_in2[0]);
0111 if (len <= MAX_LEN) {
0112 payload += len;
0113 payload2_len2 = len;
0114 }
0115
/* Total bytes the cursor advanced across both reads. */
0116 total2 = payload - (void *)payload2;
0117
0118 return 0;
0119 }
0120
/*
 * tp/raw_syscalls/sys_exit handler: copies buf_in1 and then buf_in2 back to
 * back into payload4 and stores each length and the total into int globals.
 *
 * NOTE(review): despite the "32" in the name, len is declared long here, the
 * same as in handler64_signed. The visible differences from that handler are
 * the attach point and the payload4 destination -- confirm this is intended.
 *
 * Always returns 0.
 */
0121 SEC("tp/raw_syscalls/sys_exit")
0122 int handler32_signed(void *regs)
0123 {
/* Upper 32 bits of the helper's return value, compared with test_pid below. */
0124 int pid = bpf_get_current_pid_tgid() >> 32;
/* Write cursor into payload4; advanced after each successful read. */
0125 void *payload = payload4;
0126 long len;
0127
0128
/* Ignore every invocation except the gated process while capture is on. */
0129 if (test_pid != pid || !capture)
0130 return 0;
0131
0132 len = bpf_probe_read_kernel_str(payload, MAX_LEN, &buf_in1[0]);
/* A negative return is an error: leave the cursor and the length untouched. */
0133 if (len >= 0) {
0134 payload += len;
0135 payload4_len1 = len;
0136 }
/* Second read lands at the advanced cursor, inside the 2 * MAX_LEN buffer. */
0137 len = bpf_probe_read_kernel_str(payload, MAX_LEN, &buf_in2[0]);
0138 if (len >= 0) {
0139 payload += len;
0140 payload4_len2 = len;
0141 }
/* Total bytes the cursor advanced across both reads. */
0142 total4 = payload - (void *)payload4;
0143
0144 return 0;
0145 }
0146
/*
 * Attached to the getpid syscall-exit tracepoint. Asks the kernel-memory
 * probe helper to copy sizeof(long) bytes from address 0 and reports whether
 * the helper returned non-zero.
 *
 * Returns 1 when bpf_probe_read_kernel() returns non-zero, 0 otherwise.
 */
SEC("tp/syscalls/sys_exit_getpid")
int handler_exit(void *regs)
{
	long scratch;	/* destination only; its contents are never used */

	return bpf_probe_read_kernel(&scratch, sizeof(scratch), 0) ? 1 : 0;
}
0157
/* License string placed in the "license" ELF section of the BPF object. */
0158 char LICENSE[] SEC("license") = "GPL";