From 51a41f9137ee8c8af29961d6fab8a3de798eef47 Mon Sep 17 00:00:00 2001
From: cfc4n
Date: Sat, 10 Jun 2023 00:46:25 +0800
Subject: [PATCH] code refactoring
---
user/config/config_bash.go | 24 +-
user/config/config_gnutls_androidgki.go | 12 +-
user/config/config_gnutls_linux.go | 30 +--
user/config/config_gotls.go | 30 +--
user/config/config_mysqld.go | 28 +--
user/config/config_nspr_androidgki.go | 12 +-
user/config/config_nspr_linux.go | 32 +--
user/config/config_openssl_androidgki.go | 18 +-
user/config/config_openssl_linux.go | 40 ++--
user/config/config_postgres.go | 8 +-
user/config/iconfig.go | 42 ++--
user/event/event_bash.go | 52 ++---
user/event/event_gnutls.go | 72 +++---
user/event/event_gotls.go | 36 +--
user/event/event_masterkey.go | 58 ++---
user/event/event_mastersecret_gotls.go | 58 ++---
user/event/event_mysqld.go | 64 +++---
user/event/event_nspr.go | 78 +++----
user/event/event_openssl.go | 144 ++++++------
user/event/event_openssl_tc.go | 60 ++---
user/event/event_postgres.go | 48 ++--
user/module/imodule.go | 128 +++++------
user/module/probe_bash.go | 94 ++++----
user/module/probe_gnutls.go | 80 +++----
user/module/probe_gotls.go | 196 ++++++++--------
user/module/probe_gotls_tc.go | 56 ++---
user/module/probe_mysqld.go | 72 +++---
user/module/probe_nspr.go | 80 +++----
user/module/probe_openssl.go | 280 +++++++++++------------
user/module/probe_openssl_lib.go | 44 ++--
user/module/probe_openssl_tc.go | 66 +++---
user/module/probe_postgres.go | 64 +++---
user/module/probe_tc.go | 36 +--
33 files changed, 1071 insertions(+), 1071 deletions(-)
diff --git a/user/config/config_bash.go b/user/config/config_bash.go
index 2d9e07800..266a2d114 100644
--- a/user/config/config_bash.go
+++ b/user/config/config_bash.go
@@ -34,25 +34,25 @@ func NewBashConfig() *BashConfig { return config } -func (this *BashConfig) Check() error { +func (bc *BashConfig) Check() error { // 如果readline 配置,且存在,则直接返回。 - if this.Readline != "" || len(strings.TrimSpace(this.Readline)) > 0 { - _, e := os.Stat(this.Readline) + if bc.Readline != "" || len(strings.TrimSpace(bc.Readline)) > 0 { + _, e := os.Stat(bc.Readline) if e != nil { return e } - this.ElfType = ElfTypeSo + bc.ElfType = ElfTypeSo return nil } //如果配置 bash的地址,且存在,则直接返回 - if this.Bashpath != "" || len(strings.TrimSpace(this.Bashpath)) > 0 { - _, e := os.Stat(this.Bashpath) + if bc.Bashpath != "" || len(strings.TrimSpace(bc.Bashpath)) > 0 { + _, e := os.Stat(bc.Bashpath) if e != nil { return e } - this.ElfType = ElfTypeBin + bc.ElfType = ElfTypeBin return nil } @@ -61,12 +61,12 @@ func (this *BashConfig) Check() error { if b { soPath, e := getDynPathByElf(bash, "libreadline.so") if e != nil { - //this.logger.Printf("get bash:%s dynamic library error:%v.\n", bash, e) - this.Bashpath = bash - this.ElfType = ElfTypeBin + //bc.logger.Printf("get bash:%s dynamic library error:%v.\n", bash, e) + bc.Bashpath = bash + bc.ElfType = ElfTypeBin } else { - this.Bashpath = soPath - this.ElfType = ElfTypeSo + bc.Bashpath = soPath + bc.ElfType = ElfTypeSo } } else { diff --git a/user/config/config_gnutls_androidgki.go b/user/config/config_gnutls_androidgki.go index 3987972f9..f9d908303 100644 --- a/user/config/config_gnutls_androidgki.go +++ b/user/config/config_gnutls_androidgki.go 
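Review bot: The path guards in `Check`, e.g. `bc.Readline != "" || len(strings.TrimSpace(bc.Readline)) > 0`, reduce to `bc.Readline != ""`, because the second operand can only be true when the first already is; a whitespace-only value therefore counts as configured and goes straight to `os.Stat`. If blank values are meant to be treated as unset, `if strings.TrimSpace(bc.Readline) != "" {` says that directly, and the same applies to the `Bashpath` guard below it. The identical pattern recurs in the `Check` methods of the gnutls, nspr and openssl configs later in this patch. `Check` continues outside this hunk.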
@@ -24,20 +24,20 @@ import ( const DefaultGnutlsPath = "/apex/com.android.conscrypt/lib64/libgnutls" -func (this *GnutlsConfig) Check() error { +func (gc *GnutlsConfig) Check() error { // 如果readline 配置,且存在,则直接返回。 - if this.Gnutls != "" || len(strings.TrimSpace(this.Gnutls)) > 0 { - _, e := os.Stat(this.Gnutls) + if gc.Gnutls != "" || len(strings.TrimSpace(gc.Gnutls)) > 0 { + _, e := os.Stat(gc.Gnutls) if e != nil { return e } - this.ElfType = ElfTypeSo + gc.ElfType = ElfTypeSo return nil } - this.Gnutls = DefaultGnutlsPath - this.ElfType = ElfTypeSo + gc.Gnutls = DefaultGnutlsPath + gc.ElfType = ElfTypeSo return nil } diff --git a/user/config/config_gnutls_linux.go b/user/config/config_gnutls_linux.go index 63f1cdba8..b8f4d60f3 100644 --- a/user/config/config_gnutls_linux.go +++ b/user/config/config_gnutls_linux.go 
@@ -25,52 +25,52 @@ import ( "errors" ) -func (this *GnutlsConfig) Check() error { +func (gc *GnutlsConfig) Check() error { // 如果readline 配置,且存在,则直接返回。 - if this.Gnutls != "" || len(strings.TrimSpace(this.Gnutls)) > 0 { - _, e := os.Stat(this.Gnutls) + if gc.Gnutls != "" || len(strings.TrimSpace(gc.Gnutls)) > 0 { + _, e := os.Stat(gc.Gnutls) if e != nil { return e } - this.ElfType = ElfTypeSo + gc.ElfType = ElfTypeSo return nil } - if this.NoSearch { + if gc.NoSearch { return errors.New("NoSearch requires specifying lib path") } //如果配置 Curlpath的地址,判断文件是否存在,不存在则直接返回 - if this.Curlpath != "" || len(strings.TrimSpace(this.Curlpath)) > 0 { - _, e := os.Stat(this.Curlpath) + if gc.Curlpath != "" || len(strings.TrimSpace(gc.Curlpath)) > 0 { + _, e := os.Stat(gc.Curlpath) if e != nil { return e } } else { //如果没配置,则直接指定。 - this.Curlpath = "/usr/bin/wget" + gc.Curlpath = "/usr/bin/wget" } - soPath, e := getDynPathByElf(this.Curlpath, "libgnutls.so") + soPath, e := getDynPathByElf(gc.Curlpath, "libgnutls.so") if e != nil { - //this.logger.Printf("get bash:%s dynamic library error:%v.\n", bash, e) + //gc.logger.Printf("get bash:%s dynamic library error:%v.\n", bash, e) _, e = os.Stat(X86BinaryPrefix) prefix := X86BinaryPrefix if e != nil { prefix = OthersBinaryPrefix } - this.Gnutls = filepath.Join(prefix, "libgnutls.so.30") - this.ElfType = ElfTypeSo - _, e = os.Stat(this.Gnutls) + gc.Gnutls = filepath.Join(prefix, "libgnutls.so.30") + gc.ElfType = ElfTypeSo + _, e = os.Stat(gc.Gnutls) if e != nil { return e } return nil } - this.Gnutls = soPath - this.ElfType = ElfTypeSo + gc.Gnutls = soPath + gc.ElfType = ElfTypeSo return nil } diff --git a/user/config/config_gotls.go b/user/config/config_gotls.go index 2d1364cd4..5606173e5 100644 --- a/user/config/config_gotls.go +++ b/user/config/config_gotls.go 
@@ -51,22 +51,22 @@ func NewGoTLSConfig() *GoTLSConfig { return &GoTLSConfig{} } -func (c *GoTLSConfig) Check() error { - if c.Path == "" { +func (gc *GoTLSConfig) Check() error { + if gc.Path == "" { return ErrorGoBINNotFound } - if c.Ifname == "" || len(c.Ifname) == 0 { - c.Ifname = DefaultIfname + if gc.Ifname == "" || len(gc.Ifname) == 0 { + gc.Ifname = DefaultIfname } - _, err := os.Stat(c.Path) + _, err := os.Stat(gc.Path) if err != nil { return err } var goElf *elf.File - goElf, err = elf.Open(c.Path) + goElf, err = elf.Open(gc.Path) if err != nil { return err } @@ -91,9 +91,9 @@ func (c *GoTLSConfig) Check() error { default: err = fmt.Errorf("unsupport CPU arch :%s", goElfArch) } - c.goElfArch = goElfArch - c.goElf = goElf - c.ReadTlsAddrs, err = c.findRetOffsets(GoTlsReadFunc) + gc.goElfArch = goElfArch + gc.goElf = goElf + gc.ReadTlsAddrs, err = gc.findRetOffsets(GoTlsReadFunc) return err } @@ -101,10 +101,10 @@ func (c *GoTLSConfig) Check() error { // the instruction set associated with the specified symbol in an ELF program. // It is used for mounting uretprobe programs for Golang programs, // which are actually mounted via uprobe on these addresses. -func (c *GoTLSConfig) findRetOffsets(symbolName string) ([]int, error) { +func (gc *GoTLSConfig) findRetOffsets(symbolName string) ([]int, error) { var err error var goSymbs []elf.Symbol - goSymbs, err = c.goElf.Symbols() + goSymbs, err = gc.goElf.Symbols() if err != nil { return nil, err } @@ -123,7 +123,7 @@ func (c *GoTLSConfig) findRetOffsets(symbolName string) ([]int, error) { return nil, ErrorSymbolNotFound } - section := c.goElf.Sections[symbol.Section] + section := gc.goElf.Sections[symbol.Section] var elfText []byte elfText, err = section.Data() 
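Review bot: The error set in the `default:` branch of the arch switch is lost, because `gc.ReadTlsAddrs, err = gc.findRetOffsets(GoTlsReadFunc)` two lines later assigns `err` again; an unsupported architecture is then reported as whatever `findRetOffsets` returns. Returning at once, `return fmt.Errorf("unsupport CPU arch :%s", goElfArch)`, keeps the failure visible. The switch starts outside the hunk, so its other branches should be checked for the same pattern.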
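Review bot: `gc.goElf.Sections[symbol.Section]` indexes the section table with a value read from the target binary's symbol table, and no bounds check is visible in this hunk. For a symbol that carries a reserved section index, or in a malformed ELF, the index can exceed `len(gc.goElf.Sections)` and the lookup panics. Unless the lines above the hunk already filter on it, a guard such as `if int(symbol.Section) >= len(gc.goElf.Sections) { return nil, ErrorSymbolNotFound }` would turn that into an error. `findRetOffsets` continues outside the hunk, where the bounds used for `elfText[start:end]` are computed; those deserve the same check against `len(elfText)`.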
@@ -137,7 +137,7 @@ func (c *GoTLSConfig) findRetOffsets(symbolName string) ([]int, error) { var offsets []int var instHex []byte instHex = elfText[start:end] - offsets, err = c.decodeInstruction(instHex) + offsets, err = gc.decodeInstruction(instHex) if len(offsets) == 0 { return offsets, ErrorNoRetFound } @@ -145,10 +145,10 @@ func (c *GoTLSConfig) findRetOffsets(symbolName string) ([]int, error) { } // decodeInstruction Decode into assembly instructions and identify the RET instruction to return the offset. -func (c *GoTLSConfig) decodeInstruction(instHex []byte) ([]int, error) { +func (gc *GoTLSConfig) decodeInstruction(instHex []byte) ([]int, error) { var offsets []int for i := 0; i < len(instHex); { - if c.goElfArch == "amd64" { + if gc.goElfArch == "amd64" { inst, err := x86asm.Decode(instHex[i:], 64) if err != nil { return nil, err diff --git a/user/config/config_mysqld.go b/user/config/config_mysqld.go index 253f8b404..9e798f302 100644 --- a/user/config/config_mysqld.go +++ b/user/config/config_mysqld.go 
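Review bot: A decode failure is masked in `findRetOffsets`: `decodeInstruction` returns `nil, err` when `x86asm.Decode` fails, so `len(offsets) == 0` is true and the caller gets `ErrorNoRetFound` instead of the decoder's error. Checking the error first, `if err != nil { return nil, err }` placed before the length test, keeps the two cases apart. Both functions continue outside the hunks shown.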
@@ -52,32 +52,32 @@ func NewMysqldConfig() *MysqldConfig { return config } -func (this *MysqldConfig) Check() error { +func (mc *MysqldConfig) Check() error { // 如果readline 配置,且存在,则直接返回。 - if this.Mysqldpath == "" || len(strings.TrimSpace(this.Mysqldpath)) <= 0 { + if mc.Mysqldpath == "" || len(strings.TrimSpace(mc.Mysqldpath)) <= 0 { return errors.New("Mysqld path cant be null.") } - _, e := os.Stat(this.Mysqldpath) + _, e := os.Stat(mc.Mysqldpath) if e != nil { return e } - this.ElfType = ElfTypeBin + mc.ElfType = ElfTypeBin //如果配置 funcname ,则使用用户指定的函数名 - if this.FuncName != "" || len(strings.TrimSpace(this.FuncName)) > 0 { + if mc.FuncName != "" || len(strings.TrimSpace(mc.FuncName)) > 0 { return nil } //如果配置 Offset ,则使用用户指定的Offset - if this.Offset > 0 { - this.FuncName = "[_IGNORE_]" + if mc.Offset > 0 { + mc.FuncName = "[_IGNORE_]" return nil } //r, _ := regexp.Compile("^(?:# *)?(CONFIG_\\w*)(?:=| )(y|n|m|is not set|\\d+|0x.+|\".*\")$") - _elf, e := elf.Open(this.Mysqldpath) + _elf, e := elf.Open(mc.Mysqldpath) if e != nil { return e } @@ -103,11 +103,11 @@ func (this *MysqldConfig) Check() error { //如果没找到,则报错。 if funcName == "" { - return errors.New(fmt.Sprintf("cant match mysql query function to hook with mysqld file::%s", this.Mysqldpath)) + return errors.New(fmt.Sprintf("cant match mysql query function to hook with mysqld file::%s", mc.Mysqldpath)) } - this.Version = MysqldType56 - this.VersionInfo = "mysqld-5.6" + mc.Version = MysqldType56 + mc.VersionInfo = "mysqld-5.6" // 判断mysqld 版本 found := strings.Contains(funcName, "COM_DATA") @@ -120,11 +120,11 @@ func (this *MysqldConfig) Check() error { if e == nil { ver, verInfo = getMysqlVer(buf) } - this.Version = ver - this.VersionInfo = verInfo + mc.Version = ver + mc.VersionInfo = verInfo } - this.FuncName = funcName + mc.FuncName = funcName return nil } diff --git a/user/config/config_nspr_androidgki.go b/user/config/config_nspr_androidgki.go index fa736c929..245430ae4 100644 
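Review bot: `errors.New(fmt.Sprintf(...))` in the not-found branch is the long form of `fmt.Errorf`; `return fmt.Errorf("cant match mysql query function to hook with mysqld file::%s", mc.Mysqldpath)` does the same in one call. In the first hunk of this file the comment above the `Mysqldpath` check still talks about readline, apparently copied from the bash config, and no longer describes the check under it. `Check` continues outside the hunks.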
--- a/user/config/config_nspr_androidgki.go +++ b/user/config/config_nspr_androidgki.go @@ -24,20 +24,20 @@ import ( const DefaultNsprNssPath = "/apex/com.android.conscrypt/lib64/libnspr4.so" -func (this *NsprConfig) Check() error { +func (nc *NsprConfig) Check() error { // 如果readline 配置,且存在,则直接返回。 - if this.Nsprpath != "" || len(strings.TrimSpace(this.Nsprpath)) > 0 { - _, e := os.Stat(this.Nsprpath) + if nc.Nsprpath != "" || len(strings.TrimSpace(nc.Nsprpath)) > 0 { + _, e := os.Stat(nc.Nsprpath) if e != nil { return e } - this.ElfType = ElfTypeSo + nc.ElfType = ElfTypeSo return nil } - this.Nsprpath = DefaultNsprNssPath - this.ElfType = ElfTypeSo + nc.Nsprpath = DefaultNsprNssPath + nc.ElfType = ElfTypeSo return nil } diff --git a/user/config/config_nspr_linux.go b/user/config/config_nspr_linux.go index 5386c0c44..0bc0c8e17 100644 --- a/user/config/config_nspr_linux.go +++ b/user/config/config_nspr_linux.go 
@@ -25,54 +25,54 @@ import ( "errors" ) -func (this *NsprConfig) Check() error { +func (nc *NsprConfig) Check() error { // 如果readline 配置,且存在,则直接返回。 - if this.Nsprpath != "" || len(strings.TrimSpace(this.Nsprpath)) > 0 { - _, e := os.Stat(this.Nsprpath) + if nc.Nsprpath != "" || len(strings.TrimSpace(nc.Nsprpath)) > 0 { + _, e := os.Stat(nc.Nsprpath) if e != nil { return e } - this.ElfType = ElfTypeSo + nc.ElfType = ElfTypeSo return nil } - if this.NoSearch { + if nc.NoSearch { return errors.New("NoSearch requires specifying lib path") } //如果配置 Curlpath的地址,判断文件是否存在,不存在则直接返回 - if this.Firefoxpath != "" || len(strings.TrimSpace(this.Firefoxpath)) > 0 { - _, e := os.Stat(this.Firefoxpath) + if nc.Firefoxpath != "" || len(strings.TrimSpace(nc.Firefoxpath)) > 0 { + _, e := os.Stat(nc.Firefoxpath) if e != nil { return e } } else { //如果没配置,则直接指定。 - this.Firefoxpath = "/usr/lib/firefox/firefox" + nc.Firefoxpath = "/usr/lib/firefox/firefox" } - soPath, e := getDynPathByElf(this.Firefoxpath, "libnspr4.so") + soPath, e := getDynPathByElf(nc.Firefoxpath, "libnspr4.so") if e != nil { - //this.logger.Printf("get bash:%s dynamic library error:%v.\n", bash, e) + //nc.logger.Printf("get bash:%s dynamic library error:%v.\n", bash, e) _, e = os.Stat(X86BinaryPrefix) prefix := X86BinaryPrefix if e != nil { prefix = OthersBinaryPrefix } - this.Nsprpath = filepath.Join(prefix, "libnspr4.so") - //this.Gnutls = "/usr/lib/firefox/libnss3.so" + nc.Nsprpath = filepath.Join(prefix, "libnspr4.so") + //nc.Gnutls = "/usr/lib/firefox/libnss3.so" //"/usr/lib/firefox/libnspr4.so" - this.ElfType = ElfTypeSo - _, e = os.Stat(this.Nsprpath) + nc.ElfType = ElfTypeSo + _, e = os.Stat(nc.Nsprpath) if e != nil { return e } return nil } - this.Nsprpath = soPath - this.ElfType = ElfTypeSo + nc.Nsprpath = soPath + nc.ElfType = ElfTypeSo return nil } diff --git a/user/config/config_openssl_androidgki.go b/user/config/config_openssl_androidgki.go index 22a896e84..45d0b42e4 100644 
--- a/user/config/config_openssl_androidgki.go +++ b/user/config/config_openssl_androidgki.go @@ -29,22 +29,22 @@ const ( DefaultIfname = "wlan0" ) -func (this *OpensslConfig) Check() error { - this.IsAndroid = true +func (oc *OpensslConfig) Check() error { + oc.IsAndroid = true // 如果readline 配置,且存在,则直接返回。 - if this.Openssl != "" || len(strings.TrimSpace(this.Openssl)) > 0 { - _, e := os.Stat(this.Openssl) + if oc.Openssl != "" || len(strings.TrimSpace(oc.Openssl)) > 0 { + _, e := os.Stat(oc.Openssl) if e != nil { return e } - this.ElfType = ElfTypeSo + oc.ElfType = ElfTypeSo } else { - this.ElfType = ElfTypeSo - this.Openssl = DefaultOpensslPath + oc.ElfType = ElfTypeSo + oc.Openssl = DefaultOpensslPath } - if this.Ifname == "" || len(strings.TrimSpace(this.Ifname)) == 0 { - this.Ifname = DefaultIfname + if oc.Ifname == "" || len(strings.TrimSpace(oc.Ifname)) == 0 { + oc.Ifname = DefaultIfname } return nil } diff --git a/user/config/config_openssl_linux.go b/user/config/config_openssl_linux.go index 95da52b04..7f8a16031 100644 --- a/user/config/config_openssl_linux.go +++ b/user/config/config_openssl_linux.go @@ -28,10 +28,10 @@ const ( DefaultIfname = "eth0" ) -func (this *OpensslConfig) checkOpenssl() error { - soPath, e := getDynPathByElf(this.Curlpath, "libssl.so") +func (oc *OpensslConfig) checkOpenssl() error { + soPath, e := getDynPathByElf(oc.Curlpath, "libssl.so") if e != nil { - //this.logger.Printf("get bash:%s dynamic library error:%v.\n", bash, e) + //oc.logger.Printf("get bash:%s dynamic library error:%v.\n", bash, e) _, e = os.Stat(X86BinaryPrefix) prefix := X86BinaryPrefix if e != nil { 
@@ -39,57 +39,57 @@ func (this *OpensslConfig) checkOpenssl() error { } // ubuntu 21.04 libssl.so.1.1 default - this.Openssl = filepath.Join(prefix, "libssl.so.1.1") - this.ElfType = ElfTypeSo - _, e = os.Stat(this.Openssl) + oc.Openssl = filepath.Join(prefix, "libssl.so.1.1") + oc.ElfType = ElfTypeSo + _, e = os.Stat(oc.Openssl) if e != nil { return e } } else { - this.Openssl = soPath - this.ElfType = ElfTypeSo + oc.Openssl = soPath + oc.ElfType = ElfTypeSo } return nil } -func (this *OpensslConfig) Check() error { - this.IsAndroid = false +func (oc *OpensslConfig) Check() error { + oc.IsAndroid = false var checkedOpenssl bool // 如果readline 配置,且存在,则直接返回。 - if this.Openssl != "" || len(strings.TrimSpace(this.Openssl)) > 0 { - _, e := os.Stat(this.Openssl) + if oc.Openssl != "" || len(strings.TrimSpace(oc.Openssl)) > 0 { + _, e := os.Stat(oc.Openssl) if e != nil { return e } - this.ElfType = ElfTypeSo + oc.ElfType = ElfTypeSo checkedOpenssl = true } //如果配置 Curlpath的地址,判断文件是否存在,不存在则直接返回 - if this.Curlpath != "" || len(strings.TrimSpace(this.Curlpath)) > 0 { - _, e := os.Stat(this.Curlpath) + if oc.Curlpath != "" || len(strings.TrimSpace(oc.Curlpath)) > 0 { + _, e := os.Stat(oc.Curlpath) if e != nil { return e } } else { //如果没配置,则直接指定。 - this.Curlpath = "/usr/bin/curl" + oc.Curlpath = "/usr/bin/curl" } - if this.Ifname == "" || len(strings.TrimSpace(this.Ifname)) == 0 { - this.Ifname = DefaultIfname + if oc.Ifname == "" || len(strings.TrimSpace(oc.Ifname)) == 0 { + oc.Ifname = DefaultIfname } if checkedOpenssl { return nil } - if this.NoSearch { + if oc.NoSearch { return errors.New("NoSearch requires specifying lib path") } if !checkedOpenssl { - e := this.checkOpenssl() + e := oc.checkOpenssl() if e != nil { return e } diff --git a/user/config/config_postgres.go b/user/config/config_postgres.go index 374d0a943..f3a585ecf 100644 --- a/user/config/config_postgres.go +++ b/user/config/config_postgres.go 
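Review bot: The final `if !checkedOpenssl {` in `Check` is always true, since the function has already returned on `if checkedOpenssl { return nil }` a few lines above; the wrapper can go and `oc.checkOpenssl()` be called directly. As written, a configured `Curlpath` that does not exist also makes `Check` fail even when `Openssl` was given explicitly and the curl binary is never consulted. `Check` continues past the end of the hunk.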
@@ -35,17 +35,17 @@ func NewPostgresConfig() *PostgresConfig { return config } -func (this *PostgresConfig) Check() error { +func (pc *PostgresConfig) Check() error { - if this.PostgresPath == "" || len(strings.TrimSpace(this.PostgresPath)) <= 0 { + if pc.PostgresPath == "" || len(strings.TrimSpace(pc.PostgresPath)) <= 0 { return errors.New("Postgres path cant be null.") } - _, e := os.Stat(this.PostgresPath) + _, e := os.Stat(pc.PostgresPath) if e != nil { return e } - this.FuncName = "exec_simple_query" + pc.FuncName = "exec_simple_query" return nil } diff --git a/user/config/iconfig.go b/user/config/iconfig.go index 77492b7ed..3ecd68406 100644 --- a/user/config/iconfig.go +++ b/user/config/iconfig.go 
@@ -39,47 +39,47 @@ type eConfig struct { NoSearch bool } -func (this *eConfig) GetPid() uint64 { - return this.Pid +func (c *eConfig) GetPid() uint64 { + return c.Pid } -func (this *eConfig) GetUid() uint64 { - return this.Uid +func (c *eConfig) GetUid() uint64 { + return c.Uid } -func (this *eConfig) GetDebug() bool { - return this.Debug +func (c *eConfig) GetDebug() bool { + return c.Debug } -func (this *eConfig) GetHex() bool { - return this.IsHex +func (c *eConfig) GetHex() bool { + return c.IsHex } -func (this *eConfig) GetNoSearch() bool { - return this.NoSearch +func (c *eConfig) GetNoSearch() bool { + return c.NoSearch } -func (this *eConfig) SetPid(pid uint64) { - this.Pid = pid +func (c *eConfig) SetPid(pid uint64) { + c.Pid = pid } -func (this *eConfig) SetUid(uid uint64) { - this.Uid = uid +func (c *eConfig) SetUid(uid uint64) { + c.Uid = uid } -func (this *eConfig) SetDebug(b bool) { - this.Debug = b +func (c *eConfig) SetDebug(b bool) { + c.Debug = b } -func (this *eConfig) SetHex(isHex bool) { - this.IsHex = isHex +func (c *eConfig) SetHex(isHex bool) { + c.IsHex = isHex } -func (this *eConfig) SetNoSearch(noSearch bool) { - this.NoSearch = noSearch +func (c *eConfig) SetNoSearch(noSearch bool) { + c.NoSearch = noSearch } -func (this *eConfig) EnableGlobalVar() bool { +func (c *eConfig) EnableGlobalVar() bool { kv, err := kernel.HostVersion() if err != nil { //log.Fatal(err) diff --git a/user/event/event_bash.go b/user/event/event_bash.go index 8a6e898b2..5f71ed315 100644 --- a/user/event/event_bash.go +++ b/user/event/event_bash.go 
@@ -32,63 +32,63 @@ import ( const MaxDataSizeBash = 256 type BashEvent struct { - event_type EventType - Pid uint32 `json:"pid"` - Uid uint32 `json:"uid"` - Line [MaxDataSizeBash]uint8 `json:"line"` - Retval uint32 `json:"Retval"` - Comm [16]byte `json:"Comm"` + eventType EventType + Pid uint32 `json:"pid"` + Uid uint32 `json:"uid"` + Line [MaxDataSizeBash]uint8 `json:"line"` + Retval uint32 `json:"Retval"` + Comm [16]byte `json:"Comm"` } -func (this *BashEvent) Decode(payload []byte) (err error) { +func (be *BashEvent) Decode(payload []byte) (err error) { buf := bytes.NewBuffer(payload) - if err = binary.Read(buf, binary.LittleEndian, &this.Pid); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &be.Pid); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Uid); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &be.Uid); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Line); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &be.Line); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Retval); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &be.Retval); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Comm); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &be.Comm); err != nil { return } return nil } -func (this *BashEvent) String() string { - s := fmt.Sprintf(fmt.Sprintf("PID:%d, UID:%d, \tComm:%s, \tRetvalue:%d, \tLine:\n%s", this.Pid, this.Uid, this.Comm, this.Retval, unix.ByteSliceToString((this.Line[:])))) +func (be *BashEvent) String() string { + s := fmt.Sprintf(fmt.Sprintf("PID:%d, UID:%d, \tComm:%s, \tRetvalue:%d, \tLine:\n%s", be.Pid, be.Uid, be.Comm, be.Retval, unix.ByteSliceToString((be.Line[:])))) return s } -func (this *BashEvent) StringHex() string { - s := fmt.Sprintf(fmt.Sprintf("PID:%d, UID:%d, \tComm:%s, \tRetvalue:%d, \tLine:\n%s,", this.Pid, this.Uid, this.Comm, 
this.Retval, dumpByteSlice([]byte(unix.ByteSliceToString((this.Line[:]))), ""))) +func (be *BashEvent) StringHex() string { + s := fmt.Sprintf(fmt.Sprintf("PID:%d, UID:%d, \tComm:%s, \tRetvalue:%d, \tLine:\n%s,", be.Pid, be.Uid, be.Comm, be.Retval, dumpByteSlice([]byte(unix.ByteSliceToString((be.Line[:]))), ""))) return s } -func (this *BashEvent) Clone() IEventStruct { +func (be *BashEvent) Clone() IEventStruct { event := new(BashEvent) - event.event_type = EventTypeOutput + event.eventType = EventTypeOutput return event } -func (this *BashEvent) EventType() EventType { - return this.event_type +func (be *BashEvent) EventType() EventType { + return be.eventType } -func (this *BashEvent) GetUUID() string { - return fmt.Sprintf("%d_%d_%s", this.Pid, this.Uid, this.Comm) +func (be *BashEvent) GetUUID() string { + return fmt.Sprintf("%d_%d_%s", be.Pid, be.Uid, be.Comm) } -func (this *BashEvent) Payload() []byte { - return this.Line[:] +func (be *BashEvent) Payload() []byte { + return be.Line[:] } -func (this *BashEvent) PayloadLen() int { - return len(this.Line) +func (be *BashEvent) PayloadLen() int { + return len(be.Line) } diff --git a/user/event/event_gnutls.go b/user/event/event_gnutls.go index 17fdfb261..d52abed1e 100644 --- a/user/event/event_gnutls.go +++ b/user/event/event_gnutls.go 
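Review bot: `String` and `StringHex` pass the result of one `fmt.Sprintf` to a second `fmt.Sprintf` as its format string, so any `%` in the captured command line or in `Comm` is parsed as a verb and the recorded text comes out altered (`%!d(MISSING)` and similar). For a tool whose output is an audit record of shell input, that lets the audited command change what is logged. Dropping the outer call fixes it: `s := fmt.Sprintf("PID:%d, UID:%d, \tComm:%s, \tRetvalue:%d, \tLine:\n%s", be.Pid, be.Uid, be.Comm, be.Retval, unix.ByteSliceToString(be.Line[:]))`, and likewise in `StringHex`.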
@@ -21,45 +21,45 @@ import ( ) type GnutlsDataEvent struct { - event_type EventType - DataType int64 `json:"dataType"` - Timestamp uint64 `json:"timestamp"` - Pid uint32 `json:"pid"` - Tid uint32 `json:"tid"` - Data [MaxDataSize]byte `json:"data"` - Data_len int32 `json:"data_len"` - Comm [16]byte `json:"Comm"` + eventType EventType + DataType int64 `json:"dataType"` + Timestamp uint64 `json:"timestamp"` + Pid uint32 `json:"pid"` + Tid uint32 `json:"tid"` + Data [MaxDataSize]byte `json:"data"` + DataLen int32 `json:"data_len"` + Comm [16]byte `json:"Comm"` } -func (this *GnutlsDataEvent) Decode(payload []byte) (err error) { +func (ge *GnutlsDataEvent) Decode(payload []byte) (err error) { buf := bytes.NewBuffer(payload) - if err = binary.Read(buf, binary.LittleEndian, &this.DataType); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ge.DataType); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Timestamp); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ge.Timestamp); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Pid); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ge.Pid); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Tid); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ge.Tid); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Data); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ge.Data); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Data_len); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ge.DataLen); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Comm); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ge.Comm); err != nil { return } return nil } -func (this *GnutlsDataEvent) StringHex() string { +func (ge *GnutlsDataEvent) StringHex() string { var perfix, packetType string - 
switch AttachType(this.DataType) { + switch AttachType(ge.DataType) { case ProbeEntry: packetType = fmt.Sprintf("%sRecived%s", COLORGREEN, COLORRESET) perfix = COLORGREEN @@ -67,18 +67,18 @@ func (this *GnutlsDataEvent) StringHex() string { packetType = fmt.Sprintf("%sSend%s", COLORPURPLE, COLORRESET) perfix = fmt.Sprintf("%s\t", COLORPURPLE) default: - perfix = fmt.Sprintf("UNKNOW_%d", this.DataType) + perfix = fmt.Sprintf("UNKNOW_%d", ge.DataType) } - b := dumpByteSlice(this.Data[:this.Data_len], perfix) + b := dumpByteSlice(ge.Data[:ge.DataLen], perfix) b.WriteString(COLORRESET) - s := fmt.Sprintf("PID:%d, Comm:%s, Type:%s, TID:%d, DataLen:%d bytes, Payload:\n%s", this.Pid, this.Comm, packetType, this.Tid, this.Data_len, b.String()) + s := fmt.Sprintf("PID:%d, Comm:%s, Type:%s, TID:%d, DataLen:%d bytes, Payload:\n%s", ge.Pid, ge.Comm, packetType, ge.Tid, ge.DataLen, b.String()) return s } -func (this *GnutlsDataEvent) String() string { +func (ge *GnutlsDataEvent) String() string { var perfix, packetType string - switch AttachType(this.DataType) { + switch AttachType(ge.DataType) { case ProbeEntry: packetType = fmt.Sprintf("%sRecived%s", COLORGREEN, COLORRESET) perfix = COLORGREEN 
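Review bot: `DataLen` is read from the event payload in `Decode` and then used unchecked as a slice bound, first in `dumpByteSlice(ge.Data[:ge.DataLen], perfix)` here and again in `String` and `Payload` in the next hunk. A negative value or one above `MaxDataSize` makes those expressions panic. Validating once in `Decode`, right after the field is read, covers every user: `if ge.DataLen < 0 || int(ge.DataLen) > len(ge.Data) { return fmt.Errorf("invalid data_len %d", ge.DataLen) }`.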
@@ -86,31 +86,31 @@ func (this *GnutlsDataEvent) String() string { packetType = fmt.Sprintf("%sSend%s", COLORPURPLE, COLORRESET) perfix = COLORPURPLE default: - packetType = fmt.Sprintf("%sUNKNOW_%d%s", COLORRED, this.DataType, COLORRESET) + packetType = fmt.Sprintf("%sUNKNOW_%d%s", COLORRED, ge.DataType, COLORRESET) } - s := fmt.Sprintf(" PID:%d, Comm:%s, TID:%d, TYPE:%s, DataLen:%d bytes, Payload:\n%s%s%s", this.Pid, this.Comm, this.Tid, packetType, this.Data_len, perfix, string(this.Data[:this.Data_len]), COLORRESET) + s := fmt.Sprintf(" PID:%d, Comm:%s, TID:%d, TYPE:%s, DataLen:%d bytes, Payload:\n%s%s%s", ge.Pid, ge.Comm, ge.Tid, packetType, ge.DataLen, perfix, string(ge.Data[:ge.DataLen]), COLORRESET) return s } -func (this *GnutlsDataEvent) Clone() IEventStruct { +func (ge *GnutlsDataEvent) Clone() IEventStruct { event := new(GnutlsDataEvent) - event.event_type = EventTypeEventProcessor + event.eventType = EventTypeEventProcessor return event } -func (this *GnutlsDataEvent) EventType() EventType { - return this.event_type +func (ge *GnutlsDataEvent) EventType() EventType { + return ge.eventType } -func (this *GnutlsDataEvent) GetUUID() string { - //return fmt.Sprintf("%d_%d_%s", this.Pid, this.Tid, this.Comm) - return fmt.Sprintf("%d_%d_%s_%d", this.Pid, this.Tid, this.Comm, this.DataType) +func (ge *GnutlsDataEvent) GetUUID() string { + //return fmt.Sprintf("%d_%d_%s", ge.Pid, ge.Tid, ge.Comm) + return fmt.Sprintf("%d_%d_%s_%d", ge.Pid, ge.Tid, ge.Comm, ge.DataType) } -func (this *GnutlsDataEvent) Payload() []byte { - return this.Data[:this.Data_len] +func (ge *GnutlsDataEvent) Payload() []byte { + return ge.Data[:ge.DataLen] } -func (this *GnutlsDataEvent) PayloadLen() int { - return int(this.Data_len) +func (ge *GnutlsDataEvent) PayloadLen() int { + return int(ge.DataLen) } diff --git a/user/event/event_gotls.go b/user/event/event_gotls.go index 58d681117..1eee99cd7 100644 --- a/user/event/event_gotls.go +++ b/user/event/event_gotls.go 
@@ -21,49 +21,49 @@ type GoTLSEvent struct { Data []byte `json:"data"` } -func (this *GoTLSEvent) Decode(payload []byte) error { +func (ge *GoTLSEvent) Decode(payload []byte) error { r := bytes.NewBuffer(payload) - err := binary.Read(r, binary.LittleEndian, &this.inner) + err := binary.Read(r, binary.LittleEndian, &ge.inner) if err != nil { return err } - if this.Len > 0 { - this.Data = make([]byte, this.Len) - err = binary.Read(r, binary.LittleEndian, &this.Data) + if ge.Len > 0 { + ge.Data = make([]byte, ge.Len) + err = binary.Read(r, binary.LittleEndian, &ge.Data) } return err } -func (this *GoTLSEvent) String() string { - s := fmt.Sprintf("PID: %d, Comm: %s, TID: %d, PayloadType:%d, Payload: %s\n", this.Pid, string(this.Comm[:]), this.Tid, this.inner.PayloadType, string(this.Data[:this.Len])) +func (ge *GoTLSEvent) String() string { + s := fmt.Sprintf("PID: %d, Comm: %s, TID: %d, PayloadType:%d, Payload: %s\n", ge.Pid, string(ge.Comm[:]), ge.Tid, ge.inner.PayloadType, string(ge.Data[:ge.Len])) return s } -func (this *GoTLSEvent) StringHex() string { +func (ge *GoTLSEvent) StringHex() string { perfix := COLORGREEN - b := dumpByteSlice(this.Data[:this.Len], perfix) + b := dumpByteSlice(ge.Data[:ge.Len], perfix) b.WriteString(COLORRESET) - s := fmt.Sprintf("PID: %d, Comm: %s, TID: %d, PayloadType:%d, Payload: \n%s\n", this.Pid, string(this.Comm[:]), this.Tid, this.inner.PayloadType, b.String()) + s := fmt.Sprintf("PID: %d, Comm: %s, TID: %d, PayloadType:%d, Payload: \n%s\n", ge.Pid, string(ge.Comm[:]), ge.Tid, ge.inner.PayloadType, b.String()) return s } -func (this *GoTLSEvent) Clone() IEventStruct { +func (ge *GoTLSEvent) Clone() IEventStruct { return &GoTLSEvent{} } -func (this *GoTLSEvent) EventType() EventType { +func (ge *GoTLSEvent) EventType() EventType { return EventTypeOutput } -func (this *GoTLSEvent) GetUUID() string { - return fmt.Sprintf("%d_%d_%s", this.Pid, this.Tid, this.Comm) +func (ge *GoTLSEvent) GetUUID() string { + return 
fmt.Sprintf("%d_%d_%s", ge.Pid, ge.Tid, ge.Comm) } -func (this *GoTLSEvent) Payload() []byte { - return this.Data[:this.Len] +func (ge *GoTLSEvent) Payload() []byte { + return ge.Data[:ge.Len] } -func (this *GoTLSEvent) PayloadLen() int { - return int(this.Len) +func (ge *GoTLSEvent) PayloadLen() int { + return int(ge.Len) } diff --git a/user/event/event_masterkey.go b/user/event/event_masterkey.go index a2b350522..6a4e5dbf1 100644 --- a/user/event/event_masterkey.go +++ b/user/event/event_masterkey.go @@ -33,8 +33,8 @@ const ( u8 master_key[MASTER_SECRET_MAX_LEN]; */ type MasterSecretEvent struct { - event_type EventType - Version int32 `json:"version"` // TLS Version + eventType EventType + Version int32 `json:"version"` // TLS Version // TLS 1.2 or older ClientRandom [Ssl3RandomSize]byte `json:"clientRandom"` // Client Random 
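Review bot: `Decode` sizes its buffer from the event itself, `ge.Data = make([]byte, ge.Len)`, before knowing whether the payload holds that many bytes. A guard of the form `if int(ge.Len) > r.Len()` that returns an error bounds the allocation by the payload size and fails early on a truncated event. The type of `Len` is declared outside the hunk; if it is signed, `ge.Data[:ge.Len]` in `String`, `StringHex` and `Payload` also needs a non-negative check.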
@@ -50,75 +50,75 @@ type MasterSecretEvent struct { payload string } -func (this *MasterSecretEvent) Decode(payload []byte) (err error) { +func (me *MasterSecretEvent) Decode(payload []byte) (err error) { buf := bytes.NewBuffer(payload) - if err = binary.Read(buf, binary.LittleEndian, &this.Version); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &me.Version); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.ClientRandom); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &me.ClientRandom); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.MasterKey); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &me.MasterKey); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.CipherId); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &me.CipherId); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.HandshakeSecret); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &me.HandshakeSecret); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.HandshakeTrafficHash); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &me.HandshakeTrafficHash); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.ClientAppTrafficSecret); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &me.ClientAppTrafficSecret); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.ServerAppTrafficSecret); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &me.ServerAppTrafficSecret); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.ExporterMasterSecret); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &me.ExporterMasterSecret); err != nil { return } - this.payload = fmt.Sprintf("CLIENT_RANDOM %02x %02x", this.ClientRandom, this.MasterKey) + me.payload = fmt.Sprintf("CLIENT_RANDOM %02x %02x", 
me.ClientRandom, me.MasterKey) return nil } -func (this *MasterSecretEvent) StringHex() string { +func (me *MasterSecretEvent) StringHex() string { v := TlsVersion{ - Version: this.Version, + Version: me.Version, } - s := fmt.Sprintf("TLS Version:%s, ClientRandom:%02x", v.String(), this.ClientRandom) + s := fmt.Sprintf("TLS Version:%s, ClientRandom:%02x", v.String(), me.ClientRandom) return s } -func (this *MasterSecretEvent) String() string { +func (me *MasterSecretEvent) String() string { v := TlsVersion{ - Version: this.Version, + Version: me.Version, } - s := fmt.Sprintf("TLS Version:%s, ClientRandom:%02x", v.String(), this.ClientRandom) + s := fmt.Sprintf("TLS Version:%s, ClientRandom:%02x", v.String(), me.ClientRandom) return s } -func (this *MasterSecretEvent) Clone() IEventStruct { +func (me *MasterSecretEvent) Clone() IEventStruct { event := new(MasterSecretEvent) - event.event_type = EventTypeModuleData + event.eventType = EventTypeModuleData return event } -func (this *MasterSecretEvent) EventType() EventType { - return this.event_type +func (me *MasterSecretEvent) EventType() EventType { + return me.eventType } -func (this *MasterSecretEvent) GetUUID() string { - return fmt.Sprintf("%02X", this.ClientRandom) +func (me *MasterSecretEvent) GetUUID() string { + return fmt.Sprintf("%02X", me.ClientRandom) } -func (this *MasterSecretEvent) Payload() []byte { - return []byte(this.payload) +func (me *MasterSecretEvent) Payload() []byte { + return []byte(me.payload) } -func (this *MasterSecretEvent) PayloadLen() int { - return len(this.payload) +func (me *MasterSecretEvent) PayloadLen() int { + return len(me.payload) } // for BoringSSL TLS 1.3 diff --git a/user/event/event_mastersecret_gotls.go b/user/event/event_mastersecret_gotls.go index 59bc3dab2..da1e4d158 100644 --- a/user/event/event_mastersecret_gotls.go +++ b/user/event/event_mastersecret_gotls.go 
@@ -28,7 +28,7 @@ const ( ) type MasterSecretGotlsEvent struct { - event_type EventType + eventType EventType Label [MasterSecretKeyLen]byte `json:"label"` // label name LabelLen uint8 `json:"labelLen"` ClientRandom [EvpMaxMdSize]byte `json:"clientRandom"` // Client Random 
@@ -38,67 +38,67 @@ type MasterSecretGotlsEvent struct { payload string } -func (this *MasterSecretGotlsEvent) Decode(payload []byte) (err error) { +func (mge *MasterSecretGotlsEvent) Decode(payload []byte) (err error) { buf := bytes.NewBuffer(payload) - if err = binary.Read(buf, binary.LittleEndian, &this.Label); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &mge.Label); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.LabelLen); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &mge.LabelLen); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.ClientRandom); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &mge.ClientRandom); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.ClientRandomLen); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &mge.ClientRandomLen); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.MasterSecret); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &mge.MasterSecret); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.MasterSecretLen); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &mge.MasterSecretLen); err != nil { return } - if int(this.LabelLen) > len(this.Label) { - return fmt.Errorf("invalid label length, LablenLen:%d, len(Label):%d", this.LabelLen, len(this.Label)) + if int(mge.LabelLen) > len(mge.Label) { + return fmt.Errorf("invalid label length, LablenLen:%d, len(Label):%d", mge.LabelLen, len(mge.Label)) } - if int(this.ClientRandomLen) > len(this.ClientRandom) { - return fmt.Errorf("invalid label length, ClientRandomLen:%d, len(ClientRandom):%d", this.ClientRandomLen, len(this.ClientRandom)) + if int(mge.ClientRandomLen) > len(mge.ClientRandom) { + return fmt.Errorf("invalid label length, ClientRandomLen:%d, len(ClientRandom):%d", mge.ClientRandomLen, len(mge.ClientRandom)) } - if int(this.MasterSecretLen) > 
len(this.MasterSecret) { - return fmt.Errorf("invalid label length, MasterSecretLen:%d, len(MasterSecret):%d", this.MasterSecretLen, len(this.MasterSecret)) + if int(mge.MasterSecretLen) > len(mge.MasterSecret) { + return fmt.Errorf("invalid label length, MasterSecretLen:%d, len(MasterSecret):%d", mge.MasterSecretLen, len(mge.MasterSecret)) } - this.payload = fmt.Sprintf("%s %02x %02x", this.Label, this.ClientRandom, this.MasterSecret) + mge.payload = fmt.Sprintf("%s %02x %02x", mge.Label, mge.ClientRandom, mge.MasterSecret) return nil } -func (this *MasterSecretGotlsEvent) StringHex() string { - s := fmt.Sprintf("Label%s, ClientRandom:%02x, secret:%02x", this.Label[0:this.LabelLen], this.ClientRandom[0:this.ClientRandomLen], this.MasterSecret[0:this.MasterSecretLen]) +func (mge *MasterSecretGotlsEvent) StringHex() string { + s := fmt.Sprintf("Label%s, ClientRandom:%02x, secret:%02x", mge.Label[0:mge.LabelLen], mge.ClientRandom[0:mge.ClientRandomLen], mge.MasterSecret[0:mge.MasterSecretLen]) return s } -func (this *MasterSecretGotlsEvent) String() string { - s := fmt.Sprintf("Label:%s, ClientRandom:%02x, secret:%02x", this.Label[0:this.LabelLen], this.ClientRandom[0:this.ClientRandomLen], this.MasterSecret[0:this.MasterSecretLen]) +func (mge *MasterSecretGotlsEvent) String() string { + s := fmt.Sprintf("Label:%s, ClientRandom:%02x, secret:%02x", mge.Label[0:mge.LabelLen], mge.ClientRandom[0:mge.ClientRandomLen], mge.MasterSecret[0:mge.MasterSecretLen]) return s } -func (this *MasterSecretGotlsEvent) Clone() IEventStruct { +func (mge *MasterSecretGotlsEvent) Clone() IEventStruct { event := new(MasterSecretGotlsEvent) - event.event_type = EventTypeModuleData + event.eventType = EventTypeModuleData return event } -func (this *MasterSecretGotlsEvent) EventType() EventType { - return this.event_type +func (mge *MasterSecretGotlsEvent) EventType() EventType { + return mge.eventType } -func (this *MasterSecretGotlsEvent) GetUUID() string { - return fmt.Sprintf("%02X", 
this.ClientRandom) +func (mge *MasterSecretGotlsEvent) GetUUID() string { + return fmt.Sprintf("%02X", mge.ClientRandom) } -func (this *MasterSecretGotlsEvent) Payload() []byte { - return []byte(this.payload) +func (mge *MasterSecretGotlsEvent) Payload() []byte { + return []byte(mge.payload) } -func (this *MasterSecretGotlsEvent) PayloadLen() int { - return len(this.payload) +func (mge *MasterSecretGotlsEvent) PayloadLen() int { + return len(mge.payload) } diff --git a/user/event/event_mysqld.go b/user/event/event_mysqld.go index e4f8c3a99..bcb396e90 100644 --- a/user/event/event_mysqld.go +++ b/user/event/event_mysqld.go @@ -46,9 +46,9 @@ const ( type dispatch_command_return int8 -func (this dispatch_command_return) String() string { +func (d dispatch_command_return) String() string { var retStr string - switch this { + switch d { case DispatchCommandCloseConnection: retStr = "DISPATCH_COMMAND_CLOSE_CONNECTION" case DispatchCommandSuccess: 
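Review bot: `MasterSecretGotlsEvent.Decode` validates the three length fields but then ignores them when building `mge.payload`, which is formatted from the full `Label`, `ClientRandom` and `MasterSecret` arrays. The key-log line therefore carries the label's NUL padding and any bytes past the reported lengths, whereas `String` and `StringHex` slice by `LabelLen`, `ClientRandomLen` and `MasterSecretLen`. Unless a consumer outside this hunk trims the line, `mge.payload = fmt.Sprintf("%s %02x %02x", mge.Label[:mge.LabelLen], mge.ClientRandom[:mge.ClientRandomLen], mge.MasterSecret[:mge.MasterSecretLen])` would bring it in line with them. The second and third checks also report `invalid label length` for the client-random and master-secret lengths, and `LablenLen` in the first message is a typo for `LabelLen`.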
@@ -64,70 +64,70 @@ func (this dispatch_command_return) String() string { } type MysqldEvent struct { - event_type EventType - Pid uint64 `json:"pid"` - Timestamp uint64 `json:"timestamp"` - Query [MysqldMaxDataSize]uint8 `json:"Query"` - Alllen uint64 `json:"Alllen"` - Len uint64 `json:"Len"` - Comm [16]uint8 `json:"Comm"` - Retval dispatch_command_return `json:"retval"` + eventType EventType + Pid uint64 `json:"pid"` + Timestamp uint64 `json:"timestamp"` + Query [MysqldMaxDataSize]uint8 `json:"Query"` + Alllen uint64 `json:"Alllen"` + Len uint64 `json:"Len"` + Comm [16]uint8 `json:"Comm"` + Retval dispatch_command_return `json:"retval"` } -func (this *MysqldEvent) Decode(payload []byte) (err error) { +func (me *MysqldEvent) Decode(payload []byte) (err error) { buf := bytes.NewBuffer(payload) - if err = binary.Read(buf, binary.LittleEndian, &this.Pid); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &me.Pid); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Timestamp); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &me.Timestamp); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Query); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &me.Query); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Alllen); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &me.Alllen); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Len); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &me.Len); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Comm); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &me.Comm); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Retval); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &me.Retval); err != nil { return } return nil } -func (this *MysqldEvent) String() string { - s := 
fmt.Sprintf(fmt.Sprintf(" PID:%d, Comm:%s, Time:%d, length:(%d/%d), return:%s, Line:%s", this.Pid, this.Comm, this.Timestamp, this.Len, this.Alllen, this.Retval, unix.ByteSliceToString((this.Query[:])))) +func (me *MysqldEvent) String() string { + s := fmt.Sprintf(fmt.Sprintf(" PID:%d, Comm:%s, Time:%d, length:(%d/%d), return:%s, Line:%s", me.Pid, me.Comm, me.Timestamp, me.Len, me.Alllen, me.Retval, unix.ByteSliceToString((me.Query[:])))) return s } -func (this *MysqldEvent) StringHex() string { - s := fmt.Sprintf(fmt.Sprintf(" PID:%d, Comm:%s, Time:%d, length:(%d/%d), return:%s, Line:%s", this.Pid, this.Comm, this.Timestamp, this.Len, this.Alllen, this.Retval, unix.ByteSliceToString((this.Query[:])))) +func (me *MysqldEvent) StringHex() string { + s := fmt.Sprintf(fmt.Sprintf(" PID:%d, Comm:%s, Time:%d, length:(%d/%d), return:%s, Line:%s", me.Pid, me.Comm, me.Timestamp, me.Len, me.Alllen, me.Retval, unix.ByteSliceToString((me.Query[:])))) return s } -func (this *MysqldEvent) Clone() IEventStruct { +func (me *MysqldEvent) Clone() IEventStruct { event := new(MysqldEvent) - event.event_type = EventTypeOutput + event.eventType = EventTypeOutput return event } -func (this *MysqldEvent) EventType() EventType { - return this.event_type +func (me *MysqldEvent) EventType() EventType { + return me.eventType } -func (this *MysqldEvent) GetUUID() string { - return fmt.Sprintf("%d_%s", this.Pid, this.Comm) +func (me *MysqldEvent) GetUUID() string { + return fmt.Sprintf("%d_%s", me.Pid, me.Comm) } -func (this *MysqldEvent) Payload() []byte { - return this.Query[:this.Len] +func (me *MysqldEvent) Payload() []byte { + return me.Query[:me.Len] } -func (this *MysqldEvent) PayloadLen() int { - return int(this.Len) +func (me *MysqldEvent) PayloadLen() int { + return int(me.Len) } diff --git a/user/event/event_nspr.go b/user/event/event_nspr.go index 32982d7f9..98cda1334 100644 --- a/user/event/event_nspr.go +++ b/user/event/event_nspr.go 
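Review bot: `MysqldEvent.String` and `StringHex` pass the already formatted text through a second `fmt.Sprintf`, so the captured query is interpreted as a format string. Any `%` in the SQL (a `LIKE` pattern, for instance) is parsed as a verb and printed as `%!…(MISSING)`-style noise instead of the text that was captured. A single call keeps the output faithful: `s := fmt.Sprintf(" PID:%d, Comm:%s, Time:%d, length:(%d/%d), return:%s, Line:%s", me.Pid, me.Comm, me.Timestamp, me.Len, me.Alllen, me.Retval, unix.ByteSliceToString(me.Query[:]))`. `PostgresEvent.String` and `StringHex` in event_postgres.go contain the same double call.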
@@ -22,45 +22,45 @@ import ( ) type NsprDataEvent struct { - event_type EventType - DataType int64 `json:"dataType"` - Timestamp uint64 `json:"timestamp"` - Pid uint32 `json:"pid"` - Tid uint32 `json:"tid"` - Data [MaxDataSize]byte `json:"data"` - DataLen int32 `json:"dataLen"` - Comm [16]byte `json:"Comm"` + eventType EventType + DataType int64 `json:"dataType"` + Timestamp uint64 `json:"timestamp"` + Pid uint32 `json:"pid"` + Tid uint32 `json:"tid"` + Data [MaxDataSize]byte `json:"data"` + DataLen int32 `json:"dataLen"` + Comm [16]byte `json:"Comm"` } -func (this *NsprDataEvent) Decode(payload []byte) (err error) { +func (ne *NsprDataEvent) Decode(payload []byte) (err error) { buf := bytes.NewBuffer(payload) - if err = binary.Read(buf, binary.LittleEndian, &this.DataType); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ne.DataType); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Timestamp); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ne.Timestamp); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Pid); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ne.Pid); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Tid); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ne.Tid); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Data); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ne.Data); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.DataLen); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ne.DataLen); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Comm); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ne.Comm); err != nil { return } return nil } -func (this *NsprDataEvent) StringHex() string { +func (ne *NsprDataEvent) StringHex() string { var perfix, packetType string - switch 
AttachType(this.DataType) { + switch AttachType(ne.DataType) { case ProbeEntry: packetType = fmt.Sprintf("%sRecived%s", COLORGREEN, COLORRESET) perfix = COLORGREEN @@ -68,29 +68,29 @@ func (this *NsprDataEvent) StringHex() string { packetType = fmt.Sprintf("%sSend%s", COLORPURPLE, COLORRESET) perfix = fmt.Sprintf("%s\t", COLORPURPLE) default: - perfix = fmt.Sprintf("UNKNOW_%d", this.DataType) + perfix = fmt.Sprintf("UNKNOW_%d", ne.DataType) } var b *bytes.Buffer var s string // firefox 进程的通讯线程名为 Socket Thread - var fire_thread = strings.TrimSpace(fmt.Sprintf("%s", this.Comm[:13])) + var fire_thread = strings.TrimSpace(fmt.Sprintf("%s", ne.Comm[:13])) // disable filter default if false && strings.Compare(fire_thread, "Socket Thread") != 0 { b = bytes.NewBufferString(fmt.Sprintf("%s[ignore]%s", COLORBLUE, COLORRESET)) - s = fmt.Sprintf("PID:%d, Comm:%s, Type:%s, TID:%d, DataLen:%d bytes, Payload:%s", this.Pid, this.Comm, packetType, this.Tid, this.DataLen, b.String()) + s = fmt.Sprintf("PID:%d, Comm:%s, Type:%s, TID:%d, DataLen:%d bytes, Payload:%s", ne.Pid, ne.Comm, packetType, ne.Tid, ne.DataLen, b.String()) } else { - b = dumpByteSlice(this.Data[:this.DataLen], perfix) + b = dumpByteSlice(ne.Data[:ne.DataLen], perfix) b.WriteString(COLORRESET) - s = fmt.Sprintf("PID:%d, Comm:%s, Type:%s, TID:%d, DataLen:%d bytes, Payload:\n%s", this.Pid, this.Comm, packetType, this.Tid, this.DataLen, b.String()) + s = fmt.Sprintf("PID:%d, Comm:%s, Type:%s, TID:%d, DataLen:%d bytes, Payload:\n%s", ne.Pid, ne.Comm, packetType, ne.Tid, ne.DataLen, b.String()) } return s } -func (this *NsprDataEvent) String() string { +func (ne *NsprDataEvent) String() string { var perfix, packetType string - switch AttachType(this.DataType) { + switch AttachType(ne.DataType) { case ProbeEntry: packetType = fmt.Sprintf("%sRecived%s", COLORGREEN, COLORRESET) perfix = COLORGREEN 
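Review bot: `NsprDataEvent.Decode` stores `DataLen` (an `int32`) without a range check, yet `StringHex`, `String` and `Payload` slice `ne.Data[:ne.DataLen]`, which panics on a negative value or one above `MaxDataSize`. The probe side presumably clamps the length, but the decoder should not depend on that. Before `return nil`, add `if ne.DataLen < 0 || int(ne.DataLen) > len(ne.Data) { return fmt.Errorf("invalid data length %d", ne.DataLen) }`. The same check is missing in `SSLDataEvent.Decode` (event_openssl.go) and for `me.Query[:me.Len]` in `MysqldEvent.Payload`, where `Len` is a `uint64`.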
@@ -98,39 +98,39 @@ func (this *NsprDataEvent) String() string { packetType = fmt.Sprintf("%sSend%s", COLORPURPLE, COLORRESET) perfix = COLORPURPLE default: - packetType = fmt.Sprintf("%sUNKNOW_%d%s", COLORRED, this.DataType, COLORRESET) + packetType = fmt.Sprintf("%sUNKNOW_%d%s", COLORRED, ne.DataType, COLORRESET) } var b *bytes.Buffer // firefox 进程的通讯线程名为 Socket Thread // disable filter default - if false && strings.TrimSpace(string(this.Comm[:13])) != "Socket Thread" { + if false && strings.TrimSpace(string(ne.Comm[:13])) != "Socket Thread" { b = bytes.NewBufferString("[ignore]") } else { - b = bytes.NewBuffer(this.Data[:this.DataLen]) + b = bytes.NewBuffer(ne.Data[:ne.DataLen]) } - s := fmt.Sprintf(" PID:%d, Comm:%s, TID:%d, TYPE:%s, DataLen:%d bytes, Payload:\n%s%s%s", this.Pid, this.Comm, this.Tid, packetType, this.DataLen, perfix, b.String(), COLORRESET) + s := fmt.Sprintf(" PID:%d, Comm:%s, TID:%d, TYPE:%s, DataLen:%d bytes, Payload:\n%s%s%s", ne.Pid, ne.Comm, ne.Tid, packetType, ne.DataLen, perfix, b.String(), COLORRESET) return s } -func (this *NsprDataEvent) Clone() IEventStruct { +func (ne *NsprDataEvent) Clone() IEventStruct { event := new(NsprDataEvent) - event.event_type = EventTypeEventProcessor + event.eventType = EventTypeEventProcessor return event } -func (this *NsprDataEvent) EventType() EventType { - return this.event_type +func (ne *NsprDataEvent) EventType() EventType { + return ne.eventType } -func (this *NsprDataEvent) GetUUID() string { - return fmt.Sprintf("%d_%d_%s_%d", this.Pid, this.Tid, this.Comm, this.DataType) +func (ne *NsprDataEvent) GetUUID() string { + return fmt.Sprintf("%d_%d_%s_%d", ne.Pid, ne.Tid, ne.Comm, ne.DataType) } -func (this *NsprDataEvent) Payload() []byte { - return this.Data[:this.DataLen] +func (ne *NsprDataEvent) Payload() []byte { + return ne.Data[:ne.DataLen] } -func (this *NsprDataEvent) PayloadLen() int { - return int(this.DataLen) +func (ne *NsprDataEvent) PayloadLen() int { + return int(ne.DataLen) } 
diff --git a/user/event/event_openssl.go b/user/event/event_openssl.go index 20e25a191..897383485 100644 --- a/user/event/event_openssl.go +++ b/user/event/event_openssl.go 
@@ -69,113 +69,113 @@ func (t TlsVersion) String() string { } type SSLDataEvent struct { - event_type EventType - DataType int64 `json:"dataType"` - Timestamp uint64 `json:"timestamp"` - Pid uint32 `json:"pid"` - Tid uint32 `json:"tid"` - Data [MaxDataSize]byte `json:"data"` - DataLen int32 `json:"dataLen"` - Comm [16]byte `json:"Comm"` - Fd uint32 `json:"fd"` - Version int32 `json:"version"` + eventType EventType + DataType int64 `json:"dataType"` + Timestamp uint64 `json:"timestamp"` + Pid uint32 `json:"pid"` + Tid uint32 `json:"tid"` + Data [MaxDataSize]byte `json:"data"` + DataLen int32 `json:"dataLen"` + Comm [16]byte `json:"Comm"` + Fd uint32 `json:"fd"` + Version int32 `json:"version"` } -func (this *SSLDataEvent) Decode(payload []byte) (err error) { +func (se *SSLDataEvent) Decode(payload []byte) (err error) { buf := bytes.NewBuffer(payload) - if err = binary.Read(buf, binary.LittleEndian, &this.DataType); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &se.DataType); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Timestamp); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &se.Timestamp); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Pid); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &se.Pid); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Tid); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &se.Tid); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Data); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &se.Data); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.DataLen); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &se.DataLen); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Comm); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &se.Comm); err != nil { return } - if err = 
binary.Read(buf, binary.LittleEndian, &this.Fd); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &se.Fd); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Version); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &se.Version); err != nil { return } return nil } -func (this *SSLDataEvent) GetUUID() string { - return fmt.Sprintf("%d_%d_%s_%d_%d", this.Pid, this.Tid, CToGoString(this.Comm[:]), this.Fd, this.DataType) +func (se *SSLDataEvent) GetUUID() string { + return fmt.Sprintf("%d_%d_%s_%d_%d", se.Pid, se.Tid, CToGoString(se.Comm[:]), se.Fd, se.DataType) } -func (this *SSLDataEvent) Payload() []byte { - return this.Data[:this.DataLen] +func (se *SSLDataEvent) Payload() []byte { + return se.Data[:se.DataLen] } -func (this *SSLDataEvent) PayloadLen() int { - return int(this.DataLen) +func (se *SSLDataEvent) PayloadLen() int { + return int(se.DataLen) } -func (this *SSLDataEvent) StringHex() string { - //addr := this.module.(*module.MOpenSSLProbe).GetConn(this.Pid, this.Fd) +func (se *SSLDataEvent) StringHex() string { + //addr := se.module.(*module.MOpenSSLProbe).GetConn(se.Pid, se.Fd) addr := "[TODO]" var perfix, connInfo string - switch AttachType(this.DataType) { + switch AttachType(se.DataType) { case ProbeEntry: - connInfo = fmt.Sprintf("%sRecived %d%s bytes from %s%s%s", COLORGREEN, this.DataLen, COLORRESET, COLORYELLOW, addr, COLORRESET) + connInfo = fmt.Sprintf("%sRecived %d%s bytes from %s%s%s", COLORGREEN, se.DataLen, COLORRESET, COLORYELLOW, addr, COLORRESET) perfix = COLORGREEN case ProbeRet: - connInfo = fmt.Sprintf("%sSend %d%s bytes to %s%s%s", COLORPURPLE, this.DataLen, COLORRESET, COLORYELLOW, addr, COLORRESET) + connInfo = fmt.Sprintf("%sSend %d%s bytes to %s%s%s", COLORPURPLE, se.DataLen, COLORRESET, COLORYELLOW, addr, COLORRESET) perfix = fmt.Sprintf("%s\t", COLORPURPLE) default: - perfix = fmt.Sprintf("UNKNOW_%d", this.DataType) + perfix = fmt.Sprintf("UNKNOW_%d", se.DataType) } - b := 
dumpByteSlice(this.Data[:this.DataLen], perfix) + b := dumpByteSlice(se.Data[:se.DataLen], perfix) b.WriteString(COLORRESET) - v := TlsVersion{Version: this.Version} - s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, %s, Version:%s, Payload:\n%s", this.Pid, CToGoString(this.Comm[:]), this.Tid, connInfo, v.String(), b.String()) + v := TlsVersion{Version: se.Version} + s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, %s, Version:%s, Payload:\n%s", se.Pid, CToGoString(se.Comm[:]), se.Tid, connInfo, v.String(), b.String()) return s } -func (this *SSLDataEvent) String() string { - //addr := this.module.(*module.MOpenSSLProbe).GetConn(this.Pid, this.Fd) +func (se *SSLDataEvent) String() string { + //addr := se.module.(*module.MOpenSSLProbe).GetConn(se.Pid, se.Fd) addr := "[TODO]" var perfix, connInfo string - switch AttachType(this.DataType) { + switch AttachType(se.DataType) { case ProbeEntry: - connInfo = fmt.Sprintf("%sRecived %d%s bytes from %s%s%s", COLORGREEN, this.DataLen, COLORRESET, COLORYELLOW, addr, COLORRESET) + connInfo = fmt.Sprintf("%sRecived %d%s bytes from %s%s%s", COLORGREEN, se.DataLen, COLORRESET, COLORYELLOW, addr, COLORRESET) perfix = COLORGREEN case ProbeRet: - connInfo = fmt.Sprintf("%sSend %d%s bytes to %s%s%s", COLORPURPLE, this.DataLen, COLORRESET, COLORYELLOW, addr, COLORRESET) + connInfo = fmt.Sprintf("%sSend %d%s bytes to %s%s%s", COLORPURPLE, se.DataLen, COLORRESET, COLORYELLOW, addr, COLORRESET) perfix = COLORPURPLE default: - connInfo = fmt.Sprintf("%sUNKNOW_%d%s", COLORRED, this.DataType, COLORRESET) + connInfo = fmt.Sprintf("%sUNKNOW_%d%s", COLORRED, se.DataType, COLORRESET) } - v := TlsVersion{Version: this.Version} - s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, Version:%s, %s, Payload:\n%s%s%s", this.Pid, bytes.TrimSpace(this.Comm[:]), this.Tid, v.String(), connInfo, perfix, string(this.Data[:this.DataLen]), COLORRESET) + v := TlsVersion{Version: se.Version} + s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, Version:%s, %s, Payload:\n%s%s%s", se.Pid, 
bytes.TrimSpace(se.Comm[:]), se.Tid, v.String(), connInfo, perfix, string(se.Data[:se.DataLen]), COLORRESET) return s } -func (this *SSLDataEvent) Clone() IEventStruct { +func (se *SSLDataEvent) Clone() IEventStruct { event := new(SSLDataEvent) - event.event_type = EventTypeEventProcessor + event.eventType = EventTypeEventProcessor return event } -func (this *SSLDataEvent) EventType() EventType { - return this.event_type +func (se *SSLDataEvent) EventType() EventType { + return se.eventType } // connect_events map @@ -188,7 +188,7 @@ uint64_t timestamp_ns; char Comm[TASK_COMM_LEN]; */ type ConnDataEvent struct { - event_type EventType + eventType EventType TimestampNs uint64 `json:"timestampNs"` Pid uint32 `json:"pid"` Tid uint32 `json:"tid"` 
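Review bot: `SSLDataEvent.String` formats the process name with `bytes.TrimSpace(se.Comm[:])`, while `StringHex` and `GetUUID` in the same hunk use `CToGoString(se.Comm[:])`. `bytes.TrimSpace` strips only white space, so the NUL padding of the 16-byte `Comm` array stays in the text-mode output. Using `CToGoString(se.Comm[:])` in `String` as well would make the two renderings agree. This assumes `CToGoString`, defined outside the hunk, cuts at the first NUL as its name suggests.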
@@ -198,60 +198,60 @@ type ConnDataEvent struct { Addr string `json:"addr"` } -func (this *ConnDataEvent) Decode(payload []byte) (err error) { +func (ce *ConnDataEvent) Decode(payload []byte) (err error) { buf := bytes.NewBuffer(payload) - if err = binary.Read(buf, binary.LittleEndian, &this.TimestampNs); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ce.TimestampNs); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Pid); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ce.Pid); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Tid); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ce.Tid); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Fd); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ce.Fd); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.SaData); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ce.SaData); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Comm); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &ce.Comm); err != nil { return } - port := binary.BigEndian.Uint16(this.SaData[0:2]) - ip := net.IPv4(this.SaData[2], this.SaData[3], this.SaData[4], this.SaData[5]) - this.Addr = fmt.Sprintf("%s:%d", ip, port) + port := binary.BigEndian.Uint16(ce.SaData[0:2]) + ip := net.IPv4(ce.SaData[2], ce.SaData[3], ce.SaData[4], ce.SaData[5]) + ce.Addr = fmt.Sprintf("%s:%d", ip, port) return nil } -func (this *ConnDataEvent) StringHex() string { - s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, FD:%d, Addr: %s", this.Pid, bytes.TrimSpace(this.Comm[:]), this.Tid, this.Fd, this.Addr) +func (ce *ConnDataEvent) StringHex() string { + s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, FD:%d, Addr: %s", ce.Pid, bytes.TrimSpace(ce.Comm[:]), ce.Tid, ce.Fd, ce.Addr) return s } -func (this *ConnDataEvent) String() string { - s := fmt.Sprintf("PID:%d, Comm:%s, 
TID:%d, FD:%d, Addr: %s", this.Pid, bytes.TrimSpace(this.Comm[:]), this.Tid, this.Fd, this.Addr) +func (ce *ConnDataEvent) String() string { + s := fmt.Sprintf("PID:%d, Comm:%s, TID:%d, FD:%d, Addr: %s", ce.Pid, bytes.TrimSpace(ce.Comm[:]), ce.Tid, ce.Fd, ce.Addr) return s } -func (this *ConnDataEvent) Clone() IEventStruct { +func (ce *ConnDataEvent) Clone() IEventStruct { event := new(ConnDataEvent) - event.event_type = EventTypeModuleData + event.eventType = EventTypeModuleData return event } -func (this *ConnDataEvent) EventType() EventType { - return this.event_type +func (ce *ConnDataEvent) EventType() EventType { + return ce.eventType } -func (this *ConnDataEvent) GetUUID() string { - return fmt.Sprintf("%d_%d_%s_%d", this.Pid, this.Tid, bytes.TrimSpace(this.Comm[:]), this.Fd) +func (ce *ConnDataEvent) GetUUID() string { + return fmt.Sprintf("%d_%d_%s_%d", ce.Pid, ce.Tid, bytes.TrimSpace(ce.Comm[:]), ce.Fd) } -func (this *ConnDataEvent) Payload() []byte { - return []byte(this.Addr) +func (ce *ConnDataEvent) Payload() []byte { + return []byte(ce.Addr) } -func (this *ConnDataEvent) PayloadLen() int { - return len(this.Addr) +func (ce *ConnDataEvent) PayloadLen() int { + return len(ce.Addr) } diff --git a/user/event/event_openssl_tc.go b/user/event/event_openssl_tc.go index b273dec37..f077a7c3d 100644 --- a/user/event/event_openssl_tc.go +++ b/user/event/event_openssl_tc.go 
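Review bot: `ConnDataEvent.Decode` always reads `SaData` as a two-byte port followed by a four-byte IPv4 address, and none of the decoded fields records the address family. If the probe also reports non-IPv4 sockets (not visible from this hunk), `Addr` would be built from unrelated bytes and still look like a valid endpoint. A comment above the conversion would at least record the assumption: `// assumes an AF_INET address: bytes 0-1 port (big endian), bytes 2-5 IPv4`. The declaration of `SaData` is outside the hunk.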
@@ -25,71 +25,71 @@ const ( ) type TcSkbEvent struct { - event_type EventType - Ts uint64 `json:"ts"` - Pid uint32 `json:"pid"` - Comm [TaskCommLen]byte `json:"Comm"` - Len uint32 `json:"len"` - Ifindex uint32 `json:"ifindex"` - payload []byte + eventType EventType + Ts uint64 `json:"ts"` + Pid uint32 `json:"pid"` + Comm [TaskCommLen]byte `json:"Comm"` + Len uint32 `json:"len"` + Ifindex uint32 `json:"ifindex"` + payload []byte } -func (this *TcSkbEvent) Decode(payload []byte) (err error) { +func (te *TcSkbEvent) Decode(payload []byte) (err error) { buf := bytes.NewBuffer(payload) - if err = binary.Read(buf, binary.LittleEndian, &this.Ts); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &te.Ts); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Pid); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &te.Pid); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Comm); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &te.Comm); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Len); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &te.Len); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Ifindex); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &te.Ifindex); err != nil { return } - tmpData := make([]byte, this.Len) + tmpData := make([]byte, te.Len) if err = binary.Read(buf, binary.LittleEndian, &tmpData); err != nil { return } - this.payload = tmpData + te.payload = tmpData return nil } -func (this *TcSkbEvent) StringHex() string { - b := dumpByteSlice(this.payload, COLORGREEN) +func (te *TcSkbEvent) StringHex() string { + b := dumpByteSlice(te.payload, COLORGREEN) b.WriteString(COLORRESET) - s := fmt.Sprintf("Pid:%d, Comm:%s, Length:%d, Ifindex:%d, Payload:%s", this.Pid, this.Comm, this.Len, this.Ifindex, b.String()) + s := fmt.Sprintf("Pid:%d, Comm:%s, Length:%d, Ifindex:%d, Payload:%s", 
te.Pid, te.Comm, te.Len, te.Ifindex, b.String()) return s } -func (this *TcSkbEvent) String() string { +func (te *TcSkbEvent) String() string { - s := fmt.Sprintf("Pid:%d, Comm:%s, Length:%d, Ifindex:%d, Payload:[internal data]", this.Pid, this.Comm, this.Len, this.Ifindex) + s := fmt.Sprintf("Pid:%d, Comm:%s, Length:%d, Ifindex:%d, Payload:[internal data]", te.Pid, te.Comm, te.Len, te.Ifindex) return s } -func (this *TcSkbEvent) Clone() IEventStruct { +func (te *TcSkbEvent) Clone() IEventStruct { event := new(TcSkbEvent) - event.event_type = EventTypeModuleData + event.eventType = EventTypeModuleData return event } -func (this *TcSkbEvent) EventType() EventType { - return this.event_type +func (te *TcSkbEvent) EventType() EventType { + return te.eventType } -func (this *TcSkbEvent) GetUUID() string { - return fmt.Sprintf("%d-%d-%s", this.Pid, this.Ifindex, this.Comm) +func (te *TcSkbEvent) GetUUID() string { + return fmt.Sprintf("%d-%d-%s", te.Pid, te.Ifindex, te.Comm) } -func (this *TcSkbEvent) Payload() []byte { - return this.payload +func (te *TcSkbEvent) Payload() []byte { + return te.payload } -func (this *TcSkbEvent) PayloadLen() int { - return int(this.Len) +func (te *TcSkbEvent) PayloadLen() int { + return int(te.Len) } diff --git a/user/event/event_postgres.go b/user/event/event_postgres.go index 33db9ae2c..2daa1c482 100644 --- a/user/event/event_postgres.go +++ b/user/event/event_postgres.go 
@@ -34,58 +34,58 @@ char Comm[TASK_COMM_LEN]; const PostgresMaxDataSize = 256 type PostgresEvent struct { - event_type EventType - Pid uint64 `json:"pid"` - Timestamp uint64 `json:"timestamp"` - Query [PostgresMaxDataSize]uint8 `json:"Query"` - Comm [16]uint8 `json:"Comm"` + eventType EventType + Pid uint64 `json:"pid"` + Timestamp uint64 `json:"timestamp"` + Query [PostgresMaxDataSize]uint8 `json:"Query"` + Comm [16]uint8 `json:"Comm"` } -func (this *PostgresEvent) Decode(payload []byte) (err error) { +func (pe *PostgresEvent) Decode(payload []byte) (err error) { buf := bytes.NewBuffer(payload) - if err = binary.Read(buf, binary.LittleEndian, &this.Pid); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &pe.Pid); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Timestamp); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &pe.Timestamp); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Query); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &pe.Query); err != nil { return } - if err = binary.Read(buf, binary.LittleEndian, &this.Comm); err != nil { + if err = binary.Read(buf, binary.LittleEndian, &pe.Comm); err != nil { return } return nil } -func (this *PostgresEvent) String() string { - s := fmt.Sprintf(fmt.Sprintf(" PID: %d, Comm: %s, Time: %d, Query: %s", this.Pid, this.Comm, this.Timestamp, unix.ByteSliceToString((this.Query[:])))) +func (pe *PostgresEvent) String() string { + s := fmt.Sprintf(fmt.Sprintf(" PID: %d, Comm: %s, Time: %d, Query: %s", pe.Pid, pe.Comm, pe.Timestamp, unix.ByteSliceToString((pe.Query[:])))) return s } -func (this *PostgresEvent) StringHex() string { - s := fmt.Sprintf(fmt.Sprintf(" PID: %d, Comm: %s, Time: %d, Query: %s", this.Pid, this.Comm, this.Timestamp, unix.ByteSliceToString((this.Query[:])))) +func (pe *PostgresEvent) StringHex() string { + s := fmt.Sprintf(fmt.Sprintf(" PID: %d, Comm: %s, Time: %d, Query: %s", pe.Pid, pe.Comm, 
pe.Timestamp, unix.ByteSliceToString((pe.Query[:])))) return s } -func (this *PostgresEvent) Clone() IEventStruct { +func (pe *PostgresEvent) Clone() IEventStruct { event := new(PostgresEvent) - event.event_type = EventTypeOutput + event.eventType = EventTypeOutput return event } -func (this *PostgresEvent) EventType() EventType { - return this.event_type +func (pe *PostgresEvent) EventType() EventType { + return pe.eventType } -func (this *PostgresEvent) GetUUID() string { - return fmt.Sprintf("%d_%s", this.Pid, this.Comm) +func (pe *PostgresEvent) GetUUID() string { + return fmt.Sprintf("%d_%s", pe.Pid, pe.Comm) } -func (this *PostgresEvent) Payload() []byte { - return this.Query[:] +func (pe *PostgresEvent) Payload() []byte { + return pe.Query[:] } -func (this *PostgresEvent) PayloadLen() int { - return len(this.Query) +func (pe *PostgresEvent) PayloadLen() int { + return len(pe.Query) } diff --git a/user/module/imodule.go b/user/module/imodule.go index bc6a9b35c..789fea208 100644 --- a/user/module/imodule.go +++ b/user/module/imodule.go 
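Review bot: `String` and `StringHex` pass the result of the inner `fmt.Sprintf` to a second `fmt.Sprintf` as its format string, so any `%` in the captured query (for example `LIKE '%a%'`, a constructed sample) is re-interpreted as a verb and the logged SQL comes out with `%!…(MISSING)` fragments. Captured query text is untrusted input to this formatter and should only ever be an argument. A single call is enough: `return fmt.Sprintf(" PID: %d, Comm: %s, Time: %d, Query: %s", pe.Pid, pe.Comm, pe.Timestamp, unix.ByteSliceToString(pe.Query[:]))`. Recent `go vet` versions report the non-constant format string as well.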
@@ -81,127 +81,127 @@ type Module struct { } // Init 对象初始化 -func (this *Module) Init(ctx context.Context, logger *log.Logger, conf config.IConfig) { - this.ctx = ctx - this.logger = logger - this.processor = event_processor.NewEventProcessor(logger, conf.GetHex()) - this.isKernelLess5_2 = false //set false default +func (m *Module) Init(ctx context.Context, logger *log.Logger, conf config.IConfig) { + m.ctx = ctx + m.logger = logger + m.processor = event_processor.NewEventProcessor(logger, conf.GetHex()) + m.isKernelLess5_2 = false //set false default kv, err := kernel.HostVersion() if err != nil { // nothing to do. } if kv < kernel.VersionCode(5, 2, 0) { - this.isKernelLess5_2 = true + m.isKernelLess5_2 = true } } -func (this *Module) geteBPFName(filename string) string { - if this.isKernelLess5_2 { +func (m *Module) geteBPFName(filename string) string { + if m.isKernelLess5_2 { return strings.Replace(filename, ".o", KernelLess52Prefix, 1) } return filename } -func (this *Module) SetChild(module IModule) { - this.child = module +func (m *Module) SetChild(module IModule) { + m.child = module } -func (this *Module) Start() error { +func (m *Module) Start() error { panic("Module.Start() not implemented yet") } -func (this *Module) Events() []*ebpf.Map { +func (m *Module) Events() []*ebpf.Map { panic("Module.Events() not implemented yet") } -func (this *Module) DecodeFun(p *ebpf.Map) (event.IEventStruct, bool) { +func (m *Module) DecodeFun(p *ebpf.Map) (event.IEventStruct, bool) { panic("Module.DecodeFun() not implemented yet") } -func (this *Module) Name() string { - return this.name +func (m *Module) Name() string { + return m.name } -func (this *Module) Run() error { - this.logger.Printf("ECAPTURE ::\tModule.Run()") +func (m *Module) Run() error { + m.logger.Printf("ECAPTURE ::\tModule.Run()") // start - err := this.child.Start() + err := m.child.Start() if err != nil { return err } go func() { - this.run() + m.run() }() go func() { - this.processor.Serve() + 
m.processor.Serve() }() - err = this.readEvents() + err = m.readEvents() if err != nil { return err } return nil } -func (this *Module) Stop() error { +func (m *Module) Stop() error { return nil } // Stop shuts down Module -func (this *Module) run() { +func (m *Module) run() { for { select { - case _ = <-this.ctx.Done(): - err := this.child.Stop() + case _ = <-m.ctx.Done(): + err := m.child.Stop() if err != nil { - this.logger.Fatalf("%s\t stop Module error:%v.", this.child.Name(), err) + m.logger.Fatalf("%s\t stop Module error:%v.", m.child.Name(), err) } return } } } -func (this *Module) readEvents() error { +func (m *Module) readEvents() error { var errChan = make(chan error, 8) go func() { for { select { case err := <-errChan: - this.logger.Printf("%s\treadEvents error:%v", this.child.Name(), err) + m.logger.Printf("%s\treadEvents error:%v", m.child.Name(), err) } } }() - for _, e := range this.child.Events() { + for _, e := range m.child.Events() { switch { case e.Type() == ebpf.RingBuf: - this.ringbufEventReader(errChan, e) + m.ringbufEventReader(errChan, e) case e.Type() == ebpf.PerfEventArray: - this.perfEventReader(errChan, e) + m.perfEventReader(errChan, e) default: return fmt.Errorf("%s\tunsupported mapType:%s , mapinfo:%s", - this.child.Name(), e.Type().String(), e.String()) + m.child.Name(), e.Type().String(), e.String()) } } return nil } -func (this *Module) perfEventReader(errChan chan error, em *ebpf.Map) { +func (m *Module) perfEventReader(errChan chan error, em *ebpf.Map) { rd, err := perf.NewReader(em, os.Getpagesize()*BufferSizeOfEbpfMap) if err != nil { errChan <- fmt.Errorf("creating %s reader dns: %s", em.String(), err) return } - this.reader = append(this.reader, rd) + m.reader = append(m.reader, rd) go func() { for { //判断ctx是不是结束 select { - case _ = <-this.ctx.Done(): - this.logger.Printf("%s\tperfEventReader received close signal from context.Done().", this.child.Name()) + case _ = <-m.ctx.Done(): + m.logger.Printf("%s\tperfEventReader 
received close signal from context.Done().", m.child.Name()) return default: } @@ -211,41 +211,41 @@ func (this *Module) perfEventReader(errChan chan error, em *ebpf.Map) { if errors.Is(err, perf.ErrClosed) { return } - errChan <- fmt.Errorf("%s\treading from perf event reader: %s", this.child.Name(), err) + errChan <- fmt.Errorf("%s\treading from perf event reader: %s", m.child.Name(), err) return } if record.LostSamples != 0 { - this.logger.Printf("%s\tperf event ring buffer full, dropped %d samples", this.child.Name(), record.LostSamples) + m.logger.Printf("%s\tperf event ring buffer full, dropped %d samples", m.child.Name(), record.LostSamples) continue } var e event.IEventStruct - e, err = this.child.Decode(em, record.RawSample) + e, err = m.child.Decode(em, record.RawSample) if err != nil { - this.logger.Printf("%s\tthis.child.decode error:%v", this.child.Name(), err) + m.logger.Printf("%s\tm.child.decode error:%v", m.child.Name(), err) continue } // 上报数据 - this.Dispatcher(e) + m.Dispatcher(e) } }() } -func (this *Module) ringbufEventReader(errChan chan error, em *ebpf.Map) { +func (m *Module) ringbufEventReader(errChan chan error, em *ebpf.Map) { rd, err := ringbuf.NewReader(em) if err != nil { - errChan <- fmt.Errorf("%s\tcreating %s reader dns: %s", this.child.Name(), em.String(), err) + errChan <- fmt.Errorf("%s\tcreating %s reader dns: %s", m.child.Name(), em.String(), err) return } - this.reader = append(this.reader, rd) + m.reader = append(m.reader, rd) go func() { for { //判断ctx是不是结束 select { - case _ = <-this.ctx.Done(): - this.logger.Printf("%s\tringbufEventReader received close signal from context.Done().", this.child.Name()) + case _ = <-m.ctx.Done(): + m.logger.Printf("%s\tringbufEventReader received close signal from context.Done().", m.child.Name()) return default: } 
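Review bot: In `Module.Init` the error from `kernel.HostVersion()` is dropped by an empty `if err != nil` branch, and the `kv < kernel.VersionCode(5, 2, 0)` comparison then runs on whatever `kv` holds. If that is the zero value (likely, but `HostVersion` is not visible here), a failed version probe silently selects the pre-5.2 bytecode in `geteBPFName`. Logging the failure and keeping the default makes the choice visible: `if err != nil { m.logger.Printf("kernel version detection failed, assuming >= 5.2: %v", err); return }`.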
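Review bot: The receiver rename also rewrote a runtime string: the decode-failure log in `perfEventReader` now reads `m.child.decode error`, which names a local identifier rather than the failure. The same line appears in `ringbufEventReader` in the next hunk. Any log filter or alert keyed on the previous text stops matching without notice. A receiver-independent message such as `m.logger.Printf("%s\tdecode event error:%v", m.child.Name(), err)` avoids that on future renames. `perfEventReader` starts in the previous hunk.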
@@ -253,30 +253,30 @@ func (this *Module) ringbufEventReader(errChan chan error, em *ebpf.Map) { record, err := rd.Read() if err != nil { if errors.Is(err, ringbuf.ErrClosed) { - this.logger.Printf("%s\tReceived signal, exiting..", this.child.Name()) + m.logger.Printf("%s\tReceived signal, exiting..", m.child.Name()) return } - errChan <- fmt.Errorf("%s\treading from ringbuf reader: %s", this.child.Name(), err) + errChan <- fmt.Errorf("%s\treading from ringbuf reader: %s", m.child.Name(), err) return } var e event.IEventStruct - e, err = this.child.Decode(em, record.RawSample) + e, err = m.child.Decode(em, record.RawSample) if err != nil { - this.logger.Printf("%s\tthis.child.decode error:%v", this.child.Name(), err) + m.logger.Printf("%s\tm.child.decode error:%v", m.child.Name(), err) continue } // 上报数据 - this.Dispatcher(e) + m.Dispatcher(e) } }() } -func (this *Module) Decode(em *ebpf.Map, b []byte) (event event.IEventStruct, err error) { - es, found := this.child.DecodeFun(em) +func (m *Module) Decode(em *ebpf.Map, b []byte) (event event.IEventStruct, err error) { + es, found := m.child.DecodeFun(em) if !found { - err = fmt.Errorf("%s\tcan't found decode function :%s, address:%p", this.child.Name(), em.String(), em) + err = fmt.Errorf("%s\tcan't found decode function :%s, address:%p", m.child.Name(), em.String(), em) return } 
@@ -289,29 +289,29 @@ func (this *Module) Decode(em *ebpf.Map, b []byte) (event event.IEventStruct, er } // 写入数据,或者上传到远程数据库,写入到其他chan 等。 -func (this *Module) Dispatcher(e event.IEventStruct) { +func (m *Module) Dispatcher(e event.IEventStruct) { switch e.EventType() { case event.EventTypeOutput: - if this.conf.GetHex() { - this.logger.Println(e.StringHex()) + if m.conf.GetHex() { + m.logger.Println(e.StringHex()) } else { - this.logger.Println(e.String()) + m.logger.Println(e.String()) } case event.EventTypeEventProcessor: - this.processor.Write(e) + m.processor.Write(e) case event.EventTypeModuleData: // Save to cache - this.child.Dispatcher(e) + m.child.Dispatcher(e) } } -func (this *Module) Close() error { - this.logger.Printf("%s\tclose", this.child.Name()) - for _, iClose := range this.reader { +func (m *Module) Close() error { + m.logger.Printf("%s\tclose", m.child.Name()) + for _, iClose := range m.reader { if err := iClose.Close(); err != nil { return err } } - err := this.processor.Close() + err := m.processor.Close() return err } diff --git a/user/module/probe_bash.go b/user/module/probe_bash.go index 96fcae316..6fbbc0a5b 100644 --- a/user/module/probe_bash.go +++ b/user/module/probe_bash.go 
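Review bot: `Module.Close` returns at the first `iClose.Close()` failure, so the remaining readers and `m.processor` are never closed on that path. For a capture tool this leaves perf and ring-buffer readers open and, depending on what `processor.Close` flushes (not visible here), may lose buffered events. Closing everything and reporting the first error keeps the signature and the success path unchanged.

```go
func (m *Module) Close() error {
	// … unchanged: close log line …
	var firstErr error
	for _, iClose := range m.reader {
		if err := iClose.Close(); err != nil && firstErr == nil {
			firstErr = err
		}
	}
	if err := m.processor.Close(); err != nil && firstErr == nil {
		firstErr = err
	}
	return firstErr
}
```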
@@ -38,47 +38,47 @@ type MBashProbe struct { } // 对象初始化 -func (this *MBashProbe) Init(ctx context.Context, logger *log.Logger, conf config.IConfig) error { - this.Module.Init(ctx, logger, conf) - this.conf = conf - this.Module.SetChild(this) - this.eventMaps = make([]*ebpf.Map, 0, 2) - this.eventFuncMaps = make(map[*ebpf.Map]event.IEventStruct) +func (b *MBashProbe) Init(ctx context.Context, logger *log.Logger, conf config.IConfig) error { + b.Module.Init(ctx, logger, conf) + b.conf = conf + b.Module.SetChild(b) + b.eventMaps = make([]*ebpf.Map, 0, 2) + b.eventFuncMaps = make(map[*ebpf.Map]event.IEventStruct) return nil } -func (this *MBashProbe) Start() error { - if err := this.start(); err != nil { +func (b *MBashProbe) Start() error { + if err := b.start(); err != nil { return err } return nil } -func (this *MBashProbe) start() error { +func (b *MBashProbe) start() error { // fetch ebpf assets - var bpfFileName = this.geteBPFName("user/bytecode/bash_kern.o") - this.logger.Printf("%s\tBPF bytecode filename:%s\n", this.Name(), bpfFileName) + var bpfFileName = b.geteBPFName("user/bytecode/bash_kern.o") + b.logger.Printf("%s\tBPF bytecode filename:%s\n", b.Name(), bpfFileName) byteBuf, err := assets.Asset(bpfFileName) if err != nil { return fmt.Errorf("couldn't find asset %v", err) } // setup the managers - this.setupManagers() + b.setupManagers() // initialize the bootstrap manager - if err = this.bpfManager.InitWithOptions(bytes.NewReader(byteBuf), this.bpfManagerOptions); err != nil { + if err = b.bpfManager.InitWithOptions(bytes.NewReader(byteBuf), b.bpfManagerOptions); err != nil { return fmt.Errorf("couldn't init manager %v ", err) } // start the bootstrap manager - if err = this.bpfManager.Start(); err != nil { + if err = b.bpfManager.Start(); err != nil { return fmt.Errorf("couldn't start bootstrap manager %v ", err) } // 加载map信息,map对应events decode表。 - err = this.initDecodeFun() + err = b.initDecodeFun() if err != nil { return err } 
@@ -86,62 +86,62 @@ func (this *MBashProbe) start() error { return nil } -func (this *MBashProbe) Close() error { - if err := this.bpfManager.Stop(manager.CleanAll); err != nil { +func (b *MBashProbe) Close() error { + if err := b.bpfManager.Stop(manager.CleanAll); err != nil { return fmt.Errorf("couldn't stop manager %v ", err) } - return this.Module.Close() + return b.Module.Close() } // 通过elf的常量替换方式传递数据 -func (this *MBashProbe) constantEditor() []manager.ConstantEditor { +func (b *MBashProbe) constantEditor() []manager.ConstantEditor { var editor = []manager.ConstantEditor{ { Name: "target_pid", - Value: uint64(this.conf.GetPid()), + Value: uint64(b.conf.GetPid()), //FailOnMissing: true, }, { Name: "target_uid", - Value: uint64(this.conf.GetUid()), + Value: uint64(b.conf.GetUid()), //FailOnMissing: true, }, { Name: "target_errno", - Value: uint64(this.Module.conf.(*config.BashConfig).ErrNo), + Value: uint64(b.Module.conf.(*config.BashConfig).ErrNo), }, } - if this.conf.GetPid() <= 0 { - this.logger.Printf("%s\ttarget all process. \n", this.Name()) + if b.conf.GetPid() <= 0 { + b.logger.Printf("%s\ttarget all process. \n", b.Name()) } else { - this.logger.Printf("%s\ttarget PID:%d \n", this.Name(), this.conf.GetPid()) + b.logger.Printf("%s\ttarget PID:%d \n", b.Name(), b.conf.GetPid()) } - if this.conf.GetUid() <= 0 { - this.logger.Printf("%s\ttarget all users. \n", this.Name()) + if b.conf.GetUid() <= 0 { + b.logger.Printf("%s\ttarget all users. 
\n", b.Name()) } else { - this.logger.Printf("%s\ttarget UID:%d \n", this.Name(), this.conf.GetUid()) + b.logger.Printf("%s\ttarget UID:%d \n", b.Name(), b.conf.GetUid()) } return editor } -func (this *MBashProbe) setupManagers() { +func (b *MBashProbe) setupManagers() { var binaryPath string - switch this.conf.(*config.BashConfig).ElfType { + switch b.conf.(*config.BashConfig).ElfType { case config.ElfTypeBin: - binaryPath = this.conf.(*config.BashConfig).Bashpath + binaryPath = b.conf.(*config.BashConfig).Bashpath case config.ElfTypeSo: - binaryPath = this.conf.(*config.BashConfig).Readline + binaryPath = b.conf.(*config.BashConfig).Readline default: binaryPath = "/bin/bash" } - this.logger.Printf("%s\tHOOK binrayPath:%s, FunctionName:readline\n", this.Name(), binaryPath) - this.logger.Printf("%s\tHOOK binrayPath:%s, FunctionName:execute_command\n", this.Name(), binaryPath) + b.logger.Printf("%s\tHOOK binrayPath:%s, FunctionName:readline\n", b.Name(), binaryPath) + b.logger.Printf("%s\tHOOK binrayPath:%s, FunctionName:execute_command\n", b.Name(), binaryPath) - this.bpfManager = &manager.Manager{ + b.bpfManager = &manager.Manager{ Probes: []*manager.Probe{ { Section: "uretprobe/bash_readline", @@ -165,7 +165,7 @@ func (this *MBashProbe) setupManagers() { }, } - this.bpfManagerOptions = manager.Options{ + b.bpfManagerOptions = manager.Options{ DefaultKProbeMaxActive: 512, VerifierOptions: ebpf.CollectionOptions{ 
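Review bot: `constantEditor` and `setupManagers` convert the config with unchecked type assertions (`b.Module.conf.(*config.BashConfig).ErrNo`, plus three `b.conf.(*config.BashConfig)` uses in `setupManagers`), so a probe initialised with any other `IConfig` implementation panics instead of returning an error. `MGnutlsProbe.setupManagers` in probe_gnutls.go repeats the pattern with `*config.GnutlsConfig`. `Init` already returns `error`, so one checked assertion there makes the later ones safe: `if _, ok := conf.(*config.BashConfig); !ok { return fmt.Errorf("bash probe: unexpected config type %T", conf) }`. `setupManagers` continues past the end of this hunk.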
@@ -180,37 +180,37 @@ func (this *MBashProbe) setupManagers() { }, } - if this.conf.EnableGlobalVar() { + if b.conf.EnableGlobalVar() { // 填充 RewriteContants 对应map - this.bpfManagerOptions.ConstantEditors = this.constantEditor() + b.bpfManagerOptions.ConstantEditors = b.constantEditor() } } -func (this *MBashProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool) { - fun, found := this.eventFuncMaps[em] +func (b *MBashProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool) { + fun, found := b.eventFuncMaps[em] return fun, found } -func (this *MBashProbe) initDecodeFun() error { +func (b *MBashProbe) initDecodeFun() error { //bashEventsMap 与解码函数映射 - bashEventsMap, found, err := this.bpfManager.GetMap("events") + bashEventsMap, found, err := b.bpfManager.GetMap("events") if err != nil { return err } if !found { return errors.New("cant found map:events") } - this.eventMaps = append(this.eventMaps, bashEventsMap) + b.eventMaps = append(b.eventMaps, bashEventsMap) bashevent := &event.BashEvent{} - //bashevent.SetModule(this) - this.eventFuncMaps[bashEventsMap] = bashevent + //bashevent.SetModule(b) + b.eventFuncMaps[bashEventsMap] = bashevent return nil } -func (this *MBashProbe) Events() []*ebpf.Map { - return this.eventMaps +func (b *MBashProbe) Events() []*ebpf.Map { + return b.eventMaps } func init() { diff --git a/user/module/probe_gnutls.go b/user/module/probe_gnutls.go index 970628836..19d764590 100644 --- a/user/module/probe_gnutls.go +++ b/user/module/probe_gnutls.go 
@@ -39,50 +39,50 @@ type MGnutlsProbe struct { } // 对象初始化 -func (this *MGnutlsProbe) Init(ctx context.Context, logger *log.Logger, conf config.IConfig) error { - this.Module.Init(ctx, logger, conf) - this.conf = conf - this.Module.SetChild(this) - this.eventMaps = make([]*ebpf.Map, 0, 2) - this.eventFuncMaps = make(map[*ebpf.Map]event.IEventStruct) +func (g *MGnutlsProbe) Init(ctx context.Context, logger *log.Logger, conf config.IConfig) error { + g.Module.Init(ctx, logger, conf) + g.conf = conf + g.Module.SetChild(g) + g.eventMaps = make([]*ebpf.Map, 0, 2) + g.eventFuncMaps = make(map[*ebpf.Map]event.IEventStruct) return nil } -func (this *MGnutlsProbe) Start() error { - if err := this.start(); err != nil { +func (g *MGnutlsProbe) Start() error { + if err := g.start(); err != nil { return err } return nil } -func (this *MGnutlsProbe) start() error { +func (g *MGnutlsProbe) start() error { // fetch ebpf assets - var bpfFileName = this.geteBPFName("user/bytecode/gnutls_kern.o") - this.logger.Printf("%s\tBPF bytecode filename:%s\n", this.Name(), bpfFileName) + var bpfFileName = g.geteBPFName("user/bytecode/gnutls_kern.o") + g.logger.Printf("%s\tBPF bytecode filename:%s\n", g.Name(), bpfFileName) byteBuf, err := assets.Asset(bpfFileName) if err != nil { return fmt.Errorf("couldn't find asset %v", err) } // setup the managers - err = this.setupManagers() + err = g.setupManagers() if err != nil { return fmt.Errorf("tls(gnutls) module couldn't find binPath %v", err) } // initialize the bootstrap manager - if err = this.bpfManager.InitWithOptions(bytes.NewReader(byteBuf), this.bpfManagerOptions); err != nil { + if err = g.bpfManager.InitWithOptions(bytes.NewReader(byteBuf), g.bpfManagerOptions); err != nil { return fmt.Errorf("couldn't init manager %v", err) } // start the bootstrap manager - if err = this.bpfManager.Start(); err != nil { + if err = g.bpfManager.Start(); err != nil { return fmt.Errorf("couldn't start bootstrap manager %v", err) } // 加载map信息,map对应events 
decode表。 - err = this.initDecodeFun() + err = g.initDecodeFun() if err != nil { return err } @@ -90,38 +90,38 @@ func (this *MGnutlsProbe) start() error { return nil } -func (this *MGnutlsProbe) Close() error { - if err := this.bpfManager.Stop(manager.CleanAll); err != nil { +func (g *MGnutlsProbe) Close() error { + if err := g.bpfManager.Stop(manager.CleanAll); err != nil { return fmt.Errorf("couldn't stop manager %v", err) } - return this.Module.Close() + return g.Module.Close() } // 通过elf的常量替换方式传递数据 -func (this *MGnutlsProbe) constantEditor() []manager.ConstantEditor { +func (g *MGnutlsProbe) constantEditor() []manager.ConstantEditor { var editor = []manager.ConstantEditor{ { Name: "target_pid", - Value: uint64(this.conf.GetPid()), + Value: uint64(g.conf.GetPid()), //FailOnMissing: true, }, } - if this.conf.GetPid() <= 0 { - this.logger.Printf("%s\ttarget all process. \n", this.Name()) + if g.conf.GetPid() <= 0 { + g.logger.Printf("%s\ttarget all process. \n", g.Name()) } else { - this.logger.Printf("%s\ttarget PID:%d \n", this.Name(), this.conf.GetPid()) + g.logger.Printf("%s\ttarget PID:%d \n", g.Name(), g.conf.GetPid()) } return editor } -func (this *MGnutlsProbe) setupManagers() error { +func (g *MGnutlsProbe) setupManagers() error { var binaryPath string - switch this.conf.(*config.GnutlsConfig).ElfType { + switch g.conf.(*config.GnutlsConfig).ElfType { case config.ElfTypeBin: - binaryPath = this.conf.(*config.GnutlsConfig).Curlpath + binaryPath = g.conf.(*config.GnutlsConfig).Curlpath case config.ElfTypeSo: - binaryPath = this.conf.(*config.GnutlsConfig).Gnutls + binaryPath = g.conf.(*config.GnutlsConfig).Gnutls default: //如果没找到 binaryPath = "/lib/x86_64-linux-gnu/libgnutls.so.30" 
@@ -132,9 +132,9 @@ func (this *MGnutlsProbe) setupManagers() error { return err } - this.logger.Printf("%s\tHOOK type:%d, binrayPath:%s\n", this.Name(), this.conf.(*config.GnutlsConfig).ElfType, binaryPath) + g.logger.Printf("%s\tHOOK type:%d, binrayPath:%s\n", g.Name(), g.conf.(*config.GnutlsConfig).ElfType, binaryPath) - this.bpfManager = &manager.Manager{ + g.bpfManager = &manager.Manager{ Probes: []*manager.Probe{ { Section: "uprobe/gnutls_record_send", @@ -169,7 +169,7 @@ func (this *MGnutlsProbe) setupManagers() error { }, } - this.bpfManagerOptions = manager.Options{ + g.bpfManagerOptions = manager.Options{ DefaultKProbeMaxActive: 512, VerifierOptions: ebpf.CollectionOptions{ 
@@ -184,35 +184,35 @@ func (this *MGnutlsProbe) setupManagers() error { }, } - if this.conf.EnableGlobalVar() { + if g.conf.EnableGlobalVar() { // 填充 RewriteContants 对应map - this.bpfManagerOptions.ConstantEditors = this.constantEditor() + g.bpfManagerOptions.ConstantEditors = g.constantEditor() } return nil } -func (this *MGnutlsProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool) { - fun, found := this.eventFuncMaps[em] +func (g *MGnutlsProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool) { + fun, found := g.eventFuncMaps[em] return fun, found } -func (this *MGnutlsProbe) initDecodeFun() error { +func (g *MGnutlsProbe) initDecodeFun() error { //GnutlsEventsMap 与解码函数映射 - GnutlsEventsMap, found, err := this.bpfManager.GetMap("gnutls_events") + GnutlsEventsMap, found, err := g.bpfManager.GetMap("gnutls_events") if err != nil { return err } if !found { return errors.New("cant found map:gnutls_events") } - this.eventMaps = append(this.eventMaps, GnutlsEventsMap) - this.eventFuncMaps[GnutlsEventsMap] = &event.GnutlsDataEvent{} + g.eventMaps = append(g.eventMaps, GnutlsEventsMap) + g.eventFuncMaps[GnutlsEventsMap] = &event.GnutlsDataEvent{} return nil } -func (this *MGnutlsProbe) Events() []*ebpf.Map { - return this.eventMaps +func (g *MGnutlsProbe) Events() []*ebpf.Map { + return g.eventMaps } func init() { diff --git a/user/module/probe_gotls.go b/user/module/probe_gotls.go index e994fcf40..e6a548924 100644 --- a/user/module/probe_gotls.go +++ b/user/module/probe_gotls.go 
@@ -53,44 +53,44 @@ type GoTLSProbe struct { isRegisterABI bool } -func (this *GoTLSProbe) Init(ctx context.Context, l *log.Logger, cfg config.IConfig) error { - this.Module.Init(ctx, l, cfg) - this.conf = cfg - this.Module.SetChild(this) +func (g *GoTLSProbe) Init(ctx context.Context, l *log.Logger, cfg config.IConfig) error { + g.Module.Init(ctx, l, cfg) + g.conf = cfg + g.Module.SetChild(g) - this.eventMaps = make([]*ebpf.Map, 0, 2) - this.eventFuncMaps = make(map[*ebpf.Map]event.IEventStruct) + g.eventMaps = make([]*ebpf.Map, 0, 2) + g.eventFuncMaps = make(map[*ebpf.Map]event.IEventStruct) - this.masterSecrets = make(map[string]bool) - this.path = cfg.(*config.GoTLSConfig).Path - ver, err := proc.ExtraceGoVersion(this.path) + g.masterSecrets = make(map[string]bool) + g.path = cfg.(*config.GoTLSConfig).Path + ver, err := proc.ExtraceGoVersion(g.path) if err != nil { return fmt.Errorf("%s, error:%v", NotGoCompiledBin, err) } // supported at 1.17 via https://github.com/golang/go/issues/40724 if ver.After(1, 17) { - this.isRegisterABI = true + g.isRegisterABI = true } - this.keyloggerFilename = MasterSecretKeyLogName - file, err := os.OpenFile(this.keyloggerFilename, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0600) + g.keyloggerFilename = MasterSecretKeyLogName + file, err := os.OpenFile(g.keyloggerFilename, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0600) if err != nil { return err } - this.keylogger = file + g.keylogger = file - var writeFile = this.conf.(*config.GoTLSConfig).Write + var writeFile = g.conf.(*config.GoTLSConfig).Write if len(writeFile) > 0 { - this.eBPFProgramType = EbpfprogramtypeOpensslTc + g.eBPFProgramType = EbpfprogramtypeOpensslTc fileInfo, err := filepath.Abs(writeFile) if err != nil { return err } - this.pcapngFilename = fileInfo + g.pcapngFilename = fileInfo } else { - this.eBPFProgramType = EbpfprogramtypeOpensslUprobe - this.logger.Printf("%s\tmaster key keylogger: %s\n", this.Name(), this.keyloggerFilename) + g.eBPFProgramType = 
EbpfprogramtypeOpensslUprobe + g.logger.Printf("%s\tmaster key keylogger: %s\n", g.Name(), g.keyloggerFilename) } var ts unix.Timespec 
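Review bot: `Init` opens `MasterSecretKeyLogName` with `os.O_CREATE` and mode `0600`, but that mode applies only when the file is created; a key log that already exists keeps whatever permissions it had, and what the log line calls the master key keylogger then appends to it. The name is a constant whose value is not visible in this hunk, so if it is a relative path the file lands in whatever the working directory happens to be. Tightening after open covers the pre-existing-file case: `if err = file.Chmod(0600); err != nil { file.Close(); return err }`. The handle is also left open when the later `filepath.Abs` call fails, and the file is opened even when the pcapng branch is taken. `Init` continues past the end of this hunk.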
@@ -101,63 +101,63 @@ func (this *GoTLSProbe) Init(ctx context.Context, l *log.Logger, cfg config.ICon startTime := ts.Nano() bootTime := time.Now().UnixNano() - startTime - this.startTime = uint64(startTime) - this.bootTime = uint64(bootTime) + g.startTime = uint64(startTime) + g.bootTime = uint64(bootTime) - this.tcPackets = make([]*TcPacket, 0, 1024) - this.tcPacketLocker = &sync.Mutex{} - this.masterKeyBuffer = bytes.NewBuffer([]byte{}) + g.tcPackets = make([]*TcPacket, 0, 1024) + g.tcPacketLocker = &sync.Mutex{} + g.masterKeyBuffer = bytes.NewBuffer([]byte{}) return nil } -func (this *GoTLSProbe) Name() string { +func (g *GoTLSProbe) Name() string { return ModuleNameGotls } -func (this *GoTLSProbe) Start() error { - return this.start() +func (g *GoTLSProbe) Start() error { + return g.start() } -func (this *GoTLSProbe) start() error { +func (g *GoTLSProbe) start() error { var err error - switch this.eBPFProgramType { + switch g.eBPFProgramType { case EbpfprogramtypeOpensslTc: - this.logger.Printf("%s\tTC MODEL\n", this.Name()) - err = this.setupManagersTC() + g.logger.Printf("%s\tTC MODEL\n", g.Name()) + err = g.setupManagersTC() case EbpfprogramtypeOpensslUprobe: - this.logger.Printf("%s\tUPROBE MODEL\n", this.Name()) - err = this.setupManagersUprobe() + g.logger.Printf("%s\tUPROBE MODEL\n", g.Name()) + err = g.setupManagersUprobe() default: - this.logger.Printf("%s\tUPROBE MODEL\n", this.Name()) - err = this.setupManagersUprobe() + g.logger.Printf("%s\tUPROBE MODEL\n", g.Name()) + err = g.setupManagersUprobe() } if err != nil { return err } - var bpfFileName = this.geteBPFName("user/bytecode/gotls_kern.o") - this.logger.Printf("%s\tBPF bytecode filename:%s\n", this.Name(), bpfFileName) + var bpfFileName = g.geteBPFName("user/bytecode/gotls_kern.o") + g.logger.Printf("%s\tBPF bytecode filename:%s\n", g.Name(), bpfFileName) byteBuf, err := assets.Asset(bpfFileName) if err != nil { return err } - if err = this.bpfManager.InitWithOptions(bytes.NewReader(byteBuf), 
this.bpfManagerOptions); err != nil { + if err = g.bpfManager.InitWithOptions(bytes.NewReader(byteBuf), g.bpfManagerOptions); err != nil { return fmt.Errorf("couldn't init manager %v", err) } // start the bootstrap manager - if err = this.bpfManager.Start(); err != nil { + if err = g.bpfManager.Start(); err != nil { return fmt.Errorf("couldn't start bootstrap manager %v .", err) } // 加载map信息,map对应events decode表。 - switch this.eBPFProgramType { + switch g.eBPFProgramType { case EbpfprogramtypeOpensslTc: - err = this.initDecodeFunTC() + err = g.initDecodeFunTC() case EbpfprogramtypeOpensslUprobe: - err = this.initDecodeFun() + err = g.initDecodeFun() default: - err = this.initDecodeFun() + err = g.initDecodeFun() } if err != nil { return err @@ -165,13 +165,13 @@ func (this *GoTLSProbe) start() error { return nil } -func (this *GoTLSProbe) setupManagersUprobe() error { +func (g *GoTLSProbe) setupManagersUprobe() error { var ( sec, msSec, readSec string fn, msFn, readFn string ) - if this.isRegisterABI { + if g.isRegisterABI { sec = "uprobe/gotls_write_register" fn = "gotls_write_register" readSec = "uprobe/gotls_read_register" @@ -186,20 +186,20 @@ func (this *GoTLSProbe) setupManagersUprobe() error { msSec = "uprobe/gotls_mastersecret_stack" msFn = "gotls_mastersecret_stack" } - this.logger.Printf("%s\teBPF Function Name:%s, isRegisterABI:%t\n", this.Name(), fn, this.isRegisterABI) - this.bpfManager = &manager.Manager{ + g.logger.Printf("%s\teBPF Function Name:%s, isRegisterABI:%t\n", g.Name(), fn, g.isRegisterABI) + g.bpfManager = &manager.Manager{ Probes: []*manager.Probe{ { Section: sec, EbpfFuncName: fn, AttachToFuncName: goTlsWriteFunc, - BinaryPath: this.path, + BinaryPath: g.path, }, { Section: msSec, EbpfFuncName: msFn, AttachToFuncName: goTlsMasterSecretFunc, - BinaryPath: this.path, + BinaryPath: g.path, UID: "uprobe_gotls_master_secret", }, }, 
@@ -213,21 +213,21 @@ func (this *GoTLSProbe) setupManagersUprobe() error { }, } - readOffsets := this.conf.(*config.GoTLSConfig).ReadTlsAddrs - //this.bpfManager.Probes = []*manager.Probe{} + readOffsets := g.conf.(*config.GoTLSConfig).ReadTlsAddrs + //g.bpfManager.Probes = []*manager.Probe{} for _, v := range readOffsets { var uid = fmt.Sprintf("%s_%d", readFn, v) - this.logger.Printf("%s\tadd uretprobe function :%s, offset:0x%X\n", this.Name(), config.GoTlsReadFunc, v) - this.bpfManager.Probes = append(this.bpfManager.Probes, &manager.Probe{ + g.logger.Printf("%s\tadd uretprobe function :%s, offset:0x%X\n", g.Name(), config.GoTlsReadFunc, v) + g.bpfManager.Probes = append(g.bpfManager.Probes, &manager.Probe{ Section: readSec, EbpfFuncName: readFn, AttachToFuncName: config.GoTlsReadFunc, - BinaryPath: this.path, + BinaryPath: g.path, UprobeOffset: uint64(v), UID: uid, }) } - this.bpfManagerOptions = manager.Options{ + g.bpfManagerOptions = manager.Options{ DefaultKProbeMaxActive: 512, VerifierOptions: ebpf.CollectionOptions{ 
@@ -242,49 +242,49 @@ func (this *GoTLSProbe) setupManagersUprobe() error { }, } - if this.conf.EnableGlobalVar() { + if g.conf.EnableGlobalVar() { // 填充 RewriteContants 对应map - this.bpfManagerOptions.ConstantEditors = this.constantEditor() + g.bpfManagerOptions.ConstantEditors = g.constantEditor() } return nil } // 通过elf的常量替换方式传递数据 -func (this *GoTLSProbe) constantEditor() []manager.ConstantEditor { +func (g *GoTLSProbe) constantEditor() []manager.ConstantEditor { var editor = []manager.ConstantEditor{ { Name: "target_pid", - Value: uint64(this.conf.GetPid()), + Value: uint64(g.conf.GetPid()), //FailOnMissing: true, }, { Name: "target_uid", - Value: uint64(this.conf.GetUid()), + Value: uint64(g.conf.GetUid()), }, { Name: "target_port", - Value: uint64(this.conf.(*config.GoTLSConfig).Port), + Value: uint64(g.conf.(*config.GoTLSConfig).Port), }, } - if this.conf.GetPid() <= 0 { - this.logger.Printf("%s\ttarget all process. \n", this.Name()) + if g.conf.GetPid() <= 0 { + g.logger.Printf("%s\ttarget all process. \n", g.Name()) } else { - this.logger.Printf("%s\ttarget PID:%d \n", this.Name(), this.conf.GetPid()) + g.logger.Printf("%s\ttarget PID:%d \n", g.Name(), g.conf.GetPid()) } - if this.conf.GetUid() <= 0 { - this.logger.Printf("%s\ttarget all users. \n", this.Name()) + if g.conf.GetUid() <= 0 { + g.logger.Printf("%s\ttarget all users. \n", g.Name()) } else { - this.logger.Printf("%s\ttarget UID:%d \n", this.Name(), this.conf.GetUid()) + g.logger.Printf("%s\ttarget UID:%d \n", g.Name(), g.conf.GetUid()) } return editor } -func (this *GoTLSProbe) initDecodeFun() error { +func (g *GoTLSProbe) initDecodeFun() error { - m, found, err := this.bpfManager.GetMap("events") + m, found, err := g.bpfManager.GetMap("events") if err != nil { return err } 
@@ -292,57 +292,57 @@ func (this *GoTLSProbe) initDecodeFun() error { return errors.New("cant found map:tls_events") } - this.eventMaps = append(this.eventMaps, m) + g.eventMaps = append(g.eventMaps, m) gotlsEvent := &event.GoTLSEvent{} - //sslEvent.SetModule(this) - this.eventFuncMaps[m] = gotlsEvent + //sslEvent.SetModule(g) + g.eventFuncMaps[m] = gotlsEvent // master secrets map at ebpf code - MasterkeyEventsMap, found, err := this.bpfManager.GetMap("mastersecret_go_events") + MasterkeyEventsMap, found, err := g.bpfManager.GetMap("mastersecret_go_events") if err != nil { return err } if !found { return errors.New("cant found map:mastersecret_events") } - this.eventMaps = append(this.eventMaps, MasterkeyEventsMap) + g.eventMaps = append(g.eventMaps, MasterkeyEventsMap) var masterkeyEvent event.IEventStruct // goTLS Event struct masterkeyEvent = &event.MasterSecretGotlsEvent{} - this.eventFuncMaps[MasterkeyEventsMap] = masterkeyEvent + g.eventFuncMaps[MasterkeyEventsMap] = masterkeyEvent return nil } -func (this *GoTLSProbe) DecodeFun(m *ebpf.Map) (event.IEventStruct, bool) { - fun, found := this.eventFuncMaps[m] +func (g *GoTLSProbe) DecodeFun(m *ebpf.Map) (event.IEventStruct, bool) { + fun, found := g.eventFuncMaps[m] return fun, found } -func (this *GoTLSProbe) Close() error { +func (g *GoTLSProbe) Close() error { - if this.eBPFProgramType == EbpfprogramtypeOpensslTc { - this.logger.Printf("%s\tsaving pcapng file %s\n", this.Name(), this.pcapngFilename) - i, err := this.savePcapng() + if g.eBPFProgramType == EbpfprogramtypeOpensslTc { + g.logger.Printf("%s\tsaving pcapng file %s\n", g.Name(), g.pcapngFilename) + i, err := g.savePcapng() if err != nil { - this.logger.Printf("%s\tsave pcanNP failed, error:%v. \n", this.Name(), err) + g.logger.Printf("%s\tsave pcanNP failed, error:%v. 
\n", g.Name(), err) } if i == 0 { - this.logger.Printf("nothing captured, please check your network interface, see \"ecapture tls -h\" for more information.") + g.logger.Printf("nothing captured, please check your network interface, see \"ecapture tls -h\" for more information.") } else { - this.logger.Printf("%s\t save %d packets into pcapng file.\n", this.Name(), i) + g.logger.Printf("%s\t save %d packets into pcapng file.\n", g.Name(), i) } } - this.logger.Printf("%s\tclose. \n", this.Name()) - if err := this.bpfManager.Stop(manager.CleanAll); err != nil { + g.logger.Printf("%s\tclose. \n", g.Name()) + if err := g.bpfManager.Stop(manager.CleanAll); err != nil { return fmt.Errorf("couldn't stop manager %v .", err) } - return this.Module.Close() + return g.Module.Close() } -func (this *GoTLSProbe) saveMasterSecret(secretEvent *event.MasterSecretGotlsEvent) { +func (g *GoTLSProbe) saveMasterSecret(secretEvent *event.MasterSecretGotlsEvent) { var label, clientRandom, secret string label = string(secretEvent.Label[0:secretEvent.LabelLen]) clientRandom = string(secretEvent.ClientRandom[0:secretEvent.ClientRandomLen]) @@ -350,7 +350,7 @@ func (this *GoTLSProbe) saveMasterSecret(secretEvent *event.MasterSecretGotlsEve var k = fmt.Sprintf("%s-%02x", label, clientRandom) - _, f := this.masterSecrets[k] + _, f := g.masterSecrets[k] if f { // 已存在该随机数的masterSecret,不需要重复写入 return 
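Review bot: In saveMasterSecret, `secretEvent.Label[0:secretEvent.LabelLen]` and `secretEvent.ClientRandom[0:secretEvent.ClientRandomLen]` slice with lengths read from the event and never compare them with the size of the buffers. The struct is not shown here, but if these are fixed-size arrays filled from the eBPF side, a length larger than the array panics and takes the whole capture process down. A guard before the slices, such as `if int(secretEvent.LabelLen) > len(secretEvent.Label) || int(secretEvent.ClientRandomLen) > len(secretEvent.ClientRandom) { return }`, would drop the malformed event instead, ideally with a log line. The function body continues past the end of this hunk.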
@@ -360,30 +360,30 @@ func (this *GoTLSProbe) saveMasterSecret(secretEvent *event.MasterSecretGotlsEve // save to file var b string b = fmt.Sprintf("%s %02x %02x\n", label, clientRandom, secret) - l, e := this.keylogger.WriteString(b) + l, e := g.keylogger.WriteString(b) if e != nil { - this.logger.Fatalf("%s: save masterSecrets to file error:%s", secretEvent.String(), e.Error()) + g.logger.Fatalf("%s: save masterSecrets to file error:%s", secretEvent.String(), e.Error()) return } - this.logger.Printf("%s: save CLIENT_RANDOM %02x to file success, %d bytes", label, clientRandom, l) - e = this.savePcapngSslKeyLog([]byte(b)) + g.logger.Printf("%s: save CLIENT_RANDOM %02x to file success, %d bytes", label, clientRandom, l) + e = g.savePcapngSslKeyLog([]byte(b)) if e != nil { - this.logger.Fatalf("%s: save masterSecrets to pcapng error:%s", secretEvent.String(), e.Error()) + g.logger.Fatalf("%s: save masterSecrets to pcapng error:%s", secretEvent.String(), e.Error()) return } } -func (this *GoTLSProbe) Dispatcher(eventStruct event.IEventStruct) { +func (g *GoTLSProbe) Dispatcher(eventStruct event.IEventStruct) { // detect eventStruct type switch eventStruct.(type) { case *event.MasterSecretGotlsEvent: - this.saveMasterSecret(eventStruct.(*event.MasterSecretGotlsEvent)) + g.saveMasterSecret(eventStruct.(*event.MasterSecretGotlsEvent)) case *event.TcSkbEvent: - err := this.dumpTcSkb(eventStruct.(*event.TcSkbEvent)) + err := g.dumpTcSkb(eventStruct.(*event.TcSkbEvent)) if err != nil { - this.logger.Printf("%s\t save packet error %s .\n", this.Name(), err.Error()) + g.logger.Printf("%s\t save packet error %s .\n", g.Name(), err.Error()) } } - //this.logger.Println(eventStruct) + //g.logger.Println(eventStruct) } diff --git a/user/module/probe_gotls_tc.go b/user/module/probe_gotls_tc.go index fdea94132..5593128db 100644 --- a/user/module/probe_gotls_tc.go +++ b/user/module/probe_gotls_tc.go 
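Review bot: Both error paths in saveMasterSecret call `g.logger.Fatalf(...)`, which on a `*log.Logger` exits the process, so the `return` after each call is dead code and Close never runs. A single failed write to the key log or to the pcapng key block therefore skips `g.bpfManager.Stop(manager.CleanAll)` and `savePcapng`, presumably leaving probes attached and dropping the packets buffered so far. Log and return instead, for example `g.logger.Printf("%s: save masterSecrets to file error:%s", secretEvent.String(), e.Error())` followed by the existing `return`, and do the same for the pcapng branch. The start of the function is outside this hunk.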
@@ -26,12 +26,12 @@ import ( "net" ) -func (this *GoTLSProbe) setupManagersTC() error { +func (g *GoTLSProbe) setupManagersTC() error { var ifname string - ifname = this.conf.(*config.GoTLSConfig).Ifname - this.ifName = ifname - interf, err := net.InterfaceByName(this.ifName) + ifname = g.conf.(*config.GoTLSConfig).Ifname + g.ifName = ifname + interf, err := net.InterfaceByName(g.ifName) if err != nil { return err } @@ -40,13 +40,13 @@ func (this *GoTLSProbe) setupManagersTC() error { isNetIfaceLo := interf.Flags&net.FlagLoopback == net.FlagLoopback skipLoopback := true // TODO: detect loopback devices via aquasecrity/tracee/pkg/ebpf/probes/probe.go line 322 if isNetIfaceLo && skipLoopback { - return fmt.Errorf("%s\t%s is a loopback interface, skip it", this.Name(), this.ifName) + return fmt.Errorf("%s\t%s is a loopback interface, skip it", g.Name(), g.ifName) } - this.ifIdex = interf.Index + g.ifIdex = interf.Index - this.logger.Printf("%s\tHOOK type:golang elf, binrayPath:%s\n", this.Name(), this.path) - this.logger.Printf("%s\tIfname:%s, Ifindex:%d, Port:%d, Pcapng filepath:%s\n", this.Name(), this.ifName, this.ifIdex, this.conf.(*config.GoTLSConfig).Port, this.pcapngFilename) - this.logger.Printf("%s\tHook masterKey function:%s\n", this.Name(), goTlsMasterSecretFunc) + g.logger.Printf("%s\tHOOK type:golang elf, binrayPath:%s\n", g.Name(), g.path) + g.logger.Printf("%s\tIfname:%s, Ifindex:%d, Port:%d, Pcapng filepath:%s\n", g.Name(), g.ifName, g.ifIdex, g.conf.(*config.GoTLSConfig).Port, g.pcapngFilename) + g.logger.Printf("%s\tHook masterKey function:%s\n", g.Name(), goTlsMasterSecretFunc) // create pcapng writer netIfs, err := net.Interfaces() @@ -54,7 +54,7 @@ func (this *GoTLSProbe) setupManagersTC() error { return err } - err = this.createPcapng(netIfs) + err = g.createPcapng(netIfs) if err != nil { return err } 
@@ -64,7 +64,7 @@ func (this *GoTLSProbe) setupManagersTC() error { fn string ) - if this.isRegisterABI { + if g.isRegisterABI { sec = "uprobe/gotls_mastersecret_register" fn = "gotls_mastersecret_register" } else { @@ -72,18 +72,18 @@ func (this *GoTLSProbe) setupManagersTC() error { fn = "gotls_mastersecret_stack" } - this.bpfManager = &manager.Manager{ + g.bpfManager = &manager.Manager{ Probes: []*manager.Probe{ { Section: "classifier/egress", EbpfFuncName: "egress_cls_func", - Ifname: this.ifName, + Ifname: g.ifName, NetworkDirection: manager.Egress, }, { Section: "classifier/ingress", EbpfFuncName: "ingress_cls_func", - Ifname: this.ifName, + Ifname: g.ifName, NetworkDirection: manager.Ingress, }, // -------------------------------------------------- @@ -93,7 +93,7 @@ func (this *GoTLSProbe) setupManagersTC() error { Section: sec, EbpfFuncName: fn, AttachToFuncName: goTlsMasterSecretFunc, - BinaryPath: this.path, + BinaryPath: g.path, UID: "uprobe_gotls_master_secret", }, }, @@ -108,7 +108,7 @@ func (this *GoTLSProbe) setupManagersTC() error { }, } - this.bpfManagerOptions = manager.Options{ + g.bpfManagerOptions = manager.Options{ DefaultKProbeMaxActive: 512, VerifierOptions: ebpf.CollectionOptions{ 
@@ -123,46 +123,46 @@ func (this *GoTLSProbe) setupManagersTC() error { }, } - if this.conf.EnableGlobalVar() { + if g.conf.EnableGlobalVar() { // 填充 RewriteContants 对应map - this.bpfManagerOptions.ConstantEditors = this.constantEditor() + g.bpfManagerOptions.ConstantEditors = g.constantEditor() } return nil } -func (this *GoTLSProbe) initDecodeFunTC() error { +func (g *GoTLSProbe) initDecodeFunTC() error { //SkbEventsMap 与解码函数映射 - SkbEventsMap, found, err := this.bpfManager.GetMap("skb_events") + SkbEventsMap, found, err := g.bpfManager.GetMap("skb_events") if err != nil { return err } if !found { return errors.New("cant found map:skb_events") } - this.eventMaps = append(this.eventMaps, SkbEventsMap) + g.eventMaps = append(g.eventMaps, SkbEventsMap) sslEvent := &event.TcSkbEvent{} - //sslEvent.SetModule(this) - this.eventFuncMaps[SkbEventsMap] = sslEvent + //sslEvent.SetModule(g) + g.eventFuncMaps[SkbEventsMap] = sslEvent // master secrets map at ebpf code - MasterkeyEventsMap, found, err := this.bpfManager.GetMap("mastersecret_go_events") + MasterkeyEventsMap, found, err := g.bpfManager.GetMap("mastersecret_go_events") if err != nil { return err } if !found { return errors.New("cant found map:mastersecret_events") } - this.eventMaps = append(this.eventMaps, MasterkeyEventsMap) + g.eventMaps = append(g.eventMaps, MasterkeyEventsMap) var masterkeyEvent event.IEventStruct // goTLS Event struct masterkeyEvent = &event.MasterSecretGotlsEvent{} - this.eventFuncMaps[MasterkeyEventsMap] = masterkeyEvent + g.eventFuncMaps[MasterkeyEventsMap] = masterkeyEvent return nil } -func (this *GoTLSProbe) Events() []*ebpf.Map { - return this.eventMaps +func (g *GoTLSProbe) Events() []*ebpf.Map { + return g.eventMaps } diff --git a/user/module/probe_mysqld.go b/user/module/probe_mysqld.go index 8aa45b499..83c163a3f 100644 --- a/user/module/probe_mysqld.go +++ b/user/module/probe_mysqld.go 
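Review bot: In initDecodeFunTC the lookup is `GetMap("mastersecret_go_events")`, but the not-found error says `cant found map:mastersecret_events`, a map name this probe never requests. initDecodeFun in probe_gotls.go has the same mismatch, and there `GetMap("events")` is also reported as `cant found map:tls_events`. When the bytecode and the loader disagree, these messages send the reader looking for the wrong map. Suggest `errors.New("cant found map:mastersecret_go_events")` here and in probe_gotls.go, and `errors.New("cant found map:events")` for the uprobe event map.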
@@ -42,50 +42,50 @@ type MMysqldProbe struct { } // 对象初始化 -func (this *MMysqldProbe) Init(ctx context.Context, logger *log.Logger, conf config.IConfig) error { - this.Module.Init(ctx, logger, conf) - this.conf = conf - this.Module.SetChild(this) - this.eventMaps = make([]*ebpf.Map, 0, 2) - this.eventFuncMaps = make(map[*ebpf.Map]event.IEventStruct) +func (m *MMysqldProbe) Init(ctx context.Context, logger *log.Logger, conf config.IConfig) error { + m.Module.Init(ctx, logger, conf) + m.conf = conf + m.Module.SetChild(m) + m.eventMaps = make([]*ebpf.Map, 0, 2) + m.eventFuncMaps = make(map[*ebpf.Map]event.IEventStruct) return nil } -func (this *MMysqldProbe) Start() error { - if err := this.start(); err != nil { +func (m *MMysqldProbe) Start() error { + if err := m.start(); err != nil { return err } return nil } -func (this *MMysqldProbe) start() error { +func (m *MMysqldProbe) start() error { // fetch ebpf assets - var bpfFileName = this.geteBPFName("user/bytecode/mysqld_kern.o") - this.logger.Printf("%s\tBPF bytecode filename:%s\n", this.Name(), bpfFileName) + var bpfFileName = m.geteBPFName("user/bytecode/mysqld_kern.o") + m.logger.Printf("%s\tBPF bytecode filename:%s\n", m.Name(), bpfFileName) byteBuf, err := assets.Asset(bpfFileName) if err != nil { return fmt.Errorf("couldn't find asset %v.", err) } // setup the managers - err = this.setupManagers() + err = m.setupManagers() if err != nil { return fmt.Errorf("mysqld module couldn't find binPath %v.", err) } // initialize the bootstrap manager - if err = this.bpfManager.InitWithOptions(bytes.NewReader(byteBuf), this.bpfManagerOptions); err != nil { + if err = m.bpfManager.InitWithOptions(bytes.NewReader(byteBuf), m.bpfManagerOptions); err != nil { return fmt.Errorf("couldn't init manager %v", err) } // start the bootstrap manager - if err = this.bpfManager.Start(); err != nil { + if err = m.bpfManager.Start(); err != nil { return fmt.Errorf("couldn't start bootstrap manager %v", err) } // 加载map信息,map对应events 
decode表。 - err = this.initDecodeFun() + err = m.initDecodeFun() if err != nil { return err } @@ -93,18 +93,18 @@ func (this *MMysqldProbe) start() error { return nil } -func (this *MMysqldProbe) Close() error { - if err := this.bpfManager.Stop(manager.CleanAll); err != nil { +func (m *MMysqldProbe) Close() error { + if err := m.bpfManager.Stop(manager.CleanAll); err != nil { return fmt.Errorf("couldn't stop manager %v", err) } - return this.Module.Close() + return m.Module.Close() } -func (this *MMysqldProbe) setupManagers() error { +func (m *MMysqldProbe) setupManagers() error { var binaryPath string - switch this.conf.(*config.MysqldConfig).ElfType { + switch m.conf.(*config.MysqldConfig).ElfType { case config.ElfTypeBin: - binaryPath = this.conf.(*config.MysqldConfig).Mysqldpath + binaryPath = m.conf.(*config.MysqldConfig).Mysqldpath default: //如果没找到 binaryPath = "/usr/sbin/mariadbd" @@ -114,10 +114,10 @@ func (this *MMysqldProbe) setupManagers() error { if err != nil { return err } - attachFunc := this.conf.(*config.MysqldConfig).FuncName - offset := this.conf.(*config.MysqldConfig).Offset - version := this.conf.(*config.MysqldConfig).Version - versionInfo := this.conf.(*config.MysqldConfig).VersionInfo + attachFunc := m.conf.(*config.MysqldConfig).FuncName + offset := m.conf.(*config.MysqldConfig).Offset + version := m.conf.(*config.MysqldConfig).Version + versionInfo := m.conf.(*config.MysqldConfig).VersionInfo // mariadbd version : 10.5.13-MariaDB-0ubuntu0.21.04.1 // objdump -T /usr/sbin/mariadbd |grep dispatch_command @@ -178,7 +178,7 @@ func (this *MMysqldProbe) setupManagers() error { } } - this.bpfManager = &manager.Manager{ + m.bpfManager = &manager.Manager{ Probes: probes, Maps: []*manager.Map{ { 
@@ -187,9 +187,9 @@ func (this *MMysqldProbe) setupManagers() error { }, } - this.logger.Printf("%s\tMysql Version:%s, binrayPath:%s, FunctionName:%s ,UprobeOffset:%d\n", this.Name(), versionInfo, binaryPath, attachFunc, offset) + m.logger.Printf("%s\tMysql Version:%s, binrayPath:%s, FunctionName:%s ,UprobeOffset:%d\n", m.Name(), versionInfo, binaryPath, attachFunc, offset) - this.bpfManagerOptions = manager.Options{ + m.bpfManagerOptions = manager.Options{ DefaultKProbeMaxActive: 512, VerifierOptions: ebpf.CollectionOptions{ @@ -206,28 +206,28 @@ func (this *MMysqldProbe) setupManagers() error { return nil } -func (this *MMysqldProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool) { - fun, found := this.eventFuncMaps[em] +func (m *MMysqldProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool) { + fun, found := m.eventFuncMaps[em] return fun, found } -func (this *MMysqldProbe) initDecodeFun() error { +func (m *MMysqldProbe) initDecodeFun() error { // mysqldEventsMap 与解码函数映射 - mysqldEventsMap, found, err := this.bpfManager.GetMap("events") + mysqldEventsMap, found, err := m.bpfManager.GetMap("events") if err != nil { return err } if !found { return errors.New("cant found map:events") } - this.eventMaps = append(this.eventMaps, mysqldEventsMap) - this.eventFuncMaps[mysqldEventsMap] = &event.MysqldEvent{} + m.eventMaps = append(m.eventMaps, mysqldEventsMap) + m.eventFuncMaps[mysqldEventsMap] = &event.MysqldEvent{} return nil } -func (this *MMysqldProbe) Events() []*ebpf.Map { - return this.eventMaps +func (m *MMysqldProbe) Events() []*ebpf.Map { + return m.eventMaps } func init() { diff --git a/user/module/probe_nspr.go b/user/module/probe_nspr.go index 0e584855f..a9af7fbf1 100644 --- a/user/module/probe_nspr.go +++ b/user/module/probe_nspr.go 
@@ -39,50 +39,50 @@ type MNsprProbe struct { } // 对象初始化 -func (this *MNsprProbe) Init(ctx context.Context, logger *log.Logger, conf config.IConfig) error { - this.Module.Init(ctx, logger, conf) - this.conf = conf - this.Module.SetChild(this) - this.eventMaps = make([]*ebpf.Map, 0, 2) - this.eventFuncMaps = make(map[*ebpf.Map]event.IEventStruct) +func (n *MNsprProbe) Init(ctx context.Context, logger *log.Logger, conf config.IConfig) error { + n.Module.Init(ctx, logger, conf) + n.conf = conf + n.Module.SetChild(n) + n.eventMaps = make([]*ebpf.Map, 0, 2) + n.eventFuncMaps = make(map[*ebpf.Map]event.IEventStruct) return nil } -func (this *MNsprProbe) Start() error { - if err := this.start(); err != nil { +func (n *MNsprProbe) Start() error { + if err := n.start(); err != nil { return err } return nil } -func (this *MNsprProbe) start() error { +func (n *MNsprProbe) start() error { // fetch ebpf assets - var bpfFileName = this.geteBPFName("user/bytecode/nspr_kern.o") - this.logger.Printf("%s\tBPF bytecode filename:%s\n", this.Name(), bpfFileName) + var bpfFileName = n.geteBPFName("user/bytecode/nspr_kern.o") + n.logger.Printf("%s\tBPF bytecode filename:%s\n", n.Name(), bpfFileName) byteBuf, err := assets.Asset(bpfFileName) if err != nil { return fmt.Errorf("couldn't find asset %v .", err) } // setup the managers - err = this.setupManagers() + err = n.setupManagers() if err != nil { return fmt.Errorf("tls module couldn't find binPath %v ", err) } // initialize the bootstrap manager - if err = this.bpfManager.InitWithOptions(bytes.NewReader(byteBuf), this.bpfManagerOptions); err != nil { + if err = n.bpfManager.InitWithOptions(bytes.NewReader(byteBuf), n.bpfManagerOptions); err != nil { return fmt.Errorf("couldn't init manager %v ", err) } // start the bootstrap manager - if err := this.bpfManager.Start(); err != nil { + if err := n.bpfManager.Start(); err != nil { return fmt.Errorf("couldn't start bootstrap manager %v ", err) } // 加载map信息,map对应events decode表。 - err = 
this.initDecodeFun() + err = n.initDecodeFun() if err != nil { return err } @@ -90,37 +90,37 @@ func (this *MNsprProbe) start() error { return nil } -func (this *MNsprProbe) Close() error { - if err := this.bpfManager.Stop(manager.CleanAll); err != nil { +func (n *MNsprProbe) Close() error { + if err := n.bpfManager.Stop(manager.CleanAll); err != nil { return fmt.Errorf("couldn't stop manager %v ", err) } - return this.Module.Close() + return n.Module.Close() } // 通过elf的常量替换方式传递数据 -func (this *MNsprProbe) constantEditor() []manager.ConstantEditor { +func (n *MNsprProbe) constantEditor() []manager.ConstantEditor { var editor = []manager.ConstantEditor{ { Name: "target_pid", - Value: uint64(this.conf.GetPid()), + Value: uint64(n.conf.GetPid()), }, } - if this.conf.GetPid() <= 0 { - this.logger.Printf("%s\ttarget all process. \n", this.Name()) + if n.conf.GetPid() <= 0 { + n.logger.Printf("%s\ttarget all process. \n", n.Name()) } else { - this.logger.Printf("%s\ttarget PID:%d \n", this.Name(), this.conf.GetPid()) + n.logger.Printf("%s\ttarget PID:%d \n", n.Name(), n.conf.GetPid()) } return editor } -func (this *MNsprProbe) setupManagers() error { +func (n *MNsprProbe) setupManagers() error { var binaryPath string - switch this.conf.(*config.NsprConfig).ElfType { + switch n.conf.(*config.NsprConfig).ElfType { case config.ElfTypeBin: - binaryPath = this.conf.(*config.NsprConfig).Firefoxpath + binaryPath = n.conf.(*config.NsprConfig).Firefoxpath case config.ElfTypeSo: - binaryPath = this.conf.(*config.NsprConfig).Nsprpath + binaryPath = n.conf.(*config.NsprConfig).Nsprpath default: //如果没找到 binaryPath = "/lib/x86_64-linux-gnu/libnspr4.so" 
@@ -131,9 +131,9 @@ func (this *MNsprProbe) setupManagers() error { return err } - this.logger.Printf("%s\tHOOK type:%d, binrayPath:%s\n", this.Name(), this.conf.(*config.NsprConfig).ElfType, binaryPath) + n.logger.Printf("%s\tHOOK type:%d, binrayPath:%s\n", n.Name(), n.conf.(*config.NsprConfig).ElfType, binaryPath) - this.bpfManager = &manager.Manager{ + n.bpfManager = &manager.Manager{ Probes: []*manager.Probe{ { Section: "uprobe/PR_Write", @@ -203,7 +203,7 @@ func (this *MNsprProbe) setupManagers() error { }, } - this.bpfManagerOptions = manager.Options{ + n.bpfManagerOptions = manager.Options{ DefaultKProbeMaxActive: 512, VerifierOptions: ebpf.CollectionOptions{ @@ -218,35 +218,35 @@ func (this *MNsprProbe) setupManagers() error { }, } - if this.conf.EnableGlobalVar() { + if n.conf.EnableGlobalVar() { // 填充 RewriteContants 对应map - this.bpfManagerOptions.ConstantEditors = this.constantEditor() + n.bpfManagerOptions.ConstantEditors = n.constantEditor() } return nil } -func (this *MNsprProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool) { - fun, found := this.eventFuncMaps[em] +func (n *MNsprProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool) { + fun, found := n.eventFuncMaps[em] return fun, found } -func (this *MNsprProbe) initDecodeFun() error { +func (n *MNsprProbe) initDecodeFun() error { // NsprEventsMap 与解码函数映射 - NsprEventsMap, found, err := this.bpfManager.GetMap("nspr_events") + NsprEventsMap, found, err := n.bpfManager.GetMap("nspr_events") if err != nil { return err } if !found { return errors.New("cant found map:nspr_events") } - this.eventMaps = append(this.eventMaps, NsprEventsMap) - this.eventFuncMaps[NsprEventsMap] = &event.NsprDataEvent{} + n.eventMaps = append(n.eventMaps, NsprEventsMap) + n.eventFuncMaps[NsprEventsMap] = &event.NsprDataEvent{} return nil } -func (this *MNsprProbe) Events() []*ebpf.Map { - return this.eventMaps +func (n *MNsprProbe) Events() []*ebpf.Map { + return n.eventMaps } func init() { 
diff --git a/user/module/probe_openssl.go b/user/module/probe_openssl.go index 268233d37..8b1507c14 100644 --- a/user/module/probe_openssl.go +++ b/user/module/probe_openssl.go 
@@ -78,34 +78,34 @@ type MOpenSSLProbe struct { } // 对象初始化 -func (this *MOpenSSLProbe) Init(ctx context.Context, logger *log.Logger, conf config.IConfig) error { - this.Module.Init(ctx, logger, conf) - this.conf = conf - this.Module.SetChild(this) - this.eventMaps = make([]*ebpf.Map, 0, 2) - this.eventFuncMaps = make(map[*ebpf.Map]event.IEventStruct) - //this.pidConns = make(map[uint32]map[uint32]string) - this.masterKeys = make(map[string]bool) - this.sslVersionBpfMap = make(map[string]string) +func (m *MOpenSSLProbe) Init(ctx context.Context, logger *log.Logger, conf config.IConfig) error { + m.Module.Init(ctx, logger, conf) + m.conf = conf + m.Module.SetChild(m) + m.eventMaps = make([]*ebpf.Map, 0, 2) + m.eventFuncMaps = make(map[*ebpf.Map]event.IEventStruct) + //m.pidConns = make(map[uint32]map[uint32]string) + m.masterKeys = make(map[string]bool) + m.sslVersionBpfMap = make(map[string]string) //fd := os.Getpid() - this.keyloggerFilename = MasterSecretKeyLogName - file, err := os.OpenFile(this.keyloggerFilename, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0600) + m.keyloggerFilename = MasterSecretKeyLogName + file, err := os.OpenFile(m.keyloggerFilename, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0600) if err != nil { return err } - this.keylogger = file - var writeFile = this.conf.(*config.OpensslConfig).Write + m.keylogger = file + var writeFile = m.conf.(*config.OpensslConfig).Write if len(writeFile) > 0 { - this.eBPFProgramType = EbpfprogramtypeOpensslTc + m.eBPFProgramType = EbpfprogramtypeOpensslTc fileInfo, err := filepath.Abs(writeFile) if err != nil { return err } - this.pcapngFilename = fileInfo + m.pcapngFilename = fileInfo } else { - this.eBPFProgramType = EbpfprogramtypeOpensslUprobe - this.logger.Printf("%s\tmaster key keylogger: %s\n", this.Name(), this.keyloggerFilename) + m.eBPFProgramType = EbpfprogramtypeOpensslUprobe + m.logger.Printf("%s\tmaster key keylogger: %s\n", m.Name(), m.keyloggerFilename) } var ts unix.Timespec 
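Review bot: The key log opened in Init with `os.OpenFile(m.keyloggerFilename, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0600)` gets mode 0600 only when this call creates it. An existing file keeps its permissions and a symlink at that path is followed, so TLS master secrets can end up readable by other users or appended to an unintended file. Where MasterSecretKeyLogName points is not visible in this hunk, but loading eBPF programs usually needs elevated privileges, so the open should be stricter. Add `unix.O_NOFOLLOW` to the flags (the `unix` package is already used in this function) and check the mode via `file.Stat()` before the first write. Init's body continues in the next hunk.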
@@ -114,66 +114,66 @@ func (this *MOpenSSLProbe) Init(ctx context.Context, logger *log.Logger, conf co return err } startTime := ts.Nano() - // Calculate the boot time using the monotonic time (since this is the clock we're using as a timestamp) - // Note: this is NOT the real boot time, as the monotonic clock doesn't take into account system sleeps. + // Calculate the boot time using the monotonic time (since m is the clock we're using as a timestamp) + // Note: m is NOT the real boot time, as the monotonic clock doesn't take into account system sleeps. bootTime := time.Now().UnixNano() - startTime - this.startTime = uint64(startTime) - this.bootTime = uint64(bootTime) + m.startTime = uint64(startTime) + m.bootTime = uint64(bootTime) - this.tcPackets = make([]*TcPacket, 0, 1024) - this.tcPacketLocker = &sync.Mutex{} - this.masterKeyBuffer = bytes.NewBuffer([]byte{}) + m.tcPackets = make([]*TcPacket, 0, 1024) + m.tcPacketLocker = &sync.Mutex{} + m.masterKeyBuffer = bytes.NewBuffer([]byte{}) - this.initOpensslOffset() + m.initOpensslOffset() return nil } // getSslBpfFile 根据sslVersion参数,获取对应的bpf文件 -func (this *MOpenSSLProbe) getSslBpfFile(soPath, sslVersion string) error { +func (m *MOpenSSLProbe) getSslBpfFile(soPath, sslVersion string) error { defer func() { - if strings.Contains(this.sslBpfFile, "boringssl") { - this.isBoringSSL = true - this.masterHookFunc = MasterKeyHookFuncBoringSSL + if strings.Contains(m.sslBpfFile, "boringssl") { + m.isBoringSSL = true + m.masterHookFunc = MasterKeyHookFuncBoringSSL } else { - this.masterHookFunc = MasterKeyHookFuncOpenSSL + m.masterHookFunc = MasterKeyHookFuncOpenSSL } }() if sslVersion != "" { - this.logger.Printf("%s\tOpenSSL/BoringSSL version: %s\n", this.Name(), sslVersion) - bpfFile, found := this.sslVersionBpfMap[sslVersion] + m.logger.Printf("%s\tOpenSSL/BoringSSL version: %s\n", m.Name(), sslVersion) + bpfFile, found := m.sslVersionBpfMap[sslVersion] if found { - this.sslBpfFile = bpfFile + m.sslBpfFile = bpfFile 
return nil } else { - this.logger.Printf("%s\tCan't found OpenSSL/BoringSSL bpf bytecode file. auto detected.\n", this.Name()) + m.logger.Printf("%s\tCan't found OpenSSL/BoringSSL bpf bytecode file. auto detected.\n", m.Name()) } } // 未找到对应的bpf文件,尝试从so文件中获取 - err := this.detectOpenssl(soPath) + err := m.detectOpenssl(soPath) return err } -func (this *MOpenSSLProbe) Start() error { - return this.start() +func (m *MOpenSSLProbe) Start() error { + return m.start() } -func (this *MOpenSSLProbe) start() error { +func (m *MOpenSSLProbe) start() error { var err error // setup the managers - switch this.eBPFProgramType { + switch m.eBPFProgramType { case EbpfprogramtypeOpensslTc: - this.logger.Printf("%s\tTC MODEL\n", this.Name()) - err = this.setupManagersTC() + m.logger.Printf("%s\tTC MODEL\n", m.Name()) + err = m.setupManagersTC() case EbpfprogramtypeOpensslUprobe: - this.logger.Printf("%s\tUPROBE MODEL\n", this.Name()) - err = this.setupManagersUprobe() + m.logger.Printf("%s\tUPROBE MODEL\n", m.Name()) + err = m.setupManagersUprobe() default: - this.logger.Printf("%s\tUPROBE MODEL\n", this.Name()) - err = this.setupManagersUprobe() + m.logger.Printf("%s\tUPROBE MODEL\n", m.Name()) + err = m.setupManagersUprobe() } if err != nil { return err 
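Review bot: The receiver rename also rewrote the word "this" inside two prose comments in Init, which now read `since m is the clock we're using as a timestamp` and `Note: m is NOT the real boot time`. Neither sentence refers to the receiver, so both should go back to `since this is the clock we're using as a timestamp` and `Note: this is NOT the real boot time, ...`. The second comment matters because it explains why `bootTime` is only an approximation. Init begins in the previous hunk, and the same search-and-replace may have touched comments in files outside this view.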
@@ -181,32 +181,32 @@ func (this *MOpenSSLProbe) start() error { // fetch ebpf assets // user/bytecode/openssl_kern.o - var bpfFileName = this.geteBPFName(filepath.Join("user/bytecode", this.sslBpfFile)) - this.logger.Printf("%s\tBPF bytecode filename:%s\n", this.Name(), bpfFileName) + var bpfFileName = m.geteBPFName(filepath.Join("user/bytecode", m.sslBpfFile)) + m.logger.Printf("%s\tBPF bytecode filename:%s\n", m.Name(), bpfFileName) byteBuf, err := assets.Asset(bpfFileName) if err != nil { - return fmt.Errorf("%s\tcouldn't find asset %v .", this.Name(), err) + return fmt.Errorf("%s\tcouldn't find asset %v .", m.Name(), err) } // initialize the bootstrap manager - if err = this.bpfManager.InitWithOptions(bytes.NewReader(byteBuf), this.bpfManagerOptions); err != nil { + if err = m.bpfManager.InitWithOptions(bytes.NewReader(byteBuf), m.bpfManagerOptions); err != nil { return fmt.Errorf("couldn't init manager %v", err) } // start the bootstrap manager - if err = this.bpfManager.Start(); err != nil { + if err = m.bpfManager.Start(); err != nil { return fmt.Errorf("couldn't start bootstrap manager %v .", err) } // 加载map信息,map对应events decode表。 - switch this.eBPFProgramType { + switch m.eBPFProgramType { case EbpfprogramtypeOpensslTc: - err = this.initDecodeFunTC() + err = m.initDecodeFunTC() case EbpfprogramtypeOpensslUprobe: - err = this.initDecodeFun() + err = m.initDecodeFun() default: - err = this.initDecodeFun() + err = m.initDecodeFun() } if err != nil { return err 
@@ -215,77 +215,77 @@ func (this *MOpenSSLProbe) start() error { return nil } -func (this *MOpenSSLProbe) Close() error { - if this.eBPFProgramType == EbpfprogramtypeOpensslTc { - this.logger.Printf("%s\tsaving pcapng file %s\n", this.Name(), this.pcapngFilename) - i, err := this.savePcapng() +func (m *MOpenSSLProbe) Close() error { + if m.eBPFProgramType == EbpfprogramtypeOpensslTc { + m.logger.Printf("%s\tsaving pcapng file %s\n", m.Name(), m.pcapngFilename) + i, err := m.savePcapng() if err != nil { - this.logger.Printf("%s\tsave pcanNP failed, error:%v. \n", this.Name(), err) + m.logger.Printf("%s\tsave pcanNP failed, error:%v. \n", m.Name(), err) } if i == 0 { - this.logger.Printf("nothing captured, please check your network interface, see \"ecapture tls -h\" for more information.") + m.logger.Printf("nothing captured, please check your network interface, see \"ecapture tls -h\" for more information.") } else { - this.logger.Printf("%s\t save %d packets into pcapng file.\n", this.Name(), i) + m.logger.Printf("%s\t save %d packets into pcapng file.\n", m.Name(), i) } } - this.logger.Printf("%s\tclose. \n", this.Name()) - if err := this.bpfManager.Stop(manager.CleanAll); err != nil { + m.logger.Printf("%s\tclose. 
\n", m.Name()) + if err := m.bpfManager.Stop(manager.CleanAll); err != nil { return fmt.Errorf("couldn't stop manager %v .", err) } - return this.Module.Close() + return m.Module.Close() } // 通过elf的常量替换方式传递数据 -func (this *MOpenSSLProbe) constantEditor() []manager.ConstantEditor { +func (m *MOpenSSLProbe) constantEditor() []manager.ConstantEditor { var editor = []manager.ConstantEditor{ { Name: "target_pid", - Value: uint64(this.conf.GetPid()), + Value: uint64(m.conf.GetPid()), //FailOnMissing: true, }, { Name: "target_uid", - Value: uint64(this.conf.GetUid()), + Value: uint64(m.conf.GetUid()), }, { Name: "target_port", - Value: uint64(this.conf.(*config.OpensslConfig).Port), + Value: uint64(m.conf.(*config.OpensslConfig).Port), }, } - if this.conf.GetPid() <= 0 { - this.logger.Printf("%s\ttarget all process. \n", this.Name()) + if m.conf.GetPid() <= 0 { + m.logger.Printf("%s\ttarget all process. \n", m.Name()) } else { - this.logger.Printf("%s\ttarget PID:%d \n", this.Name(), this.conf.GetPid()) + m.logger.Printf("%s\ttarget PID:%d \n", m.Name(), m.conf.GetPid()) } - if this.conf.GetUid() <= 0 { - this.logger.Printf("%s\ttarget all users. \n", this.Name()) + if m.conf.GetUid() <= 0 { + m.logger.Printf("%s\ttarget all users. 
\n", m.Name()) } else { - this.logger.Printf("%s\ttarget UID:%d \n", this.Name(), this.conf.GetUid()) + m.logger.Printf("%s\ttarget UID:%d \n", m.Name(), m.conf.GetUid()) } return editor } -func (this *MOpenSSLProbe) setupManagersUprobe() error { +func (m *MOpenSSLProbe) setupManagersUprobe() error { var binaryPath, sslVersion string - sslVersion = this.conf.(*config.OpensslConfig).SslVersion + sslVersion = m.conf.(*config.OpensslConfig).SslVersion sslVersion = strings.ToLower(sslVersion) - switch this.conf.(*config.OpensslConfig).ElfType { + switch m.conf.(*config.OpensslConfig).ElfType { case config.ElfTypeBin: - binaryPath = this.conf.(*config.OpensslConfig).Curlpath + binaryPath = m.conf.(*config.OpensslConfig).Curlpath case config.ElfTypeSo: - binaryPath = this.conf.(*config.OpensslConfig).Openssl - err := this.getSslBpfFile(binaryPath, sslVersion) + binaryPath = m.conf.(*config.OpensslConfig).Openssl + err := m.getSslBpfFile(binaryPath, sslVersion) if err != nil { return err } default: //如果没找到 binaryPath = "/lib/x86_64-linux-gnu/libssl.so.1.1" - err := this.getSslBpfFile(binaryPath, sslVersion) + err := m.getSslBpfFile(binaryPath, sslVersion) if err != nil { return err } @@ -296,10 +296,10 @@ func (this *MOpenSSLProbe) setupManagersUprobe() error { return err } - this.logger.Printf("%s\tHOOK type:%d, binrayPath:%s\n", this.Name(), this.conf.(*config.OpensslConfig).ElfType, binaryPath) - this.logger.Printf("%s\tHook masterKey function:%s\n", this.Name(), this.masterHookFunc) + m.logger.Printf("%s\tHOOK type:%d, binrayPath:%s\n", m.Name(), m.conf.(*config.OpensslConfig).ElfType, binaryPath) + m.logger.Printf("%s\tHook masterKey function:%s\n", m.Name(), m.masterHookFunc) - this.bpfManager = &manager.Manager{ + m.bpfManager = &manager.Manager{ Probes: []*manager.Probe{ { 
@@ -342,7 +342,7 @@ func (this *MOpenSSLProbe) setupManagersUprobe() error { { Section: "uprobe/SSL_write_key", EbpfFuncName: "probe_ssl_master_key", - AttachToFuncName: this.masterHookFunc, + AttachToFuncName: m.masterHookFunc, BinaryPath: binaryPath, UID: "uprobe_ssl_master_key", }, @@ -361,7 +361,7 @@ func (this *MOpenSSLProbe) setupManagersUprobe() error { }, } - this.bpfManagerOptions = manager.Options{ + m.bpfManagerOptions = manager.Options{ DefaultKProbeMaxActive: 512, VerifierOptions: ebpf.CollectionOptions{ 
@@ -376,80 +376,80 @@ func (this *MOpenSSLProbe) setupManagersUprobe() error { }, } - if this.conf.EnableGlobalVar() { + if m.conf.EnableGlobalVar() { // 填充 RewriteContants 对应map - this.bpfManagerOptions.ConstantEditors = this.constantEditor() + m.bpfManagerOptions.ConstantEditors = m.constantEditor() } return nil } -func (this *MOpenSSLProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool) { - fun, found := this.eventFuncMaps[em] +func (m *MOpenSSLProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool) { + fun, found := m.eventFuncMaps[em] return fun, found } -func (this *MOpenSSLProbe) initDecodeFun() error { +func (m *MOpenSSLProbe) initDecodeFun() error { //SSLDumpEventsMap 与解码函数映射 - SSLDumpEventsMap, found, err := this.bpfManager.GetMap("tls_events") + SSLDumpEventsMap, found, err := m.bpfManager.GetMap("tls_events") if err != nil { return err } if !found { return errors.New("cant found map:tls_events") } - this.eventMaps = append(this.eventMaps, SSLDumpEventsMap) + m.eventMaps = append(m.eventMaps, SSLDumpEventsMap) sslEvent := &event.SSLDataEvent{} - //sslEvent.SetModule(this) - this.eventFuncMaps[SSLDumpEventsMap] = sslEvent + //sslEvent.SetModule(m) + m.eventFuncMaps[SSLDumpEventsMap] = sslEvent - ConnEventsMap, found, err := this.bpfManager.GetMap("connect_events") + ConnEventsMap, found, err := m.bpfManager.GetMap("connect_events") if err != nil { return err } if !found { return errors.New("cant found map:connect_events") } - this.eventMaps = append(this.eventMaps, ConnEventsMap) + m.eventMaps = append(m.eventMaps, ConnEventsMap) connEvent := &event.ConnDataEvent{} - //connEvent.SetModule(this) - this.eventFuncMaps[ConnEventsMap] = connEvent + //connEvent.SetModule(m) + m.eventFuncMaps[ConnEventsMap] = connEvent - MasterkeyEventsMap, found, err := this.bpfManager.GetMap("mastersecret_events") + MasterkeyEventsMap, found, err := m.bpfManager.GetMap("mastersecret_events") if err != nil { return err } if !found { return errors.New("cant found 
map:mastersecret_events") } - this.eventMaps = append(this.eventMaps, MasterkeyEventsMap) + m.eventMaps = append(m.eventMaps, MasterkeyEventsMap) var masterkeyEvent event.IEventStruct - if this.isBoringSSL { + if m.isBoringSSL { masterkeyEvent = &event.MasterSecretBSSLEvent{} } else { masterkeyEvent = &event.MasterSecretEvent{} } - //masterkeyEvent.SetModule(this) - this.eventFuncMaps[MasterkeyEventsMap] = masterkeyEvent + //masterkeyEvent.SetModule(m) + m.eventFuncMaps[MasterkeyEventsMap] = masterkeyEvent return nil } -func (this *MOpenSSLProbe) Events() []*ebpf.Map { - return this.eventMaps +func (m *MOpenSSLProbe) Events() []*ebpf.Map { + return m.eventMaps } -func (this *MOpenSSLProbe) saveMasterSecret(secretEvent *event.MasterSecretEvent) { +func (m *MOpenSSLProbe) saveMasterSecret(secretEvent *event.MasterSecretEvent) { var k = fmt.Sprintf("%02x", secretEvent.ClientRandom) - _, f := this.masterKeys[k] + _, f := m.masterKeys[k] if f { // 已存在该随机数的masterSecret,不需要重复写入 return } - this.masterKeys[k] = true + m.masterKeys[k] = true // save to file var b *bytes.Buffer @@ -467,7 +467,7 @@ func (this *MOpenSSLProbe) saveMasterSecret(secretEvent *event.MasterSecretEvent length = 48 transcript = crypto.SHA384 default: - this.logger.Printf("non-TLSv1.3 cipher suite found, CipherId: %d", secretEvent.CipherId) + m.logger.Printf("non-TLSv1.3 cipher suite found, CipherId: %d", secretEvent.CipherId) return } 
@@ -494,29 +494,29 @@ func (this *MOpenSSLProbe) saveMasterSecret(secretEvent *event.MasterSecretEvent b = bytes.NewBufferString(fmt.Sprintf("%s %02x %02x\n", hkdf.KeyLogLabelTLS12, secretEvent.ClientRandom, secretEvent.MasterKey)) } v := event.TlsVersion{Version: secretEvent.Version} - l, e := this.keylogger.WriteString(b.String()) + l, e := m.keylogger.WriteString(b.String()) if e != nil { - this.logger.Fatalf("%s: save CLIENT_RANDOM to file error:%s", v.String(), e.Error()) + m.logger.Fatalf("%s: save CLIENT_RANDOM to file error:%s", v.String(), e.Error()) return } // - switch this.eBPFProgramType { + switch m.eBPFProgramType { case EbpfprogramtypeOpensslTc: - e = this.savePcapngSslKeyLog(b.Bytes()) + e = m.savePcapngSslKeyLog(b.Bytes()) if e != nil { - this.logger.Fatalf("%s: save CLIENT_RANDOM to pcapng error:%s", v.String(), e.Error()) + m.logger.Fatalf("%s: save CLIENT_RANDOM to pcapng error:%s", v.String(), e.Error()) return } default: } - this.logger.Printf("%s: save CLIENT_RANDOM %02x to file success, %d bytes", v.String(), secretEvent.ClientRandom, l) + m.logger.Printf("%s: save CLIENT_RANDOM %02x to file success, %d bytes", v.String(), secretEvent.ClientRandom, l) } -func (this *MOpenSSLProbe) saveMasterSecretBSSL(secretEvent *event.MasterSecretBSSLEvent) { +func (m *MOpenSSLProbe) saveMasterSecretBSSL(secretEvent *event.MasterSecretBSSLEvent) { var k = fmt.Sprintf("%02x", secretEvent.ClientRandom) - _, f := this.masterKeys[k] + _, f := m.masterKeys[k] if f { // 已存在该随机数的masterSecret,不需要重复写入 return 
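Review bot: In saveMasterSecret, both write-error paths call `m.logger.Fatalf`, which on a standard `*log.Logger` (the type MPostgresProbe.Init receives) exits the process, so the `return` after each call is unreachable and one failed key-log or pcapng write ends the whole capture with no deferred cleanup. That presumably skips `Close()` and its `m.bpfManager.Stop(manager.CleanAll)`, which could leave uprobes or TC filters attached; confirm against the caller. I would log and return instead, e.g. `m.logger.Printf("%s: save CLIENT_RANDOM to file error:%s", v.String(), e.Error())`, keeping the existing `return`. The hunk at -556 (saveMasterSecretBSSL) has the same two calls. saveMasterSecret starts before this hunk.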
@@ -526,27 +526,27 @@ func (this *MOpenSSLProbe) saveMasterSecretBSSL(secretEvent *event.MasterSecretB var b *bytes.Buffer switch secretEvent.Version { case event.Tls12Version: - if this.bSSLEvent12NullSecrets(secretEvent) { + if m.bSSLEvent12NullSecrets(secretEvent) { return } var length = int(secretEvent.HashLen) if length > event.MasterSecretMaxLen { length = event.MasterSecretMaxLen - this.logger.Println("master secret length is too long, truncate to 48 bytes, but it may cause keylog file error") + m.logger.Println("master secret length is too long, truncate to 48 bytes, but it may cause keylog file error") } b = bytes.NewBufferString(fmt.Sprintf("%s %02x %02x\n", hkdf.KeyLogLabelTLS12, secretEvent.ClientRandom, secretEvent.Secret[:length])) - this.masterKeys[k] = true + m.masterKeys[k] = true case event.Tls13Version: fallthrough default: var length int length = int(secretEvent.HashLen) // 判断 密钥是否为空 - if this.bSSLEvent13NullSecrets(secretEvent) { + if m.bSSLEvent13NullSecrets(secretEvent) { return } - this.masterKeys[k] = true - //this.logger.Printf("secretEvent.HashLen:%d, CipherId:%d", secretEvent.HashLen, secretEvent.HashLen) + m.masterKeys[k] = true + //m.logger.Printf("secretEvent.HashLen:%d, CipherId:%d", secretEvent.HashLen, secretEvent.HashLen) b = bytes.NewBufferString(fmt.Sprintf("%s %02x %02x\n", hkdf.KeyLogLabelClientHandshake, secretEvent.ClientRandom, secretEvent.ClientHandshakeSecret[:length])) //b.WriteString(fmt.Sprintf("%s %02x %02x\n", hkdf.KeyLogLabelClientEarlyTafficSecret, secretEvent.ClientRandom, secretEvent.EarlyTrafficSecret[:length])) b.WriteString(fmt.Sprintf("%s %02x %02x\n", hkdf.KeyLogLabelClientTraffic, secretEvent.ClientRandom, secretEvent.ClientTrafficSecret0[:length])) 
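Review bot: The TLS 1.3 / default branch slices `secretEvent.ClientHandshakeSecret[:length]` and `secretEvent.ClientTrafficSecret0[:length]` with `length = int(secretEvent.HashLen)` and no upper bound, unlike the TLS 1.2 branch, so a HashLen larger than those arrays would panic the collector. HashLen arrives in an event decoded from the eBPF map and presumably reflects memory read from the traced process, so it should be bounded before use. Add the same clamp ahead of the slicing, `if length > event.MasterSecretMaxLen { length = event.MasterSecretMaxLen }`, assuming the 1.3 secret arrays are at least that long (their declarations are not in this hunk). In the 1.2 branch `m.bSSLEvent12NullSecrets(secretEvent)` runs before the clamp and loops up to HashLen, so the bound belongs ahead of that call as well. saveMasterSecretBSSL starts before and continues after this hunk.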
@@ -556,27 +556,27 @@ func (this *MOpenSSLProbe) saveMasterSecretBSSL(secretEvent *event.MasterSecretB } v := event.TlsVersion{Version: secretEvent.Version} - l, e := this.keylogger.WriteString(b.String()) + l, e := m.keylogger.WriteString(b.String()) if e != nil { - this.logger.Fatalf("%s: save CLIENT_RANDOM to file error:%s", v.String(), e.Error()) + m.logger.Fatalf("%s: save CLIENT_RANDOM to file error:%s", v.String(), e.Error()) return } // - switch this.eBPFProgramType { + switch m.eBPFProgramType { case EbpfprogramtypeOpensslTc: - this.logger.Printf("%s: save CLIENT_RANDOM %02x to file success, %d bytes", v.String(), secretEvent.ClientRandom, l) - e = this.savePcapngSslKeyLog(b.Bytes()) + m.logger.Printf("%s: save CLIENT_RANDOM %02x to file success, %d bytes", v.String(), secretEvent.ClientRandom, l) + e = m.savePcapngSslKeyLog(b.Bytes()) if e != nil { - this.logger.Fatalf("%s: save CLIENT_RANDOM to pcapng error:%s", v.String(), e.Error()) + m.logger.Fatalf("%s: save CLIENT_RANDOM to pcapng error:%s", v.String(), e.Error()) return } default: - this.logger.Printf("%s: save CLIENT_RANDOM %02x to file success, %d bytes", v.String(), secretEvent.ClientRandom, l) + m.logger.Printf("%s: save CLIENT_RANDOM %02x to file success, %d bytes", v.String(), secretEvent.ClientRandom, l) } } -func (this *MOpenSSLProbe) bSSLEvent12NullSecrets(e *event.MasterSecretBSSLEvent) bool { +func (m *MOpenSSLProbe) bSSLEvent12NullSecrets(e *event.MasterSecretBSSLEvent) bool { var isNull = true var hashLen = int(e.HashLen) for i := 0; i < hashLen; i++ { @@ -588,7 +588,7 @@ func (this *MOpenSSLProbe) bSSLEvent12NullSecrets(e *event.MasterSecretBSSLEvent return isNull } -func (this *MOpenSSLProbe) bSSLEvent13NullSecrets(e *event.MasterSecretBSSLEvent) bool { +func (m *MOpenSSLProbe) bSSLEvent13NullSecrets(e *event.MasterSecretBSSLEvent) bool { var isNUllCount = 5 var hashLen = int(e.HashLen) 
@@ -622,22 +622,22 @@ func (this *MOpenSSLProbe) bSSLEvent13NullSecrets(e *event.MasterSecretBSSLEvent return isNUllCount != 0 } -func (this *MOpenSSLProbe) Dispatcher(eventStruct event.IEventStruct) { +func (m *MOpenSSLProbe) Dispatcher(eventStruct event.IEventStruct) { // detect eventStruct type switch eventStruct.(type) { case *event.ConnDataEvent: - //this.AddConn(eventStruct.(*event.ConnDataEvent).Pid, eventStruct.(*event.ConnDataEvent).Fd, eventStruct.(*event.ConnDataEvent).Addr) + //m.AddConn(eventStruct.(*event.ConnDataEvent).Pid, eventStruct.(*event.ConnDataEvent).Fd, eventStruct.(*event.ConnDataEvent).Addr) case *event.MasterSecretEvent: - this.saveMasterSecret(eventStruct.(*event.MasterSecretEvent)) + m.saveMasterSecret(eventStruct.(*event.MasterSecretEvent)) case *event.MasterSecretBSSLEvent: - this.saveMasterSecretBSSL(eventStruct.(*event.MasterSecretBSSLEvent)) + m.saveMasterSecretBSSL(eventStruct.(*event.MasterSecretBSSLEvent)) case *event.TcSkbEvent: - err := this.dumpTcSkb(eventStruct.(*event.TcSkbEvent)) + err := m.dumpTcSkb(eventStruct.(*event.TcSkbEvent)) if err != nil { - this.logger.Printf("%s\t save packet error %s .\n", this.Name(), err.Error()) + m.logger.Printf("%s\t save packet error %s .\n", m.Name(), err.Error()) } } - //this.logger.Println(eventStruct) + //m.logger.Println(eventStruct) } func init() { diff --git a/user/module/probe_openssl_lib.go b/user/module/probe_openssl_lib.go index c3be0403c..c23e0e6a9 100644 --- a/user/module/probe_openssl_lib.go +++ b/user/module/probe_openssl_lib.go @@ -40,8 +40,8 @@ const ( ) // initOpensslOffset initial BpfMap -func (this *MOpenSSLProbe) initOpensslOffset() { - this.sslVersionBpfMap = map[string]string{ +func (m *MOpenSSLProbe) initOpensslOffset() { + m.sslVersionBpfMap = map[string]string{ // openssl 1.0.2* LinuxDefauleFilename_1_0_2: "openssl_1_0_2a_kern.o", 
@@ -61,40 +61,40 @@ func (this *MOpenSSLProbe) initOpensslOffset() { // in openssl source files, there are 4 offset groups for all 1.1.1* version. // group a : 1.1.1a - this.sslVersionBpfMap["openssl 1.1.1a"] = "openssl_1_1_1a_kern.o" + m.sslVersionBpfMap["openssl 1.1.1a"] = "openssl_1_1_1a_kern.o" // group b : 1.1.1b-1.1.1c - this.sslVersionBpfMap["openssl 1.1.1b"] = "openssl_1_1_1b_kern.o" - this.sslVersionBpfMap["openssl 1.1.1c"] = "openssl_1_1_1b_kern.o" + m.sslVersionBpfMap["openssl 1.1.1b"] = "openssl_1_1_1b_kern.o" + m.sslVersionBpfMap["openssl 1.1.1c"] = "openssl_1_1_1b_kern.o" // group c : 1.1.1d-1.1.1i for ch := 'd'; ch <= 'i'; ch++ { - this.sslVersionBpfMap["openssl 1.1.1"+string(ch)] = "openssl_1_1_1d_kern.o" + m.sslVersionBpfMap["openssl 1.1.1"+string(ch)] = "openssl_1_1_1d_kern.o" } // group e : 1.1.1j-1.1.1s for ch := 'j'; ch <= MaxSupportedOpenSSL111Version; ch++ { - this.sslVersionBpfMap["openssl 1.1.1"+string(ch)] = "openssl_1_1_1j_kern.o" + m.sslVersionBpfMap["openssl 1.1.1"+string(ch)] = "openssl_1_1_1j_kern.o" } // openssl 3.0.0 - 3.0.7 for ch := '0'; ch <= MaxSupportedOpenSSL30Version; ch++ { - this.sslVersionBpfMap["openssl 3.0."+string(ch)] = "openssl_3_0_0_kern.o" + m.sslVersionBpfMap["openssl 3.0."+string(ch)] = "openssl_3_0_0_kern.o" } // openssl 1.1.0a - 1.1.0l for ch := 'a'; ch <= MaxSupportedOpenSSL110Version; ch++ { - this.sslVersionBpfMap["openssl 1.1.0"+string(ch)] = "openssl_1_1_1a_kern.o" + m.sslVersionBpfMap["openssl 1.1.0"+string(ch)] = "openssl_1_1_1a_kern.o" } // openssl 1.0.2a - 1.0.2u for ch := 'a'; ch <= MaxSupportedOpenSSL102Version; ch++ { - this.sslVersionBpfMap["openssl 1.0.2"+string(ch)] = "openssl_1_0_2a_kern.o" + m.sslVersionBpfMap["openssl 1.0.2"+string(ch)] = "openssl_1_0_2a_kern.o" } } -func (this *MOpenSSLProbe) detectOpenssl(soPath string) error { +func (m *MOpenSSLProbe) detectOpenssl(soPath string) error { f, err := os.OpenFile(soPath, os.O_RDONLY, os.ModePerm) if err != nil { return fmt.Errorf("can not open 
%s, with error:%v", soPath, err) 
@@ -182,29 +182,29 @@ func (this *MOpenSSLProbe) detectOpenssl(soPath string) error { var found bool if versionKey != "" { versionKeyLower := strings.ToLower(versionKey) - this.logger.Printf("%s\torigin version:%s, as key:%s", this.Name(), versionKey, versionKeyLower) + m.logger.Printf("%s\torigin version:%s, as key:%s", m.Name(), versionKey, versionKeyLower) // find the sslVersion bpfFile from sslVersionBpfMap - bpfFile, found = this.sslVersionBpfMap[versionKeyLower] + bpfFile, found = m.sslVersionBpfMap[versionKeyLower] if found { - this.sslBpfFile = bpfFile + m.sslBpfFile = bpfFile return nil } } - isAndroid := this.conf.(*config.OpensslConfig).IsAndroid + isAndroid := m.conf.(*config.OpensslConfig).IsAndroid // if not found, use default if isAndroid { - bpfFile, _ = this.sslVersionBpfMap[AndroidDefauleFilename] - this.logger.Printf("%s\tOpenSSL/BoringSSL version not found, used default version :%s\n", this.Name(), AndroidDefauleFilename) + bpfFile, _ = m.sslVersionBpfMap[AndroidDefauleFilename] + m.logger.Printf("%s\tOpenSSL/BoringSSL version not found, used default version :%s\n", m.Name(), AndroidDefauleFilename) } else { if strings.Contains(soPath, "libssl.so.3") { - bpfFile, _ = this.sslVersionBpfMap[LinuxDefauleFilename_3_0] - this.logger.Printf("%s\tOpenSSL/BoringSSL version not found from shared library file, used default version:%s\n", this.Name(), LinuxDefauleFilename_3_0) + bpfFile, _ = m.sslVersionBpfMap[LinuxDefauleFilename_3_0] + m.logger.Printf("%s\tOpenSSL/BoringSSL version not found from shared library file, used default version:%s\n", m.Name(), LinuxDefauleFilename_3_0) } else { - bpfFile, _ = this.sslVersionBpfMap[LinuxDefauleFilename_1_1_1] - this.logger.Printf("%s\tOpenSSL/BoringSSL version not found from shared library file, used default version:%s\n", this.Name(), LinuxDefauleFilename_1_1_1) + bpfFile, _ = m.sslVersionBpfMap[LinuxDefauleFilename_1_1_1] + m.logger.Printf("%s\tOpenSSL/BoringSSL version not found from shared library file, 
used default version:%s\n", m.Name(), LinuxDefauleFilename_1_1_1) } } - this.sslBpfFile = bpfFile + m.sslBpfFile = bpfFile return nil } diff --git a/user/module/probe_openssl_tc.go b/user/module/probe_openssl_tc.go index 471396290..f34db5a9a 100644 --- a/user/module/probe_openssl_tc.go +++ b/user/module/probe_openssl_tc.go @@ -33,12 +33,12 @@ type NetEventMetadata struct { ProcessName [16]byte `json:"processName"` } -func (this *MOpenSSLProbe) setupManagersTC() error { +func (m *MOpenSSLProbe) setupManagersTC() error { var ifname, binaryPath, sslVersion string - ifname = this.conf.(*config.OpensslConfig).Ifname - this.ifName = ifname - interf, err := net.InterfaceByName(this.ifName) + ifname = m.conf.(*config.OpensslConfig).Ifname + m.ifName = ifname + interf, err := net.InterfaceByName(m.ifName) if err != nil { return err } 
@@ -47,33 +47,33 @@ func (this *MOpenSSLProbe) setupManagersTC() error { isNetIfaceLo := interf.Flags&net.FlagLoopback == net.FlagLoopback skipLoopback := true // TODO: detect loopback devices via aquasecrity/tracee/pkg/ebpf/probes/probe.go line 322 if isNetIfaceLo && skipLoopback { - return fmt.Errorf("%s\t%s is a loopback interface, skip it", this.Name(), this.ifName) + return fmt.Errorf("%s\t%s is a loopback interface, skip it", m.Name(), m.ifName) } - this.ifIdex = interf.Index + m.ifIdex = interf.Index - sslVersion = this.conf.(*config.OpensslConfig).SslVersion + sslVersion = m.conf.(*config.OpensslConfig).SslVersion sslVersion = strings.ToLower(sslVersion) - switch this.conf.(*config.OpensslConfig).ElfType { + switch m.conf.(*config.OpensslConfig).ElfType { case config.ElfTypeBin: - binaryPath = this.conf.(*config.OpensslConfig).Curlpath + binaryPath = m.conf.(*config.OpensslConfig).Curlpath case config.ElfTypeSo: - binaryPath = this.conf.(*config.OpensslConfig).Openssl - err := this.getSslBpfFile(binaryPath, sslVersion) + binaryPath = m.conf.(*config.OpensslConfig).Openssl + err := m.getSslBpfFile(binaryPath, sslVersion) if err != nil { return err } default: //如果没找到 binaryPath = "/lib/x86_64-linux-gnu/libssl.so.1.1" - err := this.getSslBpfFile(binaryPath, sslVersion) + err := m.getSslBpfFile(binaryPath, sslVersion) if err != nil { return err } } - this.logger.Printf("%s\tHOOK type:%d, binrayPath:%s\n", this.Name(), this.conf.(*config.OpensslConfig).ElfType, binaryPath) - this.logger.Printf("%s\tIfname:%s, Ifindex:%d, Port:%d, Pcapng filepath:%s\n", this.Name(), this.ifName, this.ifIdex, this.conf.(*config.OpensslConfig).Port, this.pcapngFilename) - this.logger.Printf("%s\tHook masterKey function:%s\n", this.Name(), this.masterHookFunc) + m.logger.Printf("%s\tHOOK type:%d, binrayPath:%s\n", m.Name(), m.conf.(*config.OpensslConfig).ElfType, binaryPath) + m.logger.Printf("%s\tIfname:%s, Ifindex:%d, Port:%d, Pcapng filepath:%s\n", m.Name(), m.ifName, m.ifIdex, 
m.conf.(*config.OpensslConfig).Port, m.pcapngFilename) + m.logger.Printf("%s\tHook masterKey function:%s\n", m.Name(), m.masterHookFunc) // create pcapng writer netIfs, err := net.Interfaces() @@ -81,12 +81,12 @@ func (this *MOpenSSLProbe) setupManagersTC() error { return err } - err = this.createPcapng(netIfs) + err = m.createPcapng(netIfs) if err != nil { return err } - this.bpfManager = &manager.Manager{ + m.bpfManager = &manager.Manager{ Probes: []*manager.Probe{ // customize deleteed TC filter // tc filter del dev eth0 ingress @@ -100,13 +100,13 @@ func (this *MOpenSSLProbe) setupManagersTC() error { { Section: "classifier/egress", EbpfFuncName: "egress_cls_func", - Ifname: this.ifName, + Ifname: m.ifName, NetworkDirection: manager.Egress, }, { Section: "classifier/ingress", EbpfFuncName: "ingress_cls_func", - Ifname: this.ifName, + Ifname: m.ifName, NetworkDirection: manager.Ingress, }, // -------------------------------------------------- @@ -115,7 +115,7 @@ func (this *MOpenSSLProbe) setupManagersTC() error { { Section: "uprobe/SSL_write_key", EbpfFuncName: "probe_ssl_master_key", - AttachToFuncName: this.masterHookFunc, // SSL_do_handshake or SSL_write + AttachToFuncName: m.masterHookFunc, // SSL_do_handshake or SSL_write BinaryPath: binaryPath, UID: "uprobe_ssl_master_key", }, @@ -131,7 +131,7 @@ func (this *MOpenSSLProbe) setupManagersTC() error { }, } - this.bpfManagerOptions = manager.Options{ + m.bpfManagerOptions = manager.Options{ DefaultKProbeMaxActive: 512, VerifierOptions: ebpf.CollectionOptions{ 
@@ -146,45 +146,45 @@ func (this *MOpenSSLProbe) setupManagersTC() error { }, } - if this.conf.EnableGlobalVar() { + if m.conf.EnableGlobalVar() { // 填充 RewriteContants 对应map - this.bpfManagerOptions.ConstantEditors = this.constantEditor() + m.bpfManagerOptions.ConstantEditors = m.constantEditor() } return nil } -func (this *MOpenSSLProbe) initDecodeFunTC() error { +func (m *MOpenSSLProbe) initDecodeFunTC() error { //SkbEventsMap 与解码函数映射 - SkbEventsMap, found, err := this.bpfManager.GetMap("skb_events") + SkbEventsMap, found, err := m.bpfManager.GetMap("skb_events") if err != nil { return err } if !found { return errors.New("cant found map:skb_events") } - this.eventMaps = append(this.eventMaps, SkbEventsMap) + m.eventMaps = append(m.eventMaps, SkbEventsMap) sslEvent := &event.TcSkbEvent{} - //sslEvent.SetModule(this) - this.eventFuncMaps[SkbEventsMap] = sslEvent + //sslEvent.SetModule(m) + m.eventFuncMaps[SkbEventsMap] = sslEvent - MasterkeyEventsMap, found, err := this.bpfManager.GetMap("mastersecret_events") + MasterkeyEventsMap, found, err := m.bpfManager.GetMap("mastersecret_events") if err != nil { return err } if !found { return errors.New("cant found map:mastersecret_events") } - this.eventMaps = append(this.eventMaps, MasterkeyEventsMap) + m.eventMaps = append(m.eventMaps, MasterkeyEventsMap) var masterkeyEvent event.IEventStruct - if this.isBoringSSL { + if m.isBoringSSL { masterkeyEvent = &event.MasterSecretBSSLEvent{} } else { masterkeyEvent = &event.MasterSecretEvent{} } - //masterkeyEvent.SetModule(this) - this.eventFuncMaps[MasterkeyEventsMap] = masterkeyEvent + //masterkeyEvent.SetModule(m) + m.eventFuncMaps[MasterkeyEventsMap] = masterkeyEvent return nil } diff --git a/user/module/probe_postgres.go b/user/module/probe_postgres.go index 6bb60b3b0..a9d6fc4f5 100644 --- a/user/module/probe_postgres.go +++ b/user/module/probe_postgres.go 
@@ -43,50 +43,50 @@ type MPostgresProbe struct { } // init probe -func (this *MPostgresProbe) Init(ctx context.Context, logger *log.Logger, conf config.IConfig) error { - this.Module.Init(ctx, logger, conf) - this.conf = conf - this.Module.SetChild(this) - this.eventMaps = make([]*ebpf.Map, 0, 2) - this.eventFuncMaps = make(map[*ebpf.Map]event.IEventStruct) +func (p *MPostgresProbe) Init(ctx context.Context, logger *log.Logger, conf config.IConfig) error { + p.Module.Init(ctx, logger, conf) + p.conf = conf + p.Module.SetChild(p) + p.eventMaps = make([]*ebpf.Map, 0, 2) + p.eventFuncMaps = make(map[*ebpf.Map]event.IEventStruct) return nil } -func (this *MPostgresProbe) Start() error { - if err := this.start(); err != nil { +func (p *MPostgresProbe) Start() error { + if err := p.start(); err != nil { return err } return nil } -func (this *MPostgresProbe) start() error { +func (p *MPostgresProbe) start() error { // fetch ebpf assets - var bpfFileName = this.geteBPFName("user/bytecode/postgres_kern.o") - this.logger.Printf("%s\tBPF bytecode filename:%s\n", this.Name(), bpfFileName) + var bpfFileName = p.geteBPFName("user/bytecode/postgres_kern.o") + p.logger.Printf("%s\tBPF bytecode filename:%s\n", p.Name(), bpfFileName) byteBuf, err := assets.Asset("user/bytecode/postgres_kern.o") if err != nil { return fmt.Errorf("couldn't find asset") } // setup the managers - err = this.setupManagers() + err = p.setupManagers() if err != nil { return fmt.Errorf("postgres module couldn't find binPath %v.", err) } // initialize the bootstrap manager - if err := this.bpfManager.InitWithOptions(bytes.NewReader(byteBuf), this.bpfManagerOptions); err != nil { + if err := p.bpfManager.InitWithOptions(bytes.NewReader(byteBuf), p.bpfManagerOptions); err != nil { return fmt.Errorf("couldn't init manager %v.", err) } // start the bootstrap manager - if err := this.bpfManager.Start(); err != nil { + if err := p.bpfManager.Start(); err != nil { return fmt.Errorf("couldn't start bootstrap manager 
%v.", err) } // 加载map信息,map对应events decode表。 - err = this.initDecodeFun() + err = p.initDecodeFun() if err != nil { return err } @@ -94,21 +94,21 @@ func (this *MPostgresProbe) start() error { return nil } -func (this *MPostgresProbe) Close() error { - if err := this.bpfManager.Stop(manager.CleanAll); err != nil { +func (p *MPostgresProbe) Close() error { + if err := p.bpfManager.Stop(manager.CleanAll); err != nil { return fmt.Errorf("couldn't stop manager %v.", err) } - return this.Module.Close() + return p.Module.Close() } -func (this *MPostgresProbe) setupManagers() error { - binaryPath := this.conf.(*config.PostgresConfig).PostgresPath +func (p *MPostgresProbe) setupManagers() error { + binaryPath := p.conf.(*config.PostgresConfig).PostgresPath _, err := os.Stat(binaryPath) if err != nil { return err } - attachFunc := this.conf.(*config.PostgresConfig).FuncName + attachFunc := p.conf.(*config.PostgresConfig).FuncName probes := []*manager.Probe{ { @@ -119,7 +119,7 @@ func (this *MPostgresProbe) setupManagers() error { }, } - this.bpfManager = &manager.Manager{ + p.bpfManager = &manager.Manager{ Probes: probes, Maps: []*manager.Map{ { @@ -128,9 +128,9 @@ func (this *MPostgresProbe) setupManagers() error { }, } - this.logger.Printf("Postgres, binrayPath: %s, FunctionName: %s\n", binaryPath, attachFunc) + p.logger.Printf("Postgres, binrayPath: %s, FunctionName: %s\n", binaryPath, attachFunc) - this.bpfManagerOptions = manager.Options{ + p.bpfManagerOptions = manager.Options{ DefaultKProbeMaxActive: 512, VerifierOptions: ebpf.CollectionOptions{ 
@@ -147,28 +147,28 @@ func (this *MPostgresProbe) setupManagers() error { return nil } -func (this *MPostgresProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool) { - fun, found := this.eventFuncMaps[em] +func (p *MPostgresProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool) { + fun, found := p.eventFuncMaps[em] return fun, found } -func (this *MPostgresProbe) initDecodeFun() error { +func (p *MPostgresProbe) initDecodeFun() error { // postgresEventsMap to hook - postgresEventsMap, found, err := this.bpfManager.GetMap("events") + postgresEventsMap, found, err := p.bpfManager.GetMap("events") if err != nil { return err } if !found { return errors.New("cant found map: events") } - this.eventMaps = append(this.eventMaps, postgresEventsMap) - this.eventFuncMaps[postgresEventsMap] = &event.PostgresEvent{} + p.eventMaps = append(p.eventMaps, postgresEventsMap) + p.eventFuncMaps[postgresEventsMap] = &event.PostgresEvent{} return nil } -func (this *MPostgresProbe) Events() []*ebpf.Map { - return this.eventMaps +func (p *MPostgresProbe) Events() []*ebpf.Map { + return p.eventMaps } func init() { diff --git a/user/module/probe_tc.go b/user/module/probe_tc.go index ac534020a..bd8c16678 100644 --- a/user/module/probe_tc.go +++ b/user/module/probe_tc.go 
@@ -43,21 +43,21 @@ type MTCProbe struct { tcPacketLocker *sync.Mutex } -func (this *MTCProbe) dumpTcSkb(tcEvent *event.TcSkbEvent) error { - var timeStamp = this.bootTime + tcEvent.Ts - return this.writePacket(tcEvent.Len, time.Unix(0, int64(timeStamp)), tcEvent.Payload()) +func (t *MTCProbe) dumpTcSkb(tcEvent *event.TcSkbEvent) error { + var timeStamp = t.bootTime + tcEvent.Ts + return t.writePacket(tcEvent.Len, time.Unix(0, int64(timeStamp)), tcEvent.Payload()) } // save pcapng file ,merge master key into pcapng file TODO -func (this *MTCProbe) savePcapng() (i int, err error) { - err = this.pcapWriter.WriteDecryptionSecretsBlock(pcapgo.DSB_SECRETS_TYPE_TLS, this.masterKeyBuffer.Bytes()) +func (t *MTCProbe) savePcapng() (i int, err error) { + err = t.pcapWriter.WriteDecryptionSecretsBlock(pcapgo.DSB_SECRETS_TYPE_TLS, t.masterKeyBuffer.Bytes()) if err != nil { return } - this.tcPacketLocker.Lock() - defer this.tcPacketLocker.Unlock() - for _, packet := range this.tcPackets { - err = this.pcapWriter.WritePacket(packet.info, packet.data) + t.tcPacketLocker.Lock() + defer t.tcPacketLocker.Unlock() + for _, packet := range t.tcPackets { + err = t.pcapWriter.WritePacket(packet.info, packet.data) i++ if err != nil { return @@ -67,12 +67,12 @@ func (this *MTCProbe) savePcapng() (i int, err error) { if i == 0 { return } - err = this.pcapWriter.Flush() + err = t.pcapWriter.Flush() return } -func (this *MTCProbe) createPcapng(netIfs []net.Interface) error { - pcapFile, err := os.OpenFile(this.pcapngFilename, os.O_TRUNC|os.O_WRONLY|os.O_CREATE, 0644) +func (t *MTCProbe) createPcapng(netIfs []net.Interface) error { + pcapFile, err := os.OpenFile(t.pcapngFilename, os.O_TRUNC|os.O_WRONLY|os.O_CREATE, 0644) if err != nil { return fmt.Errorf("error creating pcap file: %v", err) } 
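Review bot: savePcapng reads `t.masterKeyBuffer.Bytes()` before it takes `t.tcPacketLocker`, and savePcapngSslKeyLog (hunk at -141) writes to the same buffer with no lock at all, so if key events and the final save run on different goroutines this is a data race that can put a truncated secrets block into the capture. Whether they do is not visible here; if so, take the lock first by moving `t.tcPacketLocker.Lock()` and `defer t.tcPacketLocker.Unlock()` above the `WriteDecryptionSecretsBlock` call, and guard the `t.masterKeyBuffer.Write(sslKeyLog)` in savePcapngSslKeyLog with the same mutex. A short comment on the struct field saying that the mutex covers both `tcPackets` and `masterKeyBuffer` would make the intent explicit. savePcapng continues past the end of this hunk.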
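Review bot: createPcapng opens the capture file with mode `0644`, which makes it readable by every local user, while savePcapng writes a TLS decryption secrets block and the captured packets through the writer this function sets up. Use owner-only permissions: `pcapFile, err := os.OpenFile(t.pcapngFilename, os.O_TRUNC|os.O_WRONLY|os.O_CREATE, 0600)`. The mode only applies when the file is created; with `O_TRUNC` an existing file at that path keeps its previous mode and a symlink is followed, so a pre-existing path deserves a check too. createPcapng continues past the end of this hunk.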
@@ -88,7 +88,7 @@ func (this *MTCProbe) createPcapng(netIfs []net.Interface) error { } // write interface description ngIface := pcapgo.NgInterface{ - Name: this.ifName, + Name: t.ifName, Comment: "eCapture (旁观者): github.com/gojue/ecapture", Filter: "", LinkType: layers.LinkTypeEthernet, @@ -123,11 +123,11 @@ func (this *MTCProbe) createPcapng(netIfs []net.Interface) error { } // TODO 保存数据包所属进程ID信息,以LRU Cache方式存储。 - this.pcapWriter = pcapWriter + t.pcapWriter = pcapWriter return nil } -func (this *MTCProbe) writePacket(dataLen uint32, timeStamp time.Time, packetBytes []byte) error { +func (t *MTCProbe) writePacket(dataLen uint32, timeStamp time.Time, packetBytes []byte) error { info := gopacket.CaptureInfo{ Timestamp: timeStamp, CaptureLength: int(dataLen), @@ -141,11 +141,11 @@ func (this *MTCProbe) writePacket(dataLen uint32, timeStamp time.Time, packetByt packet := &TcPacket{info: info, data: packetBytes} - this.tcPackets = append(this.tcPackets, packet) + t.tcPackets = append(t.tcPackets, packet) return nil } -func (this *MTCProbe) savePcapngSslKeyLog(sslKeyLog []byte) (err error) { - _, e := this.masterKeyBuffer.Write(sslKeyLog) +func (t *MTCProbe) savePcapngSslKeyLog(sslKeyLog []byte) (err error) { + _, e := t.masterKeyBuffer.Write(sslKeyLog) return e }