// SPDX-License-Identifier: GPL-2.0
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
/*
Information gained from reversing this (multiple kernel versions):
There is no point in
```llvm
tail call void @llvm.dbg.value(metadata ptr %0, metadata !60, metadata !DIExpression()), !dbg !70
```
and the first argument of passthrough is fucking useless. It just needs to be a distinct integer:
```llvm
%9 = tail call ptr @llvm.bpf.passthrough.p0.p0(i32 3, ptr %8)
```
*/
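SEC("tp/syscalls/sys_enter_execve")
/*
 * Tracepoint program attached to syscalls/sys_enter_execve.
 *
 * Reads the `id` field of the raw sys_enter record, emits it through
 * bpf_printk(), and returns 0 (the return value of a tracepoint program is
 * not acted on by the kernel).
 *
 * NOTE(review): the symbol name says "setuid" but the section string attaches
 * the program to execve entry. The name is kept unchanged here because a
 * user-space loader may look the program up by symbol; if it is renamed,
 * rename both sides together.
 *
 * NOTE(review): bpf_printk() writes into the kernel's global trace buffer
 * (trace_pipe), which is shared with every other tracer on the host; treat it
 * as debug-only output, not as an event channel for production tooling.
 */
int handle_setuid_entry(struct trace_event_raw_sys_enter *ctx) {
	/*
	 * ctx->id is declared `long` in the tracepoint record (presumably the
	 * syscall number — confirm against this kernel's vmlinux.h). Print it
	 * with %ld: bpf_printk treats a bare %d as a 32-bit int and would
	 * truncate the value.
	 */
	long id = ctx->id;

	bpf_printk("This is context field %ld", id);

	/*
	 * the IR to aim for is
	 * %2 = alloca ptr, align 8
	 * store ptr %0, ptr %2, align 8
	 * Above, %0 is the arg pointer
	 * %5 = load ptr, ptr %2, align 8
	 * %6 = getelementptr inbounds %struct.trace_event_raw_sys_enter, ptr %5, i32 0, i32 2
	 * %7 = load i64, ptr @"llvm.trace_event_raw_sys_enter:0:16$0:2:0", align 8
	 * %8 = bitcast ptr %5 to ptr
	 * %9 = getelementptr i8, ptr %8, i64 %7
	 * %10 = bitcast ptr %9 to ptr
	 * %11 = call ptr @llvm.bpf.passthrough.p0.p0(i32 0, ptr %10)
	 * %12 = load i64, ptr %11, align 8, !dbg !101
	 *
	 */
	return 0;
}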
/*
 * Declares the program's license to the kernel. Helpers the kernel marks as
 * GPL-only (bpf_printk / bpf_trace_printk is one) are refused at load time
 * unless this section carries a GPL-compatible string.
 */
char LICENSE[] SEC("license") = "GPL";