import ctypes as ct
import sys

from bcc import BPF, DEBUG_PREPROCESSOR, DEBUG_BPF, DEBUG_LLVM_IR
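# BPF program (C) attached to libssl's SSL_write / SSL_read via uprobes. It
# copies the *plaintext* side of the TLS connection out of the calling process,
# so everything it emits is decrypted application data.
prog = """
#include <linux/ptrace.h>
#include <linux/sched.h> /* For TASK_COMM_LEN */

/* Bytes of each SSL buffer copied out; must match the ctypes Data class. */
#define MAX_BUF_SIZE 400

/* One event per SSL_write / completed SSL_read, sent over a perf buffer. */
struct probe_SSL_data_t
{
    u64 timestamp_ns;
    u32 pid;                /* process id (tgid), as shown by ps */
    u32 len;                /* bytes the caller wrote / received; may exceed MAX_BUF_SIZE */
    char comm[TASK_COMM_LEN];
    char v0[MAX_BUF_SIZE];  /* first MAX_BUF_SIZE bytes of the plaintext buffer */
};

BPF_PERF_OUTPUT(perf_SSL_write);

/*
 * uprobe on SSL_write(SSL *ssl, const void *buf, int num). On entry buf already
 * holds the plaintext the caller wants to send, so it can be copied right away.
 */
int probe_SSL_write(struct pt_regs *ctx)
{
    struct probe_SSL_data_t __data = {0};
    u64 pid_tgid = bpf_get_current_pid_tgid();
    void *buf = (void *) PT_REGS_PARM2(ctx);

    __data.timestamp_ns = bpf_ktime_get_ns();
    /* Upper 32 bits are the tgid (process id); the lower 32 bits are the
     * thread id, which is not what a "PID" column should show for
     * multi-threaded programs. */
    __data.pid = pid_tgid >> 32;
    /* The caller's length argument (num), not sizeof(int). */
    __data.len = PT_REGS_PARM3(ctx);
    bpf_get_current_comm(&__data.comm, sizeof(__data.comm));

    if (buf != 0) {
        /* The copy size has to be a compile-time constant, so writes longer
         * than MAX_BUF_SIZE are truncated and len tells user space by how much.
         * Bytes past len are whatever else happens to lie in the caller's
         * buffer, so user space should not treat them as sent data. */
        bpf_probe_read(&__data.v0, sizeof(__data.v0), buf);
    }

    perf_SSL_write.perf_submit(ctx, &__data, sizeof(__data));
    return 0;
}

BPF_PERF_OUTPUT(perf_SSL_read);

/* Destination buffer of an in-flight SSL_read, keyed by thread id. */
BPF_HASH(bufs, u32, u64);

/*
 * uprobe on SSL_read(SSL *ssl, void *buf, int num). The buffer is still empty
 * on entry, so only remember where it is; the return probe reads it.
 */
int probe_SSL_read_enter(struct pt_regs *ctx)
{
    /* Key on the thread id (low 32 bits) so concurrent SSL_read calls from
     * different threads of one process do not overwrite each other's entry. */
    u32 tid = bpf_get_current_pid_tgid();
    u64 buf = (u64)PT_REGS_PARM2(ctx);
    bufs.update(&tid, &buf);
    return 0;
}

/* uretprobe on SSL_read: the buffer now holds the decrypted data. */
int probe_SSL_read_exit(struct pt_regs *ctx)
{
    u64 pid_tgid = bpf_get_current_pid_tgid();
    u32 tid = pid_tgid;
    u64 *bufp = bufs.lookup(&tid);
    if (bufp == 0) {
        /* No matching entry probe (e.g. the probe was attached mid-call). */
        return 0;
    }
    u64 buf = *bufp;
    bufs.delete(&tid);

    /* SSL_read returns the number of bytes placed in buf, or <= 0 on error,
     * EOF or a WANT_READ retry. In those cases the buffer holds nothing new,
     * so reporting it would print stale memory as received plaintext. */
    int rc = PT_REGS_RC(ctx);
    if (rc <= 0) {
        return 0;
    }

    struct probe_SSL_data_t __data = {0};
    __data.timestamp_ns = bpf_ktime_get_ns();
    __data.pid = pid_tgid >> 32;
    __data.len = rc;
    bpf_get_current_comm(&__data.comm, sizeof(__data.comm));
    if (buf != 0) {
        /* Same truncation rule as in probe_SSL_write. */
        bpf_probe_read(&__data.v0, sizeof(__data.v0), (void *)buf);
    }

    perf_SSL_read.perf_submit(ctx, &__data, sizeof(__data));
    return 0;
}
"""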
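# Compile and load the BPF program. Attaching uprobes and reading other
# processes' memory needs root (or the equivalent BPF/perf capabilities).
b = BPF(text=prog)

# The uprobes are bound to this exact shared object, so only processes that
# load this file are observed. Processes using a different libssl build, a
# statically linked OpenSSL or another TLS library are not hooked and will
# silently produce no output. The path may be overridden with the first
# command-line argument, e.g. `sudo python sniff_openssl.py /lib/x86_64-linux-gnu/libssl.so.1.1`.
libpath = sys.argv[1] if len(sys.argv) > 1 else "/usr/lib/libssl.so.1.0.0"

# SSL_write: the plaintext is available on entry (2nd argument), one probe is enough.
function = "SSL_write"
probe_name = "probe_SSL_write"
b.attach_uprobe(name=libpath, sym=function, fn_name=probe_name)

# SSL_read: remember the destination buffer on entry and read it on return,
# once OpenSSL has filled it with the decrypted data.
b.attach_uprobe(name=libpath, sym="SSL_read", fn_name="probe_SSL_read_enter")
b.attach_uretprobe(name=libpath, sym="SSL_read", fn_name="probe_SSL_read_exit")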
# define output data structure in Python
TASK_COMM_LEN = 16  # linux/sched.h
MAX_BUF_SIZE = 400  # must match char v0[400] in the BPF program


class Data(ct.Structure):
    """Python mirror of ``struct probe_SSL_data_t`` emitted by the BPF program.

    Field order, types and array sizes have to match the C struct exactly:
    each perf event is reinterpreted with ``ct.cast`` and never validated.
    ``comm`` and ``v0`` are ``c_char`` arrays, so reading them as attributes
    yields the bytes up to the first NUL, not the full array.
    """

    _fields_ = [
        ("timestamp_ns", ct.c_ulonglong),       # bpf_ktime_get_ns() at probe time
        ("pid", ct.c_uint),
        ("len", ct.c_uint),
        ("comm", ct.c_char * TASK_COMM_LEN),    # task name from bpf_get_current_comm
        ("v0", ct.c_char * MAX_BUF_SIZE),       # first bytes of the SSL buffer
    ]
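# Column header. Each event row is "<DIR>: TIME(s) COMM PID LEN" followed by
# the payload on the next line(s); the widths below match the row format.
print("%-6s %-18s %-16s %-6s %s" % ("", "TIME(s)", "COMM", "PID", "LEN"))

# Timestamp (ns) of the first event of either direction; all times are
# printed relative to it. 0 means "not seen yet".
start = 0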
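# Process ids whose traffic should not be printed. The original script
# hard-coded a single PID from the author's machine here (a process that was
# "generating a lot of noise"); that filter is meaningless on any other host,
# so it is now a tunable that defaults to printing everything.
IGNORED_PIDS = set()


def _print_event(direction, data):
    """Format and print one perf event for either direction.

    ``direction`` is the row label ("WRITE" or "READ"); ``data`` is the raw
    perf-buffer pointer passed to the callback, reinterpreted as ``Data``.

    The payload is decrypted application data (credentials, cookies, session
    tokens, ...): treat the output as sensitive and do not leave it in
    persistent logs. Only the first 400 bytes of each buffer are captured and
    the ``c_char`` array stops at the first NUL, so binary or long payloads
    appear truncated; ``len`` is the caller's real length.
    """
    global start
    event = ct.cast(data, ct.POINTER(Data)).contents
    # Times are relative to the first event seen, whichever direction it had.
    if start == 0:
        start = event.timestamp_ns
    time_s = float(event.timestamp_ns - start) / 1000000000
    if event.pid in IGNORED_PIDS:
        return
    # Decode for display; "replace" keeps non-UTF-8 payloads from raising and
    # avoids the b'...' repr under Python 3.
    comm = event.comm.decode("utf-8", "replace")
    payload = event.v0.decode("utf-8", "replace")
    print("%s: %-18.9f %-16s %-6d %d\n%s" % (direction, time_s, comm, event.pid, event.len, payload))


def print_event_write(cpu, data, size):
    """perf-buffer callback for the SSL_write probe (plaintext about to be sent)."""
    _print_event("WRITE", data)


def print_event_read(cpu, data, size):
    """perf-buffer callback for the SSL_read return probe (decrypted data received)."""
    _print_event("READ", data)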
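# Route events from the two perf ring buffers to their callbacks.
b["perf_SSL_write"].open_perf_buffer(print_event_write)
b["perf_SSL_read"].open_perf_buffer(print_event_read)

# Poll until interrupted. Ctrl-C ends the capture cleanly instead of dumping
# a KeyboardInterrupt traceback; the BPF programs are detached when the
# BPF object is torn down at exit.
try:
    while True:
        b.kprobe_poll()
except KeyboardInterrupt:
    pass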
$ sudo python sniff_openssl.py
TIME(s) COMM PID
WRITE: 0.000000000 curl 2665 4
GET / HTTP/1.1
User-Agent: curl/7.35.0
Host: google.es
Accept: */*
READ: 0.048204734 curl 2665 4
HTTP/1.1 301 Moved Permanently
Location: https://www.google.es/
Content-Type: text/html; charset=UTF-8
Date: Fri, 12 Aug 2016 23:17:08 GMT
Expires: Sun, 11 Sep 2016 23:17:08 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 443:quic
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34,33,32