import ctypes as ct | |
from bcc import BPF, DEBUG_PREPROCESSOR, DEBUG_BPF, DEBUG_LLVM_IR | |
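# BPF program: an entry probe on SSL_write plus an entry/return probe pair on
# SSL_read.  Each probe copies up to MAX_BUF_SIZE bytes of the plaintext buffer
# the application handed to OpenSSL into a perf event.  The Python ctypes
# `Data` structure further down must stay layout-identical to probe_SSL_data_t.
#
# Fix: the original stored `sizeof(ret)` (always 4) in `len`; it now records
# the byte count the application actually wrote (SSL_write's `num` argument)
# or received (SSL_read's return value), and SSL_read calls that returned
# <= 0 no longer emit an event whose buffer holds nothing from that call.
prog = """
#include <linux/ptrace.h>
#include <linux/sched.h> /* For TASK_COMM_LEN */

/* Bytes of each SSL buffer copied into the event; keep in sync with Data.v0. */
#define MAX_BUF_SIZE 400

struct probe_SSL_data_t {
    u64 timestamp_ns;
    u32 pid;
    u32 len;                   /* bytes the application passed / received */
    char comm[TASK_COMM_LEN];
    char v0[MAX_BUF_SIZE];     /* raw copy; only the first len bytes belong to this call */
};

BPF_PERF_OUTPUT(perf_SSL_write);

/* int SSL_write(SSL *ssl, const void *buf, int num): buf is PARM2, num is PARM3. */
int probe_SSL_write(struct pt_regs *ctx)
{
    struct probe_SSL_data_t __data = {0};
    __data.timestamp_ns = bpf_ktime_get_ns();
    /* low 32 bits of pid_tgid: the kernel pid, i.e. the userspace thread id */
    __data.pid = bpf_get_current_pid_tgid();
    __data.len = PT_REGS_PARM3(ctx);
    bpf_get_current_comm(&__data.comm, sizeof(__data.comm));

    const void *buf = (const void *)PT_REGS_PARM2(ctx);
    if (buf != 0) {
        /* if the copy faults the helper leaves v0 zeroed; len still reports num */
        bpf_probe_read(&__data.v0, sizeof(__data.v0), buf);
    }
    perf_SSL_write.perf_submit(ctx, &__data, sizeof(__data));
    return 0;
}

BPF_PERF_OUTPUT(perf_SSL_read);
/* thread id -> buffer pointer stashed at SSL_read entry, consumed on return */
BPF_HASH(bufs, u32, u64);

/* int SSL_read(SSL *ssl, void *buf, int num): only the buffer pointer is kept. */
int probe_SSL_read_enter(struct pt_regs *ctx)
{
    u32 pid = bpf_get_current_pid_tgid();
    u64 buf = (u64)PT_REGS_PARM2(ctx);
    bufs.update(&pid, &buf);
    return 0;
}

/* Runs when SSL_read returns; PT_REGS_RC is its return value (bytes read, or <= 0). */
int probe_SSL_read_exit(struct pt_regs *ctx)
{
    u32 pid = bpf_get_current_pid_tgid();
    u64 *bufp = bufs.lookup(&pid);
    if (bufp == 0) {
        return 0;
    }
    u64 buf = *bufp;
    bufs.delete(&pid);

    int ret = PT_REGS_RC(ctx);
    if (ret <= 0) {
        /* error or EOF: the buffer holds nothing from this call */
        return 0;
    }

    struct probe_SSL_data_t __data = {0};
    __data.timestamp_ns = bpf_ktime_get_ns();
    __data.pid = pid;
    __data.len = ret;
    bpf_get_current_comm(&__data.comm, sizeof(__data.comm));
    bpf_probe_read(&__data.v0, sizeof(__data.v0), (const void *)buf);
    perf_SSL_read.perf_submit(ctx, &__data, sizeof(__data));
    return 0;
}
"""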
# Compile and load the BPF program (needs root: uprobe attachment and BPF load).
b = BPF(text=prog)

# Shared object whose SSL_write / SSL_read symbols are probed.  This path is
# distro-specific (OpenSSL 1.0.0 soname); adjust it for the target host.
# Every process that loads this library is observed, and the captured buffers
# are application plaintext, so treat the output as sensitive.
libpath = "/usr/lib/libssl.so.1.0.0"

# SSL_write: a single entry probe is enough, the buffer and length are arguments.
function = "SSL_write"
probe_name = "probe_SSL_write"
b.attach_uprobe(name=libpath, sym=function, fn_name=probe_name)

# SSL_read: the entry probe stashes the buffer pointer, the return probe copies
# the buffer once the call has filled it.
read_probes = (
    (b.attach_uprobe, "probe_SSL_read_enter"),
    (b.attach_uretprobe, "probe_SSL_read_exit"),
)
for attach, fn_name in read_probes:
    attach(name=libpath, sym="SSL_read", fn_name=fn_name)
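TASK_COMM_LEN = 16  # linux/sched.h
MAX_BUF_SIZE = 400  # must match the v0 array size in the BPF program above


class Data(ct.Structure):
    """Python view of the BPF struct probe_SSL_data_t delivered on both perf buffers.

    Field order and sizes must match the C definition exactly: the BPF side
    submits sizeof(struct) bytes and the callbacks cast this class over them.
    The array sizes now come from the named constants instead of repeating
    the literals 16 and 400.
    """
    _fields_ = [
        ("timestamp_ns", ct.c_ulonglong),     # u64, bpf_ktime_get_ns()
        ("pid", ct.c_uint),                   # u32
        ("len", ct.c_uint),                   # u32
        ("comm", ct.c_char * TASK_COMM_LEN),  # char comm[TASK_COMM_LEN]
        ("v0", ct.c_char * MAX_BUF_SIZE),     # char v0[400]
    ]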
# Column header; the per-event lines printed by the callbacks use the same widths.
print("{:<18} {:<16} {:<6}".format("TIME(s)", "COMM", "PID"))

# Timestamp (ns) of the first event seen by either callback; later events are
# printed relative to it.  Zero means "not yet set".
start = 0
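def print_event_write(cpu, data, size, ignore_pid=12369):
    """Perf-buffer callback for SSL_write events: print one record to stdout.

    Args:
        cpu: CPU the event was received on (unused).
        data: pointer to a `Data` record as laid out by the BPF program.
        size: size of the record in bytes (unused).
        ignore_pid: events from this pid are dropped.  The default is the
            pid of a noisy local process the gist author filtered out; it
            is now a parameter instead of a literal in the body.  Pass
            None to print every event.

    Side effects: the first event seen (by this or the read callback) sets
    the global `start`, the zero point of the printed TIME(s) column.
    """
    global start
    event = ct.cast(data, ct.POINTER(Data)).contents
    if start == 0:
        start = event.timestamp_ns
    if ignore_pid is not None and event.pid == ignore_pid:
        return
    time_s = (event.timestamp_ns - start) / 1e9
    # NOTE(review): the whole 400-byte v0 is printed, not just the first
    # event.len bytes, so trailing bytes may be stale memory beyond what the
    # application actually handed to SSL_write.
    print("WRITE: %-18.9f %-16s %-6d %d\n%s" % (time_s, event.comm, event.pid, event.len, event.v0))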
def print_event_read(cpu, data, size):
    """Perf-buffer callback for SSL_read events: print one record to stdout.

    Args:
        cpu: CPU the event was received on (unused).
        data: pointer to a `Data` record as laid out by the BPF program.
        size: size of the record in bytes (unused).

    The first event seen by either callback sets the global `start`; the
    printed time is seconds since that event.  The whole v0 array is printed,
    not only the first event.len bytes.
    """
    global start
    event = ct.cast(data, ct.POINTER(Data)).contents
    if not start:
        start = event.timestamp_ns
    elapsed = (event.timestamp_ns - start) / 1e9
    fields = (elapsed, event.comm, event.pid, event.len, event.v0)
    print("READ: %-18.9f %-16s %-6d %d\n%s" % fields)
# Route each perf buffer to its printer, then poll forever (Ctrl-C to stop).
handlers = (
    ("perf_SSL_write", print_event_write),
    ("perf_SSL_read", print_event_read),
)
for table, handler in handlers:
    b[table].open_perf_buffer(handler)

# NOTE(review): newer bcc releases name this perf_buffer_poll(); kprobe_poll()
# is the name the bcc of this gist's era exposed.
while True:
    b.kprobe_poll()
$ sudo python sniff_openssl.py
TIME(s) COMM PID
WRITE: 0.000000000 curl 2665 4
GET / HTTP/1.1
User-Agent: curl/7.35.0
Host: google.es
Accept: */*
READ: 0.048204734 curl 2665 4
HTTP/1.1 301 Moved Permanently
Location: https://www.google.es/
Content-Type: text/html; charset=UTF-8
Date: Fri, 12 Aug 2016 23:17:08 GMT
Expires: Sun, 11 Sep 2016 23:17:08 GMT
Cache-Control: public, max-age=2592000
Server: gws
Content-Length: 219
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 443:quic
Alt-Svc: quic=":443"; ma=2592000; v="36,35,34,33,32