Copyright 2022 CFC4N <cfc4n.cs@gmail.com>. All Rights Reserved.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.


Constants

// Probe attachment types used by the eBPF modules. The string values are
// the names the modules use in configuration and logging.
//
// NOTE(review): loading/attaching these program types needs elevated
// privileges (CAP_BPF+CAP_PERFMON, or CAP_SYS_ADMIN on older kernels; TC/XDP
// additionally CAP_NET_ADMIN), so the tool is effectively a root-only
// capture facility — its output should be protected accordingly.
const (
	ProbeTypeUprobe = "uprobe"     // user-space function hook (e.g. SSL_write in libssl)
	ProbeTypeKprobe = "kprobe"     // kernel function hook
	ProbeTypeTC     = "TC"         // traffic-control (cls_bpf) packet hook
	ProbeTypeTP     = "tracepoint" // kernel tracepoint
	ProbeTypeXDP    = "XDP"        // eXpress Data Path packet hook
)
// Names of the built-in probe modules. Each one identifies a single probe
// implementation (see NewBashProbe, NewOpenSSLProbe, ...). Presumably this is
// the value returned by IModule.Name and the key looked up by GetModuleFunc —
// confirm against the registry implementation.
const (
	ModuleNameBash     = "EBPFProbeBash"     // bash command-line capture
	ModuleNameZsh      = "EBPFProbeZsh"      // zsh command-line capture
	ModuleNameMysqld   = "EBPFProbeMysqld"   // mysqld hook
	ModuleNamePostgres = "EBPFProbePostgres" // postgres hook
	ModuleNameOpenssl  = "EBPFProbeOPENSSL"  // OpenSSL / BoringSSL
	ModuleNameGnutls   = "EBPFProbeGNUTLS"   // GnuTLS
	ModuleNameNspr     = "EBPFProbeNSPR"     // NSPR/NSS (Mozilla TLS stack)
	ModuleNameGotls    = "EBPFProbeGoTLS"    // Go crypto/tls
)
// Exit status attributed to a bash/zsh command event when no real return
// value is available.
//
// NOTE(review): 128 is also the base the shells use for signal-terminated
// children (128+signal). Consumers of the events should treat this value as
// "unknown" rather than as a literal exit code — confirm how the decoder
// distinguishes the two.
const (
	BashErrnoDefault int = 128
	ZshErrnoDefault  int = 128
)
// Library functions hooked in order to extract TLS master secrets. The secret
// is (presumably) read out of the target's SSL object at the hook point, so
// the hook has to fire only once the handshake has actually derived the key;
// the comments below record why the BoringSSL hook was moved.
//
// NOTE(review): material obtained through these hooks (keylog / pcapng
// output) is sufficient to decrypt the intercepted sessions. Treat the
// output files with the same care as a private key.
const (
	// Alternative hook candidates: SSL_is_init_finished \ SSL_get_wbio \ SSL_write
	MasterKeyHookFuncOpenSSL = "SSL_write"

	/*
		In BoringSSL, SSL_write calls SSL_do_handshake; while SSL_do_handshake
		is executing, the handshake of the current SSL connection may not be
		complete yet, and ... (the original comment ends here)
	*/
	// 2022-12-16: changed to SSL_in_init
	MasterKeyHookFuncBoringSSL = "SSL_in_init"
	MasterKeyHookFuncSSLBefore = "SSL_in_before"
	MasterKeyHookFuncSSLState  = "SSL_state"
)
// Bytecode selection hint and user-facing notices for BTF / CO-RE support.
const (
	// Suffix (despite the name) of the eBPF object files built for kernels
	// older than 5.2 — presumably selected when the running kernel is older.
	KernelLess52Prefix = "_less52.o"
	// Shown when the kernel has no BTF information and a CO-RE object cannot load.
	BtfNotSupport      = "You can compile the BTF-free version by using the command `make nocore`, please read the Makefile for more information."
	// Hint printed on load failure: `-b 2` forces the non-CO-RE bytecode.
	BtfModeSwitch      = "If eCapture fails to run, try specifying the BTF mode. use `-b 2` to specify non-CORE mode."
)
// Kinds of event emitted by the bash probe (the event's type field).
const (
	BashEventTypeReadline   = 0 // a command line was read (readline returned)
	BashEventTypeRetval     = 1 // a command finished; carries its exit status
	BashEventTypeExitOrExec = 2 // the shell exited or exec'd another program
)
// GnuTLS protocol-version and MAC identifiers used by the GnuTLS probe. The
// DTLS values are offset by 200, mirroring GnuTLS's gnutls_protocol_t.
//
// NOTE(review): as displayed, the sequence starts at 0 (GnutlsSsl3 = 0,
// GnutlsDtls10 = 200, GnutlsMacSha256 = 5), whereas GnuTLS itself defines
// GNUTLS_SSL3 = 1, GNUTLS_DTLS1_0 = 201 (200 is GNUTLS_DTLS0_9) and
// GNUTLS_MAC_SHA256 = 6. The documentation renderer hides unexported names,
// so a leading `_ = iota` line may simply be missing from this listing —
// verify the numeric values against the source before relying on them for
// version/MAC detection in keylog output.
const (
	GnutlsSsl3, GnutlsDtls10  = iota, iota + 200
	GnutlsTls10, GnutlsDtls12 = iota, iota + 200
	GnutlsTls11               = iota
	GnutlsTls12
	GnutlsTls13
	GnutlsMacSha256 // MAC algorithm ids continue the same sequence
	GnutlsMacSha384
)
// Connection-tuple placeholders and the OpenSSL BIO type flags used to find
// the socket behind an SSL object.
const (
	// Presumably returned by MOpenSSLProbe.GetConn when no tuple has been
	// recorded for a pid/fd pair — confirm.
	ConnNotFound = "[TUPLE_NOT_FOUND]"
	// Tuple used before a real src-dst pair is known.
	DefaultTuple = "0.0.0.0:0-0.0.0.0:0"
	// OpenSSL the classes of BIOs
	// https://github.com/openssl/openssl/blob/openssl-3.0.0/include/openssl/bio.h.in
	// These equal BIO_TYPE_DESCRIPTOR and BIO_TYPE_SOURCE_SINK in that header.
	// A BIO with both bits set wraps a file descriptor (e.g. a socket), which
	// is presumably what lets the probe map an SSL object back to a pid/fd
	// and thus a 4-tuple.
	BioTypeDescriptor = 0x0100
	BioTypeSourceSink = 0x0400
)
// Names of the bundled default bytecode / struct-offset sets, selected from
// the detected OpenSSL version.
//
// NOTE(review): the identifiers misspell "Default" ("Defaule"), but they are
// exported API, so renaming them would be a breaking change.
const (
	Linuxdefaulefilename102 = "linux_default_1_0_2"
	Linuxdefaulefilename110 = "linux_default_1_1_0"
	Linuxdefaulefilename111 = "linux_default_1_1_1"
	Linuxdefaulefilename30  = "linux_default_3_0"
	// OpenSSL 3.1 reuses the 3.0 set (likely because the ssl_st layout did
	// not change between 3.0 and 3.1). Confirm this is intentional rather than
	// a copy-paste slip: a wrong offset set does not fail loudly, it yields
	// garbage secrets.
	Linuxdefaulefilename31  = "linux_default_3_0"
	Linuxdefaulefilename320 = "linux_default_3_2"
	Linuxdefaulefilename330 = "linux_default_3_3"
	Linuxdefaulefilename340 = "linux_default_3_4"
	AndroidDefauleFilename  = "android_default"

	// Size of the buffer the detected OpenSSL version string is copied into;
	// longer strings are presumably truncated — confirm on the reading side.
	OpenSslVersionLen = 30 // openssl version string length
)
// Highest patch level of each OpenSSL release line this build carries
// offsets for. The 1.0.2 / 1.1.0 / 1.1.1 lines use the letter patch suffix
// ('u' = 1.0.2u); the 3.x lines use the numeric patch number. Some 3.x lines
// are split in two, presumably because a patch release changed the struct
// layout (3.2.0–3.2.2 vs 3.2.3+, 3.3.0–3.3.1 vs 3.3.2).
//
// NOTE(review): a version above the listed maximum presumably falls back to
// the nearest known offset set (see OpensslNoticeUsedDefault). Because the
// SSL struct fields are read blindly at fixed offsets, a mismatch produces
// wrong key material silently rather than an error; such fallbacks should be
// surfaced prominently to the operator.
const (
	MaxSupportedOpenSSL102Version = 'u'
	MaxSupportedOpenSSL110Version = 'l'
	MaxSupportedOpenSSL111Version = 'w'
	MaxSupportedOpenSSL30Version  = 15
	MaxSupportedOpenSSL31Version  = 7
	SupportedOpenSSL32Version2    = 2 // openssl 3.2.0 ~ 3.2.2
	MaxSupportedOpenSSL32Version  = 3 // openssl 3.2.3 ~ newer
	SupportedOpenSSL33Version1    = 1 // openssl 3.3.0 ~ 3.3.1
	MaxSupportedOpenSSL33Version  = 2 // openssl 3.3.2
	SupportedOpenSSL34Version0    = 0 // openssl 3.4.0
)
// EcaptureMagic is a fixed marker value. Where it is written or checked is
// not visible from this listing — presumably it tags records produced by
// eCapture; confirm before treating it as a format identifier.
const EcaptureMagic = 0xCC0C4CFC
// GnuTLSDefaultVersion is the libgnutls version assumed when the real one is
// not supplied or cannot be detected (presumably — confirm in the GnuTLS
// probe's Init).
const GnuTLSDefaultVersion = "3.6.12"
// GnuTLSVersionLen is the size of the buffer the GnuTLS version string is
// copied into; longer strings are presumably truncated.
const GnuTLSVersionLen = 32
// Kinds of event emitted by the zsh probe (the event's type field).
const (
	ZshEventTypeReadline = 0 // a command line was read
)

Variables

// Errors and operator notices for OpenSSL/BoringSSL version detection.
var (
	// Returned when no version string could be located in the target library.
	ErrProbeOpensslVerNotFound         = errors.New("OpenSSL/BoringSSL version not found")
	// Returned when a version was detected but no bytecode is bundled for it.
	ErrProbeOpensslVerBytecodeNotFound = errors.New("OpenSSL/BoringSSL version bytecode not found")
	// Hints on how to pass --ssl_version explicitly (Android BoringSSL / Linux OpenSSL).
	OpensslNoticeVersionGuideAndroid   = "\"--ssl_version='boringssl_a_13'\" , \"--ssl_version='boringssl_a_14'\""
	OpensslNoticeVersionGuideLinux     = "\"--ssl_version='openssl x.x.x'\", support openssl 1.0.x, 1.1.x, 3.x or newer"
	// Notice emitted when a default offset set was used instead of an exact
	// match (inferred from the name). Operators should treat captures made
	// under this notice with suspicion — see the MaxSupportedOpenSSL* notes.
	OpensslNoticeUsedDefault           = "" /* 131-byte string literal not displayed by the documentation renderer */
)
// GnutlsVersionToString maps the Gnutls* protocol identifiers to the names
// GnuTLS uses for them, for human-readable output. The MAC identifiers
// (GnutlsMacSha256/384) are deliberately absent.
//
// NOTE(review): the numeric keys depend on the Gnutls* iota sequence, whose
// displayed values may be off by one from GnuTLS's own enum — see the note
// on those constants.
var GnutlsVersionToString = map[int32]string{
	GnutlsSsl3:   "GNUTLS_SSL3",
	GnutlsTls10:  "GNUTLS_TLS1_0",
	GnutlsTls11:  "GNUTLS_TLS1_1",
	GnutlsTls12:  "GNUTLS_TLS1_2",
	GnutlsTls13:  "GNUTLS_TLS1_3",
	GnutlsDtls10: "GNUTLS_DTLS1_0",
	GnutlsDtls12: "GNUTLS_DTLS1_2",
}
// NotGoCompiledBin is returned when the target binary is not a Go program
// and therefore cannot be used with the GoTLS probe.
//
// NOTE(review): Go convention names sentinel errors ErrXxx; the name is
// exported API, so it is left as is.
var NotGoCompiledBin = errors.New("it is not a program compiled in the Go language")

Functions

func GetModuleFunc added in v0.8.1

func GetModuleFunc(name string) func() IModule

GetModuleFunc returns the module constructor registered under name.

func RegisteFunc added in v0.8.1

func RegisteFunc(f func() IModule)

RegisteFunc registers a module constructor in the module registry. (The exported name's spelling cannot be corrected without breaking callers.)

Types

type GoTLSProbe

// GoTLSProbe captures TLS traffic of Go programs (crypto/tls), presumably by
// placing uprobes on the target binary itself; NotGoCompiledBin is the error
// for non-Go targets. It embeds MTCProbe and so can also emit pcapng output.
type GoTLSProbe struct {
	MTCProbe
	// contains filtered or unexported fields
}

GoTLSProbe is the probe for TLS traffic of Go programs (crypto/tls).

func (*GoTLSProbe) Close

func (g *GoTLSProbe) Close() error

func (*GoTLSProbe) DecodeFun

func (g *GoTLSProbe) DecodeFun(m *ebpf.Map) (event.IEventStruct, bool)

func (*GoTLSProbe) Dispatcher

func (g *GoTLSProbe) Dispatcher(eventStruct event.IEventStruct)

func (*GoTLSProbe) Events

func (g *GoTLSProbe) Events() []*ebpf.Map

func (*GoTLSProbe) Init

func (g *GoTLSProbe) Init(ctx context.Context, l *zerolog.Logger, cfg config.IConfig, ecw io.Writer) error

func (*GoTLSProbe) Name

func (g *GoTLSProbe) Name() string

func (*GoTLSProbe) Start

func (g *GoTLSProbe) Start() error

type IClose

// IClose is implemented by anything that releases its resources on Close.
type IClose interface {
	Close() error
}

type IModule

// IModule is the interface every probe module implements. The method names
// suggest the lifecycle Init -> Start -> Run -> Stop -> Close (confirm in
// Module); Decode/DecodeFun turn raw records read from an ebpf.Map into
// event structs, and Dispatcher hands decoded events to the output.
type IModule interface {
	// Init initializes the module with a context, logger, configuration and
	// the writer that collects events.
	Init(context.Context, *zerolog.Logger, config.IConfig, io.Writer) error

	// Name returns the name of this module.
	Name() string

	// Run listens for and processes events.
	Run() error

	// Start starts the module (presumably attaches its eBPF programs).
	Start() error

	// Stop stops the module.
	Stop() error

	// Close shuts the module down and releases its resources.
	Close() error

	// SetChild records the concrete probe embedding the base Module —
	// presumably so the base can call the child's overrides; confirm.
	SetChild(module IModule)

	// Decode parses the raw bytes read from the given map into an event.
	Decode(*ebpf.Map, []byte) (event.IEventStruct, error)

	// Events returns the eBPF maps this module reads events from.
	Events() []*ebpf.Map

	// DecodeFun returns the event prototype used for records of map p and
	// whether one is registered for that map.
	DecodeFun(p *ebpf.Map) (event.IEventStruct, bool)

	// Dispatcher hands a decoded event to its destination (writer, remote
	// store, another channel, ...).
	Dispatcher(event.IEventStruct)
}

func NewBashProbe added in v0.8.1

func NewBashProbe() IModule

func NewGnutlsProbe added in v0.8.1

func NewGnutlsProbe() IModule

func NewGoTLSProbe added in v0.8.1

func NewGoTLSProbe() IModule

func NewMysqldProbe added in v0.8.1

func NewMysqldProbe() IModule

func NewNsprProbe added in v0.8.1

func NewNsprProbe() IModule

func NewOpenSSLProbe added in v0.8.1

func NewOpenSSLProbe() IModule

func NewPostgresProbe added in v0.8.1

func NewPostgresProbe() IModule

func NewZshProbe added in v0.9.0

func NewZshProbe() IModule

type MBashProbe

// MBashProbe captures the command lines entered in bash, their exit status
// and shell exit/exec events (see the BashEventType* constants).
type MBashProbe struct {
	Module
	// contains filtered or unexported fields
}

func (*MBashProbe) Close

func (b *MBashProbe) Close() error

func (*MBashProbe) DecodeFun

func (b *MBashProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)

func (*MBashProbe) Dispatcher

func (b *MBashProbe) Dispatcher(eventStruct event.IEventStruct)

func (*MBashProbe) Events

func (b *MBashProbe) Events() []*ebpf.Map

func (*MBashProbe) Init

func (b *MBashProbe) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig, ecw io.Writer) error

Init initializes the probe object.

func (*MBashProbe) Start

func (b *MBashProbe) Start() error

type MGnutlsProbe

// MGnutlsProbe captures traffic of programs using GnuTLS. It embeds MTCProbe
// and so can also emit pcapng output.
type MGnutlsProbe struct {
	MTCProbe
	// contains filtered or unexported fields
}

func (*MGnutlsProbe) Close

func (g *MGnutlsProbe) Close() error

func (*MGnutlsProbe) DecodeFun

func (g *MGnutlsProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)

func (*MGnutlsProbe) Dispatcher added in v0.8.10

func (g *MGnutlsProbe) Dispatcher(eventStruct event.IEventStruct)

func (*MGnutlsProbe) Events

func (g *MGnutlsProbe) Events() []*ebpf.Map

func (*MGnutlsProbe) Init

func (g *MGnutlsProbe) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig, ecw io.Writer) error

Init initializes the probe object.

func (*MGnutlsProbe) Start

func (g *MGnutlsProbe) Start() error

type MMysqldProbe

// MMysqldProbe hooks a mysqld process (presumably to capture the queries it
// executes; the exact hook point is not visible here).
type MMysqldProbe struct {
	Module
	// contains filtered or unexported fields
}

func (*MMysqldProbe) Close

func (m *MMysqldProbe) Close() error

func (*MMysqldProbe) DecodeFun

func (m *MMysqldProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)

func (*MMysqldProbe) Events

func (m *MMysqldProbe) Events() []*ebpf.Map

func (*MMysqldProbe) Init

func (m *MMysqldProbe) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig, ecw io.Writer) error

Init initializes the probe object.

func (*MMysqldProbe) Start

func (m *MMysqldProbe) Start() error

type MNsprProbe

// MNsprProbe hooks the NSPR/NSS stack (the TLS implementation used by
// Firefox, Thunderbird and similar) to capture its traffic.
type MNsprProbe struct {
	Module
	// contains filtered or unexported fields
}

func (*MNsprProbe) Close

func (n *MNsprProbe) Close() error

func (*MNsprProbe) DecodeFun

func (n *MNsprProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)

func (*MNsprProbe) Events

func (n *MNsprProbe) Events() []*ebpf.Map

func (*MNsprProbe) Init

func (n *MNsprProbe) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig, ecw io.Writer) error

Init initializes the probe object.

func (*MNsprProbe) Start

func (n *MNsprProbe) Start() error

type MOpenSSLProbe

// MOpenSSLProbe captures OpenSSL/BoringSSL traffic and master secrets. It
// maintains a pid/fd -> connection-tuple table (AddConn, GetConn, DelConn,
// DestroyConn) used to label captured data, and embeds MTCProbe for pcapng
// output.
//
// NOTE(review): the secrets this probe extracts decrypt the captured
// sessions; its output must be stored and transported as sensitive data.
type MOpenSSLProbe struct {
	MTCProbe
	// contains filtered or unexported fields
}

func (*MOpenSSLProbe) AddConn

func (m *MOpenSSLProbe) AddConn(pid, fd uint32, tuple string, sock uint64)

func (*MOpenSSLProbe) Close

func (m *MOpenSSLProbe) Close() error

func (*MOpenSSLProbe) DecodeFun

func (m *MOpenSSLProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)

func (*MOpenSSLProbe) DelConn

func (m *MOpenSSLProbe) DelConn(pid, fd uint32)

DelConn removes connection bookkeeping for a process. On process exit (fd == 0) every entry for the pid is deleted; on fd close (pid > 0 and fd > 0) only that fd's entry is deleted. TODO: drive this from fd-close and process-exit event hooks.

func (*MOpenSSLProbe) DestroyConn added in v0.9.0

func (m *MOpenSSLProbe) DestroyConn(sock uint64)

func (*MOpenSSLProbe) Dispatcher

func (m *MOpenSSLProbe) Dispatcher(eventStruct event.IEventStruct)

func (*MOpenSSLProbe) Events

func (m *MOpenSSLProbe) Events() []*ebpf.Map

func (*MOpenSSLProbe) GetConn

func (m *MOpenSSLProbe) GetConn(pid, fd uint32) string

func (*MOpenSSLProbe) Init

func (m *MOpenSSLProbe) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig, ecw io.Writer) error

Init initializes the probe object.

func (*MOpenSSLProbe) Start

func (m *MOpenSSLProbe) Start() error

type MPostgresProbe

// MPostgresProbe hooks a PostgreSQL server process (presumably to capture
// the queries it executes; the exact hook point is not visible here).
type MPostgresProbe struct {
	Module
	// contains filtered or unexported fields
}

func (*MPostgresProbe) Close

func (p *MPostgresProbe) Close() error

func (*MPostgresProbe) DecodeFun

func (p *MPostgresProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)

func (*MPostgresProbe) Events

func (p *MPostgresProbe) Events() []*ebpf.Map

func (*MPostgresProbe) Init

func (p *MPostgresProbe) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig, ecw io.Writer) error

Init initializes the probe object.

func (*MPostgresProbe) Start

func (p *MPostgresProbe) Start() error

type MTCProbe

// MTCProbe is the base for modules that, in addition to their uprobes, capture
// packets with a TC program and write them out as pcapng (see ServePcap).
type MTCProbe struct {
	Module
	// contains filtered or unexported fields
}

func (*MTCProbe) ServePcap

func (t *MTCProbe) ServePcap()

ServePcap writes the captured packets out as a pcapng file.

type MZshProbe added in v0.9.0

// MZshProbe captures the command lines entered in zsh (see the ZshEventType*
// constants).
type MZshProbe struct {
	Module
	// contains filtered or unexported fields
}

func (*MZshProbe) Close added in v0.9.0

func (b *MZshProbe) Close() error

func (*MZshProbe) DecodeFun added in v0.9.0

func (b *MZshProbe) DecodeFun(em *ebpf.Map) (event.IEventStruct, bool)

func (*MZshProbe) Dispatcher added in v0.9.0

func (b *MZshProbe) Dispatcher(eventStruct event.IEventStruct)

func (*MZshProbe) Events added in v0.9.0

func (b *MZshProbe) Events() []*ebpf.Map

func (*MZshProbe) Init added in v0.9.0

func (b *MZshProbe) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig, ecw io.Writer) error

Init initializes the probe object.

func (*MZshProbe) Start added in v0.9.0

func (b *MZshProbe) Start() error

type Module

// Module is the base implementation of IModule that the concrete probes embed.
// It holds the shared lifecycle (Init/Start/Run/Stop/Close) and event
// decoding/dispatch plumbing; probes override what they need.
type Module struct {
	// contains filtered or unexported fields
}

func (*Module) Close

func (m *Module) Close() error

func (*Module) Decode

func (m *Module) Decode(em *ebpf.Map, b []byte) (event event.IEventStruct, err error)

func (*Module) DecodeFun

func (m *Module) DecodeFun(p *ebpf.Map) (event.IEventStruct, bool)

func (*Module) Dispatcher

func (m *Module) Dispatcher(e event.IEventStruct)

Dispatcher writes the decoded event out: to the configured writer, to a remote store, to another channel, and so on.

func (*Module) Events

func (m *Module) Events() []*ebpf.Map

func (*Module) Init

func (m *Module) Init(ctx context.Context, logger *zerolog.Logger, conf config.IConfig, eventCollector io.Writer) error

Init initializes the module.

func (*Module) Name

func (m *Module) Name() string

func (*Module) Run

func (m *Module) Run() error

func (*Module) SetChild

func (m *Module) SetChild(module IModule)

func (*Module) Start

func (m *Module) Start() error

func (*Module) Stop

func (m *Module) Stop() error

type NetCaptureData

// NetCaptureData is the per-packet header attached to packets captured by
// the TC program (presumably prepended to the packet bytes).
type NetCaptureData struct {
	PacketLength     uint32 `json:"pktLen"`  // length of the captured packet in bytes
	ConfigIfaceIndex uint32 `json:"ifIndex"` // index of the interface the program was attached to
}

func (NetCaptureData) GetSizeBytes

// GetSizeBytes returns the serialized size of the header in bytes.
func (NetCaptureData) GetSizeBytes() uint32

type NetEventMetadata

// NetEventMetadata describes the process context of a captured network event.
type NetEventMetadata struct {
	TimeStamp   uint64   `json:"timeStamp"`   // event time (clock source not visible here; likely a kernel monotonic ns value)
	HostTid     uint32   `json:"hostTid"`     // thread id in the host pid namespace
	// 16 bytes matches the kernel's TASK_COMM_LEN, so this is presumably the
	// task comm, NUL-padded. Trim at the first NUL before logging or JSON
	// encoding, otherwise the trailing zero bytes end up in the output.
	ProcessName [16]byte `json:"processName"`
}

type TcPacket

// TcPacket is one packet captured by the TC probe, queued for pcapng output.
type TcPacket struct {
	// contains filtered or unexported fields
}

TcPacket holds one packet captured by the TC probe.

type Tls13MasterSecret

// Tls13MasterSecret holds the TLS 1.3 traffic secrets extracted from a
// session, in the same roles as the NSS key log file labels
// (SERVER_HANDSHAKE_TRAFFIC_SECRET, EXPORTER_SECRET, ...).
//
// NOTE(review): possession of these values is sufficient to decrypt the
// corresponding handshake and application data; the struct and anything
// derived from it (keylog lines, pcapng DSB blocks) are secret material.
// No early (0-RTT) traffic secret is represented here.
type Tls13MasterSecret struct {
	ServerHandshakeTrafficSecret []byte
	ExporterSecret               []byte
	ServerTrafficSecret0         []byte
	ClientHandshakeTrafficSecret []byte
	ClientTrafficSecret0         []byte
}

type TlsCaptureModelType

// TlsCaptureModelType selects how TLS captures are emitted.
type TlsCaptureModelType uint8
const (
	TlsCaptureModelTypePcap   TlsCaptureModelType = iota // packets written as pcapng (with secrets, presumably)
	TlsCaptureModelTypeText                              // decrypted plaintext written as text
	TlsCaptureModelTypeKeylog                            // only the key log (NSS keylog format, presumably)
)

func (TlsCaptureModelType) String added in v0.8.1

func (t TlsCaptureModelType) String() string
