support register compare filter

SeeFlowerX · Jan 17, 2024 · 93ddb8f · 93ddb8f
1 parent 4e42274
commit 93ddb8f
Show file tree

Hide file tree

Showing 8 changed files with 48 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -268,6 +268,12 @@ cat /proc/kallsyms  | grep "T sys_"
 ./stackplz -n com.starbucks.cn -s openat:f0.f1.f2 -f w:/system -f w:/dev -f b:/system/lib64 -o tmp.log
 ```
 
+LR比较，需要提前计算用于比较的值：
+
+```bash
+./stackplz -n com.chinarainbow.tft -w memcpy[ptr,ptr,int,ptr.f0:lr] -f eq:0x748a484d2c --stack --kill SIGSTOP
+```
+
 3.11 支持远程硬件断点，frida联动
 
 - server 监听命令 ./stackplz --rpc --stack

diff --git a/src/types.h b/src/types.h
@@ -30,6 +30,7 @@ typedef struct arg_filter {
     u32 filter_type;
     char str_val[256];
     u32 str_len;
+    u64 num_val;
 } arg_filter_t;
 
 enum arg_filter_e
@@ -92,6 +93,7 @@ enum op_code_e
     OP_READ_POINTER,
     OP_SAVE_POINTER,
     OP_SAVE_STRUCT,
+    OP_FILTER_VALUE,
     OP_FILTER_STRING,
     OP_SAVE_STRING,
     OP_SAVE_PTR_STRING,

diff --git a/src/utils.h b/src/utils.h
@@ -185,6 +185,25 @@ static __noinline u32 read_args(program_data_t* p, point_args_t* point_args, op_
                 }
                 op_ctx->save_index += 1;
                 break;
+            case OP_FILTER_VALUE: {
+                // 配合 OP_READ_REG 比较寄存器的值是否匹配
+                arg_filter_t* filter = bpf_map_lookup_elem(&arg_filter, &op->value);
+                if (unlikely(filter == NULL)) return 0;
+                if (filter->filter_type == EQUAL_FILTER) {
+                    if (filter->num_val != op_ctx->reg_value) {
+                        op_ctx->match_blacklist = 1;
+                    }
+                } else if (filter->filter_type == GREATER_FILTER) {
+                    if (filter->num_val <= op_ctx->reg_value) {
+                        op_ctx->match_blacklist = 1;
+                    }
+                } else if (filter->filter_type == LESS_FILTER) {
+                    if (filter->num_val >= op_ctx->reg_value) {
+                        op_ctx->match_blacklist = 1;
+                    }
+                }
+                break;
+            }
             case OP_FILTER_STRING: {
                 // 这里会受到循环次数的限制
                 // 实测 384 可以 512 不行 除非有什么更好的优化方法

diff --git a/user/argtype/op_helper.go b/user/argtype/op_helper.go
@@ -31,6 +31,7 @@ const (
 	OP_READ_POINTER
 	OP_SAVE_POINTER
 	OP_SAVE_STRUCT
+	OP_FILTER_VALUE
 	OP_FILTER_STRING
 	OP_SAVE_STRING
 	OP_SAVE_PTR_STRING
@@ -286,6 +287,7 @@ var OPC_READ_POINTER = ROP("READ_POINTER", OP_READ_POINTER)
 var OPC_SAVE_POINTER = ROP("SAVE_POINTER", OP_SAVE_POINTER)
 var OPC_SAVE_STRUCT = ROP("SAVE_STRUCT", OP_SAVE_STRUCT)
 var OPC_SAVE_STRING = ROP("SAVE_STRING", OP_SAVE_STRING)
+var OPC_FILTER_VALUE = ROP("FILTER_VALUE", OP_FILTER_VALUE)
 var OPC_FILTER_STRING = ROP("FILTER_STRING", OP_FILTER_STRING)
 var OPC_SAVE_PTR_STRING = ROP("SAVE_PTR_STRING", OP_SAVE_PTR_STRING)
 var OPC_READ_STD_STRING = ROP("READ_STD_STRING", OP_READ_STD_STRING)

diff --git a/user/config/config_filter.go b/user/config/config_filter.go
@@ -52,11 +52,13 @@ func (this *ArgFilter) ToEbpfValue() EArgFilter {
 	t.Filter_type = this.Filter_type
 	t.Str_len = this.Str_len
 	t.Str_val = this.Str_val
+	t.Num_val = this.Num_val
 	return t
 }
 
 type EArgFilter struct {
 	Filter_type uint32
 	Str_val     [common.MAX_STRCMP_LEN]byte
 	Str_len     uint32
+	Num_val     uint64
 }
diff --git a/user/config/config_module.go b/user/config/config_module.go
@@ -118,6 +118,14 @@ func (this *StackUprobeConfig) ParseArgType(arg_str string, point_arg *PointArg)
         point_arg.SetGroupType(EBPF_UPROBE_ENTER)
     case "ptr":
         point_arg.SetTypeIndex(POINTER)
+        filter_names := strings.Split(arg_filter, ".")
+        for _, filter_name := range filter_names {
+            for _, arg_filter := range *this.arg_filter {
+                if arg_filter.Match(filter_name) {
+                    point_arg.AddFilterIndex(arg_filter.Filter_index)
+                }
+            }
+        }
     case "ptr_arr", "uint_arr", "int_arr":
         arr_items := strings.SplitN(read_op_str, ":", 2)
         var count_str = ""

diff --git a/user/config/config_point_arg.go b/user/config/config_point_arg.go
@@ -89,6 +89,14 @@ func (this *PointArg) GetOpList() []uint32 {
 		op_list = append(op_list, argtype.Add_READ_SAVE_REG(uint64(this.RegIndex)).Index)
 		op_list = append(op_list, argtype.OPC_MOVE_REG_VALUE.Index)
 	}
+
+	if this.TypeIndex == POINTER {
+		for _, v := range this.FilterIndexList {
+			filter_op := argtype.OPC_FILTER_VALUE.NewValue(uint64(v))
+			op_list = append(op_list, filter_op.Index)
+		}
+	}
+
 	if this.ReadMore() {
 		for _, op_key := range argtype.GetOpKeyList(this.TypeIndex) {
 			op_list = append(op_list, op_key)

diff --git a/user/util/helper.go b/user/util/helper.go
@@ -35,7 +35,7 @@ func StrToNum(text string) uint32 {
 }
 
 func StrToNum64(text string) uint64 {
-	value, err := strconv.ParseUint(text, 10, 32)
+	value, err := strconv.ParseUint(text, 0, 64)
 	if err != nil {
 		panic(err)
 	}