Comments (12)
I reproduced it too. The key to reproducibility is whether to execute the bash command. Can you pinpoint the reason and send a PR?
from ecapture.
in my opinion:
- The number of built-in commands without returned value (such as exit, exec) is limited, perhaps they can be treated specially.
- The uretprobe/readline function should check whether the key already exists, and if so, perform an append operation (in fact, this logic should be done in user space rather than in kernel space. The BPF program merely sends the collected data to user space.).
from ecapture.
Example 1
It works on my server. How to reproduce?
Example 2
Run failed. Indeed, this is a bug.
from ecapture.
Screencast.from.02-25-2024.04.20.16.PM.webm
Here is the demo for Example 1.
Some context:
OS: Ubuntu 22.04 (installed on bare metal)
Bash: 5.1.16
ecapture: commit 2127596
from ecapture.
Screencast.from.02-28-2024.08.59.42.PM.webm
Actually, on my computer, without executing the bash command, the bug can still be reproduced. I suspect that it is related to the bash configuration.
So, I tried to reproduce a result similar to yours in the video above after setting exec's alias to "".
To confirm it, run in your initial bash shell:
type exec
As for the fix for the missing command, in my opinion, more discussion is needed before really figuring out the relatively weird behavior on your computer. Also, the fix option I proposed (i.e., removing the support for returned value tracking) is a breaking change (removing a feature), which may significantly contradict your original design decision and the use case for eCapture.
So I want to ask for your advice. Would it be better to remove the support for returned value tracing? Are there better options that I do not know of without breaking the original feature?
Finally, I confine the analysis to the inherent defect of return value analysis in my initial comment:
- The command might never return from execute_command(), which leads to the miss.
- The command might only return once from execute_command() for a multi-line code block which contains multiple commands.
Best wishes!
from ecapture.
Also, the fix option I proposed (i.e., removing the support for returned value tracking) is a breaking change (removing a feature), which may significantly contradict your original design decision and the use case for eCapture.
Indeed, the original intention of eCapture's design was to track "input commands" without including return values. However, it does not mean that "return value tracking cannot be supported".
However, the current main goal is to determine the root cause of the problem.
from ecapture.
In a word, the root cause is that execute_command() in bash might not return for every line of bash input (like examples 1 and 2). However, eCapture just reads one line of command each time when hooking internal_readline_teardown() and expects this line of command to return in execute_command() in order to print it out. If execute_command() does not return before the next line, the hooking function for internal_readline_teardown() will replace the previous one and the previous line is lost (never printed out).
from ecapture.
So, what is your solution? Remove the detection of execute_command?
@sancppp, what do you think about this issue?
from ecapture.
I came up with three potential solutions with different considerations:
- Remove the detection of execute_command, with every interactive command recorded. However, in this way, we could not track returned values any more.
- Stay the same, with the risk of losing some commands when auditing (I don't know the tolerance for losing interactive commands in real auditing).
- Send an event (including info like cmdline, pid) to userspace when returning from the readline function and send another event when returning from execute_command. When receiving an event from execute_command, we just print out all commands stored before according to pid and print the final return value we capture with best effort. For simple commands, it works without losing track of any command and returned value. For commands containing something like if, it will lose track of some returned values in the code blocks. Commands like exec ls would be missed in this solution. If we could track the function related to the exec internal command in Bash, the exec ls command line could still be tracked and no command would be lost.
from ecapture.
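User-space correlation along the lines of option 3, as an added example that is not eCapture's own code: readline events are buffered per pid instead of overwriting each other, and when execute_command returns the whole buffer is printed with the return value attached only to the last line (best effort). It goes one step beyond the option as described by also flushing on an assumed process-end event (shell exec()/exit), which is how the exec ls case could be recovered; the names Event, Record, Correlator and the Kind constants are chosen here, and the input lines are constructed.

```go
package main

import "fmt"
// Event kinds delivered from the BPF side to user space.
const (
	KindReadline   = iota // uretprobe on readline: one input line captured
	KindExecReturn        // uretprobe on execute_command: a command returned
	KindProcessEnd        // assumed extra event (shell exec()/exit) that flushes the buffer
)
type Event struct {
	Kind   int
	Pid    uint32
	Line   string // KindReadline only
	RetVal int32  // KindExecReturn only
}
type Record struct {
	Pid    uint32
	Line   string
	RetVal int32
	HasRet bool // false when no return value could be attributed to this line
}
// Correlator buffers readline events per pid so a multi-line block (if ... fi) survives a single execute_command return.
type Correlator struct{ pending map[uint32][]string }
func NewCorrelator() *Correlator { return &Correlator{pending: map[uint32][]string{}} }
// Handle consumes one event and returns every record that became printable.
func (c *Correlator) Handle(ev Event) []Record {
	if ev.Kind == KindReadline {
		c.pending[ev.Pid] = append(c.pending[ev.Pid], ev.Line)
		return nil
	}
	lines := c.pending[ev.Pid]
	delete(c.pending, ev.Pid)
	out := make([]Record, 0, len(lines))
	for i, l := range lines {
		r := Record{Pid: ev.Pid, Line: l}
		if ev.Kind == KindExecReturn && i == len(lines)-1 {
			r.RetVal, r.HasRet = ev.RetVal, true // best effort: only the last line gets it
		}
		out = append(out, r)
	}
	return out
}

func main() { // constructed sample: a three-line block, then one execute_command return
	c := NewCorrelator()
	for _, l := range []string{"if true; then", "ls", "fi"} {
		c.Handle(Event{Kind: KindReadline, Pid: 4242, Line: l})
	}
	fmt.Printf("%+v\n", c.Handle(Event{Kind: KindExecReturn, Pid: 4242}))
}
```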
- Reported incorrect and unsuccessfully executed events.
- Missed some events.
- More complex changes.
I agree with 3, but it may require extensive testing.
from ecapture.
So, what is your solution? Remove the detection of execute_command? @sancppp, what do you think about this issue?
I think execute_command() cannot be used as a hook position for eBPF.
It is incorrect to cache input content in a bpf map and wait for return value from the execute_command function.
Hack:
QQ20240302-214301.mp4
from ecapture.
So, what is your solution? Remove the detection of execute_command? @sancppp, what do you think about this issue?
I think execute_command() cannot be used as a hook position for eBPF. It is incorrect to cache input content in a bpf map and wait for return value from the execute_command function. Hack: QQ20240302-214301.mp4
Another great example that shows the difficulties of correctly tracing both every returned value and command line.
from ecapture.