package inject /* #cgo CFLAGS: -I include #cgo amd64 LDFLAGS: ${SRCDIR}/lib/libhotpatch_amd64.a #cgo arm64 LDFLAGS: ${SRCDIR}/lib/libhotpatch_arm64.a #include "hotpatch.h" #include */ import "C" import ( "bufio" "debug/elf" "fmt" "github.com/coroot/coroot-node-agent/utils" klog "github.com/sirupsen/logrus" "golang.org/x/arch/x86/x86asm" "os" "path/filepath" "strings" "syscall" "unsafe" ) const ( IO_FD_FDID_SYM_OFFSET = 129 NET_SEND_SYM_OFFSET = 518 // 备份指令长度 ORIGIN_CODE_LEN = 12 ) type InstInfo struct { SymName string SymSize uint64 SymAddr uint64 PC uint64 Inst x86asm.Inst OriginInst x86asm.Inst OriginCode []byte TargetAddr uint64 OriginTargetAddr uint64 } type InnerSymbolInfo struct { IO_fd_fdID InstInfo NET_Send InstInfo } func (j *JvmInjector) findReleaseAddressInfoFromMem() error { klog.Infof("findReleaseAddressInfoFromMem start.") funcAbsAddress := j.ReleaseLibNetInfo.FuncSymbol.SymAddr releaseFuncSym := InnerSymbolInfo{} code, err := j.readMemory(funcAbsAddress, j.ReleaseLibNetInfo.FuncSymbol.SymSize) if err != nil { return err } pc := uint64(0) callCount := 0 preContext := InstInfo{} for pc < uint64(len(code)) { inst, err := x86asm.Decode(code[pc:], 64) if err != nil { klog.Errorf("Decode error at offset 0x%x: %v\n", pc, err) pc++ // Skip this byte and try to decode again continue } //fmt.Printf("Decoded instuction at 0x%x: %v\n", funcAbsAddress+pc, Inst) //fmt.Printf("Decoded x86 instuction at 0x%x: %v\n", funcAbsAddress+pc, x86asm.IntelSyntax(inst, 0, nil)) //fmt.Printf("Decoded GNU instuction at 0x%x: %v\n", funcAbsAddress+pc, x86asm.GNUSyntax(Inst, 0, nil)) currentData := InstInfo{ PC: pc, SymAddr: funcAbsAddress + pc, Inst: inst, //IntelInst: x86asm.IntelSyntax(inst, 0, nil), } if pc == 10 && inst.Op == x86asm.JMP { // 已经被修改过的首指令 j.PreCheck.EbpfCanInjection = true j.Uprobe.ELFPath = j.DebugLibNetInfo.LibPath if j.DebugLibNetInfo.FileDeleted { j.Uprobe.ELFPath = j.DebugLibNetInfo.MapFile } klog.Infof("[inject] Inst already modified. <%s>;elf:%s", x86asm.IntelSyntax(inst, 0, nil), j.Uprobe.ELFPath) return nil } if pc == 0 { j.ReleaseLibNetInfo.FuncSymbol.PC = currentData.PC j.ReleaseLibNetInfo.FuncSymbol.Inst = currentData.Inst j.ReleaseLibNetInfo.FuncSymbol.OriginInst = currentData.Inst } if inst.Op == x86asm.MOV { if dst, okDst := inst.Args[0].(x86asm.Mem); okDst { if dst.Base == x86asm.RBP { if src, okSrc := inst.Args[1].(x86asm.Reg); okSrc { if src == x86asm.R9L { // debug so klog.Infof("[inject] release.so is debug.so. <%s>", x86asm.IntelSyntax(inst, 0, nil)) j.PreCheck.EbpfCanInjection = true j.Uprobe.ELFPath = j.ReleaseLibNetInfo.LibPath if j.ReleaseLibNetInfo.FileDeleted { j.Uprobe.ELFPath = j.ReleaseLibNetInfo.MapFile } return fmt.Errorf("MOV from register %v to memory %v\n", src, dst) //return nil } } } } //src, okSrc := inst.Args[1].(x86asm.Reg) //fmt.Println(inst.Args) //fmt.Printf("Instruction: %+v\n", inst) // //fmt.Println(okSrc) //if okDst && okSrc && dst == x86asm.RBP && src == x86asm.R9L { // fmt.Println("Instruction is 'mov %r9d, %rbp'") //} } if inst.Op == x86asm.CALL { //fmt.Printf("Pre instuction at 0x%x: %v\n", preContext.PC, preContext.Inst) if callCount == 0 { releaseFuncSym.IO_fd_fdID = preContext releaseFuncSym.IO_fd_fdID.SymName = "(Release)" preInst := preContext.Inst klog.Infof("[findReleaseAddressInfoFromMem] preInst %v\n]", preInst) // 计算目标地址 if preInst.Op == x86asm.MOV && len(preInst.Args) == 4 && preInst.Args[0] != nil && preInst.Args[0] == x86asm.RDX && preInst.Args[1] != nil { if mem, ok := preInst.Args[1].(x86asm.Mem); ok && mem.Base == x86asm.RIP { relOffset := mem.Disp // 直接从Mem结构体中读取偏移 targetAddress := preContext.SymAddr + uint64(preInst.Len) + uint64(relOffset) klog.Infof("[findReleaseAddressInfoFromMem] target address 0x%x\n", targetAddress) releaseFuncSym.IO_fd_fdID.TargetAddr = targetAddress } else { return fmt.Errorf("The instruction does not use RIP-relative addressing.") } } else { return fmt.Errorf("[findReleaseAddressInfoFromMem] The decoded instruction is not a MOV to RDX.") } } callCount++ if callCount == 4 { releaseFuncSym.NET_Send = currentData klog.Infof("4 call Decoded instuction at 0x%x: %v\n", funcAbsAddress+pc, inst) relOffset, ok := inst.Args[0].(x86asm.Rel) if !ok { return fmt.Errorf("The instruction does not use RIP-relative addressing.") } targetAddress := currentData.SymAddr + uint64(inst.Len) + uint64(relOffset) releaseFuncSym.NET_Send.TargetAddr = targetAddress klog.Infof("[findReleaseAddressInfoFromMem] target address 0x%x\n", releaseFuncSym.NET_Send) releaseFuncSym.NET_Send.SymName = "(Release)" klog.Infof("[findReleaseAddressInfoFromMem] target address 0x%x\n", targetAddress) } } preContext = InstInfo{ PC: pc, SymAddr: funcAbsAddress + pc, Inst: inst, } pc += uint64(inst.Len) } j.ReleaseLibNetInfo.InnerSymbol = releaseFuncSym j.ReleaseLibNetInfo.FuncSymbol.OriginCode = code[0:ORIGIN_CODE_LEN] return nil } func (j *JvmInjector) findDebugAddressInfoFromMem() (uint64, error) { klog.Infof("[findDebugAddressInfoFromMem] Looking for debug address info from Mem") funcAbsAddress := j.DebugLibNetInfo.FuncSymbol.SymAddr debugFuncSym := InnerSymbolInfo{} //debugFuncSym.FuncSymbol.SymAddr = funcAbsAddress //offset := sym.Value size := j.DebugLibNetInfo.FuncSymbol.SymSize code, err := j.readMemory(funcAbsAddress, size) //fmt.Println(code, err) if err != nil { return 0, err } pc := uint64(0) preContext := InstInfo{} for pc < uint64(len(code)) { inst, err := x86asm.Decode(code[pc:], 64) if err != nil { klog.Errorf("Decode error at offset 0x%x: %v\n", pc, err) pc++ // Skip this byte and try to decode again continue } //fmt.Printf("Decoded instuction at 0x%x: %v\n", funcAbsAddress+pc, Inst) //fmt.Printf("Decoded x86 instuction at 0x%x: %v\n", funcAbsAddress+pc, x86asm.IntelSyntax(inst, 0, nil)) //fmt.Printf("Decoded GNU instuction at 0x%x: %v\n", funcAbsAddress+pc, x86asm.GNUSyntax(Inst, 0, nil)) currentData := InstInfo{ PC: pc, SymAddr: funcAbsAddress + pc, Inst: inst, } if pc == 0 { j.DebugLibNetInfo.FuncSymbol.PC = currentData.PC j.DebugLibNetInfo.FuncSymbol.Inst = currentData.Inst j.DebugLibNetInfo.FuncSymbol.OriginInst = currentData.Inst } if pc == IO_FD_FDID_SYM_OFFSET { klog.Infof("Instuction at 0x%x: %v\n", preContext.PC, preContext.Inst) debugFuncSym.IO_fd_fdID = currentData debugFuncSym.IO_fd_fdID.SymName = "(Debug)" // 计算目标地址 if currentData.Inst.Op == x86asm.MOV && len(currentData.Inst.Args) == 4 && currentData.Inst.Args[0] != nil && currentData.Inst.Args[0] == x86asm.RDX && currentData.Inst.Args[1] != nil { if mem, ok := currentData.Inst.Args[1].(x86asm.Mem); ok && mem.Base == x86asm.RIP { // 直接从Mem结构体中读取偏移 relOffset := mem.Disp targetAddress := currentData.SymAddr + uint64(currentData.Inst.Len) + uint64(relOffset) klog.Infof("Find %s Target address: 0x%x\n", debugFuncSym.IO_fd_fdID.SymName, targetAddress) debugFuncSym.IO_fd_fdID.TargetAddr = targetAddress // 保存原始数据 debugFuncSym.IO_fd_fdID.OriginTargetAddr = targetAddress debugFuncSym.IO_fd_fdID.OriginInst = currentData.Inst j.PreCheck.IoFdCheck = true } else { return 0, fmt.Errorf("The instruction does not use RIP-relative addressing.") } } else { return 0, fmt.Errorf("[findDebugAddressInfoFromMem] The decoded instruction is not a MOV to RDX.") } } if pc == NET_SEND_SYM_OFFSET { debugFuncSym.NET_Send = currentData klog.Infof("4 call Decoded instuction at 0x%x: %v\n", funcAbsAddress+pc, inst) relOffset, ok := (inst.Args[0].(x86asm.Rel)) if !ok { return 0, fmt.Errorf("The decoded instruction is not a Rel.") } targetAddress := currentData.SymAddr + uint64(inst.Len) + uint64(relOffset) debugFuncSym.NET_Send.TargetAddr = targetAddress debugFuncSym.NET_Send.SymName = "(Debug)" klog.Infof("Find %s Target address: 0x%x\n", debugFuncSym.NET_Send.SymName, targetAddress) // 保存原始数据 debugFuncSym.NET_Send.OriginTargetAddr = targetAddress debugFuncSym.NET_Send.OriginInst = currentData.Inst j.PreCheck.NetSendFuncCheck = true } preContext = InstInfo{ PC: pc, SymAddr: funcAbsAddress + pc, Inst: inst, } pc += uint64(inst.Len) } j.DebugLibNetInfo.InnerSymbol = debugFuncSym return 0, nil } func (j *JvmInjector) checkDebugFuncSymAfterChange() (uint64, error) { klog.Infof("Checking debug function symbol after injection") funcAbsAddress := j.DebugLibNetInfo.FuncSymbol.SymAddr debugFuncSym := InnerSymbolInfo{} code, err := j.readMemory(funcAbsAddress, j.DebugLibNetInfo.FuncSymbol.SymSize) if err != nil { return 0, err } pc := uint64(0) preContext := InstInfo{} for pc < uint64(len(code)) { inst, err := x86asm.Decode(code[pc:], 64) if err != nil { klog.Infof("Decode error at offset 0x%x: %v\n", pc, err) pc++ // Skip this byte and try to decode again continue } //fmt.Printf("Decoded instuction at 0x%x: %v\n", funcAbsAddress+pc, Inst) //fmt.Printf("Decoded x86 instuction at 0x%x: %v\n", funcAbsAddress+pc, x86asm.IntelSyntax(inst, 0, nil)) //fmt.Printf("Decoded GNU instuction at 0x%x: %v\n", funcAbsAddress+pc, x86asm.GNUSyntax(Inst, 0, nil)) currentData := InstInfo{ PC: pc, SymAddr: funcAbsAddress + pc, Inst: inst, } if pc == NET_SEND_SYM_OFFSET { klog.Infof("Instuction at 0x%x: %v\n", preContext.PC, preContext.Inst) debugFuncSym.IO_fd_fdID = currentData debugFuncSym.IO_fd_fdID.SymName = "(Debug)" // 计算目标地址 if currentData.Inst.Op == x86asm.MOV && len(currentData.Inst.Args) == 4 && currentData.Inst.Args[0] != nil && currentData.Inst.Args[0] == x86asm.RDX && currentData.Inst.Args[1] != nil { if mem, ok := currentData.Inst.Args[1].(x86asm.Mem); ok && mem.Base == x86asm.RIP { // 直接从Mem结构体中读取偏移 relOffset := mem.Disp targetAddress := currentData.SymAddr + uint64(currentData.Inst.Len) + uint64(relOffset) klog.Infof("Find %s Target address: 0x%x\n", debugFuncSym.IO_fd_fdID.SymName, targetAddress) debugFuncSym.IO_fd_fdID.TargetAddr = targetAddress //j.PreCheck.IoFdCheck = true if targetAddress == j.ReleaseLibNetInfo.InnerSymbol.IO_fd_fdID.TargetAddr { j.DebugLibNetInfo.InnerSymbol.IO_fd_fdID.TargetAddr = targetAddress j.DebugLibNetInfo.InnerSymbol.IO_fd_fdID.Inst = currentData.Inst j.AfterCheck.IoFdCheck = true klog.Infoln("ok") } } else { return 0, fmt.Errorf("The instruction does not use RIP-relative addressing.") } } else { return 0, fmt.Errorf("[checkDebugFuncSymAfterChange] The decoded instruction is not a MOV to RDX.") } } if pc == NET_SEND_SYM_OFFSET { debugFuncSym.NET_Send = currentData //fmt.Println(currentData.IntelInst) //klog.Infof("4 call Decoded instuction at 0x%x: %v\n", funcAbsAddress+pc, inst) relOffset, ok := (inst.Args[0].(x86asm.Rel)) if !ok { return 0, fmt.Errorf("The decoded instruction is not a Rel.") } targetAddress := currentData.SymAddr + uint64(inst.Len) + uint64(relOffset) debugFuncSym.NET_Send.TargetAddr = targetAddress debugFuncSym.NET_Send.SymName = "(Debug)" klog.Infof("Find %s Target address: 0x%x\n", debugFuncSym.NET_Send.SymName, targetAddress) if targetAddress == j.ReleaseLibNetInfo.InnerSymbol.NET_Send.TargetAddr { j.DebugLibNetInfo.InnerSymbol.NET_Send.TargetAddr = targetAddress j.DebugLibNetInfo.InnerSymbol.NET_Send.Inst = currentData.Inst j.AfterCheck.NetSendFuncCheck = true } } preContext = InstInfo{ PC: pc, SymAddr: funcAbsAddress + pc, Inst: inst, } pc += uint64(inst.Len) } return 0, nil } func (j *JvmInjector) checkReleaseFuncSymAfterChange() error { funcAbsAddress := j.ReleaseLibNetInfo.FuncSymbol.SymAddr code, err := j.readMemory(funcAbsAddress, j.ReleaseLibNetInfo.FuncSymbol.SymSize) if err != nil { return fmt.Errorf("readMemory error in checkReleaseFuncSymAfterChange <%v>", err) } // 原函数内容注释掉 // inst, err := x86asm.Decode(code[0:], 64) // if err != nil { // return fmt.Errorf("Decode error in checkReleaseFuncSymAfterChange <%v>", err) // } // if inst.Op != x86asm.JMP { // return fmt.Errorf("The instruction does not JMP.") // } // relOffset, ok := inst.Args[0].(x86asm.Rel) // if !ok { // return fmt.Errorf("The instruction does not use RIP-relative addressing.") // } // // 验证target与Debug入口是否一致 // targetAddress := funcAbsAddress + uint64(inst.Len) + uint64(relOffset) // if targetAddress != j.DebugLibNetInfo.FuncSymbol.SymAddr { // return fmt.Errorf("Function entry jmp address does not match expectations.") // } // 新的验证逻辑:验证指令序列:movabs $imm64,%rax 和 jmp *%rax if len(code) < 13 { // movabs(10字节) + jmp(3字节) = 13字节 return fmt.Errorf("Instruction sequence too short, expected at least 13 bytes, got %d", len(code)) } // 验证第一个指令:movabs $imm64,%rax // movabs 指令格式:48 B8 + 8字节立即数 (RAX寄存器) // 48 B8 = movabs rax, imm64 if code[0] != 0x48 || code[1] != 0xB8 { return fmt.Errorf("First instruction is not movabs rax, imm64. Got: 0x%02x 0x%02x", code[0], code[1]) } // 提取立即数值 (小端序) imm64 := uint64(code[2]) | uint64(code[3])<<8 | uint64(code[4])<<16 | uint64(code[5])<<24 | uint64(code[6])<<32 | uint64(code[7])<<40 | uint64(code[8])<<48 | uint64(code[9])<<56 // 验证立即数是否与 Debug 函数地址一致 expectedAddr := j.DebugLibNetInfo.FuncSymbol.SymAddr if imm64 != expectedAddr { return fmt.Errorf("movabs immediate value mismatch. Expected: 0x%x (Debug function addr), Got: 0x%x", expectedAddr, imm64) } // 验证第二个指令:jmp *%rax // jmp *%rax 指令格式:FF E0 if code[10] != 0xFF || code[11] != 0xE0 { return fmt.Errorf("Second instruction is not jmp *%%rax. Got: 0x%02x 0x%02x", code[10], code[11]) } klog.Infof("[checkReleaseFuncSymAfterChange] Successfully verified instruction sequence: movabs $0x%x,%%rax; jmp *%%rax", imm64) return nil } // readMemory 用于读取指定地址的内存数据 func (j *JvmInjector) readMemory(address uint64, size uint64) ([]byte, error) { memFile := fmt.Sprintf("/proc/%d/mem", j.Pid) file, err := os.Open(memFile) if err != nil { return nil, err } defer file.Close() data := make([]byte, size) _, err = file.ReadAt(data, int64(address)) if err != nil { return nil, err } return data, nil } // findLibraryBases 用于在 /proc/[pid]/maps 文件中查找库的所有基地址 func findLibraryBasesList(pid int, libraryName string, libPath string) ([]uint64, error) { mapsFile := fmt.Sprintf("/proc/%d/maps", pid) file, err := os.Open(mapsFile) if err != nil { return nil, err } defer file.Close() var bases []uint64 scanner := bufio.NewScanner(file) for scanner.Scan() { line := scanner.Text() if strings.Contains(line, libraryName) && strings.Contains(line, libPath) { var start, end uint64 fmt.Sscanf(line, "%x-%x", &start, &end) bases = append(bases, start) } } if len(bases) == 0 { return nil, fmt.Errorf("library %s not found", libraryName) } return bases, nil } func (j *JvmInjector) findLibBaseFromProcMaps(pid int, libName string) (uint64, string, string, bool, error) { mapsFile := fmt.Sprintf("/proc/%d/maps", j.Pid) file, err := os.Open(mapsFile) if err != nil { return 0, "", "", false, err } defer file.Close() var start, end uint64 var deleted bool scanner := bufio.NewScanner(file) for scanner.Scan() { line := scanner.Text() if strings.Contains(line, "/"+libName) { fmt.Sscanf(line, "%x-%x", &start, &end) fields := strings.Fields(line) if len(fields) > 5 { path := fields[5] if len(fields) > 6 && fields[6] == "(deleted)" { deleted = true } if strings.HasSuffix(path, ".so") { klog.Infof("[inject] found library in map %s", path) return start, path, fmt.Sprintf("/proc/%d/map_files/%s", j.Pid, fields[0]), deleted, nil } } } } return 1, "", "", false, fmt.Errorf("library %s not found", libName) } func (j *JvmInjector) findLibBaseByPathFromProcMaps(libPath string) (uint64, string, error) { mapsFile := fmt.Sprintf("/proc/%d/maps", j.Pid) file, err := os.Open(mapsFile) if err != nil { return 0, "", err } defer file.Close() var start, end uint64 scanner := bufio.NewScanner(file) for scanner.Scan() { line := scanner.Text() if strings.Contains(line, libPath) { fmt.Sscanf(line, "%x-%x", &start, &end) fields := strings.Fields(line) if len(fields) > 5 { path := fields[5] if strings.HasSuffix(path, ".so") { return start, path, nil } } } } return 1, "", fmt.Errorf("library %s not found in process.", libPath) } func (j *JvmInjector) getFunctionOffset(libPath, functionName string) (elf.Symbol, error) { elfFile, err := elf.Open(libPath) if err != nil { return elf.Symbol{}, fmt.Errorf("failed to open ELF file: %v", err) } defer elfFile.Close() symbols, err := elfFile.DynamicSymbols() if err != nil { return elf.Symbol{}, fmt.Errorf("failed to read dynamic symbols: %v", err) } for _, sym := range symbols { if sym.Name == functionName { //fmt.Println("size:", sym.Size) return sym, nil } } //textSection := elfFile.Section(".text") //if textSection == nil { // fmt.Println("textSection is null") // //return nil //} //textSectionData, err := textSection.Data() //if err != nil { // fmt.Println("textSectionData error is", err) // //return nil //} //textSectionLen := uint64(len(textSectionData) - 1) return elf.Symbol{}, fmt.Errorf("function %s not found", functionName) } //var PID string func (j *JvmInjector) InitProg() error { // 获取release库的基地址 baseAddress, releaseSoFilePathInProc, mapFilesPath, deleted, err := FindLibBaseFromProcMaps(j.Pid, j.ReleaseLibNetInfo.LibName) //j.ReleaseLibNetInfo.LibPath = releaseSoFilePathInProc j.ReleaseLibNetInfo.FileDeleted = deleted j.ReleaseLibNetInfo.MapFile = mapFilesPath pJvmlibnetPhysicalPath := j.Rootfs + releaseSoFilePathInProc j.ReleaseLibNetInfo.LibPath = pJvmlibnetPhysicalPath if err != nil { return fmt.Errorf("Error finding base addresses: %v", err) } // jvm prog base //pJvmLibBaseDir := filepath.Dir(pJvmlibnetPhysicalPath) jvmLibBaseDir := filepath.Dir(releaseSoFilePathInProc) // proc maps load path debugSoFilePathInProc := filepath.Join(jvmLibBaseDir, j.DebugLibNetInfo.LibName) // Physical path debugSoFilePhysicalPath := filepath.Join(j.Rootfs, debugSoFilePathInProc) _, noFileErr := os.Stat(debugSoFilePhysicalPath) // find cwlibnet.so in proc maps var readDebugSoPathInMaps string _, readDebugSoPathInMaps, j.DebugLibNetInfo.MapFile, j.DebugLibNetInfo.FileDeleted, _ = FindLibBaseFromProcMaps(j.Pid, j.DebugLibNetInfo.LibName) j.DebugLibNetInfo.LibPath = debugSoFilePhysicalPath j.DebugLibNetInfo.ProcLoadPath = filepath.Join(jvmLibBaseDir, j.DebugLibNetInfo.LibName) // condition create pathFromProg := utils.GetDefaultLibsPath("jvm", j.DebugLibNetInfo.LibName) if noFileErr != nil && readDebugSoPathInMaps == "" && !j.DebugLibNetInfo.FileDeleted { err = CopyFileAndMatchPermissions(pathFromProg, debugSoFilePhysicalPath, pJvmlibnetPhysicalPath) klog.Infof("[src:%s],[target:%s],[perm:%s]", pathFromProg, debugSoFilePhysicalPath, pJvmlibnetPhysicalPath) if err != nil { return err } } functionName := j.ReleaseLibNetInfo.FuncSymbol.SymName //j.ReleaseLibNetInfo.LibPath = pJvmlibnetPhysicalPath klog.Infof("[inject] Base address of [%s]:[%x]", j.ReleaseLibNetInfo.LibName, baseAddress) // 获取函数的偏移量 functionSym, err := GetFunctionOffset(pJvmlibnetPhysicalPath, functionName) // 计算函数的实际内存地址 j.ReleaseLibNetInfo.FuncSymbol.SymAddr = baseAddress + functionSym.Value j.ReleaseLibNetInfo.FuncSymbol.SymSize = functionSym.Size if err != nil { klog.WithError(err).Errorf("Error getting function offset") return err } klog.Infof("[inject] Actual memory address of %s at base 0x%x: 0x%x", functionName, baseAddress, j.ReleaseLibNetInfo.FuncSymbol.SymAddr) if j.Uprobe.ELFPath == "" { if j.DebugLibNetInfo.FileDeleted { j.Uprobe.ELFPath = j.DebugLibNetInfo.MapFile } else { j.Uprobe.ELFPath = debugSoFilePhysicalPath } } err = j.findReleaseAddressInfoFromMem() if err != nil { return err } else { j.PreCheck.NeedInjectionCheck = true } return nil } func (j *JvmInjector) findDebugFuncContextFromLibPath() error { //libName := j.DebugLibNetInfo.LibPath // 获取release库的基地址 baseAddress, libPath, err := FindLibBaseByPathFromProcMaps(j.Pid, j.DebugLibNetInfo.ProcLoadPath) klog.Infof("[inject] debug base address of [%s] : %x", libPath, baseAddress) functionName := j.DebugLibNetInfo.FuncSymbol.SymName //j.DebugLibNetInfo.LibPath = libPath if err != nil { klog.WithError(err).Errorf("[inject] error.") return err } // 获取函数的偏移量 functionSym, err := GetFunctionOffset(j.DebugLibNetInfo.LibPath, functionName) // 计算函数的实际内存地址 j.DebugLibNetInfo.FuncSymbol.SymAddr = baseAddress + functionSym.Value j.DebugLibNetInfo.FuncSymbol.SymSize = functionSym.Size if err != nil { return fmt.Errorf("Error getting function offset: %v", err) } functionConvert0Sym, err := GetFunctionOffset(j.DebugLibNetInfo.LibPath, j.DebugLibNetInfo.FuncConvert0Symbol.SymName) // 计算函数的实际内存地址 j.DebugLibNetInfo.FuncConvert0Symbol.SymAddr = baseAddress + functionConvert0Sym.Value j.DebugLibNetInfo.FuncConvert0Symbol.SymSize = functionConvert0Sym.Size if err != nil { return fmt.Errorf("Error getting function offset: %v", err) } functionGetTTLSym, err := GetFunctionOffset(j.DebugLibNetInfo.LibPath, j.DebugLibNetInfo.FuncGetTTLSymbol.SymName) // 计算函数的实际内存地址 j.DebugLibNetInfo.FuncGetTTLSymbol.SymAddr = baseAddress + functionGetTTLSym.Value j.DebugLibNetInfo.FuncGetTTLSymbol.SymSize = functionGetTTLSym.Size if err != nil { return fmt.Errorf("Error getting function offset: %v", err) } _, err = j.findDebugAddressInfoFromMem() if err != nil { return fmt.Errorf("Error finding first CALL instuction: %v", err) } klog.Infof("First CALL instuction o1f %s at base 0x%x\n", functionName, baseAddress) return nil } func printCodeData(data LibNetInfo) { klog.Infof("========FuncEnter <0x%x> \n", data.FuncSymbol.SymAddr) klog.Infof("Name %s | CurrentAddr:<0x%x>\nOrigin-TargetAddr:<0x%x> | TargetAddr:<0x%x> \nOrigin-Inst:<%s> | Inst:<%s> \n", data.InnerSymbol.IO_fd_fdID.SymName, data.InnerSymbol.IO_fd_fdID.SymAddr, data.InnerSymbol.IO_fd_fdID.OriginTargetAddr, data.InnerSymbol.IO_fd_fdID.TargetAddr, x86asm.IntelSyntax(data.InnerSymbol.IO_fd_fdID.OriginInst, 0, nil), x86asm.IntelSyntax(data.InnerSymbol.IO_fd_fdID.Inst, 0, nil)) klog.Infof("\nName %s | CurrentAddr:<0x%x>\nOrigin-TargetAddr:<0x%x> | TargetAddr:<0x%x>\nOrigin-Inst:<%s> | Inst:<%s> \n", data.InnerSymbol.NET_Send.SymName, data.InnerSymbol.NET_Send.SymAddr, data.InnerSymbol.NET_Send.OriginTargetAddr, data.InnerSymbol.NET_Send.TargetAddr, x86asm.IntelSyntax(data.InnerSymbol.NET_Send.OriginInst, 0, nil), x86asm.IntelSyntax(data.InnerSymbol.NET_Send.Inst, 0, nil)) klog.Infoln("========") } func (j *JvmInjector) jvmInjectLib() int { dll := C.CString(j.DebugLibNetInfo.ProcLoadPath) rootfs := C.CString(j.Rootfs) defer C.free(unsafe.Pointer(dll)) result := C.cw_inject_library(C.int(j.Pid), C.int(1), dll, rootfs) klog.Infof("Result: %d\n", result) return int(result) } func (j *JvmInjector) validateAllPreCheck() bool { return j.PreCheck.NeedInjectionCheck && j.PreCheck.LoadingCheck && j.PreCheck.IoFdCheck && j.PreCheck.NetSendFuncCheck } func (j *JvmInjector) validateAllModifyCheck() bool { return j.AfterCheck.IoFdCheck && j.AfterCheck.NetSendFuncCheck } /*修改部分*/ func readData(pid int, addr uintptr) (uint64, error) { var data uint64 if _, err := syscall.PtracePeekData(pid, addr, (*[8]byte)(unsafe.Pointer(&data))[:]); err != nil { return 0, fmt.Errorf("ptrace PEEKDATA: %v", err) } return data, nil } func writeData(pid int, addr uintptr, data uint64) error { if _, err := syscall.PtracePokeData(pid, addr, (*[8]byte)(unsafe.Pointer(&data))[:]); err != nil { return fmt.Errorf("ptrace POKEDATA: %v", err) } return nil } func readDataBytes(pid int, addr uintptr, size int) ([]byte, error) { data := make([]byte, size) if _, err := syscall.PtracePeekData(pid, addr, data); err != nil { return nil, fmt.Errorf("ptrace PEEKDATA: %v", err) } return data, nil } func writeDataBytes(pid int, addr uintptr, data []byte) error { if _, err := syscall.PtracePokeData(pid, addr, data); err != nil { return fmt.Errorf("ptrace POKEDATA: %v", err) } return nil } func modifyIoFdTargetAddr(pid int, insertAddr, distAddr, getTTLFunctionAddr uintptr) error { // newOffset := distAddr - (insertAddr + 7) // targetAddr := insertAddr + 3 // // 获取目标地址处的数据 // originalData, err := readData(pid, targetAddr) // if err != nil { // return err // } // // 更新数据中的目标偏移 // updatedData := (originalData & 0xFFFFFFFF00000000) | uint64(newOffset&0xFFFFFFFF) // err = writeData(pid, targetAddr, updatedData) // if err != nil { // return err // } getTTLOffset := getTTLFunctionAddr - insertAddr - 5 // 读取原始数据 // alignedAddr := insertAddr & ^(uintptr(unsafe.Sizeof(uintptr(0))) - 1) originalData, err := readDataBytes(pid, insertAddr, 7) if err != nil { return err } // offset := insertAddr % uintptr(unsafe.Sizeof(uintptr(0))) offset := 0 // 写入AMD64的绝对跳转指令: mov rax, addr; jmp rax var getTTLOffset32 uint32 = uint32(getTTLOffset) originalData[offset] = 0xE8 // call originalData[offset+1] = byte(getTTLOffset32) originalData[offset+2] = byte(getTTLOffset32 >> 8) originalData[offset+3] = byte(getTTLOffset32 >> 16) originalData[offset+4] = byte(getTTLOffset32 >> 24) originalData[offset+5] = 0x90 //nop originalData[offset+6] = 0x90 //nop err = writeDataBytes(pid, insertAddr, originalData) if err != nil { return err } //以上是先跳转到2GB内存的无用函数中 //以下来写真正的跳转函数 TTLOriginalData, err := readDataBytes(pid, getTTLFunctionAddr, 16) if err != nil { return err } TTLOriginalData[offset] = 0x50 TTLOriginalData[offset+1] = 0x48 TTLOriginalData[offset+2] = 0xb8 TTLOriginalData[offset+3] = byte(distAddr) TTLOriginalData[offset+4] = byte(distAddr >> 8) TTLOriginalData[offset+5] = byte(distAddr >> 16) TTLOriginalData[offset+6] = byte(distAddr >> 24) TTLOriginalData[offset+7] = byte(distAddr >> 32) TTLOriginalData[offset+8] = byte(distAddr >> 40) TTLOriginalData[offset+9] = byte(distAddr >> 48) TTLOriginalData[offset+10] = byte(distAddr >> 56) TTLOriginalData[offset+11] = 0x48 TTLOriginalData[offset+12] = 0x8b TTLOriginalData[offset+13] = 0x10 TTLOriginalData[offset+14] = 0x58 //pop rax TTLOriginalData[offset+15] = 0xc3 //ret err = writeDataBytes(pid, getTTLFunctionAddr, TTLOriginalData) if err != nil { return err } return nil } func modifyNetSetTargetAddr(pid int, sendDebugAddr, sendReleaseAddr, convert0FunctionAddr uintptr) error { // sendOffset := sendReleaseAddr - sendDebugAddr - 5 // // 读取原始数据 // alignedAddr := sendDebugAddr & ^(uintptr(unsafe.Sizeof(uintptr(0))) - 1) // originalData, err := readData(pid, alignedAddr) // if err != nil { // return err // } // bytes := (*[8]byte)(unsafe.Pointer(&originalData)) // offsetLocation := (sendDebugAddr % uintptr(unsafe.Sizeof(uintptr(0)))) + 1 // *(*uint32)(unsafe.Pointer(&bytes[offsetLocation])) = uint32(sendOffset) // err = writeData(pid, alignedAddr, originalData) // if err != nil { // return err // } convert0Offset := convert0FunctionAddr - sendDebugAddr - 5 // 读取原始数据 // alignedAddr := insertAddr & ^(uintptr(unsafe.Sizeof(uintptr(0))) - 1) originalData, err := readDataBytes(pid, sendDebugAddr, 5) if err != nil { return err } // offset := insertAddr % uintptr(unsafe.Sizeof(uintptr(0))) offset := 0 // 写入AMD64的绝对跳转指令: mov rax, addr; jmp rax var convert0Offset32 uint32 = uint32(convert0Offset) originalData[offset] = 0xE8 // call originalData[offset+1] = byte(convert0Offset32) originalData[offset+2] = byte(convert0Offset32 >> 8) originalData[offset+3] = byte(convert0Offset32 >> 16) originalData[offset+4] = byte(convert0Offset32 >> 24) err = writeDataBytes(pid, sendDebugAddr, originalData) if err != nil { return err } convert0OriginalData, err := readDataBytes(pid, convert0FunctionAddr, 13) if err != nil { return err } convert0OriginalData[offset] = 0x48 convert0OriginalData[offset+1] = 0xb8 convert0OriginalData[offset+2] = byte(sendReleaseAddr) convert0OriginalData[offset+3] = byte(sendReleaseAddr >> 8) convert0OriginalData[offset+4] = byte(sendReleaseAddr >> 16) convert0OriginalData[offset+5] = byte(sendReleaseAddr >> 24) convert0OriginalData[offset+6] = byte(sendReleaseAddr >> 32) convert0OriginalData[offset+7] = byte(sendReleaseAddr >> 40) convert0OriginalData[offset+8] = byte(sendReleaseAddr >> 48) convert0OriginalData[offset+9] = byte(sendReleaseAddr >> 56) convert0OriginalData[offset+10] = 0xff convert0OriginalData[offset+11] = 0xd0 convert0OriginalData[offset+12] = 0xc3 err = writeDataBytes(pid, convert0FunctionAddr, convert0OriginalData) if err != nil { return err } return nil } // func modifyReleaseFuncEnter(pid int, originEnterAddr, debugEnterAddr uintptr) error { // offset := debugEnterAddr - (originEnterAddr + 5) // // 读取原始数据 // alignedAddr := originEnterAddr & ^(uintptr(unsafe.Sizeof(uintptr(0))) - 1) // originalData, err := readData(pid, alignedAddr) // if err != nil { // return err // } // bytes := (*[8]byte)(unsafe.Pointer(&originalData)) // bytes[originEnterAddr%uintptr(unsafe.Sizeof(uintptr(0)))] = 0xe9 // *(*uint32)(unsafe.Pointer(&bytes[(originEnterAddr%uintptr(unsafe.Sizeof(uintptr(0))))+1])) = uint32(offset) // err = writeData(pid, alignedAddr, originalData) // if err != nil { // return err // } // return nil // } func modifyReleaseFuncEnter(pid int, originEnterAddr, debugEnterAddr uintptr) error { // 读取原始数据 - 需要12字节来存储完整的跳转指令 alignedAddr := originEnterAddr & ^(uintptr(unsafe.Sizeof(uintptr(0))) - 1) originalData, err := readDataBytes(pid, alignedAddr, 12) if err != nil { return err } offset := originEnterAddr % uintptr(unsafe.Sizeof(uintptr(0))) // 写入AMD64的绝对跳转指令: mov rax, addr; jmp rax originalData[offset] = 0x48 // REX.W prefix originalData[offset+1] = 0xb8 // mov rax, imm64 // 按小端序写入64位地址 originalData[offset+2] = byte(debugEnterAddr) originalData[offset+3] = byte(debugEnterAddr >> 8) originalData[offset+4] = byte(debugEnterAddr >> 16) originalData[offset+5] = byte(debugEnterAddr >> 24) originalData[offset+6] = byte(debugEnterAddr >> 32) originalData[offset+7] = byte(debugEnterAddr >> 40) originalData[offset+8] = byte(debugEnterAddr >> 48) originalData[offset+9] = byte(debugEnterAddr >> 56) originalData[offset+10] = 0xff // jmp rax originalData[offset+11] = 0xe0 err = writeDataBytes(pid, alignedAddr, originalData) if err != nil { return err } return nil } func restoreOriginalInstructions(pid int, addr uintptr, instructions []byte) error { // alignedAddr := addr & ^(uintptr(unsafe.Sizeof(uintptr(0))) - 1) // originalData, err := readData(pid, alignedAddr) originalData, err := readDataBytes(pid, addr, len(instructions)) if err != nil { return err } // bytes := (*[8]byte)(unsafe.Pointer(&originalData)) // for i := 0; i < len(instructions); i++ { // bytes[addr%uintptr(unsafe.Sizeof(uintptr(0)))+uintptr(i)] = instructions[i] // } // offset := addr % uintptr(unsafe.Sizeof(uintptr(0))) for i := 0; i < len(instructions); i++ { originalData[i] = instructions[i] } // err = writeData(pid, alignedAddr, originalData) err = writeDataBytes(pid, addr, originalData) if err != nil { return err } return nil } // func main() { // flag.StringVar(&PID, "p", "", "PID") // flag.Parse() // pidStr := PID // 替换为目标进程的 PID // pid, err := strconv.Atoi(pidStr) // if err != nil { // log.Fatalf("Invalid PID: %v", err) // } // functionName := "Java_java_net_SocketOutputStream_socketWrite0" // libraryName := "libnet.so" // // cwLibraryName := "cwlibnet.so" // cwLibraryPath := "/root/cwlibnet.so" // // jvmInjector := &JvmInjector{ // pid: pid, // ReleaseLibNetInfo: LibNetInfo{ // libName: libraryName, // FuncSymbol: instInfo{ // SymName: functionName, // }, // }, // DebugLibNetInfo: LibNetInfo{ // // TODO 根据版本设置 // libName: cwLibraryName, // // TODO 根据版本设置 // libPath: cwLibraryPath, // FuncSymbol: instInfo{ // SymName: functionName, // }, // }, // } // // err = jvmInject(jvmInjector) // fmt.Println(err) // } func JvmInject(jvmInjector *JvmInjector) error { pid := jvmInjector.Pid var err error err = jvmInjector.InitProg() // Debug版本无需修改寄存器 // 已经加载so并指令修改正确的 if jvmInjector.PreCheck.EbpfCanInjection { klog.Infoln("[inject] eBPF can injection.") return nil } if err != nil { klog.WithError(err).Errorf("[inject] Error message during release phase.") return err } // 原指令校验通过 if !jvmInjector.PreCheck.NeedInjectionCheck { return err } printCodeData(jvmInjector.ReleaseLibNetInfo) _type, _, err := FindLibBaseByPathFromProcMaps(pid, jvmInjector.DebugLibNetInfo.ProcLoadPath) if err != nil { // load so if _type == 1 { klog.Infoln("[inject] start load so.") resCode := jvmInjector.jvmInjectLib() if resCode == 0 { klog.Infof("[inject] load so successful. proc load path is [%s], file path in node is [%s]", jvmInjector.DebugLibNetInfo.ProcLoadPath, jvmInjector.DebugLibNetInfo.LibPath) jvmInjector.PreCheck.LoadingCheck = true } else { klog.Errorf("[inject] Failed load so. so path is [%s]", jvmInjector.DebugLibNetInfo.LibPath) return fmt.Errorf("[inject] Failed load so. code is %d so path is [%s]", resCode, jvmInjector.DebugLibNetInfo.LibPath) } } } else { klog.Infoln("[inject] so already loaded.") jvmInjector.PreCheck.LoadingCheck = true } if !jvmInjector.PreCheck.LoadingCheck { klog.Infof("Failed load so") return err } err = jvmInjector.findDebugFuncContextFromLibPath() if err != nil { klog.WithError(err).Errorf("[inject] Failed to find debug Func Context from libPath") return err } if !jvmInjector.validateAllPreCheck() { klog.Errorf("[inject] validateAllPreCheck failed: "+ "NeedInjectionCheck=%v, LoadingCheck=%v, IoFdCheck=%v, NetSendFuncCheck=%v", jvmInjector.PreCheck.NeedInjectionCheck, jvmInjector.PreCheck.LoadingCheck, jvmInjector.PreCheck.IoFdCheck, jvmInjector.PreCheck.NetSendFuncCheck, ) return err } // 修改 debugFuncEnterAddr := uintptr(jvmInjector.DebugLibNetInfo.FuncSymbol.SymAddr) debugFuncGetTTLEnterAddr := uintptr(jvmInjector.DebugLibNetInfo.FuncGetTTLSymbol.SymAddr) debugFuncConvert0EnterAddr := uintptr(jvmInjector.DebugLibNetInfo.FuncConvert0Symbol.SymAddr) debugIoFdAddr := uintptr(jvmInjector.DebugLibNetInfo.InnerSymbol.IO_fd_fdID.SymAddr) debugNetSendAddr := uintptr(jvmInjector.DebugLibNetInfo.InnerSymbol.NET_Send.SymAddr) originFuncEnterAddr := uintptr(jvmInjector.ReleaseLibNetInfo.FuncSymbol.SymAddr) ioFdReleaseTargetAddr := uintptr(jvmInjector.ReleaseLibNetInfo.InnerSymbol.IO_fd_fdID.TargetAddr) netSendReleaseTargetAddr := uintptr(jvmInjector.ReleaseLibNetInfo.InnerSymbol.NET_Send.TargetAddr) klog.Infof("<0x%x> -> <0x%x>\n", originFuncEnterAddr, debugFuncEnterAddr) klog.Infof("<0x%x> -> <0x%x>\n", debugIoFdAddr, ioFdReleaseTargetAddr) klog.Infof("<0x%x> -> <0x%x>\n", debugNetSendAddr, netSendReleaseTargetAddr) klog.Infof("conver0 -> <0x%x>\n", debugFuncConvert0EnterAddr) klog.Infof("getttl -> <0x%x>\n", debugFuncGetTTLEnterAddr) // 附加到目标进程 klog.Infof("attach") err = syscall.PtraceAttach(pid) if err != nil { klog.Errorf("ptrace ATTACH: %v", err) } // 等待目标进程停止 klog.Infof("attach Wait") if _, err := syscall.Wait4(pid, nil, 0, nil); err != nil { klog.Errorf("wait4: %v", err) return err } //time.Now().UnixNano() // 修改目标的内存 klog.Infof("modifyIoFdTargetAddr") err = modifyIoFdTargetAddr(pid, debugIoFdAddr, ioFdReleaseTargetAddr, debugFuncGetTTLEnterAddr) if err != nil { klog.Error(err) PtraceDetach(pid) return err } klog.Infof("modifyNetSetTargetAddr") err = modifyNetSetTargetAddr(pid, debugNetSendAddr, netSendReleaseTargetAddr, debugFuncConvert0EnterAddr) if err != nil { klog.Error(err) PtraceDetach(pid) return err } // 二次效验 读取并验证地址 klog.Infof("checkDebugFuncSymAfterChange") _, err = jvmInjector.checkDebugFuncSymAfterChange() printCodeData(jvmInjector.ReleaseLibNetInfo) printCodeData(jvmInjector.DebugLibNetInfo) // 效验目标函数内地址是否与预期一致 if !jvmInjector.validateAllModifyCheck() && err == nil { klog.WithError(err).Errorf("[inject] failed validateAllModifyCheck") PtraceDetach(pid) return err } // 更新函数入口 klog.Infof("modifyReleaseFuncEnter") // 计算地址差 diff := originFuncEnterAddr - debugFuncEnterAddr if diff < 0 { diff = -diff } // 检查是否超过 2GB if diff > (1 << 31) { klog.Infof("[inject] originFuncEnterAddr(0x%x) and debugFuncEnterAddr(0x%x) distance > 2GB", originFuncEnterAddr, debugFuncEnterAddr) } err = modifyReleaseFuncEnter(pid, originFuncEnterAddr, debugFuncEnterAddr) if err != nil { klog.WithError(err).Errorf("[inject] failed modifyReleaseFuncEnter") PtraceDetach(pid) return err } // 校验jmp地址修改正确 临时注释 klog.Infof("checkReleaseFuncSymAfterChange") errReleaseFuncSymAfterChange := jvmInjector.checkReleaseFuncSymAfterChange() if errReleaseFuncSymAfterChange != nil { klog.WithError(errReleaseFuncSymAfterChange).Errorf("[inject] failed checkReleaseFuncSymAfterChange") // 回滚 if len(jvmInjector.ReleaseLibNetInfo.FuncSymbol.OriginCode) == ORIGIN_CODE_LEN { err = restoreOriginalInstructions(pid, originFuncEnterAddr, jvmInjector.ReleaseLibNetInfo.FuncSymbol.OriginCode) if err != nil { klog.WithError(err).Errorf("[inject] failed restoreOriginalInstructions") PtraceDetach(pid) return err } } //PtraceDetach(pid) //return errReleaseFuncSymAfterChange } return PtraceDetach(pid) } func PtraceDetach(pid int) error { // 恢复执行 klog.Infof("Detach") if err := syscall.PtraceDetach(pid); err != nil { klog.Errorf("ptrace DETACH: %v", err) return err } return nil }