package derive
import (
"fmt"
lru "github.com/hashicorp/golang-lru/v2"
"github.com/aquasecurity/libbpfgo/helpers"
"github.com/aquasecurity/tracee/pkg/errfmt"
"github.com/aquasecurity/tracee/pkg/events"
"github.com/aquasecurity/tracee/pkg/events/parse"
"github.com/aquasecurity/tracee/types/trace"
)
// maxSysCallTableSize is the capacity of the reported-hook cache: the number
// of distinct syscall ids whose last reported hook address is remembered.
const maxSysCallTableSize = 500

// reportedHookedSyscalls maps a syscall id to the hook address most recently
// reported for it, so that the same detection is not emitted repeatedly.
// It stays nil until InitHookedSyscall has run.
var reportedHookedSyscalls *lru.Cache[int32, uint64]
// InitHookedSyscall creates the LRU cache used to de-duplicate hooked syscall
// reports. It must run before the derive function returned by
// DetectHookedSyscall is invoked. Any error is the one returned by lru.New;
// in that case the package-level cache is left nil.
func InitHookedSyscall() error {
	cache, err := lru.New[int32, uint64](maxSysCallTableSize)
	reportedHookedSyscalls = cache
	return err
}
// DetectHookedSyscall returns the DeriveFunction that turns a raw hooked
// syscall detection into a single HookedSyscall event, resolving the hook
// address against kernelSymbols.
func DetectHookedSyscall(kernelSymbols *helpers.KernelSymbolTable) DeriveFunction {
	argsFn := deriveDetectHookedSyscallArgs(kernelSymbols)
	return deriveSingleEvent(events.HookedSyscall, argsFn)
}
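// deriveDetectHookedSyscallArgs builds the argument-derivation function for
// the HookedSyscall event. For each incoming event it reads the "syscall_id"
// and "syscall_address" arguments, suppresses detections already reported for
// the same id/address pair, and resolves the address through kernelSymbols.
//
// The returned function yields, in order: the syscall name (empty when the id
// is not a known core event), the hook address as lowercase hex without a
// "0x" prefix, the resolved symbol name and its owner (both empty when the
// address cannot be resolved). It returns (nil, nil) for a duplicate
// detection, and an error when an argument is missing or the cache has not
// been initialized.
func deriveDetectHookedSyscallArgs(kernelSymbols *helpers.KernelSymbolTable) deriveArgsFunction {
	return func(event trace.Event) ([]interface{}, error) {
		syscallId, err := parse.ArgVal[int32](event.Args, "syscall_id")
		if err != nil {
			return nil, errfmt.Errorf("error parsing syscall_id arg: %v", err)
		}
		address, err := parse.ArgVal[uint64](event.Args, "syscall_address")
		if err != nil {
			return nil, errfmt.Errorf("error parsing syscall_address arg: %v", err)
		}

		// The cache is created by InitHookedSyscall; Get on a nil *lru.Cache
		// would panic, so report a clear error instead.
		if reportedHookedSyscalls == nil {
			return nil, errfmt.Errorf("hooked syscall cache is not initialized")
		}

		// Only the first observation of a given (syscall, address) pair is
		// reported. A changed hook address for the same syscall is reported
		// again, as is a pair that the bounded LRU has since evicted.
		alreadyReportedAddress, found := reportedHookedSyscalls.Get(syscallId)
		if found && alreadyReportedAddress == address {
			return nil, nil
		}
		reportedHookedSyscalls.Add(syscallId, address) // Upsert

		// Symbol resolution is best-effort: a lookup error or an empty result
		// leaves name/owner blank rather than dropping the detection. The
		// length check guards the [0] index against an empty slice.
		hookedFuncName := ""
		hookedOwner := ""
		if symbols, lookupErr := kernelSymbols.GetSymbolByAddr(address); lookupErr == nil && len(symbols) > 0 {
			hookedFuncName = symbols[0].Name
			hookedOwner = symbols[0].Owner
		}

		syscallName := convertToSyscallName(syscallId)
		hexAddress := fmt.Sprintf("%x", address)
		return []interface{}{syscallName, hexAddress, hookedFuncName, hookedOwner}, nil
	}
}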
// convertToSyscallName resolves a syscall id to its event name via the core
// event definitions. Ids with no core definition map to the empty string.
func convertToSyscallName(syscallId int32) string {
	if definition, known := events.CoreEvents[events.ID(syscallId)]; known {
		return definition.GetName()
	}
	return ""
}