gojue · cfc4n · Jul 8, 2022 · Jul 8, 2022
diff --git a/Makefile b/Makefile
@@ -6,7 +6,7 @@ nocore: ebpf_nocore assets build_nocore
 	@echo $(shell date)
 
 .ONESHELL:
-SHELL = /bin/sh
+SHELL = /bin/bash
 
 PARALLEL = $(shell $(CMD_GREP) -c ^processor /proc/cpuinfo)
 MAKE = make

diff --git a/README.md b/README.md
@@ -29,7 +29,7 @@
 ## use ELF binary file
 Download ELF zip file [release](https://github.com/ehids/ecapture/releases) , unzip and use by command `./ecapture --help`.
 
-* Linux kernel version >= 4.18
+* Linux kernel version >= 4.15 is required.
 * Enable BTF [BPF Type Format (BTF)](https://www.kernel.org/doc/html/latest/bpf/btf.html)  (Optional, 2022-04-17)
 
 ### check your server BTF config：
@@ -122,7 +122,8 @@ Probes: []*manager.Probe{
 hook `/bin/bash` symbol name `readline`.
 
 # How to compile
-Linux Kernel: >= 4.18.
+
+Linux Kernel: >= 4.15.
 
 ## Tools 
 * golang 1.16

diff --git a/README_CN.md b/README_CN.md
@@ -42,7 +42,7 @@ eBPF HOOK uprobe实现的各种用户态进程的数据捕获，无需改动原
 下载 [release](https://github.com/ehids/ecapture/releases) 的二进制包，可直接使用。
 
 系统配置要求
-* 系统linux kernel版本必须高于4.18。
+* 系统linux kernel版本必须高于4.15。
 * 开启BTF [BPF Type Format (BTF)](https://www.kernel.org/doc/html/latest/bpf/btf.html) 支持。 (可选, 2022-04-17)
 
 ### 验证方法：
@@ -135,8 +135,9 @@ Probes: []*manager.Probe{
 hook了`/bin/bash`的`readline`函数。
 
 # 编译方法
+
 针对个别程序使用的openssl类库是静态编译，也可以自行修改源码实现。若函数名不在符号表里，也可以自行反编译找到函数的offset偏移地址，填写到`UprobeOffset`属性上，进行编译。
-笔者环境`ubuntu 21.04`， Linux Kernel 4.18以上通用。
+笔者环境`ubuntu 21.04`， Linux Kernel 4.15以上通用。
 **推荐使用`UBUNTU 21.04`版本的Linux测试。**
 
 ## 工具链版本

diff --git a/builder/Makefile.release b/builder/Makefile.release
@@ -166,7 +166,7 @@ publish: \
 	.check_$(CMD_GITHUB)
 #
 	# release it!
-	$(CMD_GITHUB) release create $(SNAPSHOT_VERSION) $(OUT_ARCHIVE) $(OUT_CHECKSUMS) --title "eCapture $(SNAPSHOT_VERSION) release (Linux x86_64/aarch64, Android kernel 4.18+)."  --notes-file $(TAR_DIR)/release_notes.txt
+	$(CMD_GITHUB) release create $(SNAPSHOT_VERSION) $(OUT_ARCHIVE) $(OUT_CHECKSUMS) --title "eCapture $(SNAPSHOT_VERSION) release (Linux x86_64/aarch64, Android kernel 5.5+)."  --notes-file $(TAR_DIR)/release_notes.txt
 
 .PHONY: clean
 clean:

diff --git a/kern/bash_kern.c b/kern/bash_kern.c
@@ -78,7 +78,8 @@ int uretprobe_bash_retval(struct pt_regs *ctx) {
 
     if (event_p) {
         event_p->retval = retval;
-        bpf_map_update_elem(&events_t, &pid, event_p, BPF_ANY);
+//        bpf_map_update_elem(&events_t, &pid, event_p, BPF_ANY);
+        bpf_map_delete_elem(&events_t, &pid);
         bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, event_p,
                               sizeof(struct event));
     }

diff --git a/main.go b/main.go
@@ -23,8 +23,8 @@ func main() {
 	if err != nil {
 		log.Fatal(err)
 	}
-	if kv < kernel.VersionCode(4, 18, 0) {
-		log.Fatalf("Linux Kernel version %v is not supported. Need > 4.18 .", kv)
+	if kv < kernel.VersionCode(4, 15, 0) {
+		log.Fatalf("Linux Kernel version %v is not supported. Need > 4.15 .", kv)
 	}
 
 	enable, e := ebpf.IsEnableBPF()

diff --git a/user/iconfig.go b/user/iconfig.go
@@ -76,7 +76,6 @@ func (this *eConfig) EnableGlobalVar() bool {
 		return true
 	}
 	if kv < kernel.VersionCode(5, 2, 0) {
-		//log.Fatalf("Linux Kernel version %v is not supported. Need > 4.18 .", kv)
 		return false
 	}
 	return true