__ __ __ __ _____ _ _ _____ _ _ _ | \/ | \ \ / / | __ \ (_) | | / ____| | | | | | \ / |_ __\ V / | |__) | __ ___ ____ _| |_ ___ | (___ | |__ ___| | | | |\/| | '__|> < | ___/ '__| \ \ / / _` | __/ _ \ \___ \| '_ \ / _ \ | | | | | | |_ / . \ | | | | | |\ V / (_| | || __/ ____) | | | | __/ | | |_| |_|_(_)_/ \_\ |_| |_| |_| \_/ \__,_|\__\___| |_____/|_| |_|\___V 2.1 if you need WebShell for Seo everyday contact me on Telegram Telegram Address : @jackleetFor_More_Tools:
#!/usr/bin/python
# @lint-avoid-python-3-compatibility-imports
#
# undump Dump UNIX socket packets.
# For Linux, uses BCC, eBPF. Embedded C.
# USAGE: undump [-h] [-t] [-p PID]
#
# This uses dynamic tracing of kernel functions, and will need to be updated
# to match kernel changes.
#
# Copyright (c) 2021 Rong Tao.
# Licensed under the GPL License, Version 2.0
#
# 27-Aug-2021 Rong Tao Created this.
# 17-Sep-2021 Rong Tao Simplify according to chenhengqi's suggestion
# https://github.com/iovisor/bcc/pull/3615
#
from __future__ import print_function
from bcc import BPF
from bcc.containers import filter_by_containers
from bcc.utils import printb
import argparse
from socket import inet_ntop, ntohs, AF_INET, AF_INET6
from struct import pack
from time import sleep
from datetime import datetime
import sys
# arguments
examples = """examples:
./undump # trace/dump all UNIX packets
./undump -p 181 # only trace/dump PID 181
"""
parser = argparse.ArgumentParser(
description="Dump UNIX socket packets",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog=examples)
parser.add_argument("-p", "--pid",
help="trace this PID only")
args = parser.parse_args()
# define BPF program
bpf_text = """
#include <uapi/linux/ptrace.h>
#include <net/sock.h>
#include <bcc/proto.h>
#include <linux/aio.h>
#include <linux/socket.h>
#include <linux/net.h>
#include <linux/fs.h>
#include <linux/mount.h>
#include <linux/module.h>
#include <net/sock.h>
#include <net/af_unix.h>
#define MAX_PKT 512
struct recv_data_t {
u32 recv_len;
u8 pkt[MAX_PKT];
};
// single element per-cpu array to hold the current event off the stack
BPF_PERCPU_ARRAY(unix_data, struct recv_data_t, 1);
BPF_PERF_OUTPUT(unix_recv_events);
int trace_unix_stream_read_actor(struct pt_regs *ctx)
{
u32 zero = 0;
int ret = PT_REGS_RC(ctx);
u64 pid_tgid = bpf_get_current_pid_tgid();
u32 pid = pid_tgid >> 32;
u32 tid = pid_tgid;
FILTER_PID
struct sk_buff *skb = (struct sk_buff *)PT_REGS_PARM1(ctx);
struct recv_data_t *data = unix_data.lookup(&zero);
if (!data)
return 0;
unsigned int data_len = skb->len;
if(data_len > MAX_PKT)
return 0;
void *iodata = (void *)skb->data;
data->recv_len = data_len;
bpf_probe_read(data->pkt, data_len, iodata);
unix_recv_events.perf_submit(ctx, data, data_len+sizeof(u32));
return 0;
}
"""
if args.pid:
bpf_text = bpf_text.replace('FILTER_PID',
'if (pid != %s) { return 0; }' % args.pid)
bpf_text = bpf_text.replace('FILTER_PID', '')
# process event
def print_recv_pkg(cpu, data, size):
event = b["unix_recv_events"].event(data)
if args.pid:
print("PID \033[1;31m%s\033[m " % args.pid, end="")
print("Recv \033[1;31m%d\033[m bytes" % event.recv_len)
print(" ", end="")
for i in range(0, event.recv_len):
print("%02x " % event.pkt[i], end="")
sys.stdout.flush()
if (i+1)%16 == 0:
print("")
print(" ", end="")
print("")
# initialize BPF
b = BPF(text=bpf_text)
b.attach_kprobe(event="unix_stream_read_actor", fn_name="trace_unix_stream_read_actor")
if args.pid:
print("Tracing \033[1;31mPID=%s\033[m UNIX socket packets ... Hit Ctrl-C to end" % args.pid)
else:
print("Tracing UNIX socket packets ... Hit Ctrl-C to end")
start_ts = 0
# read events
b["unix_recv_events"].open_perf_buffer(print_recv_pkg)
while True:
try:
b.perf_buffer_poll()
except KeyboardInterrupt:
exit()
| Name | Type | Size | Permission | Actions |
|---|---|---|---|---|
| CMakeLists.txt | File | 276 B | 0644 |
|
| biolatpcts.py | File | 3.23 KB | 0755 |
|
| biolatpcts_example.txt | File | 650 B | 0644 |
|
| bitehist.py | File | 1.36 KB | 0755 |
|
| bitehist_example.txt | File | 1.18 KB | 0644 |
|
| dddos.py | File | 3.73 KB | 0755 |
|
| dddos_example.txt | File | 2.06 KB | 0644 |
|
| disksnoop.py | File | 1.9 KB | 0755 |
|
| disksnoop_example.txt | File | 1.55 KB | 0644 |
|
| hello_fields.py | File | 679 B | 0755 |
|
| hello_perf_output.py | File | 1.24 KB | 0755 |
|
| hello_perf_output_using_ns.py | File | 1.8 KB | 0755 |
|
| kvm_hypercall.py | File | 1.48 KB | 0755 |
|
| kvm_hypercall.txt | File | 1.74 KB | 0644 |
|
| mallocstacks.py | File | 1.9 KB | 0755 |
|
| mysqld_query.py | File | 1.66 KB | 0755 |
|
| mysqld_query_example.txt | File | 499 B | 0644 |
|
| nflatency.py | File | 6.07 KB | 0755 |
|
| nodejs_http_server.py | File | 1.34 KB | 0755 |
|
| nodejs_http_server_example.txt | File | 276 B | 0644 |
|
| stack_buildid_example.py | File | 3.03 KB | 0755 |
|
| stacksnoop.py | File | 3.18 KB | 0755 |
|
| stacksnoop_example.txt | File | 2.8 KB | 0644 |
|
| strlen_count.py | File | 1.3 KB | 0755 |
|
| strlen_hist.py | File | 1.81 KB | 0755 |
|
| strlen_hist_ifunc.py | File | 3.71 KB | 0755 |
|
| strlen_snoop.py | File | 1.35 KB | 0755 |
|
| sync_timing.py | File | 1.36 KB | 0755 |
|
| task_switch.c | File | 499 B | 0644 |
|
| task_switch.py | File | 486 B | 0755 |
|
| tcpv4connect.py | File | 2.36 KB | 0755 |
|
| tcpv4connect_example.txt | File | 1.04 KB | 0644 |
|
| trace_fields.py | File | 589 B | 0755 |
|
| trace_perf_output.py | File | 1.56 KB | 0755 |
|
| undump.py | File | 3.52 KB | 0755 |
|
| undump_example.txt | File | 886 B | 0644 |
|
| urandomread-explicit.py | File | 1.48 KB | 0755 |
|
| urandomread.py | File | 1.01 KB | 0755 |
|
| urandomread_example.txt | File | 675 B | 0644 |
|
| vfsreadlat.c | File | 896 B | 0644 |
|
| vfsreadlat.py | File | 1.3 KB | 0755 |
|
| vfsreadlat_example.txt | File | 3.53 KB | 0644 |
|