I want to get getaddrinfo function entry params(host->PT_REGS_PARM1), attach uretprobe/getaddrinfo, but it return any garbled text, how to get plaintext?
using golang cilium/ebpf
the uretprobe.c
#include "common.h"
#include "bpf_helpers.h"
#include "bpf_tracing.h"
char __license[] SEC("license") = "Dual MIT/GPL";
struct event {
u32 pid;
u8 comm[16];
u8 host[80];
};
struct {
// __uint(type, BPF_MAP_TYPE_RINGBUF);
// __uint(max_entries, 256 * 1024 /* 256 KB */);
__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
} events SEC(".maps");
struct event *unused __attribute__((unused));
SEC("uretprobe/getaddrinfo")
int getaddrinfo_return(struct pt_regs *ctx)
{
struct event event = {};
u64 pid_tgid = bpf_get_current_pid_tgid();
u32 pid = pid_tgid >> 32;
u32 tid = (u32)pid_tgid;
bpf_probe_read(&event.host, sizeof(event.host),
(void *)PT_REGS_PARM1(ctx));
bpf_get_current_comm(&event.comm, 16);
event.pid = pid;
bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event));
return 0;
}
the main.go and log print
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS --target=amd64 -type event bpf uretprobe.c -- -I../headers
binPath = "/lib/x86_64-linux-gnu/libc.so.6"
symbol = "getaddrinfo"
log.Printf("%s:%s return value:%d - %16s - %80s", binPath, symbol, event.Pid, event.Comm, event.Host,)
2022/09/18 08:47:24 /lib/x86_64-linux-gnu/libc.so.6:getaddrinfo return value:1460362 - curl - *P���qsʀv�Y��sqU\\�W�� sqU�a���]�W�U�Y�
