[Fix] get textStart from pclnTable #516

Merged (1 commit) on Apr 9, 2024

wlingze (Contributor) commented Apr 7, 2024

fixup: #512
details: wlingze#2#514

cfc4n added the "bug" (Something isn't working) and "fix" (bug fix PR) labels on Apr 7, 2024
sancppp (Contributor) commented Apr 8, 2024

I did a simple test of v0.7.6 and PR#516 in an x64 Ubuntu 22.04 environment.

The test was to execute the command sudo ./bin/ecapture gotls --elfpath=/usr/bin/dockerd --hex while executing docker login in another terminal.

The result shows that eCapture was able to correctly find the crypto/tls.(*Conn).Read symbol entry, but was unable to locate the RET command:

At the same time, docker login returns a connect error:

cfc4n (Member) commented Apr 9, 2024

I think the connect error issue probably has nothing to do with the hook position. The hook here is looking for the RET instruction to hook, so it shouldn't affect network communication. There must be another reason, maybe it's just a sporadic network failure.

cfc4n (Member) left a comment

LGTM, thanks.

cfc4n merged commit 043c39d into gojue:master on Apr 9, 2024
6 checks passed
sancppp (Contributor) commented Apr 9, 2024

> I think the connect error issue probably has nothing to do with the hook position. The hook here is looking for the RET instruction to hook, so it shouldn't affect network communication. There must be another reason, maybe it's just a sporadic network failure.

It looks like eCapture is indeed affecting docker's network communication.

Normally docker login should return Error response from daemon: Get "https://registry-1.docker.io/v2/": unauthorized: incorrect username or password; however, eCapture intervenes and returns an EOF error, while docker pull also returns an EOF error.

The test is relatively simple. I'm not sure if eCapture hooking other golang projects (buildmode=pie) would cause the same thing.


cfc4n added a commit that referenced this pull request Apr 10, 2024
On amd64, when the executable program in PIE format compiled by golang reads the return instruction of the function, the start address of inst is incorrect, resulting in an exception, see PR #516 for details.

Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
cfc4n added a commit that referenced this pull request Apr 12, 2024
On amd64, when the executable program in PIE format compiled by golang reads the return instruction of the function, the start address of inst is incorrect, resulting in an exception, see PR #516 for details.

Signed-off-by: CFC4N <cfc4n.cs@gmail.com>
wlingze deleted the fix/get_textstart_from_pclntable branch April 13, 2024 05:12