-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathlemon.c
96 lines (77 loc) · 2.34 KB
/
lemon.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
#include <stdio.h>
#include <unistd.h>
#include <bpf/bpf.h>
#include <bpf/libbpf.h>
#include <errno.h>
#include <sys/stat.h>
#include "lemon.h"
#include "lemon.ebpf.skel.h"
extern int get_memory_regions(struct ram_regions *restrict ram_regions, struct lemon_ebpf *restrict skel);
extern int dump_on_disk(const char *const restrict dump_file, const struct ram_regions *restrict ram_regions);
/*
* load_ebpf_progs() - load and attach eBPF programs
* @skel: eBPF skeleton
*
*/
int load_ebpf_progs(struct lemon_ebpf **restrict skel) {
/* Open the BPF object file */
if (!(*skel = lemon_ebpf__open()))
{
fprintf(stderr, "Failed to open BPF skeleton\n");
return errno;
}
/* Load the BPF objectes */
if ((lemon_ebpf__load(*skel)))
{
fprintf(stderr, "Failed to load BPF object: %d\n", errno);
return errno;
}
/* Attach the uprobe to the 'read_kernel_memory' function in the current executable */
if (lemon_ebpf__attach(*skel))
{
fprintf(stderr, "Failed to attach program\n");
return errno;
}
#ifdef DEBUG
printf("BPF program attached\n");
#endif
return 0;
}
int main(int argc, char **argv)
{
struct lemon_ebpf *skel = NULL;
struct ram_regions ram_regions;
int err;
struct stat stat_tmp;
/* Check if is running as root */
if(getuid() != 0) {
printf("Must be run as root\n");
return 0;
}
/* Parameters */
if(argc < 2) {
printf("Usage: lemon <output file>\n");
return 0;
}
/* Check for eBPF support */
bpf_prog_load(BPF_PROG_TYPE_UNSPEC, NULL, NULL, NULL, 0, NULL);
if(errno == ENOSYS) {
printf("eBPF not supported by this kernel :( %d\n", errno);
return 1;
}
/* Check for eBPF CORE support */
if(stat("/sys/kernel/btf/vmlinux", &stat_tmp)) {
printf("eBPF CORE not supported by this kernel.\n");
return 1;
}
/* Load eBPF progs */
if((err = load_ebpf_progs(&skel))) return err;
/* Determine the memory dumpable regions */
if((err = get_memory_regions(&ram_regions, skel))) goto cleanup;
/* Dump the content of the memory on a file */
if((err = dump_on_disk(argv[1], &ram_regions))) goto cleanup;
/* Cleanup: close BPF object */
cleanup:
if(skel) lemon_ebpf__destroy(skel);
return 0;
}