“`bpf_probe_read“` garbled text,how to get plaintext


This Content is from Stack Overflow. Question asked by sa Kevin

I want to get getaddrinfo function entry params(host->PT_REGS_PARM1), attach uretprobe/getaddrinfo, but it return any garbled text, how to get plaintext?

using golang cilium/ebpf

the uretprobe.c

#include "common.h"
#include "bpf_helpers.h"
#include "bpf_tracing.h"

char __license[] SEC("license") = "Dual MIT/GPL";

struct event {
    u32 pid;
    u8 comm[16];
    u8 host[80];

struct {
    // __uint(type, BPF_MAP_TYPE_RINGBUF);
    // __uint(max_entries, 256 * 1024 /* 256 KB */);
    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
} events SEC(".maps");

struct event *unused __attribute__((unused));

int getaddrinfo_return(struct pt_regs *ctx)
    struct event event = {};

    u64 pid_tgid = bpf_get_current_pid_tgid();
    u32 pid = pid_tgid >> 32;
    u32 tid = (u32)pid_tgid;
    bpf_probe_read(&event.host, sizeof(event.host),
                       (void *)PT_REGS_PARM1(ctx));
    bpf_get_current_comm(&event.comm, 16);
    event.pid = pid;
    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event));

    return 0;

the main.go and log print

//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS --target=amd64 -type event bpf uretprobe.c -- -I../headers

binPath = "/lib/x86_64-linux-gnu/libc.so.6"
symbol  = "getaddrinfo"

log.Printf("%s:%s return value:%d -  %16s - %80s", binPath, symbol, event.Pid, event.Comm, event.Host,)

2022/09/18 08:47:24 /lib/x86_64-linux-gnu/libc.so.6:getaddrinfo return value:1460362 -  curl - *P���qsʀv�Y��sqU\�W��        sqU�a���]�W�U�Y�

Thank you in advance.


This question is not yet answered, be the first one who answer using the comment. Later the confirmed answer will be published as the solution.

This Question and Answer are collected from stackoverflow and tested by JTuto community, is licensed under the terms of CC BY-SA 2.5. - CC BY-SA 3.0. - CC BY-SA 4.0.

people found this article helpful. What about you?