Hi, I am just beginning with eBPF filters in Linux and coding a few PoCs; now I'm trying to hook sys_execve, whose signature is:
const char __user *filename, const char __user *const __user *__argv, const char __user *const __user *__envp)
I have successfully hooked the userland execve function, whose signature is
const char *path, char *const argv[], char *const envp[])
with this code:
Code:
#include <uapi/linux/ptrace.h>

int count(struct pt_regs *ctx) {
    /* array of 50 pointers; filled with the first 400 bytes of the envp[] array (PARM3) */
    char *buf[50];
    bpf_probe_read(&buf, sizeof(buf), (void *)PT_REGS_PARM3(ctx));
    /* buf[12] is the user-space pointer stored in envp[12] */
    bpf_trace_printk("whatever env var: %s", buf[12]);
    return 0;
}
But when I try to hook sys_execve I can't access the const char * const *.
This doesn't work:
Code:
#include <uapi/linux/ptrace.h>

int count(struct pt_regs *ctx) {
    /* array of 50 pointer-to-pointer slots, filled from PARM3 as above */
    const char *const *buf[50];
    bpf_probe_read(&buf, sizeof(buf), (void *)PT_REGS_PARM3(ctx));
    /* buf[0] is the first slot read from user memory */
    bpf_trace_printk("whatever env var: %s", buf[0]);
    return 0;
}
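For comparison, here is an added example (my own, not the poster's code) of the two-step dereference needed for an envp[] entry: first read the i-th pointer out of the user-space array, then read the string it points to. It assumes BCC is installed, a kernel with bpf_probe_read_user (5.5+), root privileges, and a constructed watch list of variables worth flagging.

```python
import re

# BPF program text; BCC's "syscall__" prefix makes the syscall arguments
# available by name even on kernels that wrap them in a nested pt_regs.
BPF_TEXT = r"""
#include <uapi/linux/ptrace.h>
#define MAX_ENV 16   /* envp slots inspected per exec (assumption) */
#define ENV_LEN 64   /* bytes copied from each entry  (assumption) */

int syscall__execve(struct pt_regs *ctx, const char __user *filename,
                    const char __user *const __user *__argv,
                    const char __user *const __user *__envp)
{
    const char *entry = 0;
    char buf[ENV_LEN];
    #pragma unroll
    for (int i = 0; i < MAX_ENV; i++) {
        /* step 1: fetch envp[i], itself a user-space pointer */
        if (bpf_probe_read_user(&entry, sizeof(entry), &__envp[i]) < 0 || !entry)
            break;
        /* step 2: copy the NUL-terminated string that pointer refers to */
        if (bpf_probe_read_user_str(buf, sizeof(buf), entry) < 0)
            break;
        bpf_trace_printk("env[%d]=%s\n", i, buf);
    }
    return 0;
}
"""

WATCHED = ("LD_PRELOAD", "LD_LIBRARY_PATH")  # constructed watch list

def parse_env_line(msg):
    """Parse a trace message like 'env[3]=LD_PRELOAD=/tmp/x.so' into
    (index, key, value); return None if the line is not one of ours."""
    m = re.match(r"env\[(\d+)\]=([^=]*)=(.*)$", msg)
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None

def is_suspicious(msg, watched=WATCHED):
    parsed = parse_env_line(msg)
    return parsed is not None and parsed[1] in watched

def main():
    from bcc import BPF  # imported here so the helpers above work without BCC
    b = BPF(text=BPF_TEXT)
    b.attach_kprobe(event=b.get_syscall_fnname("execve"), fn_name="syscall__execve")
    while True:
        task, pid, _cpu, _flags, _ts, msg = b.trace_fields()
        msg = msg.decode(errors="replace")
        if is_suspicious(msg):
            print("pid %d (%s): %s" % (pid, task.decode(errors="replace"), msg))

if __name__ == "__main__":
    main()
```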