From 95d4e85d331ee19c0e81f8ea98d747d9388b01c7 Mon Sep 17 00:00:00 2001 From: "QCQCQC@Ubuntu" <1220204124@zust.edu.cn> Date: Mon, 7 Apr 2025 13:07:37 +0800 Subject: [PATCH] debug --- Makefile | 7 ++++++- execve_intercept.c | 36 ++++++++++++++++++++++++++++-------- intercept.so | Bin 26328 -> 26496 bytes logs/execve.log | 37 ++++++++++++++++++++++++++++++++++--- logs/execve_out.log | 14 ++++++++++++++ 5 files changed, 82 insertions(+), 12 deletions(-) diff --git a/Makefile b/Makefile index 33e80ba..bbb60c6 100644 --- a/Makefile +++ b/Makefile @@ -4,10 +4,15 @@ LDFLAGS = -ldl -ljson-c TARGET = intercept.so SRC = execve_intercept.c +# 如果需要开启 debug,只需执行 make DEBUG=1 +ifeq ($(DEBUG),1) + CFLAGS += -DDEBUG +endif + all: $(TARGET) $(TARGET): $(SRC) $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) clean: - rm -f $(TARGET) + rm -f $(TARGET) \ No newline at end of file diff --git a/execve_intercept.c b/execve_intercept.c index 9a0fecb..7f52b43 100644 --- a/execve_intercept.c +++ b/execve_intercept.c @@ -10,6 +10,14 @@ #include #include +#ifdef DEBUG +#define DEBUG_LOG(fmt, ...) \ + fprintf(stderr, "[DEBUG] %s:%d:%s(): " fmt "\n", __FILE__, __LINE__, \ + __func__, ##__VA_ARGS__) +#else +#define DEBUG_LOG(fmt, ...) ((void)0) +#endif + #define CONFIG_FILE "./config/execve_rules.json" #define LOG_FILE "./logs/execve.log" #define LOG_OUT_FILE "./logs/execve_out.log" @@ -36,10 +44,11 @@ typedef struct { // 加载配置 Config load_config() { + DEBUG_LOG("Loading configuration from %s", CONFIG_FILE); Config config = {false, NULL, 0}; json_object *root = json_object_from_file(CONFIG_FILE); if (!root) { - fprintf(stderr, "Failed to parse JSON from %s\n", CONFIG_FILE); + DEBUG_LOG("Failed to parse config file from %s", CONFIG_FILE); return config; } 
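Review bot: In load_config, swapping the unconditional `fprintf(stderr, "Failed to parse JSON from %s\n", CONFIG_FILE)` for `DEBUG_LOG(...)` means a build without `-DDEBUG` says nothing when `./config/execve_rules.json` is missing or malformed, and the function then returns the zeroed `{false, NULL, 0}`, so the interceptor quietly turns itself off. Because CONFIG_FILE is a relative path it is resolved against the working directory of whatever process happens to run the hook, so any directory that lacks the file produces the same silent fail-open. If disabling on a bad config is intended, keep an always-on message so an operator can see the policy is off, e.g. `fprintf(stderr, "[intercept] cannot load %s, interception disabled\n", CONFIG_FILE);`; if it is not intended, make the fallback explicit rather than relying on the zeroed struct. The remainder of load_config lies outside this hunk.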
@@ -101,11 +110,13 @@ Config load_config() { } json_object_put(root); + DEBUG_LOG("Loaded %d rules", config.rule_count); return config; } // 检查 args 是否匹配 int args_match(char *const argv[], Rule *rule) { + DEBUG_LOG("Matching args for rule with cmd: %s", rule->cmd); if (rule->arg_count == 0) { return 1; // 没有 args 约束,则直接匹配 } @@ -125,6 +136,7 @@ int args_match(char *const argv[], Rule *rule) { // 写入日志 void write_log(const char *filename, char *const argv[]) { + DEBUG_LOG("Writing exec log for command: %s", filename); time_t now; time(&now); @@ -148,6 +160,7 @@ int is_ansi_escape_sequence(const char *str) { // 复制标准输出和错误输出到日志文件 void duplicate_output_to_log() { + DEBUG_LOG("Duplicating stdout/stderr to log file: %s", LOG_OUT_FILE); int log_fd = open(LOG_OUT_FILE, O_WRONLY | O_CREAT | O_APPEND, 0644); if (log_fd == -1) { perror("Failed to open log file"); @@ -266,15 +279,12 @@ void load_config_if_needed() { } int execve(const char *filename, char *const argv[], char *const envp[]) { - // 如果功能被禁用,则直接执行 - if (!config.enabled) { - orig_execve_type orig_execve = - (orig_execve_type)dlsym(RTLD_NEXT, "execve"); - return orig_execve(filename, argv, envp); - } + DEBUG_LOG("Intercepted execve for: %s", filename); + DEBUG_LOG("argv[0] = %s", argv[0]); // 仅在 shell 终端调用 execve 时拦截 if (!is_terminal_shell()) { + DEBUG_LOG("Not a terminal shell, bypassing interception."); orig_execve_type orig_execve = (orig_execve_type)dlsym(RTLD_NEXT, "execve"); return orig_execve(filename, argv, envp); @@ -283,6 +293,14 @@ int execve(const char *filename, char *const argv[], char *const envp[]) { // 加载配置(仅在需要时) load_config_if_needed(); + // 如果功能被禁用,则直接执行 + if (!config.enabled) { + DEBUG_LOG("Not enabled."); + orig_execve_type orig_execve = + (orig_execve_type)dlsym(RTLD_NEXT, "execve"); + return orig_execve(filename, argv, envp); + } + write_log(filename, argv); const char *basename = argv[0]; 
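Review bot: `DEBUG_LOG("argv[0] = %s", argv[0]);` at the top of the execve hook dereferences argv before any check, and `DEBUG_LOG("Intercepted execve for: %s", filename)` hands filename straight to `%s`; a caller can pass a NULL argv (Linux tolerates it) or a NULL filename (the real execve would just return EFAULT), and a DEBUG build of the hook would crash or hit undefined behaviour in that process before it even reaches the `is_terminal_shell()` bypass. Guard both: `DEBUG_LOG("Intercepted execve for: %s", filename ? filename : "(null)");` and `DEBUG_LOG("argv[0] = %s", (argv && argv[0]) ? argv[0] : "(null)");`. The same unchecked read is repeated by the pre-existing `const char *basename = argv[0];` further down, which this commit leaves as is. The execve body continues past the end of the hunk.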
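Review bot: The re-added `config.enabled` bypass is the third copy of `(orig_execve_type)dlsym(RTLD_NEXT, "execve")` in this function, and none of them checks the result before calling through it, so a lookup failure becomes a jump to NULL inside the intercepted process. Resolve the real execve once in a small static helper that caches the pointer and fails loudly, and call that from every bypass path; this also removes the duplicated two-line cast in each branch. abort() needs `<stdlib.h>`, which the include block is too garbled here to confirm. The enclosing execve function starts before and ends after this hunk.
```c
/* Resolve the real execve once; fail loudly rather than call a NULL pointer. */
static orig_execve_type real_execve(void)
{
    static orig_execve_type fn;
    if (!fn) {
        fn = (orig_execve_type)dlsym(RTLD_NEXT, "execve");
        if (!fn) {
            fprintf(stderr, "[intercept] dlsym(RTLD_NEXT, \"execve\") failed: %s\n", dlerror());
            abort();
        }
    }
    return fn;
}
/* … unchanged: execve() up to the enabled check … */
    if (!config.enabled) {
        DEBUG_LOG("Not enabled.");
        return real_execve()(filename, argv, envp);
    }
```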
@@ -301,6 +319,8 @@ int execve(const char *filename, char *const argv[], char *const envp[]) { for (int i = 0; i < config.rule_count; i++) { if (strcmp(basename, config.rules[i].cmd) == 0 && args_match(argv, &config.rules[i])) { + DEBUG_LOG("Rule matched: %s (type: %s)", config.rules[i].cmd, + config.rules[i].type); if (strcmp(config.rules[i].type, "warn") == 0) { printf(ANSI_COLOR_YELLOW "[Warning] %s\n" ANSI_COLOR_RESET, config.rules[i].msg); @@ -321,7 +341,7 @@ int execve(const char *filename, char *const argv[], char *const envp[]) { } // 复制 stdout 和 stderr 到日志文件 - duplicate_output_to_log(); + // duplicate_output_to_log(); orig_execve_type orig_execve = (orig_execve_type)dlsym(RTLD_NEXT, "execve"); return orig_execve(filename, argv, envp); 
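Review bot: `// duplicate_output_to_log();` leaves commented-out code on the exec path; delete the call (and, if nothing else uses them, the `duplicate_output_to_log` and `is_ansi_escape_sequence` helpers, which sit outside this hunk) or gate it on configuration instead of a comment. The reason for disabling it is worth recording, because the helper's earlier hunk opens LOG_OUT_FILE with mode `0644`, and its name suggests it redirects the command's stdout/stderr into that file, so re-enabling it as-is would likely put every intercepted command's output in a world-readable log. If the line has to stay, a comment such as `/* Output capture disabled: it redirects command output into LOG_OUT_FILE (created 0644); re-enable only behind a config flag with a restrictive mode. */` says why.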
diff --git a/intercept.so b/intercept.so index 35c2659d6e6303379358a95694c340dfe2bb303e..1a385460c92dd04aa806c71e41c85633d8ae7b06 100755 GIT binary patch delta 6056 zcmaJ_3sh9s6@72?DG+f61qbBg_(4Vf3W69aeny8ZHA;d?l_0{PlkgLUM7xp4D$6#ucz}@| z8`veU;k6DWMXqkWq`V}vK4qXB!e;7*vmJv295)k%%}#p)2Of}eG(-6s;ig8|I#4h!YJ~Br zqW!c-A5H4GeY~c})&{I$7Xu;#%WA4Bipp%|*4Cc_;s>O*XbLw9g<^mxq-qUsEWR6W zY%Lhls*_V$u-?e-*AEHqS}7E0d?Hvj&~l(|KQxL}0Nn=kh98>7wgdeXXn@uQSs2BR z0=*41+z%biegc|c7!o|u4;{l24Mw&CXr>=Jjuisk4AkO>W-u4f4}dQ7Lnp8gf%XDj z5P4d#hHCQOOo8{Z>y@iR8`eO$_4h(_!*h#U^sQ) zl;*pFLn0&;%E4$!YELGrD=Y$##g#sRil)vsfRg)_pH!9I89!qFF|0PA?q&d%Ci7v- z#-|QTb<1J%-AqWh&3B*!n}uYP<{@nEC7LV!mSDGWo9S%Pgfa0KutY7c{AP<2#$3Ty zxyEPIMZg_ZMG`_GX{Po%wtYg3JdIe64T7~pV{P%Vw!yK64*jM(SP78sAg244s&2fY z=o@A=|W&`aNQV#x)lhmK7(vQeBk|YaDBfV$)i$6 zi*Ve5lnnA8{HNHuiE)no=%~}Ynd0m*qwX|swv-$b{(MPl&%h;ga}1&H1dKBHgpoYp zq3G&nLH7d|d2^6F0fAg@l*@<`(kd zIaU@IKY|HSn@7|}qJ`|OxOh2_eGwO*-ZsMPm-9!F+;1p;r@4bv|9(SD?qNUhc{XLz z-0)8zLXcgUBwdny4j5g;C}mqGWymYokx4VBeTUwi`F%)o8#YfQd1ljb%$>(D`P$c# zL08zpP%6?J!%%qU ztmmad(`^(v=tBkpWxH-WozfS2nL>*cpX&yEmw=`Wws7e04Wck z_V0vAx?|UvJ~2%9)ipLgaS5&KKVW+oYp@XhB9AVNUHcm%gm>`Ogz=wKB%Tlw;R1Uy zairr_RGJ#PFuof8*#JlUsp8 z6cl=lAh|#1#{a>M(_5{>#;3$-q&bkrdRgbLk_qYrCQkB3uV@^-%CeH8b?;tf1xb;) zM~6`ud@U`30a~i}!@EA{V$SUINi#KRj8D4VCmng6eVAmNy88;>Yf>!E7rVIyVW{cQ zM>3M91*?bO4{>&UPEb&Se&vGFCV5D$7Y3nOK2YvOfnB?;L3&uU!o-*p89e# z-aD?aXH(J~ePhCoKBi2LHP@03sKYqbUC#Z` zZ~6^o$f@LO(s8KgQXPIBxd{I{m8odb)2XB-v8u@C2!Fdls-h5zR*Wu)ZJ%snz6YnUqWvS>UT|ouP(ChCr3HpP&dw| zVjDaxw!wcQpY0=&GK~J&`>06&U?{gNf?EyqFo#qaKz~ip1@%p$MhfaKLEY_7O#oFG zd7b+>ug(S&MZyHOFDvm!34XcYzv9ooKuL2cM>uxK(%FgFRrgDMEMbbt;ldd~7@rO` z{d>v_I4y7NlQ(tPsh3lec%10vTYUQ4Cy8Fp2k`)H{=JloUMzR_GJ?X!0Rl4svtj|l zHy@tQcX9fJ&s2@adWO&`#hK4V+L~E>k?o!m8XV1S@!hNYd-nO1oC)WHDWx1?-}CXx zL}X5mdLt{i$fl*4!XCsz?=+vFdD3%-{C0+|h-Z~)qe8}Vs=nc`0!@f#ze|g9oV`E> z^_#W}R7K=Y^9kRvN5=7Ei^PS&|N1W>jx`66uZTG6NV06~4am!FI)c0z5k&heqPfCi z0;x#v6;n>6{Z({p+4!+Rfq$DPF*$uWJC!y#s)y_FNEZml8X6G^l$MZE^ke({jnwq= 
zA^x*J_6RU{Ah?a@FY2HAqQE{1@AdWwBFJL*w;2E1N=^1EQ+07o ztySZj=-(XJY;w*5N54Gk54_k?Q%zmDRrJuG{RPGLk~QR5an0&lQ(09F*Ec<3v#&9g zRFr1)Y$CS zB4ktRNGq6rMT9ncB}tAPFufcCtPRQVHP#|2ol?~nYNMpT18<*J)ozr{XYu97M)CGJ zRW+gPajPm_Sw#1!>PnO&u;l7dzJN8o1Eqv*tOI2a%5G}o!TFaSc5YV0p!$=l+NWcK zW{+`LzEM?tCA<%*t-vn_csCu0v?mIs9lrzJs(O)bMa)ADztqhR9yH+Wz#)SJB$B^? z-C<`ago6L; z@7S%`F}mLKY~-96U1l%KniFG`5kJ4O@sb+Jxz@!Yrw0Xku3)O!%>^@bn=@I~!gu9G ztvw50)ya))>*6X|Vsf4_B1OBBfiL_SjkgYWJk=~U&nRzUxp~QQ3tOKz!?6<*Su#j% zxR;=ZhLWCE{0Kj+;n>aivtPrzG+f()B-&z0zfZ%%g}U_AK*A%W9mN9h;FKodW281s z5TFsxae+Y!&~EAmv(tH_f-ZA(m}Hp8f*u<002T4*rOlZdODhHem!)v2Q8Vh14(B-j z`aR-7L>UEKl0qcUb)ZL@tl8OekDcipH{vY6(xWQM#q7XCMtLbajmtv!z;Fx(YVt06 zEA;=tME8X9*KF~_M%MgrIELx;!^!egc6^{wewl4pYLs)S&RPbA%av4%Xu`y$Yq@*x z6<_0==UMR*BWueKmmlEmPX6xU%v&1s-Wx*$apZCQolfu6c{rT(cSl*I;rHHAKFWLT zSQ0L8rJC}4=!wYoa;qQHJK~JS)@~-f7n6nD$BSH3$72p-yO%}}A1d8@B{`c*XYu#L z{Jomq5$iCS?z*Z(o1RTvrta@|n<&wEFrs_0na-e6$ zG_ti;^ky}%Hftt!ic8iRVI7NwCoOdCiih^eNMFvfX79{sVXg B@}2+y delta 4876 zcmZu#4OA4@6`omG1p+P$tjn*gqR6j+KR`?@U|c$yXz*vFm?-}!1|lX)Ytow409LZu z1aqSyp5%m+leV@!H5^G(ViSd$0On7Ko)$f7NotZMh_3h()Wqrc-psOF+Bs+6o%h}E z-gobv_ulNAohQYC&&B2h&AOt!NtyoZ^a8)u?X5}+uuN4tmZ^K+niF94ReDz6y=Uk6 zAM{argQORK2&rAH^gNOxHAlmGB2PS8zsPrN>2nn?zO(br<@FoBYiPfu`AigTw9>~& zeZB+Yv;3}8n=Y2LU)8=UzFg`n>M2hXO0ARqY)Pq#D_;87UlCCinqhmqj%gRSj0F`Cm~DV$&7g zvu-}RY~VBT3SLXw{5Bi5Jhk)9Nn|>SA|d9O1Ys!O!FT1q+!-yel=iq^`?3QrDP|BzDuo@qS_rt&5+Q zsD)mrOSVY$i@1gMxm$al-i*&#-EAHeq#m=Ajn!jz zF@czz;moeb*@q;hCUdV;zoS>Edk_(JXG3EL$M6y3ID!T^^$V~&n6Y!mPxN@Q>7k+b zFpDLJrA4yC+!6HdIL%pbSC)}u7&I+xkhVLluiMwT$2_Qe&pcS~5*s?LY1|O%UEE>x z&@#ngtLm`8`R@XR$^#oEY^F53Nn#?Y{*(J3|Rh=_+PyxP3B?+M^ z2eTLvK-ZC(2>qz2B>$CBA+2P|v*=;)F|{Tnioc;x5=^!uw|PcgUkA5D%fg>N}BiWZb?Uom$vM;5oFM06dCsdWF zn;OVsu$$YMMK-^IMGu`!jG{jz22cI;7FTz;)g3Id-B2fs&(od6bn{O@wG>d7F1*+@{6>HoZP%ty~udO1MIC z_Ch=K5Swz2Mkjk@$j*w9>c`}|>EQXPyjJk++zSZvKo~N@$a#x9KX)gGc|XU!-v_Iq z5T29sac`@;H<$}H2wYs{ol8pR;tk46i_v_1gNoClN*&zzA1sm`u*W2*yC2cHSac3U 
zokv@wYNvU$8$8-PMQaV{X*>;6wmOcn#@TzF&Zor~-@gujEKMB(4pjrT-Xwi`^t|2P zy4!g3vtaU&wGzMNaIk2O2&~*qUqEL-=;?8`K9%an?Csj6c=hoW+T+~so&3{Kj~BBV zonwega2~$q9snLKoWlyl7dDVk4}#JQK*Vtbotf8VlgFzOs)~2>-1vAd|MaOWB+UT6SKl& z;vNkj1v4L)bTc{3*Nw&Ol}G$(%ckE#HFe zPkSMauFQ?noViMY^JdwePXia>hbZ+TZlY`0&&pxfR;${XxG!e+2x8EMV0yI6(PdYU z_CfUyS>$4Yj@RA@UkILK_I(mpX+yXdLnssW#sZsy2C=TAv6%PRj&y&JGFTW=#R|Gd zvYWAuYDe(;|DQd?g@8^RXYYIqUbj;Hr2?sG2VNX?ol=vfL-(HcO;{=KwQRV4kyoc% z>gmB~zOu7)l>Ry26n_n~QmMhst9(qxmAtvKGkTQPEimQ&d7RqDYGJo@B0LPp=gV?f zqYDVt!uHJHz=mO-4=0>+(V+#ov)}h1FTo3vWCQNvs2ZH?v|J@arpfRvR(_B9G%NRz z9ru#mAf?i>%vgOaH`O(+RnYKMdL}bk|MeB-P}h*8pu;H?nH3p58pvwOWB5QJH12^% zIQvTq6=cQOj&g#!a{4bL4~O>e-q?r0oZDf$$9!t%j#Gu!ShP=DBf$Gq;W?8)=|ExS zp;OGaL))t=^iT}#QpQV75d^#WwC7)e*e7WPnv*pteB(XiLEeQ0%JMJ*ypzlVeCXHS z!5G~m4X>^@pBC}&2xo+Q&8KxQRARZ{U86kBouDC%{oL<(VYghNs_eLSdv@LA_5%G9 z&C9t_VfiKa(_U_}ZZ*}GJo!|GY1!(BSJ11u1++VFDd`sPp_auPCRJ>&DEmbPbv=+k z)0f0h?vm{`G0Nw@Y9xl>gtqf24wHkj+y>bR$zJ1C7iD=6@{AMP2%gH}Az3y-9{FCD zb0IH7vNOs%BeJ{`G8IK`g?tUN6Y@Dc=Rrtz;bqM)@tIYExILI&GV3RqFs|T3zcbIU zjr~iOv5SmfjQ$vYF5oV<^{Q7iq!qti|CZ%iyb1*Kl;GW(2ZAQ~Z1N49>?bh&EBN() zC(HcU<<@KZn40U~h5mV@#7|R-J~U{OMjj`e2I0veTAx2{#%`p{k9BT8J{=nOIAKU_ z_9Z%yKTXp(LPsF_N9b(+G~)q0J$@t`H(KTcqxL-gE`NXbk*b+)Ezi+NnY3`lA#rp2 z(26%T{=sn=8CNqkt=t-6QV&@QCgA)g2pY5nq+ex>a38_k+AQ3NLWIytd8^XIKH9b_ zCovxtVpv;=!U|W(2UTvbiu+Oj%GiLvaWq7zT|&>Sj<=maS0m^IDO0sl#Ys*J7u;t* zxAq*z4T7-IjVSUPF7$%?IPTVt;YJj~g%&jkH|~qFih>dU4vO87A|okdjZrkwS3X8D zm$xf_u7yM_OJH8z8J8zhHE+Jm9TaJ`v$`}6Td?IO2sFB=4b}4Jf%M}d+kZ|XYi-? zJ@HXfIiRLED~NY|@CEsif4V z!5;E;=^QF33no)px;{NliPbG#R8p1};$BT|IV+gnDw`AFp50i8XUp>SHC}rS^WsMt z<*@ diff --git a/logs/execve.log b/logs/execve.log index d43c449..09bfbc5 100644 --- a/logs/execve.log +++ b/logs/execve.log 
@@ -1,11 +1,42 @@ -[Thu Apr 3 16:51:04 2025 + +[Mon Apr 7 13:05:57 2025 ] Command: /usr/bin/lesspipe arg[0]: lesspipe -[Thu Apr 3 16:51:04 2025 +[Mon Apr 7 13:05:57 2025 ] Command: /usr/bin/dircolors arg[0]: dircolors arg[1]: -b -[Thu Apr 3 16:51:05 2025 +[Mon Apr 7 13:05:58 2025 +] Command: /usr/bin/ls +arg[0]: ls +arg[1]: --color=auto +[Mon Apr 7 13:06:00 2025 +] Command: /usr/bin/ls +arg[0]: ls +arg[1]: --color=auto +arg[2]: -alF +[Mon Apr 7 13:06:03 2025 +] Command: /usr/lib/command-not-found +arg[0]: /usr/lib/command-not-found +arg[1]: -- +arg[2]: conda +[Mon Apr 7 13:07:03 2025 +] Command: /usr/bin/lesspipe +arg[0]: lesspipe +[Mon Apr 7 13:07:03 2025 +] Command: /usr/bin/dircolors +arg[0]: dircolors +arg[1]: -b +[Mon Apr 7 13:07:04 2025 +] Command: /usr/bin/ls +arg[0]: ls +arg[1]: --color=auto +[Mon Apr 7 13:07:06 2025 +] Command: /usr/bin/ls +arg[0]: ls +arg[1]: --color=auto +arg[2]: -alF +[Mon Apr 7 13:07:07 2025 ] Command: /usr/bin/ls arg[0]: ls arg[1]: --color=auto diff --git a/logs/execve_out.log b/logs/execve_out.log index b548394..dce29d2 100644 --- a/logs/execve_out.log +++ b/logs/execve_out.log 
@@ -1,3 +1,4 @@ + export LESSOPEN="| /usr/bin/lesspipe %s"; export LESSCLOSE="/usr/bin/lesspipe %s %s"; LS_COLORS='rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:'; 
@@ -9,3 +10,16 @@ logs Makefile README.md test_bash.sh +总计 67 +drwxrwxr-x 6 qcqcqc qcqcqc 11 4月 7 13:05 ./ +drwxrwxr-x 12 qcqcqc qcqcqc 12 3月 20 21:08 ../ +drwxrwxr-x 2 qcqcqc qcqcqc 3 3月 26 09:04 config/ +-rw-rw-r-- 1 qcqcqc qcqcqc 11067 4月 7 13:05 execve_intercept.c +drwxrwxr-x 8 qcqcqc qcqcqc 14 4月 7 09:30 .git/ +-rwxrwxr-x 1 qcqcqc qcqcqc 26328 4月 7 13:05 intercept.so* +drwxrwxr-x 2 qcqcqc qcqcqc 4 3月 26 16:09 logs/ +-rw-rw-r-- 1 qcqcqc qcqcqc 323 4月 7 13:01 Makefile +-rw-rw-r-- 1 qcqcqc qcqcqc 4361 4月 3 16:52 README.md +-rwxrwxr-x 1 qcqcqc qcqcqc 2390 3月 26 16:49 test_bash.sh* +drwxrwxr-x 2 qcqcqc qcqcqc 3 4月 7 09:16 .vscode/ +conda:未找到命令