Commit Graph

9 Commits

Author SHA1 Message Date
5b967134e8 typo fixed: scanner.Run() -> scanner.Errors() 2020-01-19 02:26:15 +01:00
d800683dce RunEvery() and better Error-handling added
1. symbolyze.Scanner now implements the RunEvery(time.Duration) method
   that will call scanner.Run() periodically.  It should be called to
   run in its own goroutine.  The loop can be stopped by calling
   scanner.Stop().

2. The scanner now collects all errors from all observers in a private
   error type `errors []error`. It's Error() returns a cumulated list of
   errors, seperated by a newline.
2020-01-18 20:27:23 +01:00
edd9212e89 Rename symbolyze.New -> symbolze.NewScanner 2020-01-16 00:13:03 +01:00
80e5782a45 Added commandline flags 2020-01-16 00:02:59 +01:00
7af1728eed Cleanup done and documtation added
symbolyze.go has been simplified and cleaned up.  It now also is documented,
f.e.:

 % go doc Scanner
package symbolyze // import "."

type Scanner struct {
	*log.Logger // Embedded logger

	// Has unexported fields.
}
    Scanner represents an engine for scanning for a specific symbol in all
    ELF-files matching a certain pattern. The pattern is described in
    fileapth.Match().

    Once a Scanner is created with New(), it should be populated with Observer
    functions using OnFound(). Optionally, the scanner can be put into debugging
    mode by a call to DebugOn() prior to a call to Run().

    A call to Scanner.Run() then starts the engine and it will scan all pids in
    /proc. Whenever a match is found, all observers will be called with the
    (pid, offset), concurrently.

func New(symbol, pathglob string) *Scanner
func (S *Scanner) DebugOn()
func (S *Scanner) OnFound(fun Observer)
func (S *Scanner) Run() error
2020-01-15 23:26:30 +01:00
fb59ca1072 modular solution, first working draft
symbolyze/ now contains a module that exposes a Finder type with a
simple API, like:

	finder := symbolyze.New("_PyRuntime", "*python3*")
	finder.Debug(true)
	finder.OnFound(mapFD.Set)
	finder.Run()

Instead of writing (pid, offset) directly to a eBPF-map, it implements
an observer-pattern and expects a callback.

TODOs/next steps:

	- Write documentation
	- Add tests
	- Experiment and re-evaluate design
2020-01-15 20:42:53 +01:00
a9f0f27ee2 Rough solution for Tasks 1, 2, 3
main.go:

	- reading /proc
	- iteration over entries in NNN/maps
	- filter glob-search for "*python3*" in pathname
	- find symbol and its offset in pathnanme
	- calculate offset in memory
	- add pid and offset to map

	TODO: encapsulating this into a module

ebpf.go:

	- added type MapFD int, changing all function on a FD to methods
	  This allows us to enrich the data type going forward

	- added bpf_update_elem() from the manpage ebpf2.
	  .updateElement() is the verbatim wrapper to it.

	- added .Add/.Change/.Set methods, which call .updateElement
	  with specific flags

	TODO: re-implement ebpf.go with pure go, using direct syscalls.
2020-01-15 19:04:56 +01:00
64f54c622d first steps of exploration 2020-01-15 12:48:36 +01:00
Sean Heelan
3f6517aae2 Initial import 2020-01-14 14:32:06 +00:00