.

rileyfiretail · rileyfiretail · commit 277f6747f9d7 · 2025-05-15T12:17:04.000+01:00
diff --git a/src2/ssl_read.c b/src2/ssl_read.c
@@ -1,4 +1,4 @@
-#include "vmlinux.h"
+#include <linux/types.h>
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_tracing.h>
 #include <bpf/bpf_core_read.h>
@@ -18,52 +18,53 @@ struct event {
 struct {
     __uint(type, BPF_MAP_TYPE_HASH);
     __uint(max_entries, 1024);
-    __type(key, __u64);  // pid_tgid | TLS_MASK
+    __type(key, __u64);
     __type(value, void *);
 } ssl_read_args SEC(".maps");
 
 struct {
     __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
 } events SEC(".maps");
 
-// --- Helper to store buffer pointer at function entry ---
 static __always_inline void ssl_uprobe_read_enter_v3(struct pt_regs *ctx, __u64 id, __u32 pid, void *ssl, void *buffer, int num, int dummy) {
-    if (buffer == NULL)
-        return;
-
+    if (buffer == NULL) return;
     bpf_map_update_elem(&ssl_read_args, &id, &buffer, BPF_ANY);
 }
 
-// --- Helper to process the return from SSL_read ---
 static __always_inline void process_exit_of_syscalls_read_recvfrom(struct pt_regs *ctx, __u64 id, __u64 pid, int ret, int is_tls) {
     void **bufp = bpf_map_lookup_elem(&ssl_read_args, &id);
-    if (!bufp)
-        return;
+    if (!bufp) return;
 
     void *buf = *bufp;
     bpf_map_delete_elem(&ssl_read_args, &id);
 
-    if (ret <= 0 || ret > MAX_BUF_SIZE)
-        return;
+    if (ret <= 0 || ret > MAX_BUF_SIZE) return;
 
     struct event evt = {};
     evt.pid = pid;
     evt.tid = id;
     evt.len = ret;
-
-    // Read plaintext data from buffer
     bpf_probe_read_user(&evt.buf, ret, buf);
-
-    // Submit to userspace
     bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &evt, sizeof(evt));
 }
 
-// --- Entry probe for SSL_read ---
-SEC("uprobe/SSL_read_v3")
-void BPF_UPROBE(ssl_read_enter_v3, void *ssl, void *buffer, int num) {
+SEC("uprobe/SSL_read")
+int BPF_UPROBE(ssl_read_enter_v3, void *ssl, void *buffer, int num) {
     __u64 pid_tgid = bpf_get_current_pid_tgid();
     __u32 pid = pid_tgid >> 32;
     __u64 id = pid_tgid | TLS_MASK;
 
     ssl_uprobe_read_enter_v3(ctx, id, pid, ssl, buffer, num, 0);
+    return 0;
+}
+
+SEC("uretprobe/SSL_read")
+int BPF_URETPROBE(ssl_ret_read_v3) {
+    __u64 pid_tgid = bpf_get_current_pid_tgid();
+    __u64 pid = pid_tgid >> 32;
+    __u64 id = pid_tgid | TLS_MASK;
+
+    int returnValue = PT_REGS_RC(ctx);
+    process_exit_of_syscalls_read_recvfrom(ctx, id, pid, returnValue, 1);
+    return 0;
 }
