From bbf1e24ad29d5be48ef5d0dda030bac50ec06e16 Mon Sep 17 00:00:00 2001 From: Paul Montag Date: Mon, 29 Jan 2024 22:20:58 -0600 Subject: [PATCH] added some more stuff --- content/posts/bpftrace_and_go.md | 56 ++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/content/posts/bpftrace_and_go.md b/content/posts/bpftrace_and_go.md index 052b542..397df5b 100644 --- a/content/posts/bpftrace_and_go.md +++ b/content/posts/bpftrace_and_go.md 
@@ -182,3 +182,59 @@ uprobe:/home/paul/Projects/go-play/go-play:main.neatFunction+0x17d { TAKE THAT GUNTHER!!! WHO'S A "ReAl ProGrAMeR" NOW!!!! Sorry, sorry... Let's move on. ### Dumping Function Parameters + +Lets start with a new go program. People like to write add functions at times like these... So let's write a minus! + +```go +func main() { + for { + minus(22, 12) + time.Sleep(1 * time.Second) + } +} + +//go:noinline +func minus(a, b int) int { + return a - b +} +``` + +Lets dump the assembly for the main function so we can see where the parameters are being set before calling the function. + +``` +❯ objdump --disassemble=main.main go-play +0000000000458d60 : + ... + 458d6e: b8 16 00 00 00 mov $0x16,%eax + 458d73: bb 0c 00 00 00 mov $0xc,%ebx + 458d78: e8 23 00 00 00 call 458da0 + ... +``` + +I have removed all the stuff that isn't part of the function call. + +`mov $0x16,%eax`: The keen eyed of you may realize that `0x16` is hexidecimal for 22. The `mov` instruction is used to copy data from one place to another. The place it is copying it `%eax` is a [register](https://en.wikipedia.org/wiki/Processor_register) on the CPU. This means our `minus` function assumes our first parameter will be in register `%eax`. + +`mov $0xc,%ebx`: does the same thing, but for the second argument. `0xc` is hexidecimal for 12, and we are loading 12 into `%ebx`. + +`call 458da0`: calls the function. The definition for which is at address `0x458da0`. + +Armed with this new knowlegde we can grab the values being passed into the function like so. + +``` +#!/usr/bin/bpftrace + +uprobe:/home/paul/Projects/go-play/go-play:main.minus { + printf("minus(%d, %d)\n", reg("ax"), reg("bx")); +} +``` + +Now we can run it + +``` +❯ sudo ./show_value.bt +Attaching 1 probe... +minus(22, 12) +minus(22, 12) +minus(22, 12) +```
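Review bot: The objdump listing in this hunk has lost its symbol names, which undercuts the explanation that follows it: `0000000000458d60 :` should read `0000000000458d60 <main.main>:` and `458d78: e8 23 00 00 00 call 458da0` should carry `<main.minus>` after the target address (the surrounding text already identifies both functions, so this is recoverable from the post itself, but the reader has no way to match the bare address to the function without it). Two smaller points in the same hunk: the Go snippet uses `time.Sleep` but shows neither `package main` nor `import "time"`, so either add them or say the listing is abbreviated; and the explanation of `mov $0x16,%eax` states that `minus` "assumes our first parameter will be in register `%eax`", which is true for the amd64 disassembly shown but is a property of the Go version and architecture being traced, so a sentence saying the register mapping was read off this particular build, and should be re-derived from objdump on any other toolchain or arch before reusing the `reg("ax")`/`reg("bx")` probe, would save readers from silently wrong values. Spelling in the new prose: "Lets" (twice) should be "Let's", "hexidecimal" (twice) should be "hexadecimal", "knowlegde" should be "knowledge", "keen eyed" should be "keen-eyed", and "The place it is copying it `%eax` is" should be "The place it is copying it to, `%eax`, is".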