Repository: https://github.com/gojue/ebpfmanager (formerly ehids/ebpfmanager)

* Description: A golang ebpf library based on cilium/ebpf and datadog/ebpf.
* Language: Go; license: Apache-2.0; topics: ebpf, golang, hids
* Stars: 327; forks: 50; open issues: 1; last push: 2025-03-23
* Record synced from repos.ecosyste.ms on 2025-04-08

# Introduction
[![](https://godoc.org/github.com/gojue/ebpfmanager?status.svg)](https://godoc.org/github.com/gojue/ebpfmanager)

ebpfmanager is an eBPF library wrapper built on cilium/ebpf, following the design of the datadog/ebpf/manager package.

Compared with `cilium/ebpf`, it adds configuration-driven, automatic loading, a more object-oriented design, and the ability to enable or disable individual `probe`s. Compared with `datadog/ebpf`, it consumes `cilium/ebpf` as a normal dependency instead of a fork, which is the direction that project itself says it wants to take, and its `cilium/ebpf` dependency has been bumped to v0.9.0.
> Work is underway to convert this library to wrap the upstream library, rather than forking.

# Dependencies

* [cilium/ebpf v0.9.0](https://github.com/cilium/ebpf/releases/tag/v0.9.0) (2022-06-16)
* [go-bindata](https://github.com/shuLhan/go-bindata/cmd/go-bindata): generates a Go package from the eBPF bytecode file, similar to `go:embed`.
```shell
go get -d github.com/shuLhan/go-bindata/cmd/go-bindata
# On Go 1.17 and later, install the tool with:
# go install github.com/shuLhan/go-bindata/cmd/go-bindata@latest
```

# Description
A manager has a one-to-many relationship with probes. Every probe must set the `Section` and `EbpfFuncName` fields. A `k(ret)probe` or `u(ret)probe` additionally needs an attach target: `AttachToFuncName`, or, if that is left empty, the last segment of `Section`.
```go
    // fields of manager.Probe (excerpt)

    // UID is an optional, user-chosen unique string.
    UID string

    // Section is the ELF section name of the bytecode, i.e. the argument of SEC("[section]").
    // It identifies the probe type: [ku](ret)?probe, xdp, (raw_)?tracepoint, tc, etc.
    // Early datadog/ebpf used it as the key of the manager's collectionSpec.Programs;
    // since cilium/ebpf v0.7.0 the programSpec map is no longer keyed by section,
    // so the key is MatchFuncName instead.
    Section string

    // AttachToFuncName is the name of the syscall to hook, independent of kernel version
    // and CPU word size: mkdirat, for example, is expanded to __x64_sys_mkdirat,
    // __ia32_sys_mkdirat, etc.
    // For uprobes it is used directly as the name of the function to attach to.
    // If left empty, the last segment of Section is used as the attach function name.
    AttachToFuncName string

    // EbpfFuncName is the name of the kernel-side C function in the bytecode,
    // taken from the ELF symbol table.
    EbpfFuncName string

    // funcName is the resolved name of the hooked function; private, computed automatically.
    // For uprobes, if it is empty, the offset is used instead.
    funcName  string
```

# Usage

See the examples under the `examples` directory, for instance `uprobe`. Loading and attaching probes requires root or the equivalent capabilities (CAP_BPF and CAP_PERFMON on Linux 5.8 and later, CAP_SYS_ADMIN before that), and reading `trace_pipe` needs tracefs/debugfs mounted.

```go
package main

import (
	manager "github.com/gojue/ebpfmanager" // the package is named manager
	"github.com/sirupsen/logrus"
)

// One uprobe on bash's readline(): every interactive command line passes through it.
var m = &manager.Manager{
	Probes: []*manager.Probe{
		{
			Section:          "uprobe/readline",
			EbpfFuncName:     "uprobe_readline",
			AttachToFuncName: "readline",
			BinaryPath:       "/usr/bin/bash",
		},
	},
}

func main() {
	// Initialize the manager with the eBPF bytecode. recoverAssets is defined in the
	// example's other files and returns the embedded ELF (see go-bindata above).
	if err := m.Init(recoverAssets()); err != nil {
		logrus.Fatal(err)
	}

	// Start the manager: load the programs and attach the probe.
	if err := m.Start(); err != nil {
		logrus.Fatal(err)
	}

	logrus.Println("successfully started, head over to /sys/kernel/debug/tracing/trace_pipe")

	// Spawn a bash and write a command to trigger the probe
	// (trigger is also defined in the example's other files).
	if err := trigger(); err != nil {
		logrus.Error(err)
	}

	// Close the manager, detaching the probe and cleaning up everything it created.
	if err := m.Stop(manager.CleanAll); err != nil {
		logrus.Fatal(err)
	}
}
```

# Projects using it

* eCapture : [capture SSL/TLS text content without CA cert using eBPF.](https://github.com/ehids/ecapture)
* eHIDS-Agent : [A Linux Host-based Intrusion Detection System based on eBPF.](https://github.com/ehids/ehids-agent)

# Notes

1. In cilium/ebpf v0.7.0 and later, the progs map returned by the `loadProgram` function is keyed by the C function name; see `elf_reader.go` line 312, `res[prog.Name] = prog`. This differs from older versions, which keyed the map by section name.
2. This library was implemented against [datadog/ebpf af587081](https://github.com/DataDog/ebpf/commit/af5870810f0b2c2f9ba996d02db16955de58266f) (Nov 17, 2021).

# Thanks

Thanks to [https://jetbrains.com/](https://jetbrains.com/) for the All Products Pack IDE licence.
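The probe-resolution rules from the Description and Notes sections (mandatory `Section` and `EbpfFuncName`; the attach target defaulting to the section's last segment; a syscall name expanded to arch-specific symbols such as `__x64_sys_mkdirat` and `__ia32_sys_mkdirat`; programs looked up by C function name rather than section since cilium/ebpf v0.7.0), carried through as a stand-alone Go example. This is an added illustration, not code from ebpfmanager: the `Probe` struct models only the fields the README lists, `KindOf`, `SyscallSymbols` and `Resolve` are hypothetical helpers, the loaded-program set and probe specs are constructed inline, requiring `BinaryPath` for user-space probes is this example's own rule, and the arm64 and plain `sys_` symbol forms go beyond the README's x86 pair.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Probe models only the Probe fields the README lists (assumption: the real struct has more).
type Probe struct {
	Section          string // ELF section, e.g. "kprobe/mkdirat", "uprobe/readline", "xdp/ingress"
	AttachToFuncName string // syscall or user-space function to hook
	EbpfFuncName     string // name of the C function in the bytecode's symbol table
	BinaryPath       string // u(ret)probes only: binary that carries the hooked function
}

// Resolved is what a loader needs once a Probe has passed validation.
type Resolved struct {
	Kind       string   // section prefix: kprobe, kretprobe, uprobe, uretprobe, xdp, tracepoint, raw_tracepoint, tc
	AttachTo   string   // function to attach to; empty for kinds that attach elsewhere (xdp, tc, ...)
	Candidates []string // k(ret)probes only: arch-specific syscall symbols to try, in order
}

// kinds are the section prefixes the README says Section is used to recognise.
var kinds = map[string]bool{
	"kprobe": true, "kretprobe": true, "uprobe": true, "uretprobe": true,
	"xdp": true, "tracepoint": true, "raw_tracepoint": true, "tc": true,
}

// KindOf returns the probe kind encoded in the first segment of a section name.
func KindOf(section string) (string, error) {
	kind, _, _ := strings.Cut(section, "/")
	if !kinds[kind] {
		return "", fmt.Errorf("section %q: unknown probe kind %q", section, kind)
	}
	return kind, nil
}

// SyscallSymbols lists the symbols a syscall handler may be exported as, in the order to try them.
// The README gives the x86 pair (__x64_sys_<name>, __ia32_sys_<name>); the arm64 wrapper and the
// plain sys_<name> form of kernels before 4.17 are added here on the same pattern.
func SyscallSymbols(name, arch string) []string {
	switch arch {
	case "amd64":
		return []string{"__x64_sys_" + name, "__ia32_sys_" + name, "sys_" + name}
	case "arm64":
		return []string{"__arm64_sys_" + name, "sys_" + name}
	default:
		return []string{"sys_" + name}
	}
}

// Resolve applies the README's rules: Section and EbpfFuncName are mandatory, the program is found
// by its C function name (how cilium/ebpf >= v0.7.0 keys its program map), and k/u(ret)probes need
// an attach target, defaulting to the last segment of Section.
func Resolve(p Probe, loadedProgs map[string]bool, arch string) (Resolved, error) {
	if p.Section == "" || p.EbpfFuncName == "" {
		return Resolved{}, errors.New("probe needs both Section and EbpfFuncName")
	}
	if !loadedProgs[p.EbpfFuncName] {
		return Resolved{}, fmt.Errorf("no program named %q in the loaded ELF", p.EbpfFuncName)
	}
	kind, err := KindOf(p.Section)
	if err != nil {
		return Resolved{}, err
	}
	r := Resolved{Kind: kind}
	if strings.HasSuffix(kind, "probe") { // kprobe, kretprobe, uprobe, uretprobe
		if r.AttachTo = p.AttachToFuncName; r.AttachTo == "" {
			r.AttachTo = p.Section[strings.LastIndex(p.Section, "/")+1:] // README default
		}
		if r.AttachTo == "" {
			return Resolved{}, fmt.Errorf("%s %q: nothing to attach to", kind, p.Section)
		}
		if kind[0] == 'k' {
			r.Candidates = SyscallSymbols(r.AttachTo, arch)
		} else if p.BinaryPath == "" { // assumption of this example: user-space probes must name their binary
			return Resolved{}, fmt.Errorf("%s %q: BinaryPath is required", kind, p.Section)
		}
	}
	return r, nil
}

func main() {
	// Constructed program names, as a loader would read them from the ELF symbol table.
	loaded := map[string]bool{"kprobe_mkdirat": true, "uprobe_readline": true}
	probes := []Probe{
		{Section: "kprobe/mkdirat", EbpfFuncName: "kprobe_mkdirat"},
		{Section: "uprobe/readline", EbpfFuncName: "uprobe_readline", AttachToFuncName: "readline", BinaryPath: "/usr/bin/bash"},
		{Section: "kprobe/mkdirat", EbpfFuncName: "kprobe/mkdirat"}, // keyed by section name: rejected
	}
	for _, p := range probes {
		r, err := Resolve(p, loaded, "amd64")
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("%s -> attach %q, symbols %v\n", p.Section, r.AttachTo, r.Candidates)
	}
}
```

The third probe spec fails on purpose: it uses the section name as the program key, which is exactly the lookup that stopped working when cilium/ebpf moved to function-name keys, so the check turns a silent mismatch into a load-time error. Which of the returned symbol candidates actually exists on a given host still has to be confirmed against `/proc/kallsyms` before attaching.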