gui774ume / ebpfkit-monitor Goto Github PK

sudo ebpfkit-monitor start
FATAL[2022-06-05T12:23:40Z] failed to start ebpfkit-monitor: failed to setup eBPF manager: failed to init eBPF manager: load license: missing license section
I use strace to trace the syscall and info,but it did not get the license alert before.I've search the google and find nothing about it.

4351 execve("/usr/bin/ebpfkit-monitor", ["ebpfkit-monitor", "start"], 0x7fffb3caa7a0 /* 24 vars /) = 0
4351 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
4351 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4351 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=23241, ...}, AT_EMPTY_PATH) = 0
4351 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
4351 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=2216304, ...}, AT_EMPTY_PATH) = 0
4351 openat(AT_FDCWD, "/sys/kernel/mm/transparent_hugepage/hpage_pmd_size", O_RDONLY) = 3
4351 openat(AT_FDCWD, "/proc/stat", O_RDONLY|O_CLOEXEC) = 3
4351 newfstatat(AT_FDCWD, "/usr/bin/getconf", {st_mode=S_IFREG|0755, st_size=35112, ...}, 0) = 0
4351 openat(AT_FDCWD, "/dev/null", O_RDONLY|O_CLOEXEC) = 3
4358 execve("/usr/bin/getconf", ["/usr/bin/getconf", "CLK_TCK"], 0xc00009cf70 / 24 vars */) = 0
4358 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
4358 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=23241, ...}, AT_EMPTY_PATH) = 0
4358 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=2216304, ...}, AT_EMPTY_PATH) = 0
4358 openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = 3
4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=353616, ...}, AT_EMPTY_PATH) = 0
4358 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache", O_RDONLY) = 3
4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=27002, ...}, AT_EMPTY_PATH) = 0
4358 openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3
4358 newfstatat(3, "", {st_mode=S_IFDIR|0755, st_size=4096, ...}, AT_EMPTY_PATH) = 0
4358 openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_MESSAGES/SYS_LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3
4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=48, ...}, AT_EMPTY_PATH) = 0
4358 newfstatat(1, "", {st_mode=S_IFIFO|0600, st_size=0, ...}, AT_EMPTY_PATH) = 0
4358 +++ exited with 0 +++
4353 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4358, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
4351 newfstatat(AT_FDCWD, ".", {st_mode=S_IFDIR|0700, st_size=4096, ...}, 0) = 0
4351 newfstatat(AT_FDCWD, "/root", {st_mode=S_IFDIR|0700, st_size=4096, ...}, 0) = 0
4351 openat(AT_FDCWD, "/proc/net/psched", O_RDONLY|O_CLOEXEC) = 3
4351 openat(AT_FDCWD, "/proc/stat", O_RDONLY|O_CLOEXEC) = 3
4351 readlinkat(AT_FDCWD, "/proc/self/exe", "/usr/bin/ebpfkit-monitor", 128) = 24
4351 openat(AT_FDCWD, "/etc/os-release", O_RDONLY|O_CLOEXEC) = 3
4351 openat(AT_FDCWD, "/proc/kallsyms", O_RDONLY|O_CLOEXEC) = 3
4351 --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=4351, si_uid=0} ---
4351 openat(AT_FDCWD, "/etc/localtime", O_RDONLY) = 3
4357 +++ exited with 1 +++

bpfkit-monitor map --asset samples/kit
FATAfailed to run ebpfkit-monitor: couldn't parse asset samples/kit: load license: missing license section

Hi, I encountered this error when I am running the make command

I'm suspecting its because kconfig.h does not exist at /lib/modules like what was stated in the system requirements

But, I'm not really sure how I can resolve this issue as I'm a new Linux user, I've checked that the linux-headers is installed and the kconfig.h exists at /usr/src/linux-headers-4.19.0-20-common/include/linux. Anyone has any idea how I can resolve this issue? Thanks in advance.

Hey, your tool looks quite awesome for the reverse engineering of malware that loads some BPF components via embedded ELF files, especially the graph command looks cool to get a quick overview!

I had some troubles getting it running though:

• The first one was rather minor: Some distros enable stack protectors via a system wide compiler config, adding -fno-stack-protector or --no-default-config in the Makefile should fix it.
• The second one occurs if the BPF ELF file has a ".bss" section (I guess it is generated if you use uninit global variables, e.g. the libbpf-bootstrap "minimal" example). Then the call to LoadCollectionSpecFromReader fails with

FATAL[2023-02-19T11:22:56Z] failed to run ebpfkit-monitor: couldn't parse asset .output/minimal.bpf.o: load data sections: data section .bss: can't get contents: unexpected read from SHT_NOBITS section

• The third one occurs if the BPF ELF file uses a ringbuffer map since they have no key attribute, e.g., the bootstrap example from libbpf-bootstrap. Then the call to LoadCollectionSpecFromReader fails with

FATAL[2023-02-19T12:42:21Z] failed to run ebpfkit-monitor: couldn't parse asset .output/bootstrap.bpf.o: load BTF maps: map rb: can't get BTF: map rb: missing 'key' in type

It looks like its a problem in your dependencies but I have no clue about "go" so I'm not sure how to update them or if there is a fix available.

Would be cool if you could take a look at that, please ask if you need further info.

Edit: I updated the dependencies go list -u -m all && go get -u ./... && make and both errors still persist.