test

aquasecurity · Dec 29, 2024 · a37c7cd · a37c7cd
1 parent 1fc09d8
commit a37c7cd
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/pkg/events/derive/hooked_syscall.go b/pkg/events/derive/hooked_syscall.go
@@ -8,6 +8,7 @@ import (
 	"github.com/aquasecurity/tracee/pkg/errfmt"
 	"github.com/aquasecurity/tracee/pkg/events"
 	"github.com/aquasecurity/tracee/pkg/events/parse"
+	"github.com/aquasecurity/tracee/pkg/logger"
 	"github.com/aquasecurity/tracee/pkg/utils/environment"
 	"github.com/aquasecurity/tracee/types/trace"
 )
@@ -53,6 +54,10 @@ func deriveDetectHookedSyscallArgs(kernelSymbols *environment.KernelSymbolTable)
 		hookedFuncName := ""
 		hookedOwner := ""
 		hookedFuncSymbol, err := kernelSymbols.GetSymbolByAddr(address)
+		logger.Infow(fmt.Sprintf("GetSymbolByAddr(%x) = %v, error: %v", address, hookedFuncSymbol, err))
+		for _, sym := range hookedFuncSymbol {
+			logger.Infow(fmt.Sprintf("hooked func: %s %x %s", sym.Name(), sym.Address(), sym.Owner()))
+		}
 		if err == nil {
 			hookedFuncName = hookedFuncSymbol[0].Name()
 			hookedOwner = hookedFuncSymbol[0].Owner()

diff --git a/tests/e2e-inst-signatures/scripts/hooked_syscall.sh b/tests/e2e-inst-signatures/scripts/hooked_syscall.sh
@@ -18,6 +18,10 @@ make && ./load.sh || exit_err "could not load module"
 # Sleep a bit to allow module to load
 sleep 5
 lsmod | grep hijack || exit_err "module not loaded"
+echo "from /proc/kallsyms:"
+sudo cat /proc/kallsyms | grep hijack
+sudo cat /proc/kallsyms | grep conntrack_mt_init
+echo "done"
 
 # Unload module after 30 seconds
 nohup sleep 30 > /dev/null 2>&1 && ./unload.sh &