• Problem: capturing operation behaviour on physical machines with LD_PRELOAD. At present the capture of machine operations hooks the following interfaces:
#include <dirent.h>   /* DIR, struct dirent */

/* Pointers to the real libc entry points; the hook library saves them
   (typically via dlsym(RTLD_NEXT, ...)) and calls through after logging. */
int (*realopen)(const char *pathname, int flags, int mode);
int (*realrename)(const char *oldname, const char *newname);
int (*realunlinkat)(int dfd, const char *pathname, int flag);

int (*realopenat)(int fdf, const char *pathname, int flags, int mode);
int (*realmkdir)(const char *filename, int mode);
int (*realunlink)(const char *filename);
int (*reallink)(const char *oldname, const char *newfilename);
int (*realsymlink)(const char *oldname, const char *newfilename);
int (*reallinkat)(int olddfd, const char *oldname, int newdfd, const char *newname, int flags);

/* Directory enumeration */
DIR *(*real_opendir)(const char *name);
int (*real_closedir)(DIR *dirp);
struct dirent *(*real_readdir)(DIR *dirp);

When code is uploaded with the svn client (TortoiseSVN) over the http protocol, no operation behaviour is captured at all. We assumed that uploading a file would certainly involve opening the file and then writing to it, or at least leave the process information of whichever process invoked these operations; yet none of this was recorded.
We analysed this with a packet capture:
The packets for creating an svn repository through ifsvnadmin are as follows:

16:48:02.120978 IP 192.168.1.30.47072 > centos7-0109.localhost.http: Flags [S], seq 1791277403, win 29200, options [mss 1460,sackOK,TS val 328635568 ecr 0,nop,wscale 7], length 0
16:48:02.121067 IP centos7-0109.localhost.http > 192.168.1.30.47072: Flags [S.], seq 1162010288, ack 1791277404, win 28960, options [mss 1460,sackOK,TS val 1309823390 ecr 328635568,nop,wscale 7], length 0
16:48:02.121242 IP 192.168.1.30.47072 > centos7-0109.localhost.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 328635568 ecr 1309823390], length 0
16:48:02.121287 IP 192.168.1.30.47072 > centos7-0109.localhost.http: Flags [P.], seq 1:819, ack 1, win 229, options [nop,nop,TS val 328635568 ecr 1309823390], length 818: HTTP: POST /svnadmin/repositorycreate.php HTTP/1.1
16:48:02.121346 IP centos7-0109.localhost.http > 192.168.1.30.47072: Flags [.], ack 819, win 240, options [nop,nop,TS val 1309823390 ecr 328635568], length 0
16:48:02.323754 IP centos7-0109.localhost.http > 192.168.1.30.47072: Flags [P.], seq 1:7091, ack 819, win 240, options [nop,nop,TS val 1309823593 ecr 328635568], length 7090: HTTP: HTTP/1.1 200 OK
16:48:02.323867 IP centos7-0109.localhost.http > 192.168.1.30.47072: Flags [F.], seq 7091, ack 819, win 240, options [nop,nop,TS val 1309823593 ecr 328635568], length 0
16:48:02.324167 IP 192.168.1.30.47072 > centos7-0109.localhost.http: Flags [.], ack 1449, win 251, options [nop,nop,TS val 328635771 ecr 1309823593], length 0
16:48:02.324199 IP 192.168.1.30.47072 > centos7-0109.localhost.http: Flags [.], ack 4345, win 296, options [nop,nop,TS val 328635771 ecr 1309823593], length 0
16:48:02.324325 IP 192.168.1.30.47072 > centos7-0109.localhost.http: Flags [.], ack 7091, win 339, options [nop,nop,TS val 328635771 ecr 1309823593], length 0
16:48:02.324560 IP 192.168.1.30.47072 > centos7-0109.localhost.http: Flags [F.], seq 819, ack 7092, win 339, options [nop,nop,TS val 328635771 ecr 1309823593], length 0
16:48:02.324587 IP centos7-0109.localhost.http > 192.168.1.30.47072: Flags [.], ack 820, win 240, options [nop,nop,TS val 1309823593 ecr 328635771], length 0
16:50:36.772740 ARP, Request who-has 192.168.1.30 tell 192.168.1.35, length 46
16:53:36.868358 ARP, Request who-has 192.168.1.30 tell 192.168.1.35, length 46

The packet capture for uploading a file through svn (TortoiseSVN, http protocol) is as follows:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
16:20:49.521597 IP 192.168.1.30.47008 > centos7-0109.localhost.http: Flags [S], seq 1118295777, win 29200, options [mss 1460,sackOK,TS val 327002959 ecr 0,nop,wscale 7], length 0
16:20:49.521685 IP centos7-0109.localhost.http > 192.168.1.30.47008: Flags [S.], seq 3613391289, ack 1118295778, win 28960, options [mss 1460,sackOK,TS val 1308190790 ecr 327002959,nop,wscale 7], length 0
16:20:49.521858 IP 192.168.1.30.47008 > centos7-0109.localhost.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 327002959 ecr 1308190790], length 0
16:20:49.521905 IP 192.168.1.30.47008 > centos7-0109.localhost.http: Flags [P.], seq 1:553, ack 1, win 229, options [nop,nop,TS val 327002959 ecr 1308190790], length 552: HTTP: OPTIONS /svn/72-test1 HTTP/1.1
16:20:49.521980 IP centos7-0109.localhost.http > 192.168.1.30.47008: Flags [.], ack 553, win 235, options [nop,nop,TS val 1308190791 ecr 327002959], length 0
16:20:49.522989 IP centos7-0109.localhost.http > 192.168.1.30.47008: Flags [P.], seq 1:634, ack 553, win 235, options [nop,nop,TS val 1308190792 ecr 327002959], length 633: HTTP: HTTP/1.1 401 Unauthorized
16:20:49.523112 IP centos7-0109.localhost.http > 192.168.1.30.47008: Flags [F.], seq 634, ack 553, win 235, options [nop,nop,TS val 1308190792 ecr 327002959], length 0
16:20:49.523145 IP 192.168.1.30.47008 > centos7-0109.localhost.http: Flags [.], ack 634, win 239, options [nop,nop,TS val 327002960 ecr 1308190792], length 0
16:20:49.523262 IP 192.168.1.30.47008 > centos7-0109.localhost.http: Flags [F.], seq 553, ack 635, win 239, options [nop,nop,TS val 327002961 ecr 1308190792], length 0
16:20:49.523298 IP centos7-0109.localhost.http > 192.168.1.30.47008: Flags [.], ack 554, win 235, options [nop,nop,TS val 1308190792 ecr 327002961], length 0
16:20:49.530369 IP 192.168.1.30.47014 > centos7-0109.localhost.http: Flags [S], seq 4157513578, win 29200, options [mss 1460,sackOK,TS val 327002968 ecr 0,nop,wscale 7], length 0
16:20:49.530410 IP centos7-0109.localhost.http > 192.168.1.30.47014: Flags [S.], seq 3223585835, ack 4157513579, win 28960, options [mss 1460,sackOK,TS val 1308190799 ecr 327002968,nop,wscale 7], length 0
16:20:49.530607 IP 192.168.1.30.47014 > centos7-0109.localhost.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 327002968 ecr 1308190799], length 0
16:20:49.530643 IP 192.168.1.30.47014 > centos7-0109.localhost.http: Flags [P.], seq 1:592, ack 1, win 229, options [nop,nop,TS val 327002968 ecr 1308190799], length 591: HTTP: OPTIONS /svn/72-test1 HTTP/1.1
16:20:49.530706 IP centos7-0109.localhost.http > 192.168.1.30.47014: Flags [.], ack 592, win 236, options [nop,nop,TS val 1308190800 ecr 327002968], length 0
16:20:49.532120 IP centos7-0109.localhost.http > 192.168.1.30.47014: Flags [P.], seq 1:1366, ack 592, win 236, options [nop,nop,TS val 1308190801 ecr 327002968], length 1365: HTTP: HTTP/1.1 200 OK
16:20:49.532218 IP centos7-0109.localhost.http > 192.168.1.30.47014: Flags [F.], seq 1366, ack 592, win 236, options [nop,nop,TS val 1308190801 ecr 327002968], length 0
16:20:49.532459 IP 192.168.1.30.47014 > centos7-0109.localhost.http: Flags [.], ack 1366, win 251, options [nop,nop,TS val 327002970 ecr 1308190801], length 0
16:20:49.532659 IP 192.168.1.30.47014 > centos7-0109.localhost.http: Flags [F.], seq 592, ack 1367, win 251, options [nop,nop,TS val 327002970 ecr 1308190801], length 0
16:20:49.532818 IP centos7-0109.localhost.http > 192.168.1.30.47014: Flags [.], ack 593, win 236, options [nop,nop,TS val 1308190802 ecr 327002970], length 0
16:20:49.537736 IP 192.168.1.30.47020 > centos7-0109.localhost.http: Flags [S], seq 2887842484, win 29200, options [mss 1460,sackOK,TS val 327002975 ecr 0,nop,wscale 7], length 0
16:20:49.537763 IP centos7-0109.localhost.http > 192.168.1.30.47020: Flags [S.], seq 1663554593, ack 2887842485, win 28960, options [mss 1460,sackOK,TS val 1308190807 ecr 327002975,nop,wscale 7], length 0
16:20:49.537952 IP 192.168.1.30.47020 > centos7-0109.localhost.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 327002975 ecr 1308190807], length 0
16:20:49.537965 IP 192.168.1.30.47020 > centos7-0109.localhost.http: Flags [P.], seq 1:521, ack 1, win 229, options [nop,nop,TS val 327002975 ecr 1308190807], length 520: HTTP: OPTIONS /svn/72-test1 HTTP/1.1
16:20:49.537991 IP centos7-0109.localhost.http > 192.168.1.30.47020: Flags [.], ack 521, win 235, options [nop,nop,TS val 1308190807 ecr 327002975], length 0
16:20:49.539214 IP centos7-0109.localhost.http > 192.168.1.30.47020: Flags [P.], seq 1:866, ack 521, win 235, options [nop,nop,TS val 1308190808 ecr 327002975], length 865: HTTP: HTTP/1.1 200 OK
16:20:49.539297 IP centos7-0109.localhost.http > 192.168.1.30.47020: Flags [F.], seq 866, ack 521, win 235, options [nop,nop,TS val 1308190808 ecr 327002975], length 0
16:20:49.539370 IP 192.168.1.30.47020 > centos7-0109.localhost.http: Flags [.], ack 866, win 242, options [nop,nop,TS val 327002977 ecr 1308190808], length 0
16:20:49.539521 IP 192.168.1.30.47020 > centos7-0109.localhost.http: Flags [F.], seq 521, ack 867, win 242, options [nop,nop,TS val 327002977 ecr 1308190808], length 0
16:20:49.539543 IP centos7-0109.localhost.http > 192.168.1.30.47020: Flags [.], ack 522, win 235, options [nop,nop,TS val 1308190808 ecr 327002977], length 0
16:20:49.547046 IP 192.168.1.30.47026 > centos7-0109.localhost.http: Flags [S], seq 3776965028, win 29200, options [mss 1460,sackOK,TS val 327002984 ecr 0,nop,wscale 7], length 0
16:20:49.547110 IP centos7-0109.localhost.http > 192.168.1.30.47026: Flags [S.], seq 2155234157, ack 3776965029, win 28960, options [mss 1460,sackOK,TS val 1308190816 ecr 327002984,nop,wscale 7], length 0
16:20:49.547316 IP 192.168.1.30.47026 > centos7-0109.localhost.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 327002985 ecr 1308190816], length 0
16:20:49.547373 IP 192.168.1.30.47026 > centos7-0109.localhost.http: Flags [P.], seq 1:513, ack 1, win 229, options [nop,nop,TS val 327002985 ecr 1308190816], length 512: HTTP: POST /svn/72-test1/!svn/me HTTP/1.1
16:20:49.547419 IP centos7-0109.localhost.http > 192.168.1.30.47026: Flags [.], ack 513, win 235, options [nop,nop,TS val 1308190816 ecr 327002985], length 0
16:20:49.583338 IP centos7-0109.localhost.http > 192.168.1.30.47026: Flags [P.], seq 1:173, ack 513, win 235, options [nop,nop,TS val 1308190852 ecr 327002985], length 172: HTTP: HTTP/1.1 201 Created
16:20:49.583457 IP centos7-0109.localhost.http > 192.168.1.30.47026: Flags [F.], seq 173, ack 513, win 235, options [nop,nop,TS val 1308190852 ecr 327002985], length 0
16:20:49.583641 IP 192.168.1.30.47026 > centos7-0109.localhost.http: Flags [.], ack 173, win 237, options [nop,nop,TS val 327003021 ecr 1308190852], length 0
16:20:49.583844 IP 192.168.1.30.47026 > centos7-0109.localhost.http: Flags [F.], seq 513, ack 174, win 237, options [nop,nop,TS val 327003021 ecr 1308190852], length 0
16:20:49.583891 IP centos7-0109.localhost.http > 192.168.1.30.47026: Flags [.], ack 514, win 235, options [nop,nop,TS val 1308190853 ecr 327003021], length 0
16:20:49.589510 IP 192.168.1.30.47032 > centos7-0109.localhost.http: Flags [S], seq 814054632, win 29200, options [mss 1460,sackOK,TS val 327003027 ecr 0,nop,wscale 7], length 0
16:20:49.589549 IP centos7-0109.localhost.http > 192.168.1.30.47032: Flags [S.], seq 3355985364, ack 814054633, win 28960, options [mss 1460,sackOK,TS val 1308190858 ecr 327003027,nop,wscale 7], length 0
16:20:49.589694 IP 192.168.1.30.47032 > centos7-0109.localhost.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 327003027 ecr 1308190858], length 0
16:20:49.589724 IP 192.168.1.30.47032 > centos7-0109.localhost.http: Flags [P.], seq 1:786, ack 1, win 229, options [nop,nop,TS val 327003027 ecr 1308190858], length 785: HTTP: PROPPATCH /svn/72-test1/!svn/txn/19-r HTTP/1.1
16:20:49.589778 IP centos7-0109.localhost.http > 192.168.1.30.47032: Flags [.], ack 786, win 239, options [nop,nop,TS val 1308190859 ecr 327003027], length 0
16:20:49.595812 IP centos7-0109.localhost.http > 192.168.1.30.47032: Flags [P.], seq 1:631, ack 786, win 239, options [nop,nop,TS val 1308190865 ecr 327003027], length 630: HTTP: HTTP/1.1 207 Multi-Status
16:20:49.595954 IP centos7-0109.localhost.http > 192.168.1.30.47032: Flags [F.], seq 631, ack 786, win 239, options [nop,nop,TS val 1308190865 ecr 327003027], length 0
16:20:49.596000 IP 192.168.1.30.47032 > centos7-0109.localhost.http: Flags [.], ack 631, win 238, options [nop,nop,TS val 327003033 ecr 1308190865], length 0
16:20:49.596118 IP 192.168.1.30.47032 > centos7-0109.localhost.http: Flags [F.], seq 786, ack 632, win 238, options [nop,nop,TS val 327003033 ecr 1308190865], length 0
16:20:49.596200 IP centos7-0109.localhost.http > 192.168.1.30.47032: Flags [.], ack 787, win 239, options [nop,nop,TS val 1308190865 ecr 327003033], length 0
16:20:49.655989 IP 192.168.1.30.47038 > centos7-0109.localhost.http: Flags [S], seq 2356852320, win 29200, options [mss 1460,sackOK,TS val 327003093 ecr 0,nop,wscale 7], length 0
16:20:49.656070 IP centos7-0109.localhost.http > 192.168.1.30.47038: Flags [S.], seq 1075124968, ack 2356852321, win 28960, options [mss 1460,sackOK,TS val 1308190925 ecr 327003093,nop,wscale 7], length 0
16:20:49.656275 IP 192.168.1.30.47038 > centos7-0109.localhost.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 327003093 ecr 1308190925], length 0
16:20:49.656318 IP 192.168.1.30.47038 > centos7-0109.localhost.http: Flags [P.], seq 1:745, ack 1, win 229, options [nop,nop,TS val 327003094 ecr 1308190925], length 744: HTTP: PUT /svn/72-test1/!svn/txr/19-r/%E6%96%B0%E5%BB%BA%E6%96%87%E6%9C%AC%E6%96%87%E6%A1%A3%20(3).txt HTTP/1.1
16:20:49.656363 IP centos7-0109.localhost.http > 192.168.1.30.47038: Flags [.], ack 745, win 238, options [nop,nop,TS val 1308190925 ecr 327003094], length 0
16:20:49.679809 IP centos7-0109.localhost.http > 192.168.1.30.47038: Flags [P.], seq 1:178, ack 745, win 238, options [nop,nop,TS val 1308190949 ecr 327003094], length 177: HTTP: HTTP/1.1 204 No Content
16:20:49.680026 IP centos7-0109.localhost.http > 192.168.1.30.47038: Flags [F.], seq 178, ack 745, win 238, options [nop,nop,TS val 1308190949 ecr 327003094], length 0
16:20:49.680257 IP 192.168.1.30.47038 > centos7-0109.localhost.http: Flags [.], ack 178, win 237, options [nop,nop,TS val 327003117 ecr 1308190949], length 0
16:20:49.680304 IP 192.168.1.30.47038 > centos7-0109.localhost.http: Flags [F.], seq 745, ack 179, win 237, options [nop,nop,TS val 327003118 ecr 1308190949], length 0
16:20:49.680335 IP centos7-0109.localhost.http > 192.168.1.30.47038: Flags [.], ack 746, win 238, options [nop,nop,TS val 1308190949 ecr 327003118], length 0
16:20:49.691719 IP 192.168.1.30.47044 > centos7-0109.localhost.http: Flags [S], seq 1410860601, win 29200, options [mss 1460,sackOK,TS val 327003129 ecr 0,nop,wscale 7], length 0
16:20:49.691818 IP centos7-0109.localhost.http > 192.168.1.30.47044: Flags [S.], seq 2360124347, ack 1410860602, win 28960, options [mss 1460,sackOK,TS val 1308190961 ecr 327003129,nop,wscale 7], length 0
16:20:49.691985 IP 192.168.1.30.47044 > centos7-0109.localhost.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 327003129 ecr 1308190961], length 0
16:20:49.692019 IP 192.168.1.30.47044 > centos7-0109.localhost.http: Flags [P.], seq 1:804, ack 1, win 229, options [nop,nop,TS val 327003129 ecr 1308190961], length 803: HTTP: MERGE /svn/72-test1 HTTP/1.1
16:20:49.692118 IP centos7-0109.localhost.http > 192.168.1.30.47044: Flags [.], ack 804, win 239, options [nop,nop,TS val 1308190961 ecr 327003129], length 0
16:20:49.917701 IP centos7-0109.localhost.http > 192.168.1.30.47044: Flags [P.], seq 1:699, ack 804, win 239, options [nop,nop,TS val 1308191187 ecr 327003129], length 698: HTTP: HTTP/1.1 200 OK
16:20:49.917797 IP centos7-0109.localhost.http > 192.168.1.30.47044: Flags [F.], seq 699, ack 804, win 239, options [nop,nop,TS val 1308191187 ecr 327003129], length 0
16:20:49.918122 IP 192.168.1.30.47044 > centos7-0109.localhost.http: Flags [.], ack 699, win 240, options [nop,nop,TS val 327003355 ecr 1308191187], length 0
16:20:49.918187 IP 192.168.1.30.47044 > centos7-0109.localhost.http: Flags [F.], seq 804, ack 700, win 240, options [nop,nop,TS val 327003355 ecr 1308191187], length 0
16:20:49.918210 IP centos7-0109.localhost.http > 192.168.1.30.47044: Flags [.], ack 805, win 239, options [nop,nop,TS val 1308191187 ecr 327003355], length 0
16:35:36.253016 ARP, Request who-has 192.168.1.30 tell 192.168.1.35, length 46
16:44:35.722165 ARP, Request who-has 192.168.1.30 tell 192.168.1.147, length 46
16:45:57.452265 ARP, Request who-has 192.168.1.30 tell 192.168.1.144, length 46
  • Analysis: the packets above show that the data does arrive and the svn functionality works normally, but on our system there is neither an svn process nor an httpd process, so we need to find out which process is actually receiving the HTTP data.
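To read a capture like the ones above without scanning it by eye, the following added example (not part of the original notes) parses tcpdump's text output, pairs each HTTP request with the response on the same TCP flow and decodes the percent-encoded path, so the DeltaV sequence of a commit (OPTIONS, POST to !svn/me, PROPPATCH, PUT of the file, MERGE) and the uploaded file name are listed in order. The embedded capture lines are a constructed, abridged sample in the same format.

```python
import re
import urllib.parse
from collections import OrderedDict

# Constructed sample in the tcpdump text format shown above (abridged; not the page's capture)
SAMPLE = """\
16:20:49.537965 IP 192.168.1.30.47020 > centos7-0109.localhost.http: Flags [P.], seq 1:521, ack 1, win 229, options [nop,nop,TS val 327002975 ecr 1308190807], length 520: HTTP: OPTIONS /svn/72-test1 HTTP/1.1
16:20:49.539214 IP centos7-0109.localhost.http > 192.168.1.30.47020: Flags [P.], seq 1:866, ack 521, win 235, options [nop,nop,TS val 1308190808 ecr 327002975], length 865: HTTP: HTTP/1.1 200 OK
16:20:49.656318 IP 192.168.1.30.47038 > centos7-0109.localhost.http: Flags [P.], seq 1:745, ack 1, win 229, options [nop,nop,TS val 327003094 ecr 1308190925], length 744: HTTP: PUT /svn/72-test1/!svn/txr/19-r/%E6%96%B0%E5%BB%BA.txt HTTP/1.1
16:20:49.679809 IP centos7-0109.localhost.http > 192.168.1.30.47038: Flags [P.], seq 1:178, ack 745, win 238, options [nop,nop,TS val 1308190949 ecr 327003094], length 177: HTTP: HTTP/1.1 204 No Content
16:35:36.253016 ARP, Request who-has 192.168.1.30 tell 192.168.1.35, length 46
"""

# One tcpdump IP/TCP line: endpoints, flags, payload length and the optional HTTP summary
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
                     r".*?length (?P<len>\d+)(?:: HTTP: (?P<http>.*))?$")
REQ_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")
RESP_RE = re.compile(r"^HTTP/1\.[01] (?P<status>\d{3})\b")

def parse_line(line):
    """Return a dict for one tcpdump IP line, or None for non-IP lines such as ARP."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["len"] = int(pkt["len"])
    return pkt

def http_exchanges(text):
    """Pair each HTTP request with the response seen on the same TCP flow.
    Returns (method, decoded path, status) tuples in capture order."""
    pending = OrderedDict()   # flow key -> (method, path) still awaiting a response
    exchanges = []
    for line in text.splitlines():
        pkt = parse_line(line)
        if not pkt or not pkt["http"]:
            continue
        key = tuple(sorted((pkt["src"], pkt["dst"])))   # same key for both directions
        req = REQ_RE.match(pkt["http"])
        resp = RESP_RE.match(pkt["http"])
        if req:
            pending[key] = (req["method"], urllib.parse.unquote(req["path"]))
        elif resp and key in pending:
            method, path = pending.pop(key)
            exchanges.append((method, path, int(resp["status"])))
    return exchanges
```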

Reference:

http://blog.chinaunix.net/uid-16979052-id-3506833.html

Two days have passed and this problem is still unsolved; we really cannot work out what causes it. Without understanding the underlying principle, all we can do now is experiment. Next we try adding monitoring of read and write to the .so, as well as monitoring of socket and connect, where socket covers send, recv, sendto and so on.

  • After trying it, adding read and write to the .so still has no effect; nothing is captured.
  • We previously wrote a module with the same functionality as a kernel module rather than a dynamic library, and found that the kernel module can capture the operations of the http and svnadmin processes.
  • As for the differences between the .ko and the .so, we do not know yet; this is left for future study.
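The question the hook interface at the top and the closing observations leave open is whether the .so ever reached the process serving HTTP. The following added example (not the page's code; `libhook.so`, the environment and the /proc/<pid>/maps excerpts are constructed) reads a process's environment and memory map from /proc on Linux to separate the cases: the library is mapped (LD_PRELOAD or /etc/ld.so.preload took effect), LD_PRELOAD is set but the loader did not honour it, the binary has no libc to interpose on, or the process never inherited the variable, which is what happens to a daemon started by init rather than from the shell that exported LD_PRELOAD.

```python
import os
import re

# Constructed samples (not from the page): an environment with LD_PRELOAD set, and
# two /proc/<pid>/maps excerpts, one with the hook library mapped and one without.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/opt/hook/libhook.so\0HOME=/root\0"
SAMPLE_MAPS_ACTIVE = """\
7f0a0000-7f0a1000 r-xp 00000000 fd:00 123 /opt/hook/libhook.so
7f0b0000-7f0c0000 r-xp 00000000 fd:00 456 /usr/lib64/libc-2.17.so
"""
SAMPLE_MAPS_NOHOOK = """\
7f0b0000-7f0c0000 r-xp 00000000 fd:00 456 /usr/lib64/libc-2.17.so
7ffd0000-7ffe0000 rw-p 00000000 00:00 0 [stack]
"""

def parse_environ(raw):
    """/proc/<pid>/environ holds NUL-separated KEY=VALUE entries."""
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def preload_entries(env):
    """LD_PRELOAD lists libraries separated by spaces or colons."""
    return env.get("LD_PRELOAD", "").replace(":", " ").split()

def mapped_objects(maps_text):
    """File-backed mappings from /proc/<pid>/maps (the sixth column is the path)."""
    paths = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and parts[5].startswith("/"):
            paths.add(parts[5])
    return paths

def hook_status(env, maps_text, hook_name):
    """Explain whether the hook .so (given by basename) is active in a process."""
    objs = mapped_objects(maps_text)
    if any(os.path.basename(p) == hook_name for p in objs):
        return "active"          # loaded, via LD_PRELOAD or /etc/ld.so.preload
    if not any(re.match(r"libc[.-]", os.path.basename(p)) for p in objs):
        return "no-libc"         # static binary: no libc wrappers to interpose on
    if any(os.path.basename(p) == hook_name for p in preload_entries(env)):
        return "preload-set-but-not-loaded"  # loader ignored it, e.g. setuid program
    return "no-preload"          # variable never reached this process (e.g. started by init)

def diagnose(pid, hook_name):
    """Live check of one running process (Linux /proc)."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        env = parse_environ(f.read())
    with open(f"/proc/{pid}/maps") as f:
        return hook_status(env, f.read(), hook_name)
```

Run `diagnose(<pid of the listener on :80>, "libhook.so")` as root to see which of the four states the HTTP server is in; "no-preload" means the shell environment never propagated to it and "active" means the misses are not a loading problem.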