From d4dc382a3349d21d517a77a3d0c827c8205bda2a Mon Sep 17 00:00:00 2001
From: kenny
Date: Fri, 21 Nov 2025 22:04:29 +0200
Subject: [PATCH] Corrected the way bpftrace gets the PID infos + try at taking a path

---
 dns-debunk.sh | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/dns-debunk.sh b/dns-debunk.sh
index ec61e87..8df9428 100755
--- a/dns-debunk.sh
+++ b/dns-debunk.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# dns_bpf_correlate_safe.sh
+# dns_bpf_correlate_fdmap.sh
 set -u
 DOMAIN=$1
@@ -40,7 +40,7 @@ tcpdump -n -i any port 53 -s0 -ttt -l 2>/dev/null >> "$DNSLOG" &
 TCPDUMP_PID=$!
 echo -e "${GREEN}[*] tcpdump started (PID $TCPDUMP_PID)${RESET}"
-# Start bpftrace (safe, prints nsecs/1000000, PID, COMM, FD)
+# Start safe bpftrace
 bpftrace -e '
 tracepoint:syscalls:sys_enter_sendto
 {
@@ -57,7 +57,7 @@ echo -e "${GREEN}[*] bpftrace started (PID $BPF_PID)${RESET}"
 sleep 1
 echo ""
-# Helper function: /proc info for PID
+# Helper: get process info and exe path
 proc_info_for_pid() {
 local pid="$1"
 if [[ -r "/proc/$pid/cmdline" ]]; then
@@ -69,7 +69,17 @@ proc_info_for_pid() {
 fi
 }
-# Tail tcpdump and correlate symmetrically
+# Map FD → inode → port using /proc/net/udp
+fd_to_udp_port() {
+ local pid="$1"
+ local fd="$2"
+ local inode
+ inode=$(awk -v fd="$fd" '$1==fd {print $2}' "/proc/$pid/fdinfo/$fd" 2>/dev/null)
+ [[ -z "$inode" ]] && return 1
+ awk -v inode="$inode" '$10==inode {split($2,a,":"); printf "%d", strtonum("0x"a[2])}' /proc/net/udp 2>/dev/null
+}
+
+# Tail tcpdump and correlate
 tail -Fn0 "$DNSLOG" | while IFS= read -r dnsline; do
 if echo "$dnsline" | grep -qi -- "$DOMAIN"; then
 detect_ms=$(now_ms)
@@ -95,7 +105,7 @@ tail -Fn0 "$DNSLOG" | while IFS= read -r dnsline; do
 echo "extracted_src_port: $srcPort" >> "$INCIDENT_FILE"
 fi
- # Symmetric window: ±HALF_WINDOW_MS
+ # Symmetric window
 low_ms=$((detect_ms - HALF_WINDOW_MS))
 high_ms=$((detect_ms + HALF_WINDOW_MS))
 awk -v low="$low_ms" -v high="$high_ms" '
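Review bot: `fd_to_udp_port` reads `/proc/$pid/fdinfo/$fd` as if it were a two-column `fd inode` table, but fdinfo holds `key:<tab>value` lines (`pos:`, `flags:`, `mnt_id:`, …), so `$1==fd` never matches, `inode` is always empty and the function returns 1 before `/proc/net/udp` is ever consulted. The socket inode is exposed by the fd symlink instead, so replace the awk with `inode=$(readlink "/proc/$pid/fd/$fd" 2>/dev/null) || return 1`, `[[ "$inode" =~ ^socket:\[([0-9]+)\]$ ]] || return 1`, `inode=${BASH_REMATCH[1]}`, which also rejects non-socket descriptors. Two smaller caveats: `strtonum` is a gawk extension (mawk/busybox awk will fail), and only `/proc/net/udp` is scanned, so an IPv6 or dual-stack resolver socket is never mapped — passing `/proc/net/udp /proc/net/udp6` to the same awk covers both. Note also that the final awk exits 0 even when no row matches the inode, so callers have to test for empty output rather than the function's return status.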
@@ -115,9 +125,15 @@ tail -Fn0 "$DNSLOG" | while IFS= read -r dnsline; do
 pids=$(sed -n 's/.*PID=\([0-9]\+\).*/\1/p' /tmp/_bpf_matches.$$ | sort -u)
 for pid in $pids; do
- info=$(proc_info_for_pid "$pid")
- echo " [*] $info"
- echo " - $info" >> "$INCIDENT_FILE"
+ fds=$(awk -v pid="$pid" '$3==pid {print $5}' /tmp/_bpf_matches.$$ | grep -o '[0-9]\+')
+ for fd in $fds; do
+ port=$(fd_to_udp_port "$pid" "$fd" 2>/dev/null || true)
+ if [[ -n "$port" ]] && [[ "$port" -eq "$srcPort" ]]; then
+ info=$(proc_info_for_pid "$pid")
+ echo -e "${GREEN}[+] Matched process: $info${RESET}"
+ echo "matched_process: $info" >> "$INCIDENT_FILE"
+ fi
+ done
 done
 else
 echo -e "${YELLOW}[!] No bpftrace events in window${RESET}"
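Review bot: The fd lookup `awk -v pid="$pid" '$3==pid {print $5}'` assumes the bpftrace match lines carry the bare pid in field 3, while the `pids=` line just above extracts it from a `PID=` token with sed; if the lines really look like `… PID=1234 … FD=5` (the `grep -o '[0-9]\+'` applied to `$5` suggests a labelled field), `$3==pid` never matches, `fds` stays empty and no process is ever reported. The bpftrace printf is outside this hunk, as is the start of the enclosing `tail … | while` loop and its `if`, so whichever format it prints, derive pid and fd with one parsing approach, e.g. `grep -w -- "PID=$pid" /tmp/_bpf_matches.$$ | grep -o 'FD=[0-9]\+' | tr -dc '0-9\n'` adjusted to the actual labels. The removed lines also wrote every candidate pid to the incident file, and that fallback is gone: a resolver socket already closed by the time `/proc/net/udp` is read, or any failure inside `fd_to_udp_port` (silenced by `2>/dev/null || true`), now leaves no record at all, so keep a `[*] candidate: $info` line (or an explicit `unverified` entry) when no fd matches `$srcPort`. Finally, `[[ "$port" -eq "$srcPort" ]]` emits a bash arithmetic error if `srcPort` is ever non-numeric from the tcpdump parse above; guard it with `[[ "$srcPort" =~ ^[0-9]+$ ]]` before the loop.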