fix code for 24-27
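--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,5 +0,0 @@
-{
-"files.associations": {
-"common.h": "c"
-}
-}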
3
src/24-hide/.gitignore
vendored
@@ -6,4 +6,5 @@ package.json
|
||||
package.yaml
|
||||
ecli
|
||||
bootstrap
|
||||
textreplace2
|
||||
pidhide
|
||||
|
||||
|
||||
@@ -24,7 +24,7 @@ INCLUDES := -I$(OUTPUT) -I../../libbpf/include/uapi -I$(dir $(VMLINUX))
|
||||
CFLAGS := -g -Wall
|
||||
ALL_LDFLAGS := $(LDFLAGS) $(EXTRA_LDFLAGS)
|
||||
|
||||
APPS = textreplace2 # minimal minimal_legacy uprobe kprobe fentry usdt sockfilter tc ksyscall
|
||||
APPS = pidhide # minimal minimal_legacy uprobe kprobe fentry usdt sockfilter tc ksyscall
|
||||
|
||||
CARGO ?= $(shell which cargo)
|
||||
ifeq ($(strip $(CARGO)),)
|
||||
|
||||
@@ -1,3 +1,19 @@
|
||||
# 使用 eBPF 隐藏进程或文件信息
|
||||
|
||||
TODO
|
||||
## 隐藏 PID
|
||||
|
||||
编译:
|
||||
|
||||
```bash
|
||||
make
|
||||
```
|
||||
|
||||
使用方式:
|
||||
|
||||
```sh
|
||||
sudo ./pidhide --pid-to-hide 2222
|
||||
```
|
||||
|
||||
这个程序将匹配这个 pid 的进程隐藏,使得像 `ps` 这样的工具无法看到。
|
||||
|
||||
它通过挂接 `getdents64` 系统调用来工作,因为 `ps` 是通过查找 `/proc/` 的每个子文件夹来工作的。PidHide 解除了与 PID 匹配的文件夹的链接,因此 `ps` 只能看到它之前和之后的文件夹。
|
||||
|
||||
@@ -12,6 +12,7 @@
|
||||
// Used when replacing text
|
||||
#define FILENAME_LEN_MAX 50
|
||||
#define TEXT_LEN_MAX 20
|
||||
#define max_pid_len 10
|
||||
|
||||
// Simple message structure to get events from eBPF Programs
|
||||
// in the kernel to user spcae
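Review bot: The added `#define max_pid_len 10` now sits under the `// Used when replacing text` comment, which describes `FILENAME_LEN_MAX`/`TEXT_LEN_MAX` and not a PID bound, and its lowercase spelling reads as a variable where every other macro in this header is upper-case. I would give it its own comment and the header's naming, `// Max bytes of the decimal PID string (the /proc/<pid> entry name to hide)` above `#define MAX_PID_LEN 10`, and change the `pid_to_hide[max_pid_len]` declaration in pidhide.bpf.c to match. If touching the .bpf.c file is not wanted, the comment alone is still worth adding.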
|
||||
|
||||
@@ -52,7 +52,6 @@ const volatile int target_ppid = 0;
|
||||
// These store the string represenation
|
||||
// of the PID to hide. This becomes the name
|
||||
// of the folder in /proc/
|
||||
const int max_pid_len = 10;
|
||||
const volatile int pid_to_hide_len = 0;
|
||||
const volatile char pid_to_hide[max_pid_len];
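Review bot: `pid_to_hide[max_pid_len]` is now bounded by the macro, but `pid_to_hide_len` two lines above is filled in by the loader and nothing in this hunk shows it being clamped to `max_pid_len`; the code that walks the array is outside the hunk, so I cannot tell whether an oversized length is rejected there or in user space. A one-line note on the declaration would make the contract explicit: `// Invariant: pid_to_hide_len <= max_pid_len, enforced by the loader before attach`. The declaration run continues past the end of the hunk.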
|
||||
|
||||
|
||||
2
src/25-signal/.gitignore
vendored
@@ -6,4 +6,4 @@ package.json
|
||||
package.yaml
|
||||
ecli
|
||||
bootstrap
|
||||
textreplace2
|
||||
bpfdos
|
||||
|
||||
@@ -24,7 +24,7 @@ INCLUDES := -I$(OUTPUT) -I../../libbpf/include/uapi -I$(dir $(VMLINUX))
|
||||
CFLAGS := -g -Wall
|
||||
ALL_LDFLAGS := $(LDFLAGS) $(EXTRA_LDFLAGS)
|
||||
|
||||
APPS = textreplace2 # minimal minimal_legacy uprobe kprobe fentry usdt sockfilter tc ksyscall
|
||||
APPS = bpfdos # minimal minimal_legacy uprobe kprobe fentry usdt sockfilter tc ksyscall
|
||||
|
||||
CARGO ?= $(shell which cargo)
|
||||
ifeq ($(strip $(CARGO)),)
|
||||
|
||||
@@ -1,2 +1,24 @@
|
||||
# signal
|
||||
# 用 bpf_send_signal 发送信号终止恶意进程
|
||||
|
||||
编译:
|
||||
|
||||
```bash
|
||||
make
|
||||
```
|
||||
|
||||
使用方式:
|
||||
|
||||
```bash
|
||||
sudo ./bpfdos
|
||||
```
|
||||
|
||||
这个程序会对任何试图使用 `ptrace` 系统调用的程序,例如 `strace`,发出 `SIG_KILL` 信号。
|
||||
一旦 bpf-dos 开始运行,你可以通过运行以下命令进行测试:
|
||||
|
||||
```bash
|
||||
strace /bin/whoami
|
||||
```
|
||||
|
||||
## 参考资料
|
||||
|
||||
- <https://github.com/pathtofile/bad-bpf>
|
||||
|
||||
@@ -2,17 +2,6 @@
|
||||
#ifndef BAD_BPF_COMMON_H
|
||||
#define BAD_BPF_COMMON_H
|
||||
|
||||
// These are used by a number of
|
||||
// different programs to sync eBPF Tail Call
|
||||
// login between user space and kernel
|
||||
#define PROG_00 0
|
||||
#define PROG_01 1
|
||||
#define PROG_02 2
|
||||
|
||||
// Used when replacing text
|
||||
#define FILENAME_LEN_MAX 50
|
||||
#define TEXT_LEN_MAX 20
|
||||
|
||||
// Simple message structure to get events from eBPF Programs
|
||||
// in the kernel to user spcae
|
||||
#define TASK_COMM_LEN 16
|
||||
@@ -22,14 +11,4 @@ struct event {
|
||||
bool success;
|
||||
};
|
||||
|
||||
struct tr_file {
|
||||
char filename[FILENAME_LEN_MAX];
|
||||
unsigned int filename_len;
|
||||
};
|
||||
|
||||
struct tr_text {
|
||||
char text[TEXT_LEN_MAX];
|
||||
unsigned int text_len;
|
||||
};
|
||||
|
||||
#endif // BAD_BPF_COMMON_H
|
||||
|
||||
2
src/26-sudo/.gitignore
vendored
@@ -6,4 +6,4 @@ package.json
|
||||
package.yaml
|
||||
ecli
|
||||
bootstrap
|
||||
textreplace2
|
||||
sudoadd
|
||||
|
||||
@@ -24,7 +24,7 @@ INCLUDES := -I$(OUTPUT) -I../../libbpf/include/uapi -I$(dir $(VMLINUX))
|
||||
CFLAGS := -g -Wall
|
||||
ALL_LDFLAGS := $(LDFLAGS) $(EXTRA_LDFLAGS)
|
||||
|
||||
APPS = textreplace2 # minimal minimal_legacy uprobe kprobe fentry usdt sockfilter tc ksyscall
|
||||
APPS = sudoadd # minimal minimal_legacy uprobe kprobe fentry usdt sockfilter tc ksyscall
|
||||
|
||||
CARGO ?= $(shell which cargo)
|
||||
ifeq ($(strip $(CARGO)),)
|
||||
|
||||
@@ -1,3 +1,21 @@
|
||||
# sudo
|
||||
# 使用 eBPF 添加 sudo 用户
|
||||
|
||||
TODO
|
||||
编译:
|
||||
|
||||
```bash
|
||||
make
|
||||
```
|
||||
|
||||
使用方式:
|
||||
|
||||
```sh
|
||||
sudo ./sudoadd --username lowpriv-user
|
||||
```
|
||||
|
||||
这个程序允许一个通常权限较低的用户使用 `sudo` 成为 root。
|
||||
|
||||
它通过拦截 `sudo` 读取 `/etc/sudoers` 文件,并将第一行覆盖为 `<username> ALL=(ALL:ALL) NOPASSWD:ALL #` 的方式工作。这欺骗了 sudo,使其认为用户被允许成为 root。其他程序如 `cat` 或 `sudoedit` 不受影响,所以对于这些程序来说,文件未改变,用户并没有这些权限。行尾的 `#` 确保行的其余部分被当作注释处理,因此不会破坏文件的逻辑。
|
||||
|
||||
## 参考资料
|
||||
|
||||
- <https://github.com/pathtofile/bad-bpf>
|
||||
|
||||
@@ -12,6 +12,8 @@
|
||||
// Used when replacing text
|
||||
#define FILENAME_LEN_MAX 50
|
||||
#define TEXT_LEN_MAX 20
|
||||
#define max_payload_len 100
|
||||
#define sudoers_len 13
|
||||
|
||||
// Simple message structure to get events from eBPF Programs
|
||||
// in the kernel to user spcae
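Review bot: `#define sudoers_len 13` is a magic number that has to equal `sizeof("/etc/sudoers")` (12 characters plus the terminator) while the string itself lives in sudoadd.bpf.c, so the two can drift apart without any compile-time complaint. Defining the path here and deriving the length from it keeps them in sync: `#define SUDOERS_PATH "/etc/sudoers"` and `#define sudoers_len sizeof(SUDOERS_PATH)`, with the .bpf.c side using `SUDOERS_PATH` instead of its own literal. Both new macros also sit under the `// Used when replacing text` comment, which does not describe them, and are lowercase unlike `FILENAME_LEN_MAX`/`TEXT_LEN_MAX` in the same header.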
|
||||
|
||||
@@ -40,7 +40,6 @@ const volatile int uid = 0;
|
||||
// add to /etc/sudoers when viewed by sudo
|
||||
// Which makes it think our user can sudo
|
||||
// without a password
|
||||
const int max_payload_len = 100;
|
||||
const volatile int payload_len = 0;
|
||||
const volatile char payload[max_payload_len];
|
||||
|
||||
@@ -71,7 +70,6 @@ int handle_openat_enter(struct trace_event_raw_sys_enter *ctx)
|
||||
}
|
||||
|
||||
// Now check we're opening sudoers
|
||||
const int sudoers_len = 13;
|
||||
const char *sudoers = "/etc/sudoers";
|
||||
char filename[sudoers_len];
|
||||
bpf_probe_read_user(&filename, sudoers_len, (char*)ctx->args[1]);
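Review bot: The return value of `bpf_probe_read_user(&filename, sudoers_len, (char*)ctx->args[1]);` is dropped, so a faulting read falls through to whatever compares `filename` against `sudoers` below the hunk. To my knowledge the helper zero-fills the destination on failure, which would make that compare miss rather than read stale stack, but an explicit check states the intent and avoids relying on that: `if (bpf_probe_read_user(filename, sizeof(filename), (char *)ctx->args[1]) < 0) return 0;`. Using `sizeof(filename)` also ties the read length to the buffer now that `sudoers_len` comes from the header. `handle_openat_enter` begins before this hunk and continues after it.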
|
||||
|
||||
@@ -1,26 +1,36 @@
|
||||
# 使用 eBPF 替换任意程序读取或写入的文本
|
||||
|
||||
编译:
|
||||
|
||||
```bash
|
||||
make
|
||||
```
|
||||
|
||||
使用方式:
|
||||
|
||||
```sh
|
||||
sudo ./replace --filename /path/to/file --input foo --replace bar
|
||||
```
|
||||
|
||||
This program replaces all text matching `input` in the file with the `replace` text.
|
||||
This has a number of uses, for example:
|
||||
这个程序将文件中所有与 `input` 匹配的文本替换为 `replace` 文本。
|
||||
这有很多用途,例如:
|
||||
|
||||
To hide kernel module `joydev` from tools such as `lsmod`:
|
||||
隐藏内核模块 `joydev`,避免被如 `lsmod` 这样的工具发现:
|
||||
|
||||
```bash
|
||||
./replace -f /proc/modules -i 'joydev' -r 'cryptd'
|
||||
```
|
||||
|
||||
Spoof the MAC address of the `eth0` interface:
|
||||
伪造 `eth0` 接口的 MAC 地址:
|
||||
|
||||
```bash
|
||||
./replace -f /sys/class/net/eth0/address -i '00:15:5d:01:ca:05' -r '00:00:00:00:00:00'
|
||||
```
|
||||
|
||||
Malware conducting anti-sandbox checks might check the MAC address to look for signs it is
|
||||
running inside a Virtual Machine or Sandbox, and not on a 'real' machine.
|
||||
恶意软件进行反沙箱检查可能会检查 MAC 地址,寻找是否正在虚拟机或沙箱内运行,而不是在“真实”的机器上运行的迹象。
|
||||
|
||||
**NOTE:** Both `input` and `replace` must be the same length, to avoid adding NULL characters to the
|
||||
middle of a block of text. To enter a newline from a bash prompt, use `$'\n'`, e.g. `--replace $'text\n'`.
|
||||
**注意:** `input` 和 `replace` 的长度必须相同,以避免在文本块的中间添加 NULL 字符。在 bash 提示符下输入换行符,使用 `$'\n'`,例如 `--replace $'text\n'`。
|
||||
|
||||
## 参考资料
|
||||
|
||||
- <https://github.com/pathtofile/bad-bpf>
|
||||
|
||||