From ad567ea8300281a4a43ef3b734e8189a0208415c Mon Sep 17 00:00:00 2001
From: yunwei37 <1067852565@qq.com>
Date: Wed, 31 May 2023 01:12:44 +0800
Subject: [PATCH] fix code for 24-27

---
 .vscode/settings.json | 5 -----
 src/24-hide/.gitignore | 3 ++-
 src/24-hide/Makefile | 2 +-
 src/24-hide/README.md | 18 +++++++++++++++++-
 src/24-hide/common.h | 1 +
 src/24-hide/pidhide.bpf.c | 1 -
 src/25-signal/.gitignore | 2 +-
 src/25-signal/Makefile | 2 +-
 src/25-signal/README.md | 24 +++++++++++++++++++++++-
 src/25-signal/common.h | 21 ---------------------
 src/26-sudo/.gitignore | 2 +-
 src/26-sudo/Makefile | 2 +-
 src/26-sudo/README.md | 22 ++++++++++++++++++++--
 src/26-sudo/common.h | 2 ++
 src/26-sudo/sudoadd.bpf.c | 2 --
 src/27-replace/README.md | 26 ++++++++++++++++++--------
 16 files changed, 88 insertions(+), 47 deletions(-)
 delete mode 100644 .vscode/settings.json

diff --git a/.vscode/settings.json b/.vscode/settings.json
deleted file mode 100644
index aafbd4e..0000000
--- a/.vscode/settings.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "files.associations": {
- "common.h": "c"
- }
-}
\ No newline at end of file
diff --git a/src/24-hide/.gitignore b/src/24-hide/.gitignore
index 81acd4b..1841117 100644
--- a/src/24-hide/.gitignore
+++ b/src/24-hide/.gitignore
@@ -6,4 +6,5 @@ package.json
 package.yaml
 ecli
 bootstrap
-textreplace2
+pidhide
+
diff --git a/src/24-hide/Makefile b/src/24-hide/Makefile
index ecfd9e1..7a64112 100644
--- a/src/24-hide/Makefile
+++ b/src/24-hide/Makefile
@@ -24,7 +24,7 @@ INCLUDES := -I$(OUTPUT) -I../../libbpf/include/uapi -I$(dir $(VMLINUX))
 CFLAGS := -g -Wall
 ALL_LDFLAGS := $(LDFLAGS) $(EXTRA_LDFLAGS)
 
-APPS = textreplace2 # minimal minimal_legacy uprobe kprobe fentry usdt sockfilter tc ksyscall
+APPS = pidhide # minimal minimal_legacy uprobe kprobe fentry usdt sockfilter tc ksyscall
 
 CARGO ?= $(shell which cargo)
 ifeq ($(strip $(CARGO)),)
diff --git a/src/24-hide/README.md b/src/24-hide/README.md
index 1ad1aef..2de3afe 100644
--- a/src/24-hide/README.md
+++ b/src/24-hide/README.md
@@ -1,3 +1,19 @@
 # 使用 eBPF 隐藏进程或文件信息
 
-TODO
+## 隐藏 PID
+
+编译:
+
+```bash
+make
+```
+
+使用方式:
+
+```sh
+sudo ./pidhide --pid-to-hide 2222
+```
+
+这个程序将匹配这个 pid 的进程隐藏,使得像 `ps` 这样的工具无法看到。
+
+它通过挂接 `getdents64` 系统调用来工作,因为 `ps` 是通过查找 `/proc/` 的每个子文件夹来工作的。PidHide 解除了与 PID 匹配的文件夹的链接,因此 `ps` 只能看到它之前和之后的文件夹。
diff --git a/src/24-hide/common.h b/src/24-hide/common.h
index 4686d92..8476caf 100644
--- a/src/24-hide/common.h
+++ b/src/24-hide/common.h
@@ -12,6 +12,7 @@
 // Used when replacing text
 #define FILENAME_LEN_MAX 50
 #define TEXT_LEN_MAX 20
+#define max_pid_len 10
 
 // Simple message structure to get events from eBPF Programs
 // in the kernel to user spcae
diff --git a/src/24-hide/pidhide.bpf.c b/src/24-hide/pidhide.bpf.c
index f61dfaf..eef9259 100644
--- a/src/24-hide/pidhide.bpf.c
+++ b/src/24-hide/pidhide.bpf.c
@@ -52,7 +52,6 @@ const volatile int target_ppid = 0;
 // These store the string represenation
 // of the PID to hide. This becomes the name
 // of the folder in /proc/
-const int max_pid_len = 10;
 const volatile int pid_to_hide_len = 0;
 const volatile char pid_to_hide[max_pid_len];
 
diff --git a/src/25-signal/.gitignore b/src/25-signal/.gitignore
index 81acd4b..e8a99c2 100644
--- a/src/25-signal/.gitignore
+++ b/src/25-signal/.gitignore
@@ -6,4 +6,4 @@ package.json
 package.yaml
 ecli
 bootstrap
-textreplace2
+bpfdos
diff --git a/src/25-signal/Makefile b/src/25-signal/Makefile
index ecfd9e1..338993f 100644
--- a/src/25-signal/Makefile
+++ b/src/25-signal/Makefile
@@ -24,7 +24,7 @@ INCLUDES := -I$(OUTPUT) -I../../libbpf/include/uapi -I$(dir $(VMLINUX))
 CFLAGS := -g -Wall
 ALL_LDFLAGS := $(LDFLAGS) $(EXTRA_LDFLAGS)
 
-APPS = textreplace2 # minimal minimal_legacy uprobe kprobe fentry usdt sockfilter tc ksyscall
+APPS = bpfdos # minimal minimal_legacy uprobe kprobe fentry usdt sockfilter tc ksyscall
 
 CARGO ?= $(shell which cargo)
 ifeq ($(strip $(CARGO)),)
diff --git a/src/25-signal/README.md b/src/25-signal/README.md
index b099bcb..1fe9aaf 100644
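Review bot: The macro added in 24-hide/common.h, `#define max_pid_len 10`, is lower case beside `FILENAME_LEN_MAX` and `TEXT_LEN_MAX`, so at its use site `pid_to_hide[max_pid_len]` in pidhide.bpf.c it still reads like the variable it replaced; the project's own convention would be `#define MAX_PID_LEN 10` with the declaration changed to `const volatile char pid_to_hide[MAX_PID_LEN];` (and any use outside the hunk renamed too). The same naming point applies to `max_payload_len` and `sudoers_len` added in 26-sudo/common.h and used in sudoadd.bpf.c. The reason the `const int` had to become a macro is worth recording next to it, because a file-scope array bound must be an integer constant expression and in C a `const int` is not one: `// Bound of pid_to_hide; a macro rather than const int so it is a constant expression usable as an array size`. Nothing in these hunks shows the loader capping `pid_to_hide_len` at `max_pid_len` or NUL-terminating the string; presumably that lives in the user-space side, which is outside this patch and worth confirming.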
--- a/src/25-signal/README.md
+++ b/src/25-signal/README.md
@@ -1,2 +1,24 @@
-# signal
+# 用 bpf_send_signal 发送信号终止恶意进程
 
+编译:
+
+```bash
+make
+```
+
+使用方式:
+
+```bash
+sudo ./bpfdos
+```
+
+这个程序会对任何试图使用 `ptrace` 系统调用的程序,例如 `strace`,发出 `SIG_KILL` 信号。
+一旦 bpf-dos 开始运行,你可以通过运行以下命令进行测试:
+
+```bash
+strace /bin/whoami
+```
+
+## 参考资料
+
+-
diff --git a/src/25-signal/common.h b/src/25-signal/common.h
index 4686d92..ac4be7f 100644
--- a/src/25-signal/common.h
+++ b/src/25-signal/common.h
@@ -2,17 +2,6 @@
 #ifndef BAD_BPF_COMMON_H
 #define BAD_BPF_COMMON_H
 
-// These are used by a number of
-// different programs to sync eBPF Tail Call
-// login between user space and kernel
-#define PROG_00 0
-#define PROG_01 1
-#define PROG_02 2
-
-// Used when replacing text
-#define FILENAME_LEN_MAX 50
-#define TEXT_LEN_MAX 20
-
 // Simple message structure to get events from eBPF Programs
 // in the kernel to user spcae
 #define TASK_COMM_LEN 16
@@ -22,14 +11,4 @@ struct event {
 bool success;
 };
 
-struct tr_file {
- char filename[FILENAME_LEN_MAX];
- unsigned int filename_len;
-};
-
-struct tr_text {
- char text[TEXT_LEN_MAX];
- unsigned int text_len;
-};
-
 #endif // BAD_BPF_COMMON_H
diff --git a/src/26-sudo/.gitignore b/src/26-sudo/.gitignore
index 81acd4b..b15967f 100644
--- a/src/26-sudo/.gitignore
+++ b/src/26-sudo/.gitignore
@@ -6,4 +6,4 @@ package.json
 package.yaml
 ecli
 bootstrap
-textreplace2
+sudoadd
diff --git a/src/26-sudo/Makefile b/src/26-sudo/Makefile
index ecfd9e1..1c2357e 100644
--- a/src/26-sudo/Makefile
+++ b/src/26-sudo/Makefile
@@ -24,7 +24,7 @@ INCLUDES := -I$(OUTPUT) -I../../libbpf/include/uapi -I$(dir $(VMLINUX))
 CFLAGS := -g -Wall
 ALL_LDFLAGS := $(LDFLAGS) $(EXTRA_LDFLAGS)
 
-APPS = textreplace2 # minimal minimal_legacy uprobe kprobe fentry usdt sockfilter tc ksyscall
+APPS = sudoadd # minimal minimal_legacy uprobe kprobe fentry usdt sockfilter tc ksyscall
 
 CARGO ?= $(shell which cargo)
 ifeq ($(strip $(CARGO)),)
diff --git a/src/26-sudo/README.md b/src/26-sudo/README.md
index bf41965..8c6f5c9 100644
--- a/src/26-sudo/README.md
+++ b/src/26-sudo/README.md
@@ -1,3 +1,21 @@
-# sudo
+# 使用 eBPF 添加 sudo 用户
 
-TODO
+编译:
+
+```bash
+make
+```
+
+使用方式:
+
+```sh
+sudo ./sudoadd --username lowpriv-user
+```
+
+这个程序允许一个通常权限较低的用户使用 `sudo` 成为 root。
+
+它通过拦截 `sudo` 读取 `/etc/sudoers` 文件,并将第一行覆盖为 ` ALL=(ALL:ALL) NOPASSWD:ALL #` 的方式工作。这欺骗了 sudo,使其认为用户被允许成为 root。其他程序如 `cat` 或 `sudoedit` 不受影响,所以对于这些程序来说,文件未改变,用户并没有这些权限。行尾的 `#` 确保行的其余部分被当作注释处理,因此不会破坏文件的逻辑。
+
+## 参考资料
+
+-
diff --git a/src/26-sudo/common.h b/src/26-sudo/common.h
index 4686d92..3e51864 100644
--- a/src/26-sudo/common.h
+++ b/src/26-sudo/common.h
@@ -12,6 +12,8 @@
 // Used when replacing text
 #define FILENAME_LEN_MAX 50
 #define TEXT_LEN_MAX 20
+#define max_payload_len 100
+#define sudoers_len 13
 
 // Simple message structure to get events from eBPF Programs
 // in the kernel to user spcae
diff --git a/src/26-sudo/sudoadd.bpf.c b/src/26-sudo/sudoadd.bpf.c
index 3e81b80..610d83a 100644
--- a/src/26-sudo/sudoadd.bpf.c
+++ b/src/26-sudo/sudoadd.bpf.c
@@ -40,7 +40,6 @@ const volatile int uid = 0;
 // add to /etc/sudoers when viewed by sudo
 // Which makes it think our user can sudo
 // without a password
-const int max_payload_len = 100;
 const volatile int payload_len = 0;
 const volatile char payload[max_payload_len];
 
@@ -71,7 +70,6 @@ int handle_openat_enter(struct trace_event_raw_sys_enter *ctx)
 }
 
 // Now check we're opening sudoers
- const int sudoers_len = 13;
 const char *sudoers = "/etc/sudoers";
 char filename[sudoers_len];
 bpf_probe_read_user(&filename, sudoers_len, (char*)ctx->args[1]);
diff --git a/src/27-replace/README.md b/src/27-replace/README.md
index 1558626..86b4bd7 100644
--- a/src/27-replace/README.md
+++ b/src/27-replace/README.md
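Review bot: `sudoers_len` is now a bare `13` in 26-sudo/common.h, detached from the `"/etc/sudoers"` literal it has to equal (12 characters plus the terminating NUL) at the `char filename[sudoers_len];` and `bpf_probe_read_user(&filename, sudoers_len, ...)` lines of sudoadd.bpf.c, so the two can drift apart silently. Deriving the length from the string keeps them in step: `#define SUDOERS_PATH "/etc/sudoers"` in common.h, then `char filename[sizeof(SUDOERS_PATH)];` and `bpf_probe_read_user(&filename, sizeof(filename), (char *)ctx->args[1]);` here. The return value of `bpf_probe_read_user` is also ignored, so a failed read leaves `filename` uninitialised before whatever comparison follows; that comparison and the rest of handle_openat_enter are outside the hunk.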
@@ -1,26 +1,36 @@
 # 使用 eBPF 替换任意程序读取或写入的文本
 
+编译:
+
+```bash
+make
+```
+
+使用方式:
+
 ```sh
 sudo ./replace --filename /path/to/file --input foo --replace bar
 ```
 
-This program replaces all text matching `input` in the file with the `replace` text.
-This has a number of uses, for example:
+这个程序将文件中所有与 `input` 匹配的文本替换为 `replace` 文本。
+这有很多用途,例如:
 
-To hide kernel module `joydev` from tools such as `lsmod`:
+隐藏内核模块 `joydev`,避免被如 `lsmod` 这样的工具发现:
 
 ```bash
 ./replace -f /proc/modules -i 'joydev' -r 'cryptd'
 ```
 
-Spoof the MAC address of the `eth0` interface:
+伪造 `eth0` 接口的 MAC 地址:
 
 ```bash
 ./replace -f /sys/class/net/eth0/address -i '00:15:5d:01:ca:05' -r '00:00:00:00:00:00'
 ```
 
-Malware conducting anti-sandbox checks might check the MAC address to look for signs it is
-running inside a Virtual Machine or Sandbox, and not on a 'real' machine.
+恶意软件进行反沙箱检查可能会检查 MAC 地址,寻找是否正在虚拟机或沙箱内运行,而不是在“真实”的机器上运行的迹象。
 
-**NOTE:** Both `input` and `replace` must be the same length, to avoid adding NULL characters to the
-middle of a block of text. To enter a newline from a bash prompt, use `$'\n'`, e.g. `--replace $'text\n'`.
+**注意:** `input` 和 `replace` 的长度必须相同,以避免在文本块的中间添加 NULL 字符。在 bash 提示符下输入换行符,使用 `$'\n'`,例如 `--replace $'text\n'`。
+
+## 参考资料
+
+-