kernel/bpf-developer-tutorial
1
0
Fork 0
mirror of https://github.com/eunomia-bpf/bpf-developer-tutorial.git synced 2026-02-03 02:04:30 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix pidhide userspace program

Browse Source
This commit is contained in:
yunwei37
2023-09-13 14:59:33 +00:00
parent ffbd9a7ff4
commit c9b3cd80f9
3 changed files with 13 additions and 261 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
src/24-hide/pidhide.bpf.c
View File

@@ -3,7 +3,7 @@
#include <bpf/bpf_helpers.h> #include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h> #include <bpf/bpf_tracing.h>
#include <bpf/bpf_core_read.h> #include <bpf/bpf_core_read.h>
#include "common.h" #include "pidhide.h"
char LICENSE[] SEC("license") = "Dual BSD/GPL"; char LICENSE[] SEC("license") = "Dual BSD/GPL";
@@ -49,11 +49,15 @@ struct {
// Optional Target Parent PID // Optional Target Parent PID
const volatile int target_ppid = 0; const volatile int target_ppid = 0;
#define MAX_PID_LENTH 16
// These store the string represenation // These store the string represenation
// of the PID to hide. This becomes the name // of the PID to hide. This becomes the name
// of the folder in /proc/ // of the folder in /proc/
const volatile int pid_to_hide_len = 0; const volatile int pid_to_hide_len = 0;
const volatile char pid_to_hide[max_pid_len]; const volatile char pid_to_hide[MAX_PID_LENTH];
int handle_getdents_patch(struct trace_event_raw_sys_exit *ctx);
// struct linux_dirent64 { // struct linux_dirent64 {
// u64 d_ino; /* 64-bit inode number */ // u64 d_ino; /* 64-bit inode number */
@@ -111,7 +115,7 @@ int handle_getdents_exit(struct trace_event_raw_sys_exit *ctx)
struct linux_dirent64 *dirp = 0; struct linux_dirent64 *dirp = 0;
int pid = pid_tgid >> 32; int pid = pid_tgid >> 32;
short unsigned int d_reclen = 0; short unsigned int d_reclen = 0;
char filename[max_pid_len]; char filename[MAX_PID_LENTH];
unsigned int bpos = 0; unsigned int bpos = 0;
unsigned int *pBPOS = bpf_map_lookup_elem(&map_bytes_read, &pid_tgid); unsigned int *pBPOS = bpf_map_lookup_elem(&map_bytes_read, &pid_tgid);
@@ -140,7 +144,7 @@ int handle_getdents_exit(struct trace_event_raw_sys_exit *ctx)
// *********** // ***********
bpf_map_delete_elem(&map_bytes_read, &pid_tgid); bpf_map_delete_elem(&map_bytes_read, &pid_tgid);
bpf_map_delete_elem(&map_buffs, &pid_tgid); bpf_map_delete_elem(&map_buffs, &pid_tgid);
bpf_tail_call(ctx, &map_prog_array, PROG_02); handle_getdents_patch(ctx);
} }
bpf_map_update_elem(&map_to_patch, &pid_tgid, &dirp, BPF_ANY); bpf_map_update_elem(&map_to_patch, &pid_tgid, &dirp, BPF_ANY);
bpos += d_reclen; bpos += d_reclen;
@@ -148,10 +152,10 @@ int handle_getdents_exit(struct trace_event_raw_sys_exit *ctx)
// If we didn't find it, but there's still more to read, // If we didn't find it, but there's still more to read,
// jump back the start of this function and keep looking // jump back the start of this function and keep looking
if (bpos < total_bytes_read) { // if (bpos < total_bytes_read) {
bpf_map_update_elem(&map_bytes_read, &pid_tgid, &bpos, BPF_ANY); // bpf_map_update_elem(&map_bytes_read, &pid_tgid, &bpos, BPF_ANY);
bpf_tail_call(ctx, &map_prog_array, PROG_01); // handle_getdents_exit(ctx);
} // }
bpf_map_delete_elem(&map_bytes_read, &pid_tgid); bpf_map_delete_elem(&map_bytes_read, &pid_tgid);
bpf_map_delete_elem(&map_buffs, &pid_tgid); bpf_map_delete_elem(&map_buffs, &pid_tgid);
@@ -181,7 +185,7 @@ int handle_getdents_patch(struct trace_event_raw_sys_exit *ctx)
bpf_probe_read_user(&d_reclen, sizeof(d_reclen), &dirp->d_reclen); bpf_probe_read_user(&d_reclen, sizeof(d_reclen), &dirp->d_reclen);
// Debug print // Debug print
char filename[max_pid_len]; char filename[MAX_PID_LENTH];
bpf_probe_read_user_str(&filename, pid_to_hide_len, dirp_previous->d_name); bpf_probe_read_user_str(&filename, pid_to_hide_len, dirp_previous->d_name);
filename[pid_to_hide_len-1] = 0x00; filename[pid_to_hide_len-1] = 0x00;
bpf_printk("[PID_HIDE] filename previous %s\n", filename); bpf_printk("[PID_HIDE] filename previous %s\n", filename);

252
src/24-hide/pidhide.c
View File

@@ -1,252 +0,0 @@
// SPDX-License-Identifier: BSD-3-Clause
#include <argp.h>
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <bpf/bpf.h>
#include <bpf/libbpf.h>
#include <unistd.h>
#include <signal.h>
#include <sys/resource.h>
#include <errno.h>
#include <fcntl.h>
#include "pidhide.skel.h"
#include "common.h"
// These are used by a number of
// different programs to sync eBPF Tail Call
// login between user space and kernel
#define PROG_00 0
#define PROG_01 1
#define PROG_02 2
// Setup Argument stuff
static struct env
{
int pid_to_hide;
int target_ppid;
} env;
const char *argp_program_version = "pidhide 1.0";
const char *argp_program_bug_address = "<path@tofile.dev>";
const char argp_program_doc[] =
"PID Hider\n"
"\n"
"Uses eBPF to hide a process from usermode processes\n"
"By hooking the getdents64 syscall and unlinking the pid folder\n"
"\n"
"USAGE: ./pidhide -p 2222 [-t 1111]\n";
static const struct argp_option opts[] = {
{"pid-to-hide", 'p', "PID-TO-HIDE", 0, "Process ID to hide. Defaults to this program"},
{"target-ppid", 't', "TARGET-PPID", 0, "Optional Parent PID, will only affect its children."},
{},
};
static error_t parse_arg(int key, char *arg, struct argp_state *state)
{
switch (key)
{
case 'p':
errno = 0;
env.pid_to_hide = strtol(arg, NULL, 10);
if (errno || env.pid_to_hide <= 0)
{
fprintf(stderr, "Invalid pid: %s\n", arg);
argp_usage(state);
}
break;
case 't':
errno = 0;
env.target_ppid = strtol(arg, NULL, 10);
if (errno || env.target_ppid <= 0)
{
fprintf(stderr, "Invalid pid: %s\n", arg);
argp_usage(state);
}
break;
case ARGP_KEY_ARG:
argp_usage(state);
break;
default:
return ARGP_ERR_UNKNOWN;
}
return 0;
}
static const struct argp argp = {
.options = opts,
.parser = parse_arg,
.doc = argp_program_doc,
};
static volatile sig_atomic_t exiting;
void sig_int(int signo)
{
exiting = 1;
}
static bool setup_sig_handler()
{
// Add handlers for SIGINT and SIGTERM so we shutdown cleanly
__sighandler_t sighandler = signal(SIGINT, sig_int);
if (sighandler == SIG_ERR)
{
fprintf(stderr, "can't set signal handler: %s\n", strerror(errno));
return false;
}
sighandler = signal(SIGTERM, sig_int);
if (sighandler == SIG_ERR)
{
fprintf(stderr, "can't set signal handler: %s\n", strerror(errno));
return false;
}
return true;
}
static int libbpf_print_fn(enum libbpf_print_level level, const char *format, va_list args)
{
return vfprintf(stderr, format, args);
}
static bool setup()
{
// Set up libbpf errors and debug info callback
libbpf_set_print(libbpf_print_fn);
// Setup signal handler so we exit cleanly
if (!setup_sig_handler())
{
return false;
}
return true;
}
static int handle_event(void *ctx, void *data, size_t data_sz)
{
const struct event *e = data;
if (e->success)
printf("Hid PID from program %d (%s)\n", e->pid, e->comm);
else
printf("Failed to hide PID from program %d (%s)\n", e->pid, e->comm);
return 0;
}
int main(int argc, char **argv)
{
struct ring_buffer *rb = NULL;
struct pidhide_bpf *skel;
int err;
// Parse command line arguments
err = argp_parse(&argp, argc, argv, 0, NULL, NULL);
if (err)
{
return err;
}
if (env.pid_to_hide == 0)
{
printf("Pid Requried, see %s --help\n", argv[0]);
exit(1);
}
// Do common setup
if (!setup())
{
exit(1);
}
// Open BPF application
skel = pidhide_bpf__open();
if (!skel)
{
fprintf(stderr, "Failed to open BPF program: %s\n", strerror(errno));
return 1;
}
// Set the Pid to hide, defaulting to our own PID
char pid_to_hide[10];
if (env.pid_to_hide == 0)
{
env.pid_to_hide = getpid();
}
sprintf(pid_to_hide, "%d", env.pid_to_hide);
strncpy(skel->rodata->pid_to_hide, pid_to_hide, sizeof(skel->rodata->pid_to_hide));
skel->rodata->pid_to_hide_len = strlen(pid_to_hide) + 1;
skel->rodata->target_ppid = env.target_ppid;
// Verify and load program
err = pidhide_bpf__load(skel);
if (err)
{
fprintf(stderr, "Failed to load and verify BPF skeleton\n");
goto cleanup;
}
// Setup Maps for tail calls
int index = PROG_01;
int prog_fd = bpf_program__fd(skel->progs.handle_getdents_exit);
int ret = bpf_map_update_elem(
bpf_map__fd(skel->maps.map_prog_array),
&index,
&prog_fd,
BPF_ANY);
if (ret == -1)
{
printf("Failed to add program to prog array! %s\n", strerror(errno));
goto cleanup;
}
index = PROG_02;
prog_fd = bpf_program__fd(skel->progs.handle_getdents_patch);
ret = bpf_map_update_elem(
bpf_map__fd(skel->maps.map_prog_array),
&index,
&prog_fd,
BPF_ANY);
if (ret == -1)
{
printf("Failed to add program to prog array! %s\n", strerror(errno));
goto cleanup;
}
// Attach tracepoint handler
err = pidhide_bpf__attach(skel);
if (err)
{
fprintf(stderr, "Failed to attach BPF program: %s\n", strerror(errno));
goto cleanup;
}
// Set up ring buffer
rb = ring_buffer__new(bpf_map__fd(skel->maps.rb), handle_event, NULL, NULL);
if (!rb)
{
err = -1;
fprintf(stderr, "Failed to create ring buffer\n");
goto cleanup;
}
printf("Successfully started!\n");
printf("Hiding PID %d\n", env.pid_to_hide);
while (!exiting)
{
err = ring_buffer__poll(rb, 100 /* timeout, ms */);
/* Ctrl-C will cause -EINTR */
if (err == -EINTR)
{
err = 0;
break;
}
if (err < 0)
{
printf("Error polling perf buffer: %d\n", err);
break;
}
}
cleanup:
pidhide_bpf__destroy(skel);
return -err;
}

0
src/24-hide/common.h → src/24-hide/pidhide.h
View File