
gui774ume / ebpfkit

688 stars, 18 watchers, 84 forks, 7.81 MB

ebpfkit is a rootkit powered by eBPF

License: Apache License 2.0

Makefile 0.51% Go 28.44% C 71.03% Dockerfile 0.02%
ebpf security rootkit linux linux-kernel linux-kernel-hacking runtime-security kernel

ebpfkit's People

Contributors

dependabot[bot], gui774ume, lebauce, safchain


ebpfkit's Issues

#7 I have tried lo, eth0 and enp0s3 as my VM's interface, but it didn't work.

#7 Hello, I have tried lo, eth0 and enp0s3 as my VM's interface, but it didn't work.

My host env config:

## host kernel version
Linux VirtualBox 5.4.0-110-generic #124-Ubuntu SMP Thu Apr 14 19:46:19 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

## my kernel's BPF compile config
$ cat /boot/config-$(uname -r) |grep bpf
CONFIG_CGROUP_BPF=y
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
CONFIG_IPV6_SEG6_BPF=y
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_BPFILTER=y
CONFIG_BPFILTER_UMH=m
CONFIG_NET_CLS_BPF=m
CONFIG_NET_ACT_BPF=m
CONFIG_BPF_JIT=y
CONFIG_BPF_STREAM_PARSER=y
CONFIG_LWTUNNEL_BPF=y
CONFIG_HAVE_EBPF_JIT=y
CONFIG_BPF_EVENTS=y
CONFIG_BPF_KPROBE_OVERRIDE=y
CONFIG_TEST_BPF=m

And those are the interfaces on the host and in the Docker container I used.

enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::1ad6:b997:5c8c:d269  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:ac:19:0b  txqueuelen 1000  (Ethernet)
        RX packets 15027  bytes 18707045 (18.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8244  bytes 557794 (557.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The command and the error when I run ebpfkit are as follows.

root@service:/data/ebpfkit/bin# ./ebpfkit -i enp0s3 -e enp0s3

Error: couldn't start: couldn't start main manager: couldn't start main manager: probes activation validation failed: 2 errors occurred:
        * {UID:egress Section:classifier/egress}: couldn't add a "clsact" qdisc to interface 2: netlink receive: no such file or directory
        * {UID:lo Section:classifier/egress}: couldn't add a "clsact" qdisc to interface 1: netlink receive: no such file or directory

Any helpful suggestions? Thanks : )

And can you tell me which kernel version and BPF compile config you used?

Builds successfully but fails to run `ebpfkit`

Hello, nice rootkit!

I built it successfully in my env:

  • Ubuntu 21.04
  • clang/llvm 11.0.1
  • kernel: 5.11.0-36-generic

But when I run ./ebpfkit, it exits with error:

➜ ./ebpfkit
Error: couldn't start: couldn't start main manager: couldn't init main manager: couldn't load eBPF programs: program xdp/ingress/syn_loop: can't load program: invalid argument: 0: (bf) r6 = r1
1: (b7) r9 = 2
2: (61) r1 = *(u32 *)(r6 +4)
3: (61) r8 = *(u32 *)(r6 +0)
4: (bf) r2 = r8
5: (07) r2 += 14
6: (2d) if r2 > r1 goto pc+358
 R1_w=pkt_end(id=0,off=0,imm=0) R2_w=pkt(id=0,off=14,r=14,imm=0) R6_w=ctx(id=0,off=0,imm=0) R8_w=pkt(id=0,off=0,r=14,imm=0) R9_w=inv2 R10=fp0
7: (15) if r8 == 0x0 goto pc+357
 R1_w=pkt_end(id=0,off=0,imm=0) R2_w=pkt(id=0,off=14,r=14,imm=0) R6_w=ctx(id=0,off=0,imm=0) R8_w=pkt(id=0,off=0,r=14,imm=0) R9_w=inv2 R10=fp0
8: (71) r3 = *(u8 *)(r8 +12)
9: (71) r4 = *(u8 *)(r8 +13)
10: (67) r4 <<= 8
11: (4f) r4 |= r3
12: (55) if r4 != 0x8 goto pc+352
 R1=pkt_end(id=0,off=0,imm=0) R2=pkt(id=0,off=14,r=14,imm=0) R3=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R4=inv8 R6=ctx(id=0,off=0,imm=0) R8=pkt(id=0,off=0,r=14,imm=0) R9=inv2 R10=fp0
13: (bf) r7 = r8
14: (07) r7 += 34
15: (2d) if r7 > r1 goto pc+349
 R1=pkt_end(id=0,off=0,imm=0) R2=pkt(id=0,off=14,r=34,imm=0) R3=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R4=inv8 
......
Usage:
  ebpfkit [flags]

Flags:
      --append                        (file override feature only) when set, the content of the source file will be appended to the content of the target file
      --comm string                   (file override feature only) comm of the process for which the file override should apply
      --disable-bpf-obfuscation       when set, ebpfkit will not hide itself from the bpf syscall
      --disable-network-probes        when set, ebpfkit will not try to load its network related probes
      --docker string                 path to the Docker daemon executable (default "/usr/bin/dockerd")
  -e, --egress string                 egress interface name (default "enp0s3")
  -h, --help                          help for ebpfkit
  -i, --ingress string                ingress interface name (default "enp0s3")
  -l, --log-level string              log level, options: panic, fatal, error, warn, info, debug or trace (default "info")
      --postgres string               path to the Postgres daemon executable (default "/usr/lib/postgresql/12/bin/postgres")
      --src string                    (file override feature only) source file which content will be used to override the content of the target file
      --target string                 (file override feature only) target file to override
  -p, --target-http-server-port int   Target HTTP server port used for Command and Control (default 8000)
      --webapp-rasp string            path to the webapp on which the RASP is installed

Have you come across such issues? Any helpful suggestions? Thanks : )
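Reading the verifier log in the post above (editor's note, added here; not part of the issue): `invalid argument` from the program load is the verifier rejecting `xdp/ingress/syn_loop`, and the dump is its reasoning. Instructions 2 and 3 load `data_end` (offset +4) and `data` (offset +0) from the `xdp_md` context; instruction 6 exits unless `data+14 <= data_end`, after which the register state shows `r=14`, i.e. 14 bytes proven readable; instructions 8 to 12 assemble the EtherType from bytes 12 and 13 in little-endian order and compare it with `0x8`, which is the wire sequence `08 00`, ETH_P_IP; instructions 14 and 15 extend the proof to 34 bytes, an Ethernet header plus a minimal IPv4 header. The actual rejection reason sits in the part the poster cut at `......`, so it cannot be read off this page; in a full log it is the last lines before the instruction count. The Go program below is my own user-space rendition of the same parse with the same bounds obligations, written for this page with constructed frames; it is not the project's program, and the bare-SYN test at the end is my choice of payload, since the log does not show what `syn_loop` does after the IPv4 check.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Offsets taken from the verifier log above: insn 6 proves 14 bytes
// (Ethernet header), insn 12 checks the EtherType, insn 15 proves 34 bytes
// (Ethernet plus a minimal IPv4 header). The rest is the ordinary header
// layout, not something the truncated log shows.
const (
	ethHdrLen     = 14
	ipv4MinLen    = 20
	tcpMinLen     = 20
	etherTypeIPv4 = 0x0800 // wire bytes 08 00; the log reads them little-endian, hence "r4 != 0x8"
	ipProtoTCP    = 6
	tcpFlagSYN    = 0x02
	tcpFlagACK    = 0x10
)

// ErrShort is the user-space stand-in for the verifier's exit branch,
// taken when data+N would pass data_end.
var ErrShort = errors.New("packet shorter than the header being read")

// IsTCPSYN reports whether pkt is an Ethernet/IPv4/TCP frame carrying a bare
// SYN, doing an explicit length check before every read, which is exactly
// the obligation the verifier enforces on the XDP program.
func IsTCPSYN(pkt []byte) (bool, error) {
	if len(pkt) < ethHdrLen { // insn 5-6: data+14 > data_end
		return false, ErrShort
	}
	if binary.BigEndian.Uint16(pkt[12:14]) != etherTypeIPv4 { // insn 8-12
		return false, nil
	}
	if len(pkt) < ethHdrLen+ipv4MinLen { // insn 14-15: data+34 > data_end
		return false, ErrShort
	}
	ip := pkt[ethHdrLen:]
	if ip[0]>>4 != 4 || ip[9] != ipProtoTCP {
		return false, nil
	}
	ihl := int(ip[0]&0x0f) * 4
	if ihl < ipv4MinLen {
		return false, nil // malformed IHL; an XDP program would drop here
	}
	// IPv4 options shift the TCP header, so the proven 34 bytes are not
	// enough on their own: re-check against the actual TCP offset.
	tcpOff := ethHdrLen + ihl
	if len(pkt) < tcpOff+tcpMinLen {
		return false, ErrShort
	}
	flags := pkt[tcpOff+13]
	return flags&tcpFlagSYN != 0 && flags&tcpFlagACK == 0, nil
}

// BuildFrame returns a constructed, option-less Ethernet/IPv4/TCP frame with
// the given EtherType and TCP flags. Addresses and ports are placeholders.
func BuildFrame(etherType uint16, tcpFlags byte) []byte {
	f := make([]byte, ethHdrLen+ipv4MinLen+tcpMinLen)
	copy(f[0:], []byte{0x02, 0, 0, 0, 0, 0x01}) // dst MAC
	copy(f[6:], []byte{0x02, 0, 0, 0, 0, 0x02}) // src MAC
	binary.BigEndian.PutUint16(f[12:], etherType)
	ip := f[ethHdrLen:]
	ip[0] = 0x45 // version 4, IHL 5 words
	binary.BigEndian.PutUint16(ip[2:], ipv4MinLen+tcpMinLen)
	ip[8] = 64 // TTL
	ip[9] = ipProtoTCP
	copy(ip[12:], []byte{10, 0, 2, 15})
	copy(ip[16:], []byte{10, 0, 2, 2})
	tcp := ip[ipv4MinLen:]
	binary.BigEndian.PutUint16(tcp[0:], 49152)
	binary.BigEndian.PutUint16(tcp[2:], 8000) // the C2 port ebpfkit defaults to
	tcp[12] = 0x50                            // data offset 5 words
	tcp[13] = tcpFlags
	binary.BigEndian.PutUint16(tcp[14:], 65535)
	return f
}

func main() {
	cases := []struct {
		name string
		pkt  []byte
	}{
		{"syn", BuildFrame(etherTypeIPv4, tcpFlagSYN)},
		{"syn-ack", BuildFrame(etherTypeIPv4, tcpFlagSYN|tcpFlagACK)},
		{"ipv6", BuildFrame(0x86dd, tcpFlagSYN)},
		{"truncated", BuildFrame(etherTypeIPv4, tcpFlagSYN)[:20]},
	}
	for _, c := range cases {
		syn, err := IsTCPSYN(c.pkt)
		fmt.Printf("%-9s syn=%v err=%v\n", c.name, syn, err)
	}
}
```

The truncated case is the one to keep in mind when reading a verifier dump: every `if rN > r1 goto` line is one of these length checks, and a load whose offset is not covered by the `r=` value in the preceding register state is what produces an "invalid access to packet" rejection.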

panic: runtime error: index out of range [32] with length 10

I have installed everything successfully without any errors. But I still get this when I run it:

GET /get_net_dis HTTP/1.1
Host: localhost:8000
User-Agent: 0000_______________________________________________________________________________________________________________________________________________________________
_______________________________________________________________________________________________________________________________________________________________________________
__________________________________________________________________________________________________________________________________________________________________
 
2021/12/15 10:57:03 127.0.0.1:60878 - GET /get_net_dis - 404
DEBUG[2021-12-15T10:57:03Z] 
GET /get_fswatch HTTP/1.1
Host: localhost:8000
User-Agent: 0/ebpfkit/network_discovery#_______________________________________________________________________________________________________________________________________
_______________________________________________________________________________________________________________________________________________________________________________
__________________________________________________________________________________________________________________________________________________________________
 
2021/12/15 10:57:03 127.0.0.1:60878 - GET /get_fswatch - 404
panic: runtime error: index out of range [32] with length 10
goroutine 1 [running]:
github.com/Gui774ume/ebpfkit/cmd/ebpfkit-client/run/network_discovery.parseNetworkDiscoveryOutput(0xc000172000, 0xa, 0x200, 0x21, 0xc000169200, 0x1f4, 0xc000172000)
        /home/yasindce1998/ebpfkit/cmd/ebpfkit-client/run/network_discovery/get.go:61 +0x983
github.com/Gui774ume/ebpfkit/cmd/ebpfkit-client/run/network_discovery.SendGetNetworkDiscoveryRequest(0x84090e, 0x15, 0xc000040000, 0x0, 0x0)
        /home/yasindce1998/ebpfkit/cmd/ebpfkit-client/run/network_discovery/get.go:109 +0x1e0
github.com/Gui774ume/ebpfkit/cmd/ebpfkit-client/run.getNetworkDiscoveryCmd(0xb57b40, 0xc0000864c0, 0x0, 0x2, 0x0, 0x0)
        /home/yasindce1998/ebpfkit/cmd/ebpfkit-client/run/ebpfkit-client.go:164 +0x5f
github.com/spf13/cobra.(*Command).execute(0xb57b40, 0xc0000864a0, 0x2, 0x2, 0xb57b40, 0xc0000864a0)
        /home/yasindce1998/go/pkg/mod/github.com/spf13/[email protected]/command.go:850 +0x460
github.com/spf13/cobra.(*Command).ExecuteC(0xb58080, 0x8c86c0, 0xc000094480, 0xc000068058)
        /home/yasindce1998/go/pkg/mod/github.com/spf13/[email protected]/command.go:958 +0x349
github.com/spf13/cobra.(*Command).Execute(...)
        /home/yasindce1998/go/pkg/mod/github.com/spf13/[email protected]/command.go:895
main.main()
        /home/yasindce1998/ebpfkit/cmd/ebpfkit-client/main.go:31 +0x8c
It would be better if you could give me some explanation of what's going on.
Thank you

Is it possible to hide the process?

Surprising ideas! I have a question. General rootkits can hide specific processes and prevent them from being detected by commands such as ps. Is this possible for ebpfkit?

Error: couldn't start: couldn't start main manager: couldn't start main manager: probes activation validation failed: 2 errors occurred:

Hello, I'm trying to run the ebpfkit rootkit with the exploit effect described in "Black Hat 2021": container breakout 1: escaping through a pipe.

The environment configuration:

  • Ubuntu 20.04.4 with kernel 5.4
  • golang 1.13.1
  • clang && llvm (11.0.1)
  • go-bindata

But when I run ebpfkit, I get the error:

Error: couldn't start: couldn't start main manager: couldn't start main manager: probes activation validation failed: 2 errors occurred:
        * {UID:egress Section:classifier/egress}: couldn't add a "clsact" qdisc to interface 2: netlink receive: no such file or directory
        * {UID:lo Section:classifier/egress}: couldn't add a "clsact" qdisc to interface 1: netlink receive: no such file or directory

Have you come across such issues? Any helpful suggestions? Thanks : )

@lebauce @L3n41c @safchain @paulcacheux @JulesDT
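The clsact error in this post and in issue #7 above has the same shape (editor's note, added here; not part of either issue): ENOENT, "no such file or directory", returned on the netlink request that adds the `clsact` qdisc. The kernel answers ENOENT when no qdisc of that kind is registered after trying to autoload the `sch_clsact` module alias; `clsact` is implemented by `sch_ingress` (CONFIG_NET_SCH_INGRESS, which depends on CONFIG_NET_CLS_ACT), and the `classifier/egress` programs are then attached as `cls_bpf` (CONFIG_NET_CLS_BPF). The `grep bpf` in issue #7 cannot show the first two options either way, because its filter does not match them. Below is a preflight in Go that parses the running kernel's config and reports which of those options it lacks. It is my code, not ebpfkit's, and the option list is my reading of the net/sched Kconfig; the embedded sample is the grep output from issue #7, which is incomplete by construction, so on that sample it reports CONFIG_NET_CLS_ACT and CONFIG_NET_SCH_INGRESS as missing without saying anything about that poster's kernel.

```go
package main

import (
	"bufio"
	"compress/gzip"
	"fmt"
	"io"
	"os"
	"strings"
)

// Kernel options the clsact attachment path depends on, with the values that
// satisfy them. clsact lives in sch_ingress (CONFIG_NET_SCH_INGRESS, which
// depends on CONFIG_NET_CLS_ACT); the TC programs run as cls_bpf classifiers.
var tcRequirements = []struct {
	opt    string
	values string // accepted values, "|"-separated
	why    string
}{
	{"CONFIG_BPF", "y", "eBPF core"},
	{"CONFIG_BPF_SYSCALL", "y", "bpf(2) syscall"},
	{"CONFIG_NET_CLS_ACT", "y", "classifier actions; sch_ingress depends on it"},
	{"CONFIG_NET_SCH_INGRESS", "y|m", "ingress and clsact qdiscs (module sch_ingress, alias sch_clsact)"},
	{"CONFIG_NET_CLS_BPF", "y|m", "cls_bpf classifier that runs the TC programs"},
}

// ParseKernelConfig maps CONFIG_* options to their values. "# CONFIG_X is not
// set" lines are recorded with an empty value, so they can be told apart from
// options the file never mentions.
func ParseKernelConfig(r io.Reader) (map[string]string, error) {
	cfg := map[string]string{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "# CONFIG_") && strings.HasSuffix(line, " is not set") {
			cfg[strings.TrimSuffix(line[2:], " is not set")] = ""
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok && strings.HasPrefix(k, "CONFIG_") {
			cfg[k] = strings.Trim(v, `"`)
		}
	}
	return cfg, sc.Err()
}

// MissingTCOptions returns the requirements cfg does not satisfy, in
// tcRequirements order. Options absent from cfg count as missing, so a
// filtered listing (like the grep output in issue #7) over-reports.
func MissingTCOptions(cfg map[string]string) []string {
	var missing []string
	for _, req := range tcRequirements {
		got, present := cfg[req.opt]
		ok := false
		for _, v := range strings.Split(req.values, "|") {
			if present && got == v {
				ok = true
			}
		}
		if !ok {
			missing = append(missing, req.opt)
		}
	}
	return missing
}

// Explain returns why an option is required, or "" if it is not in the list.
func Explain(opt string) string {
	for _, req := range tcRequirements {
		if req.opt == opt {
			return req.why + " (want " + req.values + ")"
		}
	}
	return ""
}

// OpenRunningKernelConfig tries /boot/config-<release>, then /proc/config.gz.
func OpenRunningKernelConfig() (io.ReadCloser, error) {
	if rel, err := os.ReadFile("/proc/sys/kernel/osrelease"); err == nil {
		if f, err := os.Open("/boot/config-" + strings.TrimSpace(string(rel))); err == nil {
			return f, nil
		}
	}
	f, err := os.Open("/proc/config.gz")
	if err != nil {
		return nil, err
	}
	gz, err := gzip.NewReader(f)
	if err != nil {
		f.Close()
		return nil, err
	}
	return struct {
		io.Reader
		io.Closer
	}{gz, f}, nil
}

// issueGrepOutput is the `grep bpf` listing from issue #7, used here as a
// constructed sample; it is incomplete by construction, since that filter
// cannot match the NET_SCH_INGRESS and NET_CLS_ACT lines.
const issueGrepOutput = `CONFIG_CGROUP_BPF=y
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_NET_CLS_BPF=m
CONFIG_NET_ACT_BPF=m
CONFIG_BPF_JIT=y
`

func main() {
	r, err := OpenRunningKernelConfig()
	if err != nil {
		fmt.Println("no kernel config readable, checking the sample instead:", err)
		r = io.NopCloser(strings.NewReader(issueGrepOutput))
	}
	defer r.Close()
	cfg, err := ParseKernelConfig(r)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, opt := range MissingTCOptions(cfg) {
		fmt.Printf("missing %s: %s\n", opt, Explain(opt))
	}
}
```

If the preflight reports nothing missing, the remaining checks are `modprobe sch_ingress` (or `sch_clsact`, the alias the module declares) followed by `tc qdisc add dev enp0s3 clsact` and `tc qdisc show dev enp0s3`, run as root on the host rather than inside a container, so that a missing kernel feature can be told apart from a namespace or capability restriction; ebpfkit's manager issues the same qdisc add over netlink.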

Error: couldn't start: couldn't init bootstrap manager: load license: missing license section

What license should I have to use?

yasindce1998@ubuntu-focal:~/ebpfkit$ sudo ./bin/ebpfkit -l info

Error: couldn't start: couldn't init bootstrap manager: load license: missing license section
Usage:
  ebpfkit [flags]

Flags:
      --append                        (file override feature only) when set, the content of the source file will be appended to the content of the target file
      --comm string                   (file override feature only) comm of the process for which the file override should apply
      --disable-bpf-obfuscation       when set, ebpfkit will not hide itself from the bpf syscall
      --disable-network-probes        when set, ebpfkit will not try to load its network related probes
      --docker string                 path to the Docker daemon executable (default "/usr/bin/dockerd")
  -e, --egress string                 egress interface name (default "enp0s3")
  -h, --help                          help for ebpfkit
  -i, --ingress string                ingress interface name (default "enp0s3")
  -l, --log-level string              log level, options: panic, fatal, error, warn, info, debug or trace (default "info")
      --postgres string               path to the Postgres daemon executable (default "/usr/lib/postgresql/12/bin/postgres")
      --src string                    (file override feature only) source file which content will be used to override the content of the target file
      --target string                 (file override feature only) target file to override
  -p, --target-http-server-port int   Target HTTP server port used for Command and Control (default 8000)
      --webapp-rasp string            path to the webapp on which the RASP is installed
