gui774ume / ebpfkit-monitor
ebpfkit-monitor is a tool that detects and protects against eBPF powered rootkits
License: Apache License 2.0
sudo ebpfkit-monitor start
FATAL[2022-06-05T12:23:40Z] failed to start ebpfkit-monitor: failed to setup eBPF manager: failed to init eBPF manager: load license: missing license section
I used strace to trace the syscalls and info, but it did not show the license alert before. I've searched Google and found nothing about it.
4351 execve("/usr/bin/ebpfkit-monitor", ["ebpfkit-monitor", "start"], 0x7fffb3caa7a0 /* 24 vars */) = 0
4351 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
4351 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4351 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=23241, ...}, AT_EMPTY_PATH) = 0
4351 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
4351 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=2216304, ...}, AT_EMPTY_PATH) = 0
4351 openat(AT_FDCWD, "/sys/kernel/mm/transparent_hugepage/hpage_pmd_size", O_RDONLY) = 3
4351 openat(AT_FDCWD, "/proc/stat", O_RDONLY|O_CLOEXEC) = 3
4351 newfstatat(AT_FDCWD, "/usr/bin/getconf", {st_mode=S_IFREG|0755, st_size=35112, ...}, 0) = 0
4351 openat(AT_FDCWD, "/dev/null", O_RDONLY|O_CLOEXEC) = 3
4358 execve("/usr/bin/getconf", ["/usr/bin/getconf", "CLK_TCK"], 0xc00009cf70 /* 24 vars */) = 0
4358 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
4358 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=23241, ...}, AT_EMPTY_PATH) = 0
4358 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=2216304, ...}, AT_EMPTY_PATH) = 0
4358 openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = 3
4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=353616, ...}, AT_EMPTY_PATH) = 0
4358 openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache", O_RDONLY) = 3
4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=27002, ...}, AT_EMPTY_PATH) = 0
4358 openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3
4358 newfstatat(3, "", {st_mode=S_IFDIR|0755, st_size=4096, ...}, AT_EMPTY_PATH) = 0
4358 openat(AT_FDCWD, "/usr/lib/locale/C.utf8/LC_MESSAGES/SYS_LC_MESSAGES", O_RDONLY|O_CLOEXEC) = 3
4358 newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=48, ...}, AT_EMPTY_PATH) = 0
4358 newfstatat(1, "", {st_mode=S_IFIFO|0600, st_size=0, ...}, AT_EMPTY_PATH) = 0
4358 +++ exited with 0 +++
4353 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4358, si_uid=0, si_status=0, si_utime=0, si_stime=0} ---
4351 newfstatat(AT_FDCWD, ".", {st_mode=S_IFDIR|0700, st_size=4096, ...}, 0) = 0
4351 newfstatat(AT_FDCWD, "/root", {st_mode=S_IFDIR|0700, st_size=4096, ...}, 0) = 0
4351 openat(AT_FDCWD, "/proc/net/psched", O_RDONLY|O_CLOEXEC) = 3
4351 openat(AT_FDCWD, "/proc/stat", O_RDONLY|O_CLOEXEC) = 3
4351 readlinkat(AT_FDCWD, "/proc/self/exe", "/usr/bin/ebpfkit-monitor", 128) = 24
4351 openat(AT_FDCWD, "/etc/os-release", O_RDONLY|O_CLOEXEC) = 3
4351 openat(AT_FDCWD, "/proc/kallsyms", O_RDONLY|O_CLOEXEC) = 3
4351 --- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=4351, si_uid=0} ---
4351 openat(AT_FDCWD, "/etc/localtime", O_RDONLY) = 3
4357 +++ exited with 1 +++
ebpfkit-monitor map --asset samples/kit
FATAL failed to run ebpfkit-monitor: couldn't parse asset samples/kit: load license: missing license section
Hi, I encountered this error when running the make command.
I'm suspecting it's because kconfig.h does not exist at /lib/modules, as stated in the system requirements.
But I'm not really sure how I can resolve this issue as I'm a new Linux user. I've checked that the linux-headers package is installed and that kconfig.h exists at /usr/src/linux-headers-4.19.0-20-common/include/linux. Does anyone have any idea how I can resolve this issue? Thanks in advance.
Hey, your tool looks quite awesome for the reverse engineering of malware that loads some BPF components via embedded ELF files, especially the graph command looks cool to get a quick overview!
I had some troubles getting it running though:
-fno-stack-protector
or --no-default-config
in the Makefile should fix it.
LoadCollectionSpecFromReader fails with FATAL[2023-02-19T11:22:56Z] failed to run ebpfkit-monitor: couldn't parse asset .output/minimal.bpf.o: load data sections: data section .bss: can't get contents: unexpected read from SHT_NOBITS section
key attribute, e.g., the bootstrap example from libbpf-bootstrap. Then the call to LoadCollectionSpecFromReader fails with FATAL[2023-02-19T12:42:21Z] failed to run ebpfkit-monitor: couldn't parse asset .output/bootstrap.bpf.o: load BTF maps: map rb: can't get BTF: map rb: missing 'key' in type
It looks like it's a problem in your dependencies, but I have no clue about "go" so I'm not sure how to update them or if there is a fix available.
Would be cool if you could take a look at that; please ask if you need further info.
Edit: I updated the dependencies with go list -u -m all && go get -u ./... && make, and both errors still persist.