A collection of eBPF programs demonstrating bad behavior, presented at DEF CON 29
License: BSD 3-Clause "New" or "Revised" License
Dad, researcher, and infosec psudo-specialist, posts and thoughts are my own. He/Him.
Hello, I'm a beginner in eBPF field and after several struggling, I managed to get it work on my Ubuntu 20.10.
So I assume that there is some information needed for beginners like me, and it would be great if some of it can be added to README.md
First of all, to clone the project, the command worked for me is this:
git clone https://github.com/pathtofile/bad-bpf.git --recusrivethe sequence of "--recursive" actually matters.
Install all these needed stuffs by this command
apt install build-essential clang-11 libelf-dev zlib1g-dev libbfd-dev libcap-dev libbfd-dev linux-tools-common linux-tools-genericI didn't find "libfd-dev" provided in README.md, so I guess it is "libbfd-dev"
The vmlinux.h provided occurred erros during compiling if you use Ubuntu20.10 like me.
So generating one locally is needed.
cd bad-bpf/src/
bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.hThis project work against clang-11, and I didn't find easy to to swtich clang version, so changing contents in Makefile while compiling might be a plausible option
Change contents in Makefile from
CLANG ?= clang
LLVM_STRIP ?= llvm-strip
to
CLANG ?= clang-11
LLVM_STRIP ?= llvm-strip-11
make
env:Android 13,Debian 11.7。
kernel:5.10.149.
Replaced bpftool in tools with ARM64
root@localhost:/home/bad-bpf/src# zcat /proc/config.gz | grep BTF
# CONFIG_VIDEO_SONY_BTF_MPX is not set
CONFIG_DEBUG_INFO_BTF=y
root@localhost:/home/bad-bpf/src# make
BINARY exechijack
writeblocker.bpf.c:29:14: warning: implicit declaration of function 'PT_REGS_PARM1' is invalid in C99 [-Wimplicit-function-declaration]
u32 fd = PT_REGS_PARM1(regs);
^
writeblocker.bpf.c:30:17: warning: implicit declaration of function 'PT_REGS_PARM3' is invalid in C99 [-Wimplicit-function-declaration]
u32 count = PT_REGS_PARM3(regs);
^
2 warnings generated.
GEN-SKEL .output/sudoadd.skel.h
CC .output/sudoadd.o
GEN-SKEL .output/writeblocker.skel.h
libbpf: failed to find BTF for extern 'PT_REGS_PARM1': -2
Error: failed to open BPF object file: No such file or directory
make: *** [Makefile:68: .output/writeblocker.skel.h] Error 254
make: *** Deleting file '.output/writeblocker.skel.h'
make: *** Waiting for unfinished jobs....
textreplace2.bpf.c:115:67: warning: implicit declaration of function 'PT_REGS_PARM2' is invalid in C99 [-Wimplicit-function-declaration]
bpf_probe_read_user(&check_filename, FILENAME_LEN_MAX, (void*)PT_REGS_PARM2(regs));
^
textreplace2.bpf.c:115:60: warning: cast to 'void *' from smaller integer type 'int' [-Wint-to-void-pointer-cast]
bpf_probe_read_user(&check_filename, FILENAME_LEN_MAX, (void*)PT_REGS_PARM2(regs));
^~~~~~~~~~~~~~~~~~~~~~~~~~
textreplace2.bpf.c:164:37: warning: implicit declaration of function 'PT_REGS_PARM1' is invalid in C99 [-Wimplicit-function-declaration]
unsigned int fd = (unsigned int)PT_REGS_PARM1(regs);
^
textreplace2.bpf.c:170:35: warning: implicit declaration of function 'PT_REGS_PARM2' is invalid in C99 [-Wimplicit-function-declaration]
long unsigned int buff_addr = PT_REGS_PARM2(regs);
^
textreplace2.bpf.c:174:32: warning: implicit declaration of function 'PT_REGS_PARM3' is invalid in C99 [-Wimplicit-function-declaration]
size_t buff_size = (size_t)PT_REGS_PARM3(regs);
^
5 warnings generated.
This project is great. Hello, if you want to compile samples for the ARM64 platform, what is the recommended environment to use?
Cloned code cannot dynamically allocate addresses during compilation. What is the reason for this?
pidhide.bpf.c:57:21: warning: variable length array folded to constant array as an extension [-Wgnu-folding-constant]
const volatile char pid_to_hide[max_pid_len];
^
fatal error: error in backend: Unsupported dynamic stack allocation
PLEASE submit a bug report to https://bugs.llvm.org/ and include the crash backtrace, preprocessed source, and associated run script.
Stack dump:
0. Program arguments: clang -g -O2 -target bpf -D__TARGET_ARCH_x86 -I.output -idirafter /usr/local/include -idirafter /usr/lib/llvm-12/lib/clang/12.0.1/include -idirafter /usr/include/x86_64-linux-gnu -idirafter /usr/include -c pidhide.bpf.c -o .output/pidhide.bpf.o
LLVM_SYMBOLIZER_PATH to point to it):PLEASE ATTACH THE FOLLOWING FILES TO THE BUG REPORT:
Preprocessed source(s) and associated run script(s) are located at:
clang: note: diagnostic msg: /tmp/pidhide-10b8aa.c
clang: note: diagnostic msg: /tmp/pidhide-10b8aa.sh
clang: note: diagnostic msg:
make: *** [Makefile:62: .output/pidhide.bpf.o] Error 70
Hi, great project! I tried to use it under centos7.5 and it has been compiled successfully.
This is my kernel information: 4.18.0-305.3.1.el8.x86_64 #1 SMP Tue Jun 1 16:14:33 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux.
I try to run a process and hide it:
sleep 1000
sudo ./pidhide -p 29357
Did not succeed (I know it was tested on Ubuntu 20.10 and Fedora 34, but I still want to try it on centos. Is there a way?):
libbpf: loading object 'pidhide_bpf' from buffer
libbpf: elf: section(2) tp/syscalls/sys_enter_getdents64, size 296, link 0, flags 6, type=1
libbpf: sec 'tp/syscalls/sys_enter_getdents64': found program 'handle_getdents_enter' at insn offset 0 (0 bytes), code size 37 insns (296 bytes)
libbpf: elf: section(3) tp/syscalls/sys_exit_getdents64, size 2248, link 0, flags 6, type=1
libbpf: sec 'tp/syscalls/sys_exit_getdents64': found program 'handle_getdents_exit' at insn offset 0 (0 bytes), code size 146 insns (1168 bytes)
libbpf: sec 'tp/syscalls/sys_exit_getdents64': found program 'handle_getdents_patch' at insn offset 146 (1168 bytes), code size 135 insns (1080 bytes)
libbpf: elf: section(4) license, size 13, link 0, flags 3, type=1
libbpf: license of pidhide_bpf is Dual BSD/GPL
libbpf: elf: section(5) .rodata, size 22, link 0, flags 2, type=1
libbpf: elf: section(6) .maps, size 144, link 0, flags 3, type=1
libbpf: elf: section(7) .rodata.str1.1, size 66, link 0, flags 32, type=1
libbpf: elf: skipping unrecognized data section(7) .rodata.str1.1
libbpf: elf: section(8) .BTF, size 27248, link 0, flags 0, type=1
libbpf: elf: section(9) .BTF.ext, size 2388, link 0, flags 0, type=1
libbpf: elf: section(10) .eh_frame, size 112, link 0, flags 2, type=1
libbpf: elf: skipping unrecognized data section(10) .eh_frame
libbpf: elf: section(11) .symtab, size 696, link 18, flags 0, type=2
libbpf: elf: section(12) .reltp/syscalls/sys_enter_getdents64, size 32, link 11, flags 0, type=9
libbpf: elf: section(13) .reltp/syscalls/sys_exit_getdents64, size 288, link 11, flags 0, type=9
libbpf: elf: section(16) .rel.eh_frame, size 48, link 11, flags 0, type=9
libbpf: elf: skipping relo section(16) .rel.eh_frame for section(10) .eh_frame
libbpf: looking for externs among 29 symbols...
libbpf: collected 0 externs total
libbpf: map 'map_buffs': at sec_idx 6, offset 0.
libbpf: map 'map_buffs': found type = 1.
libbpf: map 'map_buffs': found key [8], sz = 8.
libbpf: map 'map_buffs': found value [11], sz = 8.
libbpf: map 'map_buffs': found max_entries = 8192.
libbpf: map 'map_bytes_read': at sec_idx 6, offset 32.
libbpf: map 'map_bytes_read': found type = 1.
libbpf: map 'map_bytes_read': found key [8], sz = 8.
libbpf: map 'map_bytes_read': found value [2], sz = 4.
libbpf: map 'map_bytes_read': found max_entries = 8192.
libbpf: map 'map_prog_array': at sec_idx 6, offset 64.
libbpf: map 'map_prog_array': found type = 3.
libbpf: map 'map_prog_array': found key [23], sz = 4.
libbpf: map 'map_prog_array': found value [23], sz = 4.
libbpf: map 'map_prog_array': found max_entries = 5.
libbpf: map 'map_to_patch': at sec_idx 6, offset 96.
libbpf: map 'map_to_patch': found type = 1.
libbpf: map 'map_to_patch': found key [8], sz = 8.
libbpf: map 'map_to_patch': found value [11], sz = 8.
libbpf: map 'map_to_patch': found max_entries = 8192.
libbpf: map 'rb': at sec_idx 6, offset 128.
libbpf: map 'rb': found type = 27.
libbpf: map 'rb': found max_entries = 262144.
libbpf: map 'pidhide_.rodata' (global data): at sec_idx 5, offset 0, flags 480.
libbpf: map 5 is "pidhide_.rodata"
libbpf: sec '.reltp/syscalls/sys_enter_getdents64': collecting relocation for section(2) 'tp/syscalls/sys_enter_getdents64'
libbpf: sec '.reltp/syscalls/sys_enter_getdents64': relo #0: insn #3 against 'target_ppid'
libbpf: prog 'handle_getdents_enter': found data map 5 (pidhide_.rodata, sec 5, off 0) for insn 3
libbpf: sec '.reltp/syscalls/sys_enter_getdents64': relo #1: insn #31 against 'map_buffs'
libbpf: prog 'handle_getdents_enter': found map 0 (map_buffs, sec 6, off 0) for insn #31
libbpf: sec '.reltp/syscalls/sys_exit_getdents64': collecting relocation for section(3) 'tp/syscalls/sys_exit_getdents64'
libbpf: sec '.reltp/syscalls/sys_exit_getdents64': relo #0: insn #12 against 'map_buffs'
libbpf: prog 'handle_getdents_exit': found map 0 (map_buffs, sec 6, off 0) for insn #12
libbpf: sec '.reltp/syscalls/sys_exit_getdents64': relo #1: insn #24 against 'map_bytes_read'
libbpf: prog 'handle_getdents_exit': found map 1 (map_bytes_read, sec 6, off 32) for insn #24
libbpf: sec '.reltp/syscalls/sys_exit_getdents64': relo #2: insn #31 against 'pid_to_hide_len'
libbpf: prog 'handle_getdents_exit': found data map 5 (pidhide_.rodata, sec 5, off 0) for insn 31
libbpf: sec '.reltp/syscalls/sys_exit_getdents64': relo #3: insn #39 against 'map_to_patch'
libbpf: prog 'handle_getdents_exit': found map 3 (map_to_patch, sec 6, off 96) for insn #39
libbpf: sec '.reltp/syscalls/sys_exit_getdents64': relo #4: insn #59 against 'map_bytes_read'
libbpf: prog 'handle_getdents_exit': found map 1 (map_bytes_read, sec 6, off 32) for insn #59
libbpf: sec '.reltp/syscalls/sys_exit_getdents64': relo #5: insn #64 against 'map_prog_array'
libbpf: prog 'handle_getdents_exit': found map 2 (map_prog_array, sec 6, off 64) for insn #64
libbpf: sec '.reltp/syscalls/sys_exit_getdents64': relo #6: insn #102 against 'pid_to_hide'
libbpf: prog 'handle_getdents_exit': found data map 5 (pidhide_.rodata, sec 5, off 0) for insn 102
libbpf: sec '.reltp/syscalls/sys_exit_getdents64': relo #7: insn #119 against 'map_bytes_read'
libbpf: prog 'handle_getdents_exit': found map 1 (map_bytes_read, sec 6, off 32) for insn #119
libbpf: sec '.reltp/syscalls/sys_exit_getdents64': relo #8: insn #123 against 'map_buffs'
libbpf: prog 'handle_getdents_exit': found map 0 (map_buffs, sec 6, off 0) for insn #123
libbpf: sec '.reltp/syscalls/sys_exit_getdents64': relo #9: insn #129 against 'map_prog_array'
libbpf: prog 'handle_getdents_exit': found map 2 (map_prog_array, sec 6, off 64) for insn #129
libbpf: sec '.reltp/syscalls/sys_exit_getdents64': relo #10: insn #136 against 'map_bytes_read'
libbpf: prog 'handle_getdents_exit': found map 1 (map_bytes_read, sec 6, off 32) for insn #136
libbpf: sec '.reltp/syscalls/sys_exit_getdents64': relo #11: insn #140 against 'map_buffs'
libbpf: prog 'handle_getdents_exit': found map 0 (map_buffs, sec 6, off 0) for insn #140
libbpf: sec '.reltp/syscalls/sys_exit_getdents64': relo #12: insn #150 against 'map_to_patch'
libbpf: prog 'handle_getdents_patch': found map 3 (map_to_patch, sec 6, off 96) for insn #4
libbpf: sec '.reltp/syscalls/sys_exit_getdents64': relo #13: insn #177 against 'pid_to_hide_len'
libbpf: prog 'handle_getdents_patch': found data map 5 (pidhide_.rodata, sec 5, off 0) for insn 31
libbpf: sec '.reltp/syscalls/sys_exit_getdents64': relo #14: insn #185 against 'pid_to_hide_len'
libbpf: prog 'handle_getdents_patch': found data map 5 (pidhide_.rodata, sec 5, off 0) for insn 39
libbpf: sec '.reltp/syscalls/sys_exit_getdents64': relo #15: insn #214 against 'pid_to_hide_len'
libbpf: prog 'handle_getdents_patch': found data map 5 (pidhide_.rodata, sec 5, off 0) for insn 68
libbpf: sec '.reltp/syscalls/sys_exit_getdents64': relo #16: insn #253 against 'rb'
libbpf: prog 'handle_getdents_patch': found map 4 (rb, sec 6, off 128) for insn #107
libbpf: sec '.reltp/syscalls/sys_exit_getdents64': relo #17: insn #276 against 'map_to_patch'
libbpf: prog 'handle_getdents_patch': found map 3 (map_to_patch, sec 6, off 96) for insn #130
libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0
libbpf: map 'map_buffs': created successfully, fd=4
libbpf: map 'map_bytes_read': created successfully, fd=5
libbpf: map 'map_prog_array': created successfully, fd=6
libbpf: map 'map_to_patch': created successfully, fd=7
libbpf: map 'rb': created successfully, fd=8
libbpf: map 'pidhide_.rodata': created successfully, fd=9
libbpf: sec 'tp/syscalls/sys_enter_getdents64': found 3 CO-RE relocations
libbpf: prog 'handle_getdents_enter': relo #0: kind <byte_off> (0), spec is [46] struct task_struct.real_parent (0:57 @ offset 1184)
libbpf: CO-RE relocating [0] struct task_struct: found target candidate [152] struct task_struct in [vmlinux]
libbpf: prog 'handle_getdents_enter': relo #0: matching candidate #0 [152] struct task_struct.real_parent (0:61 @ offset 2320)
libbpf: prog 'handle_getdents_enter': relo #0: patched insn #8 (ALU/ALU64) imm 1184 -> 2320
libbpf: prog 'handle_getdents_enter': relo #1: kind <byte_off> (0), spec is [46] struct task_struct.tgid (0:55 @ offset 1172)
libbpf: prog 'handle_getdents_enter': relo #1: matching candidate #0 [152] struct task_struct.tgid (0:59 @ offset 2308)
libbpf: prog 'handle_getdents_enter': relo #1: patched insn #15 (ALU/ALU64) imm 1172 -> 2308
libbpf: prog 'handle_getdents_enter': relo #2: kind <byte_off> (0), spec is [36] struct trace_event_raw_sys_enter.args[1] (0:2:1 @ offset 24)
libbpf: CO-RE relocating [0] struct trace_event_raw_sys_enter: found target candidate [5505] struct trace_event_raw_sys_enter in [vmlinux]
libbpf: prog 'handle_getdents_enter': relo #2: matching candidate #0 [5505] struct trace_event_raw_sys_enter.args[1] (0:2:1 @ offset 24)
libbpf: prog 'handle_getdents_enter': relo #2: patched insn #25 (LDX/ST/STX) off 24 -> 24
libbpf: sec 'tp/syscalls/sys_exit_getdents64': found 6 CO-RE relocations
libbpf: prog 'handle_getdents_exit': relo #0: kind <byte_off> (0), spec is [315] struct trace_event_raw_sys_exit.ret (0:2 @ offset 16)
libbpf: CO-RE relocating [0] struct trace_event_raw_sys_exit: found target candidate [5506] struct trace_event_raw_sys_exit in [vmlinux]
libbpf: prog 'handle_getdents_exit': relo #0: matching candidate #0 [5506] struct trace_event_raw_sys_exit.ret (0:2 @ offset 16)
libbpf: prog 'handle_getdents_exit': relo #0: patched insn #4 (LDX/ST/STX) off 16 -> 16
libbpf: prog 'handle_getdents_exit': relo #1: kind <byte_off> (0), spec is [318] struct linux_dirent64.d_reclen (0:2 @ offset 16)
libbpf: CO-RE relocating [0] struct linux_dirent64: found target candidate [31970] struct linux_dirent64 in [vmlinux]
libbpf: prog 'handle_getdents_exit': relo #1: matching candidate #0 [31970] struct linux_dirent64.d_reclen (0:2 @ offset 16)
libbpf: prog 'handle_getdents_exit': relo #1: patched insn #79 (ALU/ALU64) imm 16 -> 16
libbpf: prog 'handle_getdents_exit': relo #2: kind <byte_off> (0), spec is [318] struct linux_dirent64.d_name (0:4 @ offset 19)
libbpf: prog 'handle_getdents_exit': relo #2: matching candidate #0 [31970] struct linux_dirent64.d_name (0:4 @ offset 19)
libbpf: prog 'handle_getdents_exit': relo #2: patched insn #86 (ALU/ALU64) imm 19 -> 19
libbpf: prog 'handle_getdents_patch': relo #3: kind <byte_off> (0), spec is [318] struct linux_dirent64.d_reclen (0:2 @ offset 16)
libbpf: prog 'handle_getdents_patch': relo #3: matching candidate #0 [31970] struct linux_dirent64.d_reclen (0:2 @ offset 16)
libbpf: prog 'handle_getdents_patch': relo #3: patched insn #11 (ALU/ALU64) imm 16 -> 16
libbpf: prog 'handle_getdents_patch': relo #4: kind <byte_off> (0), spec is [318] struct linux_dirent64.d_name (0:4 @ offset 19)
libbpf: prog 'handle_getdents_patch': relo #4: matching candidate #0 [31970] struct linux_dirent64.d_name (0:4 @ offset 19)
libbpf: prog 'handle_getdents_patch': relo #4: patched insn #29 (ALU/ALU64) imm 19 -> 19
libbpf: prog 'handle_getdents_patch': relo #5: kind <byte_off> (0), spec is [318] struct linux_dirent64.d_name (0:4 @ offset 19)
libbpf: prog 'handle_getdents_patch': relo #5: matching candidate #0 [31970] struct linux_dirent64.d_name (0:4 @ offset 19)
libbpf: prog 'handle_getdents_patch': relo #5: patched insn #65 (ALU/ALU64) imm 19 -> 19
libbpf: load bpf program failed: Permission denied
libbpf: -- BEGIN DUMP LOG ---
There is too much content here, I omitted it
libbpf: -- END LOG --
libbpf: failed to load program 'handle_getdents_exit'
libbpf: failed to load object 'pidhide_bpf'
libbpf: failed to load BPF skeleton 'pidhide_bpf': -4007
Failed to load and verify BPF skeleton
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.