gui774ume / ebpfkit
ebpfkit is a rootkit powered by eBPF
License: Apache License 2.0
I have installed everything successfully without any errors, but I still get this when I run it:
GET /get_net_dis HTTP/1.1
Host: localhost:8000
User-Agent: 0000_______________________________________________________________________________________________________________________________________________________________
_______________________________________________________________________________________________________________________________________________________________________________
__________________________________________________________________________________________________________________________________________________________________
2021/12/15 10:57:03 127.0.0.1:60878 - GET /get_net_dis - 404
DEBUG[2021-12-15T10:57:03Z]
GET /get_fswatch HTTP/1.1
Host: localhost:8000
User-Agent: 0/ebpfkit/network_discovery#_______________________________________________________________________________________________________________________________________
_______________________________________________________________________________________________________________________________________________________________________________
__________________________________________________________________________________________________________________________________________________________________
2021/12/15 10:57:03 127.0.0.1:60878 - GET /get_fswatch - 404
panic: runtime error: index out of range [32] with length 10
goroutine 1 [running]:
github.com/Gui774ume/ebpfkit/cmd/ebpfkit-client/run/network_discovery.parseNetworkDiscoveryOutput(0xc000172000, 0xa, 0x200, 0x21, 0xc000169200, 0x1f4, 0xc000172000)
/home/yasindce1998/ebpfkit/cmd/ebpfkit-client/run/network_discovery/get.go:61 +0x983
github.com/Gui774ume/ebpfkit/cmd/ebpfkit-client/run/network_discovery.SendGetNetworkDiscoveryRequest(0x84090e, 0x15, 0xc000040000, 0x0, 0x0)
/home/yasindce1998/ebpfkit/cmd/ebpfkit-client/run/network_discovery/get.go:109 +0x1e0
github.com/Gui774ume/ebpfkit/cmd/ebpfkit-client/run.getNetworkDiscoveryCmd(0xb57b40, 0xc0000864c0, 0x0, 0x2, 0x0, 0x0)
/home/yasindce1998/ebpfkit/cmd/ebpfkit-client/run/ebpfkit-client.go:164 +0x5f
github.com/spf13/cobra.(*Command).execute(0xb57b40, 0xc0000864a0, 0x2, 0x2, 0xb57b40, 0xc0000864a0)
/home/yasindce1998/go/pkg/mod/github.com/spf13/[email protected]/command.go:850 +0x460
github.com/spf13/cobra.(*Command).ExecuteC(0xb58080, 0x8c86c0, 0xc000094480, 0xc000068058)
/home/yasindce1998/go/pkg/mod/github.com/spf13/[email protected]/command.go:958 +0x349
github.com/spf13/cobra.(*Command).Execute(...)
/home/yasindce1998/go/pkg/mod/github.com/spf13/[email protected]/command.go:895
main.main()
/home/yasindce1998/ebpfkit/cmd/ebpfkit-client/main.go:31 +0x8c
It would be better if you could give me some explanation of what's going on.
Thank you
Hello, nice rootkit!
I built it successfully on my env:
But when I run ./ebpfkit, it exits with an error:
➜ ./ebpfkit
Error: couldn't start: couldn't start main manager: couldn't init main manager: couldn't load eBPF programs: program xdp/ingress/syn_loop: can't load program: invalid argument: 0: (bf) r6 = r1
1: (b7) r9 = 2
2: (61) r1 = *(u32 *)(r6 +4)
3: (61) r8 = *(u32 *)(r6 +0)
4: (bf) r2 = r8
5: (07) r2 += 14
6: (2d) if r2 > r1 goto pc+358
R1_w=pkt_end(id=0,off=0,imm=0) R2_w=pkt(id=0,off=14,r=14,imm=0) R6_w=ctx(id=0,off=0,imm=0) R8_w=pkt(id=0,off=0,r=14,imm=0) R9_w=inv2 R10=fp0
7: (15) if r8 == 0x0 goto pc+357
R1_w=pkt_end(id=0,off=0,imm=0) R2_w=pkt(id=0,off=14,r=14,imm=0) R6_w=ctx(id=0,off=0,imm=0) R8_w=pkt(id=0,off=0,r=14,imm=0) R9_w=inv2 R10=fp0
8: (71) r3 = *(u8 *)(r8 +12)
9: (71) r4 = *(u8 *)(r8 +13)
10: (67) r4 <<= 8
11: (4f) r4 |= r3
12: (55) if r4 != 0x8 goto pc+352
R1=pkt_end(id=0,off=0,imm=0) R2=pkt(id=0,off=14,r=14,imm=0) R3=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R4=inv8 R6=ctx(id=0,off=0,imm=0) R8=pkt(id=0,off=0,r=14,imm=0) R9=inv2 R10=fp0
13: (bf) r7 = r8
14: (07) r7 += 34
15: (2d) if r7 > r1 goto pc+349
R1=pkt_end(id=0,off=0,imm=0) R2=pkt(id=0,off=14,r=34,imm=0) R3=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R4=inv8
......
Usage:
ebpfkit [flags]
Flags:
--append (file override feature only) when set, the content of the source file will be appended to the content of the target file
--comm string (file override feature only) comm of the process for which the file override should apply
--disable-bpf-obfuscation when set, ebpfkit will not hide itself from the bpf syscall
--disable-network-probes when set, ebpfkit will not try to load its network related probes
--docker string path to the Docker daemon executable (default "/usr/bin/dockerd")
-e, --egress string egress interface name (default "enp0s3")
-h, --help help for ebpfkit
-i, --ingress string ingress interface name (default "enp0s3")
-l, --log-level string log level, options: panic, fatal, error, warn, info, debug or trace (default "info")
--postgres string path to the Postgres daemon executable (default "/usr/lib/postgresql/12/bin/postgres")
--src string (file override feature only) source file which content will be used to override the content of the target file
--target string (file override feature only) target file to override
-p, --target-http-server-port int Target HTTP server port used for Command and Control (default 8000)
--webapp-rasp string path to the webapp on which the RASP is installed
Have you come across such issues? Any helpful suggestions? Thanks : )
What license do I have to use?
yasindce1998@ubuntu-focal:~/ebpfkit$ sudo ./bin/ebpfkit -l info
Error: couldn't start: couldn't init bootstrap manager: load license: missing license section
Usage:
ebpfkit [flags]
Flags:
--append (file override feature only) when set, the content of the source file will be appended to the content of the target file
--comm string (file override feature only) comm of the process for which the file override should apply
--disable-bpf-obfuscation when set, ebpfkit will not hide itself from the bpf syscall
--disable-network-probes when set, ebpfkit will not try to load its network related probes
--docker string path to the Docker daemon executable (default "/usr/bin/dockerd")
-e, --egress string egress interface name (default "enp0s3")
-h, --help help for ebpfkit
-i, --ingress string ingress interface name (default "enp0s3")
-l, --log-level string log level, options: panic, fatal, error, warn, info, debug or trace (default "info")
--postgres string path to the Postgres daemon executable (default "/usr/lib/postgresql/12/bin/postgres")
--src string (file override feature only) source file which content will be used to override the content of the target file
--target string (file override feature only) target file to override
-p, --target-http-server-port int Target HTTP server port used for Command and Control (default 8000)
--webapp-rasp string path to the webapp on which the RASP is installed
Surprising ideas! I have a question. General rootkits can hide specific processes and prevent them from being detected by commands such as ps. Is this possible for ebpfkit?
#7 hello, I have tried lo, eth0 and enp0s3 as my VM's interface, but it didn't work.
My host env config:
## host kernel version
Linux VirtualBox 5.4.0-110-generic #124-Ubuntu SMP Thu Apr 14 19:46:19 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
## my kernel with bpf compile config
$ cat /boot/config-$(uname -r) |grep bpf
CONFIG_CGROUP_BPF=y
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
CONFIG_IPV6_SEG6_BPF=y
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_BPFILTER=y
CONFIG_BPFILTER_UMH=m
CONFIG_NET_CLS_BPF=m
CONFIG_NET_ACT_BPF=m
CONFIG_BPF_JIT=y
CONFIG_BPF_STREAM_PARSER=y
CONFIG_LWTUNNEL_BPF=y
CONFIG_HAVE_EBPF_JIT=y
CONFIG_BPF_EVENTS=y
CONFIG_BPF_KPROBE_OVERRIDE=y
CONFIG_TEST_BPF=m
And these are the interfaces on the host and in the Docker container I used.
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.2.15 netmask 255.255.255.0 broadcast 10.0.2.255
inet6 fe80::1ad6:b997:5c8c:d269 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:ac:19:0b txqueuelen 1000 (Ethernet)
RX packets 15027 bytes 18707045 (18.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8244 bytes 557794 (557.7 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
The command and error when I run ebpfkit are as follows.
root@service:/data/ebpfkit/bin# ./ebpfkit -i enp0s3 -e enp0s3
Error: couldn't start: couldn't start main manager: couldn't start main manager: probes activation validation failed: 2 errors occurred:
* {UID:egress Section:classifier/egress}: couldn't add a "clsact" qdisc to interface 2: netlink receive: no such file or directory
* {UID:lo Section:classifier/egress}: couldn't add a "clsact" qdisc to interface 1: netlink receive: no such file or directory
Any helpful suggestions? Thanks : )
And can you tell me which kernel version and bpf compile config you used?
Hello, I'm trying to run the ebpfkit rootkit with the exploit effect described in the Black Hat 2021 talk: container breakout 1: escaping through a pipe.
The environment configuration:
But when I run ebpfkit, I get the error:
Error: couldn't start: couldn't start main manager: couldn't start main manager: probes activation validation failed: 2 errors occurred:
* {UID:egress Section:classifier/egress}: couldn't add a "clsact" qdisc to interface 2: netlink receive: no such file or directory
* {UID:lo Section:classifier/egress}: couldn't add a "clsact" qdisc to interface 1: netlink receive: no such file or directory
Have you come across such issues? Any helpful suggestions? Thanks : )