src/ebpf/include/data/ring_buffer.h

#ifndef __RING_BUFFER_H
#define __RING_BUFFER_H

/*#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>*/
#include "headervmlinux.h"

#include <bpf/bpf_tracing.h>
#include <bpf/bpf_core_read.h>

#include "../../../common/map_common.h"

#define RING_BUFFER_MAX_ELEMS 256

/**
 * @brief Ring buffer for general communication kernel->userspace
 * 
 */
struct ring_buffer {
__uint(type, BPF_MAP_TYPE_RINGBUF);
__uint(max_entries, RING_BUFFER_MAX_ELEMS * 1024); //Multiple struct rb_event(s) must fit here
};
struct ring_buffer rb_comm SEC(".maps");

/**
 * @brief Sends an event into the specified ring kernel buffer
 * 
 * @return 0 if ok, -1 if error
 */
static __always_inline int ring_buffer_send(struct ring_buffer *rb, int pid, event_type_t event_type, int code, char* message, __u32 message_len){
    struct rb_event *event = (struct rb_event*) bpf_ringbuf_reserve(rb, sizeof(struct rb_event), 0);
    if(!event){
        return -1;
    }

    event->code = code;
    event->event_type = event_type;
    event->pid = pid;
    bpf_probe_read_kernel_str(&event->message, message_len, message);

	bpf_ringbuf_submit(event, 0);
    return 0;
}

/**
 * @brief Sends an event indicating a vulnerable syscall injection into the specified ring kernel buffer 
 * 
 * @return 0 if ok, -1 if error
 */
static __always_inline int ring_buffer_send_vuln_sys(struct ring_buffer *rb, int pid, __u64 syscall_address, __u64 process_stack_return_address, u64 libc_main_address, u64 libc_dlopen_mode_address, __u64 libc_malloc_address, __u64 got_address, int relro_active){
    struct rb_event *event = (struct rb_event*) bpf_ringbuf_reserve(rb, sizeof(struct rb_event), 0);
    if(!event){
        return -1;
    }

    event->event_type = VULN_SYSCALL;
    event->pid = pid;
    event->libc_dlopen_mode_address = libc_dlopen_mode_address;
    event->libc_main_address = libc_main_address;
    event->libc_malloc_address = libc_malloc_address;
    event->process_stack_return_address = process_stack_return_address;
    event->syscall_address = syscall_address;
    event->got_address = got_address;
    event->relro_active = relro_active;

	bpf_ringbuf_submit(event, 0);
    return 0;
}
    

#endif
Modularized the communication buffers 2021-12-30 12:48:45 -05:00			`#ifndef __RING_BUFFER_H`
			`#define __RING_BUFFER_H`

Fixed the whole header setup, now correctly using the kernel headers instead of normal development ones. Ready to go on with original plan of file system hooking 2022-01-06 13:31:52 -05:00			`/*#include <linux/bpf.h>`
			`#include <bpf/bpf_helpers.h>*/`
Added new kprobe to the filesystem ebpf section. Now receiving read events, and storing them in a map for later use, along with a reference to the user-space memory buffer 2022-01-14 21:18:51 -05:00			`#include "headervmlinux.h"`
Fixed the whole header setup, now correctly using the kernel headers instead of normal development ones. Ready to go on with original plan of file system hooking 2022-01-06 13:31:52 -05:00
Modularized the communication buffers 2021-12-30 12:48:45 -05:00			`#include <bpf/bpf_tracing.h>`
			`#include <bpf/bpf_core_read.h>`

Added new kprobe to the filesystem ebpf section. Now receiving read events, and storing them in a map for later use, along with a reference to the user-space memory buffer 2022-01-14 21:18:51 -05:00			`#include "../../../common/map_common.h"`
Modularized the communication buffers 2021-12-30 12:48:45 -05:00
			`#define RING_BUFFER_MAX_ELEMS 256`

			`/**`
			`* @brief Ring buffer for general communication kernel->userspace`
			`*`
			`*/`
			`struct ring_buffer {`
			`__uint(type, BPF_MAP_TYPE_RINGBUF);`
			`__uint(max_entries, RING_BUFFER_MAX_ELEMS * 1024); //Multiple struct rb_event(s) must fit here`
			`};`
			`struct ring_buffer rb_comm SEC(".maps");`

			`/**`
			`* @brief Sends an event into the specified ring kernel buffer`
			`*`
			`* @return 0 if ok, -1 if error`
			`*/`
Modularized the ebpf program loading and attaching. 2021-12-30 21:09:26 -05:00			`static __always_inline int ring_buffer_send(struct ring_buffer rb, int pid, event_type_t event_type, int code, char message, __u32 message_len){`
Modularized the communication buffers 2021-12-30 12:48:45 -05:00			`struct rb_event event = (struct rb_event) bpf_ringbuf_reserve(rb, sizeof(struct rb_event), 0);`
			`if(!event){`
			`return -1;`
			`}`

			`event->code = code;`
			`event->event_type = event_type;`
			`event->pid = pid;`
Modularized the ebpf program loading and attaching. 2021-12-30 21:09:26 -05:00			`bpf_probe_read_kernel_str(&event->message, message_len, message);`
Modularized the communication buffers 2021-12-30 12:48:45 -05:00
			`bpf_ringbuf_submit(event, 0);`
			`return 0;`
			`}`
Finished injection module at userspace using /proc/<pid>/maps, enables to overwrite the GOT section with RELRO activated 2022-04-07 07:11:28 -04:00
			`/**`
			`* @brief Sends an event indicating a vulnerable syscall injection into the specified ring kernel buffer`
			`*`
			`* @return 0 if ok, -1 if error`
			`*/`
			`static __always_inline int ring_buffer_send_vuln_sys(struct ring_buffer *rb, int pid, __u64 syscall_address, __u64 process_stack_return_address, u64 libc_main_address, u64 libc_dlopen_mode_address, __u64 libc_malloc_address, __u64 got_address, int relro_active){`
			`struct rb_event event = (struct rb_event) bpf_ringbuf_reserve(rb, sizeof(struct rb_event), 0);`
			`if(!event){`
			`return -1;`
			`}`

			`event->event_type = VULN_SYSCALL;`
			`event->pid = pid;`
			`event->libc_dlopen_mode_address = libc_dlopen_mode_address;`
			`event->libc_main_address = libc_main_address;`
			`event->libc_malloc_address = libc_malloc_address;`
			`event->process_stack_return_address = process_stack_return_address;`
			`event->syscall_address = syscall_address;`
			`event->got_address = got_address;`
			`event->relro_active = relro_active;`

			`bpf_ringbuf_submit(event, 0);`
			`return 0;`
			`}`
Modularized the communication buffers 2021-12-30 12:48:45 -05:00



			`#endif`