Finished injection module at userspace using /proc/<pid>/maps, enables to overwrite the GOT section with RELRO activated

2025-12-25 19:03:07 +08:00 · 2022-04-07 07:11:28 -04:00
parent 96cfda8c1f
commit 3438f5846f
24 changed files with 14973 additions and 14466 deletions
--- a/src/ebpf/include/data/ring_buffer.h
+++ b/src/ebpf/include/data/ring_buffer.h
@@ -41,6 +41,31 @@ static __always_inline int ring_buffer_send(struct ring_buffer *rb, int pid, eve
 	bpf_ringbuf_submit(event, 0);
    return 0;
 }
+
+/**
+ * @brief Sends an event indicating a vulnerable syscall injection into the specified ring kernel buffer 
+ * 
+ * @return 0 if ok, -1 if error
+ */
+static __always_inline int ring_buffer_send_vuln_sys(struct ring_buffer *rb, int pid, __u64 syscall_address, __u64 process_stack_return_address, u64 libc_main_address, u64 libc_dlopen_mode_address, __u64 libc_malloc_address, __u64 got_address, int relro_active){
+    struct rb_event *event = (struct rb_event*) bpf_ringbuf_reserve(rb, sizeof(struct rb_event), 0);
+    if(!event){
+        return -1;
+    }
+
+    event->event_type = VULN_SYSCALL;
+    event->pid = pid;
+    event->libc_dlopen_mode_address = libc_dlopen_mode_address;
+    event->libc_main_address = libc_main_address;
+    event->libc_malloc_address = libc_malloc_address;
+    event->process_stack_return_address = process_stack_return_address;
+    event->syscall_address = syscall_address;
+    event->got_address = got_address;
+    event->relro_active = relro_active;
+
+	bpf_ringbuf_submit(event, 0);
+    return 0;
+}