[BUILD IS FAILING] Added file system hooks and other improvements. Uploading because of needing to backup
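--- a/src/ebpf/include/bpf/bpf_defs.h
+++ b/src/ebpf/include/bpf/bpf_defs.h
@@ -0,0 +1,9 @@
+#ifndef __BPF_DEFS_H
+#define __BPF_DEFS_H
+
+#define PT_REGS_PARM1(x) ((x)->rdi)
+#define PT_REGS_PARM2(x) ((x)->rsi)
+#define PT_REGS_PARM3(x) ((x)->rdx)
+#define PT_REGS_PARM4(x) ((x)->rcx)
+
+#endif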
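Review bot: bpf_defs.h redefines `PT_REGS_PARM1`..`PT_REGS_PARM4` with x86-64 register names, but fs.h in this same commit includes `<bpf/bpf_tracing.h>` (which defines those macros itself when `__TARGET_ARCH_x86` is set) before it includes `bpf_defs.h`, so a build with the target arch defined gets conflicting macro definitions, plausibly part of the failure the title admits. If these are meant as a fallback for builds without a target arch, guard them so they only apply when libbpf has not already provided them, i.e. wrap the four `#define` lines in `#ifndef PT_REGS_PARM1` / `#endif`, or drop the file and pass `-D__TARGET_ARCH_x86` to clang. The header should also state that it is x86-64-only, e.g. `/* x86-64 register mapping only; other arches come from bpf_tracing.h */`, since `rdi`/`rsi`/`rdx`/`rcx` are not members of `struct pt_regs` on arm64 and the file would fail there rather than degrade.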
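--- a/src/ebpf/include/bpf/fs.h
+++ b/src/ebpf/include/bpf/fs.h
@@ -0,0 +1,43 @@
+#ifndef __FS_H
+#define __FS_H
+
+#include <stdio.h>
+#include <linux/types.h>
+#include <unistd.h>
+#include <string.h>
+#include <linux/ptrace.h>
+
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include <bpf/bpf_core_read.h>
+
+#include "../../../common/constants.h"
+#include "../../../common/map_defs.h"
+#include "../data/ring_buffer.h"
+#include "bpf_defs.h"
+
+static __always_inline int kprobe__sys_read(struct pt_regs *ctx ,int fd ,char * buf){
+bpf_printk("Read a file");
+return 0;
+}
+
+SEC("kprobe/compat_sys_read")
+int __attribute__((always_inline)) kprobe__64_compat_sys_read(struct pt_regs *ctx) {
+struct pt_regs *rctx = ctx; if (!rctx) return 0;
+int fd = (int) PT_REGS_PARM1(ctx);
+char * buf = (char *) PT_REGS_PARM2(ctx);
+return kprobe__sys_read(ctx ,fd ,buf);
+}
+
+SEC("kprobe/sys_read")
+int kprobe__64_sys_read(struct pt_regs *ctx) {
+struct pt_regs *rctx = ctx;
+if (!rctx) return 0;
+int fd = (int) PT_REGS_PARM1(ctx);
+char * buf = (char *) PT_REGS_PARM2(ctx);
+return kprobe__sys_read(ctx ,fd ,buf);
+}
+
+
+#endif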
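Review bot: `kprobe__64_sys_read` casts `PT_REGS_PARM1(ctx)` to `int fd` and `PT_REGS_PARM2(ctx)` to the user buffer, but on x86-64 kernels built with syscall wrappers (4.17 and later) the probed entry point is `__x64_sys_read(struct pt_regs *regs)`, whose only argument is a pointer to the user-mode pt_regs, so `fd` would be the low 32 bits of that pointer and `buf` whatever happened to be in rsi; the same applies to `kprobe__64_compat_sys_read`. `SEC("kprobe/sys_read")` also names a symbol that such kernels no longer export, so attachment is likely to fail outright; if the bundled libbpf is recent enough, `SEC("ksyscall/read")` with `int BPF_KSYSCALL(kprobe__64_sys_read, unsigned int fd, char *buf)` resolves the arch prefix and unwraps the inner pt_regs, otherwise `PT_REGS_PARM1_CORE_SYSCALL(ctx)` from bpf_tracing.h does the unwrapping by hand. Independently, `buf` is a user pointer, so any future use inside `kprobe__sys_read` must go through `bpf_probe_read_user()` rather than a direct dereference; right now both `fd` and `buf` are unused there and only the `bpf_printk` executes, which the helper's signature does not make obvious. Finally `<stdio.h>`, `<unistd.h>` and `<string.h>` are userspace libc headers that do not belong in a BPF object compiled with `-target bpf` and may be another reason the build fails.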
@@ -1,5 +1,5 @@
|
||||
#ifndef __FS_H
|
||||
#define __FS_H
|
||||
#ifndef __SCHED_H
|
||||
#define __SCHED_H
|
||||
|
||||
#include <stdio.h>
|
||||
#include <linux/types.h>
|
||||
@@ -34,9 +34,9 @@ int handle_sched_process_exec(struct trace_event_raw_sched_process_exec *ctx){
|
||||
char message[] = "PROCESS ACTIVATED";
|
||||
|
||||
//Just deactivated for now, but working
|
||||
if(ring_buffer_send(&rb_comm, pid, INFO, 0, message, sizeof(message))<0){
|
||||
/*if(ring_buffer_send(&rb_comm, pid, INFO, 0, message, sizeof(message))<0){
|
||||
bpf_printk("ERROR printing in RB_COMM at fs module");
|
||||
}
|
||||
}*/
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||