
edriver: issue 82 fix
chriskaliX committed Nov 28, 2024
1 parent 4c067b6 commit 788c330
Showing 34 changed files with 189 additions and 161 deletions.
2 changes: 1 addition & 1 deletion plugins/edriver-rust/src/process/process.rs
Expand Up @@ -17,4 +17,4 @@ impl ProcessInfo {
pub fn read_cmdline(&mut self) -> Option<String> {
format!("/proc/{}/cmdline", self::pid);
}
}
}
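Review bot: `format!("/proc/{}/cmdline", self::pid);` in read_cmdline builds a string and discards it, so a function declared `-> Option<String>` has nothing to return, and `self::pid` is a module path rather than the field access `self.pid`. Which of these five lines the commit actually touches is not recoverable from the rendered hunk, but the body as shown is a type error either way. If `pid` is a field of ProcessInfo, a minimal body that matches the name is `std::fs::read_to_string(format!("/proc/{}/cmdline", self.pid)).ok()`, after which the `&mut self` receiver is also unnecessary.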
22 changes: 20 additions & 2 deletions plugins/edriver/bpf/include/hades_net.h
Expand Up @@ -174,7 +174,16 @@ int BPF_KPROBE(kprobe_udp_recvmsg)
// https://github.com/trichimtrich/dns-tcp-ebpf, they judge by the
// (type != ITER_IOVEC). But just as I said, be careful about the name of
// `type` or `iter_type`
struct iovec *iov = NULL;
#if CORE
if (bpf_core_field_exists(msg->msg_iter.__iov))
iov = (struct iovec *)READ_KERN(msg->msg_iter.__iov);
else if (bpf_core_field_exists(msg->msg_iter.iov))
iov = (struct iovec *)READ_KERN(msg->msg_iter.iov);
#else
// TODO: need to add kernel version check here
struct iovec *iov = (struct iovec *)READ_KERN(msg->msg_iter.iov);
#endif
if (iov == NULL)
return 0;
unsigned long iov_len = READ_KERN(iov->iov_len);
Expand Down Expand Up @@ -225,14 +234,23 @@ int BPF_KRETPROBE(kretprobe_udp_recvmsg, long retval)
// By the way this struct(msghdr) is defined in socket.h
struct msghdr *msg = dns_context->msg;
// Check the msghdr length
// issue #39 BUG fix:
// due to wrong usage of READ_KERN
// issue #39 BUG fix: due to wrong usage of READ_KERN
int ret = 0;
struct iov_iter msg_iter = {};
struct iovec iov;

msg_iter = READ_KERN(msg->msg_iter);

#if CORE
if (bpf_core_field_exists(msg_iter.__iov))
ret = bpf_probe_read(&iov, sizeof(iov), msg_iter.__iov);
else if (bpf_core_field_exists(msg_iter.iov))
ret = bpf_probe_read(&iov, sizeof(iov), msg_iter.iov);
#else
// TODO: need to add kernel version check here
ret = bpf_probe_read(&iov, sizeof(iov), msg_iter.iov);
#endif

if (ret != 0)
goto delete;
unsigned long iov_len = iov.iov_len;
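Review bot: In non-CORE builds the kprobe hunk now declares `struct iovec *iov` twice in one scope — `struct iovec *iov = NULL;` before the `#if CORE` and again inside `#else` as `struct iovec *iov = (struct iovec *)READ_KERN(msg->msg_iter.iov);` — which is a redefinition error; the `#else` line should be the bare assignment `iov = (struct iovec *)READ_KERN(msg->msg_iter.iov);`. The same redeclaration recurs in the hades_rootkit.h `#else` branch for `iterate_addr`. In the kretprobe hunk, when neither `msg_iter.__iov` nor `msg_iter.iov` exists under `#if CORE`, `ret` keeps its initial 0, so `if (ret != 0) goto delete;` does not fire and `iov.iov_len` is read from a local `iov` that no bpf_probe_read ever filled; initialising `int ret = -1;` (every read path overwrites it) closes that gap, and the verifier would presumably reject the uninitialised stack read otherwise. Both probe bodies start and end outside their hunks.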
11 changes: 10 additions & 1 deletion plugins/edriver/bpf/include/hades_rootkit.h
Expand Up @@ -493,8 +493,16 @@ int BPF_KPROBE(kprobe_security_file_permission)

// kernel version 4.10 iterate_shared
unsigned long iterate_shared_addr = (unsigned long) READ_KERN(fops->iterate_shared);
unsigned long iterate_addr = 0;

#if CORE
if (bpf_core_field_exists(fops->iterate))
unsigned long iterate_addr = (unsigned long) READ_KERN(fops->iterate);
#else
// TODO: need to add kernel version check here
unsigned long iterate_addr = (unsigned long) READ_KERN(fops->iterate);

#endif

if (iterate_shared_addr == 0 && iterate_addr == 0)
return 0;

Expand All @@ -518,6 +526,7 @@ int BPF_KPROBE(kprobe_security_file_permission)
return 0;
}
}

if (iterate_addr > 0) {
if (iterate_addr >= *stext && iterate_addr <= *etext) {
return 0;
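Review bot: Under `#if CORE` the line `unsigned long iterate_addr = (unsigned long) READ_KERN(fops->iterate);` is the body of the braceless `if (bpf_core_field_exists(fops->iterate))`, and a declaration is not a valid statement in that position; even where a compiler tolerates it, it introduces a new `iterate_addr` that shadows the `unsigned long iterate_addr = 0;` above, so the outer variable stays 0 and the `if (iterate_addr > 0)` check in the second hunk is never taken for CORE builds. The `#else` branch declares the same name a second time in the same scope. Both lines should assign instead: `iterate_addr = (unsigned long) READ_KERN(fops->iterate);`. kprobe_security_file_permission starts before the hunk and continues past it.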
64 changes: 33 additions & 31 deletions plugins/edriver/go.mod
Expand Up @@ -2,61 +2,63 @@ module hades-ebpf

replace github.com/chriskaliX/SDK => ../../SDK/go

go 1.18
go 1.22.0

toolchain go1.22.2

require (
github.com/aquasecurity/libbpfgo/helpers v0.4.5
github.com/bytedance/sonic v1.9.2
github.com/bytedance/sonic v1.12.5
github.com/chriskaliX/SDK v1.0.0
github.com/cilium/ebpf v0.11.0
github.com/ehids/ebpfmanager v0.4.0
github.com/cilium/ebpf v0.16.0
github.com/gojue/ebpfmanager v0.4.6
github.com/mitchellh/hashstructure/v2 v2.0.2
github.com/robfig/cron/v3 v3.0.1
github.com/shirou/gopsutil v3.21.11+incompatible
github.com/spf13/cobra v1.7.0
github.com/stretchr/testify v1.8.1
go.uber.org/zap v1.24.0
golang.org/x/exp v0.0.0-20230626212559-97b1e661b5df
golang.org/x/time v0.3.0
k8s.io/apimachinery v0.27.3
k8s.io/utils v0.0.0-20230505201702-9f6742963106
github.com/spf13/cobra v1.8.1
github.com/stretchr/testify v1.10.0
go.uber.org/zap v1.27.0
golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f
golang.org/x/time v0.8.0
k8s.io/apimachinery v0.31.3
k8s.io/utils v0.0.0-20241104163129-6fe5fd82f078
)

require (
github.com/avast/retry-go v3.0.0+incompatible // indirect
github.com/benbjohnson/clock v1.3.0 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/florianl/go-tc v0.4.2 // indirect
github.com/go-ole/go-ole v1.2.6 // indirect
github.com/google/go-cmp v0.5.9 // indirect
github.com/bytedance/sonic/loader v0.2.1 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/cloudwego/base64x v0.1.4 // indirect
github.com/cloudwego/iasm v0.2.0 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/florianl/go-tc v0.4.4 // indirect
github.com/go-ole/go-ole v1.3.0 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/josharian/native v1.1.0 // indirect
github.com/klauspost/cpuid/v2 v2.2.5 // indirect
github.com/klauspost/cpuid/v2 v2.2.9 // indirect
github.com/mdlayher/netlink v1.7.2 // indirect
github.com/mdlayher/socket v0.4.1 // indirect
github.com/mdlayher/socket v0.5.1 // indirect
github.com/nightlyone/lockfile v1.0.0 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/tklauser/go-sysconf v0.3.11 // indirect
github.com/tklauser/numcpus v0.6.1 // indirect
github.com/tklauser/go-sysconf v0.3.14 // indirect
github.com/tklauser/numcpus v0.9.0 // indirect
github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
github.com/vishvananda/netlink v1.1.0 // indirect
github.com/vishvananda/netns v0.0.4 // indirect
github.com/yusufpapurcu/wmi v1.2.3 // indirect
golang.org/x/arch v0.4.0 // indirect
golang.org/x/net v0.12.0 // indirect
golang.org/x/sync v0.3.0 // indirect
github.com/vishvananda/netlink v1.3.0 // indirect
github.com/vishvananda/netns v0.0.5 // indirect
github.com/yusufpapurcu/wmi v1.2.4 // indirect
golang.org/x/arch v0.12.0 // indirect
golang.org/x/net v0.31.0 // indirect
golang.org/x/sync v0.9.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)

require (
github.com/gogo/protobuf v1.3.2 // indirect
go.uber.org/atomic v1.11.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/sys v0.10.0
golang.org/x/sys v0.27.0
gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
)
