From 05baa8fb8af398df45e97a0eb5e43af917d50203 Mon Sep 17 00:00:00 2001
From: h3xduck
Date: Sat, 5 Feb 2022 19:00:25 -0500
Subject: [PATCH] Added new helper program to be used with the execve hijacking module

---
 src/ebpf/include/bpf/exec.h | 36 ++++++++++++++++++++++++++++++++++++
 src/helpers/execve_hijack | Bin 0 -> 16152 bytes
 src/helpers/execve_hijack.c | 9 +++++++++
 3 files changed, 45 insertions(+)
 create mode 100644 src/ebpf/include/bpf/exec.h
 create mode 100755 src/helpers/execve_hijack
 create mode 100644 src/helpers/execve_hijack.c

diff --git a/src/ebpf/include/bpf/exec.h b/src/ebpf/include/bpf/exec.h
new file mode 100644
index 0000000..abc4b35
--- /dev/null
+++ b/src/ebpf/include/bpf/exec.h
@@ -0,0 +1,36 @@
+#ifndef __EXEC_H
+#define __EXEC_H
+
+#include "headervmlinux.h"
+
+#include
+#include
+#include
+
+#include "../../../common/constants.h"
+#include "../../../common/map_common.h"
+#include "defs.h"
+#include "../utils/strings.h"
+
+
+/**
+ * >> cat /sys/kernel/debug/tracing/events/syscalls/sys_enter_open/format
+ */
+struct sys_execve_enter_ctx {
+ unsigned long long unused;
+ int __syscall_nr;
+ unsigned int padding;
+ const char* const *argv;
+ const char* filename;
+ const char* const *envp;
+};
+
+
+SEC("tp/syscalls/sys_enter_execve")
+int tp_sys_enter_execve(struct sys_execve_enter_ctx *ctx) {
+
+}
+
+
+
+#endif
\ No newline at end of file
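Review bot: `tp_sys_enter_execve` is declared `int` but its body is empty, so control falls off the end of a non-void function; that is undefined behaviour in C and the BPF verifier is expected to reject a program that does not end in an exit, so even as a placeholder the body should read `return 0;`. The comment above `struct sys_execve_enter_ctx` points at `sys_enter_open/format` while the struct is attached to the `sys_enter_execve` tracepoint, so it should name `sys_enter_execve/format` instead. As far as I recall, that format file lists the syscall arguments as `filename`, `argv`, `envp` in that order, whereas the struct declares `argv` before `filename`; if so, both pointers would be read from the wrong offset once the handler starts using them, so verify the member order against the format output on the target kernel before the body is filled in. Minor: `__EXEC_H` is a reserved identifier (leading double underscore), `EXEC_H` avoids that, and the three angle-bracket `#include` lines have no target on this page, which may be a rendering artifact rather than the file's content.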
diff --git a/src/helpers/execve_hijack b/src/helpers/execve_hijack new file mode 100755 index 0000000000000000000000000000000000000000..abf396c83036556c11992564acd66d573570a282 GIT binary patch literal 16152 zcmeHOeQX>@6`woDiPI+MOY2Z4De)3wDQV=3oiE(9CU>^a-a}4e5}PKX>E`TP`>x!F zySLZaRRJTnRZodaR3s=;D})595EZge1?e9M2a~i&fD)uuMir_-iEtpaiD^)PB+GlV z?_KtmbC3WD{@9W3e)B$lZ)V@l?#pX@U{kz;f`SnfQ0w>m}a9iVP#%$n7w4d!Gg#om!jt zFTVLSAE5RYI}g2-e@05L*qTla?Aoz4ooGs@vW3y6(bio}yLN=~xzIM*GWJV>500ts zef*1zw@8mVK4!F?bLe@jGsi#v%Yc`G z|Njj9xpw{E)QQVA>hbDdZ-vL^XQxfSbxxi5Y0Zr6ytVU1P%l`GUje9X5a^#o%fhAK zT9$QE$~ZAyxOARn@P0*l!@~yJK|bP=`<-&jpJK)HkEzAqsS_8j^!D{kR{sDZs*@}C zNN76^;jPu%fb!uFZUh@2q3S0WsiMF3$RV`jL zSE$F^&Vn$%9FBWF0bggUe+07c2yn~zmyUrE1N8$BlC2a!e_1US=AduS1|Y!fEz5c{ zdIP)t$Cl&K8|q8yWZfAQ)#K4Q)pt%k9t3sqED#DnIEAM9?*nThdcy~nhoYCCep70H zHZv5eZFmM9;A~O;BaiebaiVr?}N;36$eDHI+AtJ_bA){war7@+X@=9a=F5z2O^-vi4jqivqd|+87 zVBHnVdKqvd;Ol^$fR6$;UA3&A1AYteGGN_;W$l2+dweH~#rMR+ge z29(Jq(ZHq?)t!On=a#C0)`?}^fp9j^8VNK<0-M?cN_(KbJrHaU)X4XR9|C0bWPQ>jvRbNfvnVD9Z{$UYLmME3q7+ z#hPnuv9um}9m%}za4pHaP7$Aru(18wEh~re6fOSaXPB3kpqAI9!t)K;@3PgRNO(74 zJ>hCX2BL{6T4%^>59PBSIN|df7GA4(pDl`dTGYt;L)0>=G_M?)K5@i6mqy1u#!KX z7e5T*DcA8J5A|~{{dUsxbpfI*G5Ge0wIUd{Wj=4Xy4oi`B6ytJRw15-3dZN_jP=h; z|J9}IhV`#PrBeSFJFXwfICbKgk8yyJ75f~?$I zT5r$#YDkDr)R(R|*8d9hegStASDx2_{vJ^F(*1;nz1RYJg~<+lQR?BY6Lu(}+AZUh z>rgrb`k+`-I$!M3i2nXnrTZA`wMF6>i|FycC5-Rx&nuu;IH&_(1N|!h8o}2Go8CY@ zu7D>J-TuT|pvU~o(YkJ(2WkE;EwWO+686uIz#9`BPflFydnx{I6(?i6JAN(X~V& zlNkewL(;(0EOWL0oz(1qC!u4S)^#AVH>ySVb!xDhznqW|TIb_DGMmzpLwDv`_1cwD&|Ys@!%km@mk#-*I~Z?p_F&?M2WNaWhUE z8pC1J*kHZJ&Ld;)mKN$LA;rWj(39$<*PQH6z z82%6MEPVfC9sce*`TV=jsIViUoBs&t{{nL%UA@PvtSHoc>)BSD>9$whm8EQ%Kc|Q#xDRL=bkL{{F70k z#@ziUwU~qo=9Kw7A7-2;M{eJJ{9hw}JNfbanz7lz$DFzO-vk}zgyX}HnOz9^xr4N_ zuUtob89q+FLOe!ppE<7Z;#C*FmmC<`e=+`)i+_{|j0zJ8IUeI1F8(+f7~ggc80K-< zAG`Sc{Km-7b?ooHesJE1P4M{_3V9MfOdGo%t@hWg@9ekeWpK1an6!x>F+cN8Kf&s@aKgaProA>4N z{#(5MurQC$<99)ahsb<>o}HozUN4dyh53w2f$ZdqFgZ8d$n9_l=CQm2$f)D?d0rSK 
zzS|$$a+X!pKDn1n%x^4d>i{-&P99_u-F%4gUk+{_y>GIq10W4!Q{Lu%!oF X!MR=b#p!V+{%-tXgR<5|aEam{==*>d literal 0 HcmV?d00001 diff --git a/src/helpers/execve_hijack.c b/src/helpers/execve_hijack.c new file mode 100644 index 0000000..fa78c8e --- /dev/null +++ b/src/helpers/execve_hijack.c @@ -0,0 +1,9 @@ +#include + +int main(int argc, char* argv[]){ + printf("Hello world from execve hijacker\n"); + for(int ii=0; ii