mirror of
https://github.com/h3xduck/TripleCross.git
synced 2026-01-06 08:23:08 +08:00
New explanation for the injection technique (alternative scanning process) and added flow diagram with full process.
@@ -26,7 +26,7 @@ Therefore, a malicious privileged eBPF program can access and modify other progr
\section{Abusing tracing programs}
eBPF tracing programs (kprobes, uprobes and tracepoints) are hooked to specific points in the kernel or in the user space, and call probe functions once the flow of execution reaches the instruction to which they are attached. This section details the main security concerns regarding this type of programs.
\subsection{Access to function arguments}
\subsection{Access to function arguments} \label{subsection:tracing_arguments}
As we saw in section \ref{section:ebpf_prog_types}, tracing programs receive as a parameter those arguments with which the hooked function originally was called. These parameters are read-only and thus, in principle, they cannot be modified inside the tracing program (we will show this is not entirely true in section \ref{section:mem_corruption}). The next code snippets show the format in which parameters are received when using libbpf (Note that libbpf also includes some macros that offer an alternative format, but the parameters are the same).
\begin{lstlisting}[language=C, caption={Probe function for a kprobe on the kernel function vfs\_write.}, label={code:format_kprobe}]
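Review bot: the `\label{subsection:tracing_arguments}` appended to the `\subsection{Access to function arguments}` heading needs a matching `\ref{subsection:tracing_arguments}` in the same commit (presumably in the new injection-technique explanation named in the commit message); if that reference lands in a later commit, this one builds with an unused label and the later one fails its first pass with an undefined-reference warning until `\label` and `\ref` are both present. The label name itself follows the `section:`-prefixed convention already visible in the context lines (`\ref{section:ebpf_prog_types}`, `\ref{section:mem_corruption}`), so no rename is needed; one small style point is that the rest of the file keeps `\label` on the heading line as well, so placement here is consistent.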