Detect syscall hooking using eBPF

BPF-HookDetect

Detect Kernel Rootkits hooking syscalls

Overview

Kernel Rootkits such as Diamorphine hook various syscall functions so they can either:

  • Hide files and processes from usermode applications, by altering the data returned from the Kernel
  • Facilitate a covert channel from usermode to the kernel, used to trigger actions such as privilege escalation

This project attempts to detect this syscall hooking using eBPF and its ability to capture kernel stack traces. HookDetect monitors the following syscalls:

  • kill
    • Used to send signals to other processes
  • getdents and getdents64
    • Used to list files and folders

HookDetect inspects every use of these syscalls and checks two things:

  • How many stack frames there are between the initial kernel entrypoint and the actual syscall function
    • This detects a hook that interposes on the function to alter its return data
  • After the kernel recorded the process making a syscall, was the real syscall function actually called?
    • This detects the covert-channel case, where the real syscall is never run

Details

For more details, see this blog: Detecting kernel hooking using eBPF

This code has been tested on:

  • Ubuntu 21.04, Kernel 5.11.0-17
  • RHEL 7.6, Kernel 3.10.0-957

Build

To use pre-built binaries, grab them from the Releases page.

To build from source, do the following:

Dependencies

As this code makes use of CO-RE, it requires a recent Linux kernel built with BTF type information. See these notes in the libbpf README for more information. For example, Ubuntu requires 20.10 or later.

Building requires these dependencies:

  • zlib
  • libelf
  • libbfd
  • clang 11
  • make

On Ubuntu these can be installed with:

sudo apt install build-essential clang-11 libelf-dev zlib1g-dev libbfd-dev libcap-dev libfd-dev

Build

To build from source, recursively clone the repository, then run make in the src directory:

git clone --recursive https://github.com/pathtofile/bpf-hookdetect.git
cd bpf-hookdetect/src
make

The binaries will be built into bpf-hookdetect/src/bin.

Run

Run the hookdetect binary as root. If the program detects that a function was hooked, it prints the syscall name along with the process name and PID:

$> sudo ./bpf-hookdetect/src/bin/hookdetect
sys_getdents64 is hooked for PID 2584743 (ls) - Real function called but data possibly altered
sys_kill is hooked for PID 2584087 (bash) - Real function not called

To print out the stack traces from each syscall logged, run hookdetect with --verbose:

$> sudo ./bpf-hookdetect/src/bin/hookdetect --verbose
sys_kill:
    0xffffffff886b88e1 -> __x64_sys_kill
    0xffffffff89234d38 -> do_syscall_64
    0xffffffff8940008c -> entry_SYSCALL_64_after_hwframe
sys_kill is hooked for PID 2584087 (bash) - Real function called but data possibly altered
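The two checks described in the Overview, applied offline to stack traces in the format that hookdetect --verbose prints. This is an added example, not the project's own code: the event stream and its field names, the clean-kernel baseline of one frame (do_syscall_64) between the entry point and the real function, and the hooked getdents64 stack are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
ENTRY = "entry_SYSCALL_64_after_hwframe"  # x86-64 kernel entry frame on 5.x kernels
EXPECTED_INNER_FRAMES = 1                  # assumed clean baseline: only do_syscall_64 in between
FRAME_RE = re.compile(r"^\s*(0x[0-9a-f]+)\s+->\s+(\S+)\s*$")
def parse_stack(text):
    """Parse '0xaddr -> symbol' lines (innermost frame first) into a list of symbols."""
    return [m.group(2) for m in map(FRAME_RE.match, text.splitlines()) if m]
def inner_frames(symbols, real_func):
    """Number of frames strictly between real_func and ENTRY; None if either is absent."""
    if real_func not in symbols or ENTRY not in symbols:
        return None
    return symbols.index(ENTRY) - symbols.index(real_func) - 1
def analyze(events, real_funcs):
    """Correlate sys_enter/kprobe/sys_exit per (pid, syscall); return (syscall, pid, comm, verdict)."""
    stacks, findings = defaultdict(list), []   # (pid, syscall) -> kprobe stacks seen so far
    for ev in events:
        key = (ev["pid"], ev["syscall"])
        if ev["type"] == "sys_enter":
            stacks[key] = []
        elif ev["type"] == "kprobe":             # fires only if the real function ran
            stacks[key].append(parse_stack(ev["stack"]))
        elif ev["type"] == "sys_exit":
            seen = stacks.pop(key, [])
            if not seen:                         # check 2: real function never called
                verdict = "Real function not called"
            else:                                # check 1: extra frame(s) wrapping the real function
                depth = inner_frames(seen[0], real_funcs[ev["syscall"]])
                if depth is not None and depth <= EXPECTED_INNER_FRAMES:
                    continue
                verdict = "Real function called but data possibly altered"
            findings.append((ev["syscall"], ev["pid"], ev["comm"], verdict))
    return findings
# Constructed sample input: the clean kill stack shown above, and a getdents64 stack with one
# extra unresolved frame standing in for a rootkit wrapper (not a real capture).
CLEAN_STACK = """    0xffffffff886b88e1 -> __x64_sys_kill
    0xffffffff89234d38 -> do_syscall_64
    0xffffffff8940008c -> entry_SYSCALL_64_after_hwframe"""
HOOKED_STACK = """    0xffffffff886c1000 -> __x64_sys_getdents64
    0xffffffffc0a01200 -> [unknown]
    0xffffffff89234d38 -> do_syscall_64
    0xffffffff8940008c -> entry_SYSCALL_64_after_hwframe"""
REAL_FUNCS = {"kill": "__x64_sys_kill", "getdents64": "__x64_sys_getdents64"}
SAMPLE_EVENTS = [   # constructed event stream; field names are this example's own
    {"type": "sys_enter", "syscall": "kill", "pid": 2584087, "comm": "bash"},
    {"type": "sys_exit", "syscall": "kill", "pid": 2584087, "comm": "bash"},
    {"type": "sys_enter", "syscall": "getdents64", "pid": 2584743, "comm": "ls"},
    {"type": "kprobe", "syscall": "getdents64", "pid": 2584743, "comm": "ls", "stack": HOOKED_STACK},
    {"type": "sys_exit", "syscall": "getdents64", "pid": 2584743, "comm": "ls"},
]
```

The baseline frame count depends on the kernel: older kernels such as the tested 3.10 series enter syscalls through a different path, so EXPECTED_INNER_FRAMES must be measured on a known-clean machine before the verdict is trusted.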

Example Test

To test, download, build, and install the Diamorphine rootkit. Once the rootkit is installed, start hookdetect and run:

# Sending signal 63 is intercepted by Diamorphine, and the real syscall function is not called
kill -63 0

# But when sending other signals the real function is called
kill -s 23 $$

Resources

The project's skeleton is adapted from libbpf-bootstrap.

The code to convert stack addresses to function names is taken from the BCC project.

Issues

  • Recursive misspelled

    Minor issue with misspelling of git clone --recusrive https://github.com/pathtofile/bpf-hookdetect.git

    Change to git clone --recursive https://github.com/pathtofile/bpf-hookdetect.git

    opened by morrowd