Merge pull request #27 from chriskaliX/v1.0.0

Speed up & remove some files

.gitignore

@@ -9,5 +9,4 @@ agent/log/hades*
 agent/main
 cert/
 server/hadeserver
-plugin/driver/eBPF/kernel/hades_ebpf_driver.o
-plugin/driver/driver
+**/*.so

plugin/driver/README.md

@@ -53,6 +53,7 @@
 | security_kernel_read_file                  | ON                                    | 1027 |
 | security_inode_create                      | ON                                    | 1028 |
 | security_sb_mount                          | ON                                    | 1029 |
+| kprobe/call_usermodehelper                 | ON                                    | 1030 |
 
 用户态 Hook
 | Hook 名称 | 状态/说明 | ID |

plugin/driver/eBPF/go.mod

@@ -20,14 +20,17 @@ require (
 	github.com/josharian/native v1.0.0 // indirect
 	github.com/mdlayher/netlink v1.6.0 // indirect
 	github.com/mdlayher/socket v0.2.3 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/vishvananda/netlink v1.1.0 // indirect
 	github.com/vishvananda/netns v0.0.0-20211101163701-50045581ed74 // indirect
 	golang.org/x/net v0.0.0-20220225172249-27dd8689420f // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
 )
 
 require (
-	github.com/ehids/ebpfmanager v0.2.2
+	github.com/ehids/ebpfmanager v0.2.3-0.20220320163725-b344aabdbaf3
+	github.com/evanphx/json-patch v0.5.2
+	github.com/goccy/go-json v0.9.6
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/hashicorp/golang-lru v0.5.4
 	go.uber.org/atomic v1.9.0 // indirect

plugin/driver/eBPF/go.sum

@@ -13,11 +13,17 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/ehids/ebpfmanager v0.2.2 h1:pvbqWqP0I5gEpu8eXloYAePfJQOBOZYQrkHZCREA2sE=
 github.com/ehids/ebpfmanager v0.2.2/go.mod h1:Na79A/VRPSpzQTvjsz5ui4WoZZufPG/oRIDpjKEjQvE=
+github.com/ehids/ebpfmanager v0.2.3-0.20220320163725-b344aabdbaf3 h1:5sV2vzoAxR6yEmG+qpLMm/vpzhQ7rsHe/LtEFeFWrMQ=
+github.com/ehids/ebpfmanager v0.2.3-0.20220320163725-b344aabdbaf3/go.mod h1:Na79A/VRPSpzQTvjsz5ui4WoZZufPG/oRIDpjKEjQvE=
+github.com/evanphx/json-patch v0.5.2 h1:xVCHIVMUu1wtM/VkR9jVZ45N3FhZfYMMYGorLCR8P3k=
+github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
 github.com/florianl/go-tc v0.4.0 h1:/g8oCl4OUWt1H4pnThn4iz8SJqV78O5VxAh7ykBN09c=
 github.com/florianl/go-tc v0.4.0/go.mod h1:qt66GHXQ60ETsKP1qNg2KljTO28UMNLhfAaB/odORY8=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/frankban/quicktest v1.14.0 h1:+cqqvzZV87b4adx/5ayVOaYZ2CrvM4ejQvUdBzPPUss=
 github.com/frankban/quicktest v1.14.0/go.mod h1:NeW+ay9A/U67EYXNFA1nPE8e/tnQv/09mUdL/ijj8og=
+github.com/goccy/go-json v0.9.6 h1:5/4CtRQdtsX0sal8fdVhTaiMN01Ri8BExZZ8iRmHQ6E=
+github.com/goccy/go-json v0.9.6/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -36,6 +42,7 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
 github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
+github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/josharian/native v0.0.0-20200817173448-b6b71def0850/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/josharian/native v1.0.0 h1:Ts/E8zCSEsG17dUqv7joXJFybuMLjQfWE04tsBODTxk=
 github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
@@ -74,12 +81,11 @@ github.com/mdlayher/netlink v1.6.0 h1:rOHX5yl7qnlpiVkFWoqccueppMtXzeziFjWAjLg6sz
 github.com/mdlayher/netlink v1.6.0/go.mod h1:0o3PlBmGst1xve7wQ7j/hwpNaFaH4qCRyWCdcZk8/vA=
 github.com/mdlayher/socket v0.0.0-20210307095302-262dc9984e00/go.mod h1:GAFlyu4/XV68LkQKYzKhIo/WW7j3Zi0YRAz/BOoanUc=
 github.com/mdlayher/socket v0.1.1/go.mod h1:mYV5YIZAfHh4dzDVzI8x8tWLWCliuX8Mon5Awbj+qDs=
-github.com/mdlayher/socket v0.2.2 h1:UOh5gQk70kRl1YMLCTRwRF4MvsAQsudjkEA+ZDXS4jo=
-github.com/mdlayher/socket v0.2.2/go.mod h1:IcNFWYJJuSGgnfKie27UfpEDWytPDqy+TrDd9I5hUKQ=
 github.com/mdlayher/socket v0.2.3 h1:XZA2X2TjdOwNoNPVPclRCURoX/hokBY8nkTmRZFEheM=
 github.com/mdlayher/socket v0.2.3/go.mod h1:bz12/FozYNH/VbvC3q7TRIK/Y6dH1kCKsXaUeXi/FmY=
-github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
@@ -171,9 +177,6 @@ golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220224120231-95c6836cb0e7/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5 h1:y/woIyUBFbpQGKS0u1aHF/40WUDnek3fPOyD08H5Vng=
-golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8 h1:OH54vjqzRWmbJ62fjuhxy7AxFFgoHN0/DPc/UrL8cAs=
 golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=

plugin/driver/eBPF/kernel/include/define.h

@@ -205,11 +205,21 @@ static inline struct mount *real_mount(struct vfsmount *mnt)
 }
 
 /* hook point id */
-// TODO: gather all and update
-#define SYS_ENTER_PTRACE 164
-#define SYS_ENTER_PRCTL 200
-#define SCHED_PROCESS_FORK 317
-#define SYS_ENTER_EXECVEAT 698
-#define SYS_ENTER_EXECVE 700
+#define SYS_ENTER_PTRACE          164
+#define SYS_ENTER_PRCTL           200
+#define SCHED_PROCESS_FORK        317
+#define SYS_ENTER_MEMFD_CREATE    614
+#define SYS_ENTER_EXECVEAT        698
+#define SYS_ENTER_EXECVE          700
+#define COMMIT_CREDS              1011
+#define SECURITY_SOCKET_CONNECT   1022
+#define SECURITY_SOCKET_BIND      1024
+#define UDP_RECVMSG               1025
+#define SECURITY_KERNEL_READ_FILE 1027
+#define SECURITY_INODE_CREATE     1028
+#define SECURITY_SB_MOUNT         1029
+#define CALL_USERMODEHELPER       1030
+// uprobe
+#define BASH_READLINE             2000
 
 #endif //__DEFINE_H

plugin/driver/eBPF/kernel/include/hades_exec.h

@@ -132,7 +132,7 @@ int sys_enter_execveat(struct _sys_enter_execveat *ctx)
     event_data_t data = {};
     if (!init_event_data(&data, ctx))
         return 0;
-    data.context.type = 698;
+    data.context.type = SYS_ENTER_EXECVEAT;
     // filename
     save_str_to_buf(&data, (void *)ctx->filename, 0);
     // cwd
@@ -175,7 +175,7 @@ int sys_enter_prctl(struct _sys_enter_prctl *ctx)
     event_data_t data = {};
     if (!init_event_data(&data, ctx))
         return 0;
-    data.context.type = 200;
+    data.context.type = SYS_ENTER_PRCTL;
     // read the option firstly
     int option;
     bpf_probe_read(&option, sizeof(option), &ctx->option);
@@ -223,7 +223,7 @@ int sys_enter_ptrace(struct _sys_enter_ptrace *ctx)
     event_data_t data = {};
     if (!init_event_data(&data, ctx))
         return 0;
-    data.context.type = 164;
+    data.context.type = SYS_ENTER_PTRACE;
     long request;
     // get the request firstly
     bpf_probe_read(&request, sizeof(request), &ctx->request);
@@ -253,7 +253,7 @@ int sys_enter_memfd_create(struct _sys_enter_memfd_create *ctx)
     event_data_t data = {};
     if (!init_event_data(&data, ctx))
         return 0;
-    data.context.type = 614;
+    data.context.type = SYS_ENTER_MEMFD_CREATE;
     void *exe = get_exe_from_task(data.task);
     save_str_to_buf(&data, exe, 0);
     save_str_to_buf(&data, (char *)ctx->uname, 1);

plugin/driver/eBPF/kernel/include/hades_file.h

@@ -10,7 +10,7 @@ int kprobe_security_inode_create(struct pt_regs *ctx)
     event_data_t data = {};
     if (!init_event_data(&data, ctx))
         return 0;
-    data.context.type = 1028;
+    data.context.type = SECURITY_INODE_CREATE;
     void *exe = get_exe_from_task(data.task);
     save_str_to_buf(&data, exe, 0);
     struct dentry *dentry = (struct dentry *)PT_REGS_PARM2(ctx);
@@ -27,7 +27,7 @@ int kprobe_security_sb_mount(struct pt_regs *ctx)
     event_data_t data = {};
     if (!init_event_data(&data, ctx))
         return 0;
-    data.context.type = 1029;
+    data.context.type = SECURITY_SB_MOUNT;
     const char *dev_name = (const char *)PT_REGS_PARM1(ctx);
     struct path *path = (struct path *)PT_REGS_PARM2(ctx);
     const char *type = (const char *)PT_REGS_PARM3(ctx);

plugin/driver/eBPF/kernel/include/hades_net.h

@@ -12,7 +12,7 @@ int kprobe_security_socket_connect(struct pt_regs *ctx)
     event_data_t data = {};
     if (!init_event_data(&data, ctx))
         return 0;
-    data.context.type = 1022;
+    data.context.type = SECURITY_SOCKET_CONNECT;
 
     struct sockaddr *address = (struct sockaddr *)PT_REGS_PARM2(ctx);
     if (!address)
@@ -47,7 +47,7 @@ int kprobe_security_socket_bind(struct pt_regs *ctx)
     event_data_t data = {};
     if (!init_event_data(&data, ctx))
         return 0;
-    data.context.type = 1024;
+    data.context.type = SECURITY_SOCKET_BIND;
 
     // This is for getting protocol
     // In Elkeid, the protocol is not concerned, only sa_family, sip, sport, res
@@ -198,7 +198,7 @@ int kretprobe_udp_recvmsg(struct pt_regs *ctx)
         event_data_t data = {};
         if (!init_event_data(&data, ctx))
             return 0;
-        data.context.type = 1025;
+        data.context.type = UDP_RECVMSG;
 
         int opcode = (string_p->buf[2] >> 3) & 0x0f;
         int rcode = string_p->buf[3] & 0x0f;

plugin/driver/eBPF/kernel/include/hades_privilege.h

@@ -15,7 +15,7 @@ int kprobe_commit_creds(struct pt_regs *ctx)
     event_data_t data = {};
     if (!init_event_data(&data, ctx))
         return 0;
-    data.context.type = 1011;
+    data.context.type = COMMIT_CREDS;
 
     struct cred *new = (struct cred *)PT_REGS_PARM1(ctx);
     struct cred *old = (struct cred *)READ_KERN(data.task->real_cred);
@@ -37,6 +37,5 @@ int kprobe_commit_creds(struct pt_regs *ctx)
         events_perf_submit(&data);
         return 1;
     }
-
     return 0;
 }

plugin/driver/eBPF/kernel/include/hades_rootkit.h

@@ -69,7 +69,7 @@ int kprobe_security_kernel_read_file(struct pt_regs *ctx)
     event_data_t data = {};
     if (!init_event_data(&data, ctx))
         return 0;
-    data.context.type = 1027;
+    data.context.type = SECURITY_KERNEL_READ_FILE;
     // get the file
     struct file *file = (struct file *)PT_REGS_PARM1(ctx);
     void *file_path = get_path_str(GET_FIELD_ADDR(file->f_path));
@@ -78,7 +78,33 @@ int kprobe_security_kernel_read_file(struct pt_regs *ctx)
     // get the id
     enum kernel_read_file_id type_id = (enum kernel_read_file_id)PT_REGS_PARM2(ctx);
     save_to_submit_buf(&data, &type_id, sizeof(int), 1);
+    return events_perf_submit(&data);
+}
 
+// Add rootkit detection just like in Elkeid.
+// @Notice: this is under full test
+SEC("kprobe/call_usermodehelper")
+int kprobe_call_usermodehelper(struct pt_regs *ctx)
+{
+    event_data_t data = {};
+    if (!init_event_data(&data, ctx))
+        return 0;
+    data.context.type = CALL_USERMODEHELPER;
+    void *path = (void *)PT_REGS_PARM1(ctx);
+    save_str_to_buf(&data, path, 0);
+    unsigned long argv = PT_REGS_PARM2(ctx);
+    save_str_arr_to_buf(&data, (const char *const *)argv , 1);
+    unsigned long envp = PT_REGS_PARM3(ctx);
+    // Think twice about this.
+    // I do not use `save_envp_to_buf` here, since there is not that much
+    // call_usermodehelper called... And since it's very important, it's
+    // good to just get them all.
+    save_str_arr_to_buf(&data, (const char *const *)envp , 2);
+    int wait = PT_REGS_PARM4(ctx);
+    save_to_submit_buf(&data, (void*)&wait, sizeof(int), 3);
+    // Think twice
+    void *exe = get_exe_from_task(data.task);
+    save_str_to_buf(&data, exe, 4);
     return events_perf_submit(&data);
 }
 

plugin/driver/eBPF/kernel/include/hades_uprobe.h

@@ -13,7 +13,7 @@ int uretprobe_bash_readline(struct pt_regs *ctx)
     event_data_t data = {};
     if (!init_event_data(&data, ctx))
         return 0;
-    data.context.type = 2000;
+    data.context.type = BASH_READLINE;
     // exe
     void *exe = get_exe_from_task(data.task);
     save_str_to_buf(&data, exe, 0);

plugin/driver/eBPF/kernel/include/utils_buf.h

@@ -171,6 +171,8 @@ static __always_inline int save_str_to_buf(event_data_t *data, void *ptr, u8 ind
  * @structure: [index][string count][pid1][str1 size][str1][pid2][str2 size][str2]
  * TODO: cache to speed up
  */
+// In Elkeid, a privilege escalation detection is added by checking the creds
+// in here. And also, pid of socket is added in here.
 static __always_inline int save_pid_tree_to_buf(event_data_t *data, int limit, u8 index)
 {
     u8 elem_num = 0;

plugin/driver/eBPF/test/Foo.java

@@ -0,0 +1,73 @@
+import java.io.*;
+import java.net.Socket;
+import java.net.UnknownHostException;
+import java.lang.Thread;
+
+public class Foo {
+    public static void main(String[] args) {
+        // String requestMsg = "client xml or json 数据";
+        // String address = "47.102.155.13";
+        // int port = 22;
+        // send(address,port,requestMsg);
+        for (int i = 0 ; i < 10; i++) {
+            try {
+                Thread.sleep(1000);
+                Runtime.getRuntime().gc();
+                System.out.println("Enforced GC!");
+            } catch (Exception e) {
+
+            }
+        }
+    }
+
+    /**
+     * Socket 客户端请求
+     *
+     * @param address ip地址
+     * @param port 端口
+     * @param requestMsg 请求内容
+     */
+    public static void send(String address,int port, String requestMsg) {
+
+        try {
+            //创建Socket对象
+            Socket socket=new Socket(address,port);
+            /**
+             * 根据输入输出流和服务端连接
+             * 1）获取一个输出流，向服务端发送信息
+             * 2）将输出流包装成打印流
+             * 3）关闭输出流
+             */
+            OutputStream outputStream=socket.getOutputStream();
+            PrintWriter printWriter=new PrintWriter(outputStream);
+            printWriter.print(requestMsg);
+            printWriter.flush();
+            socket.shutdownOutput();
+
+            //获取一个输入流，接收服务端的信息
+            InputStream inputStream=socket.getInputStream();
+            //包装成字符流，提高效率
+            InputStreamReader inputStreamReader=new InputStreamReader(inputStream);
+            //缓冲区
+            BufferedReader bufferedReader=new BufferedReader(inputStreamReader);
+            StringBuffer sb = new StringBuffer();
+            //临时变量
+            String temp=null;
+            while((temp=bufferedReader.readLine())!=null){
+                sb.append(temp).append("\n");
+            }
+            System.out.println("客户端接收服务端发送信息："+sb.toString());
+
+            //关闭相对应的资源
+            bufferedReader.close();
+            inputStream.close();
+            printWriter.close();
+            outputStream.close();
+            socket.close();
+        } catch (UnknownHostException e) {
+            e.printStackTrace();
+        } catch (IOException e) {
+            e.printStackTrace();
+        }
+    }
+}

plugin/driver/eBPF/userspace/decoder/decoder.go

@@ -16,13 +16,7 @@ import (
 // @Reference: https://github.com/aquasecurity/tracee/blob/main/pkg/bufferdecoder/decoder.go
 // As binary.Read accept a interface as a parameter, reflection is frequently used
 // this package is to try to improve this. Also, based on tracee.
-var (
-	bytepool buffer.Pool
-)
-
-func init() {
-	bytepool = buffer.NewPool()
-}
+var bytepool buffer.Pool = buffer.NewPool()
 
 type EbpfDecoder struct {
 	buffer []byte