Skip to content

cnwangjihe/ebpf-rootkit

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
bpftool @ 02e62fe
bpftool @ 02e62fe
 
 
libbpf @ cf46d44
libbpf @ cf46d44
 
 
src
src
 
 
vmlinux
vmlinux
 
 
.gitignore
.gitignore
 
 
.gitmodules
.gitmodules
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

EBPF Rootkit

A simple rootkit written in ebpf.

This project was used by me to practice writing ebpf programs, and many parts were referenced from TripleCross, xdp-tutorial and libbpf-bootstrap.
The code is only for research and study use, any illegal use is prohibited, and the consequences will be borne by you.
Only works on Linux systems with sudo installed.

Usage

cd src
make
sudo ./rootkit

After loading it, you can execute any program as uid 0 using run_prog_as_root YOUR_PROGRAM.
In my test, the rootkit only 100% works on zsh and dash. In bash or fish, you have to use bash/fish -c "run_prog_as_root XXX" to achieve a high success rate.

Technical Details

I use ebpf tracepoint hook enter_execve, change execve filename from run_prog_as_root to sudo and save the pid to map.
At the same time, it hooks enter_read and exit_read. If a program with pid in map, try to read file named sudoers, ebpf rootkit will modify read buf content, adding the following lines to it:

User_Alias HARUKA = #UID
HARUKA ALL=(ALL:ALL) NOPASSWD:ALL

UID is the current user's uid, ebpf rootkit will fill it dynamically.

About

A simple rootkit written in ebpf.

Resources

Readme

License

GPL-3.0 license
Activity

Stars

2 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages