SuzumiyaAsahi/aya-bad-ebpf-process-hid

process hide

Prerequisites

# Run this as root
cargo install bpf-linker

# If the build complains that cc is missing, install a C toolchain
apt update
apt install build-essential

Build eBPF

cargo xtask build

To perform a release build you can use the --release flag. You may also change the target architecture with the --target flag.

Run

RUST_LOG=info cargo xtask run -- --pid 123456

Setting RUST_LOG=info also enables the program's log output.

Explanation of pid vs. tgid and how to filter on them (not used in this project):

How to filter by PID correctly in a BPF program?

How to check the parameters of a system call

cat /sys/kernel/debug/tracing/events/syscalls/sys_enter_getdents64/format

cat /sys/kernel/debug/tracing/events/syscalls/sys_exit_getdents64/format
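The two format files above list every field of the tracepoint context together with its byte offset and size. The following added example (not code from this repository) parses that text into field descriptors and reads a syscall argument out of a raw context buffer at the documented offset, so a tracepoint program does not have to hard-code offsets. The SAMPLE_FORMAT text is constructed to mirror the sys_enter_getdents64 layout on x86_64 and its ID value is a placeholder; the 40-byte context buffer in main is constructed as well.

```rust
// Added example (not part of the repository): parse a tracefs `format`
// description into field descriptors so a tracepoint program can read
// syscall arguments at the documented offsets instead of hardcoding them.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TraceField {
    pub ctype: String,
    pub name: String,
    pub offset: usize,
    pub size: usize,
    pub signed: bool,
}

/// Constructed sample mirroring what
/// /sys/kernel/debug/tracing/events/syscalls/sys_enter_getdents64/format
/// prints on x86_64. The ID value is a placeholder.
pub const SAMPLE_FORMAT: &str = "\
name: sys_enter_getdents64
ID: 0
format:
\tfield:unsigned short common_type;\toffset:0;\tsize:2;\tsigned:0;
\tfield:unsigned char common_flags;\toffset:2;\tsize:1;\tsigned:0;
\tfield:unsigned char common_preempt_count;\toffset:3;\tsize:1;\tsigned:0;
\tfield:int common_pid;\toffset:4;\tsize:4;\tsigned:1;

\tfield:int __syscall_nr;\toffset:8;\tsize:4;\tsigned:1;
\tfield:unsigned int fd;\toffset:16;\tsize:8;\tsigned:0;
\tfield:struct linux_dirent64 * dirent;\toffset:24;\tsize:8;\tsigned:0;
\tfield:unsigned int count;\toffset:32;\tsize:8;\tsigned:0;

print fmt: \"fd: 0x%08lx, dirent: 0x%08lx, count: 0x%08lx\", ((unsigned long)(REC->fd)), ((unsigned long)(REC->dirent)), ((unsigned long)(REC->count))
";

/// Extract the value of one `key:value` attribute (attributes are `;`-separated).
fn attr<'a>(part: &'a str, key: &str) -> Option<&'a str> {
    part.trim().strip_prefix(key)?.strip_prefix(':').map(str::trim)
}

/// Parse every `field:` line of a tracefs format file.
pub fn parse_format(text: &str) -> Vec<TraceField> {
    let mut fields = Vec::new();
    for line in text.lines().map(str::trim) {
        if !line.starts_with("field:") {
            continue;
        }
        let parts: Vec<&str> = line.split(';').map(str::trim).filter(|p| !p.is_empty()).collect();
        let decl = match parts.first().and_then(|p| attr(p, "field")) {
            Some(d) => d,
            None => continue,
        };
        // The field name is the last token of the C declaration; the rest is the type.
        // Array fields such as `char comm[16]` keep only the bare name.
        let (ctype, raw_name) = match decl.rsplit_once(' ') {
            Some(pair) => pair,
            None => continue,
        };
        let name = raw_name.split('[').next().unwrap_or(raw_name);
        let mut offset: Option<usize> = None;
        let mut size: Option<usize> = None;
        let mut signed: Option<bool> = None;
        for part in &parts[1..] {
            if let Some(v) = attr(part, "offset") {
                offset = v.parse().ok();
            } else if let Some(v) = attr(part, "size") {
                size = v.parse().ok();
            } else if let Some(v) = attr(part, "signed") {
                signed = Some(v == "1");
            }
        }
        if let (Some(offset), Some(size), Some(signed)) = (offset, size, signed) {
            fields.push(TraceField {
                ctype: ctype.trim().to_string(),
                name: name.to_string(),
                offset,
                size,
                signed,
            });
        }
    }
    fields
}

/// Look a field up by name.
pub fn field<'a>(fields: &'a [TraceField], name: &str) -> Option<&'a TraceField> {
    fields.iter().find(|f| f.name == name)
}

/// Read a little-endian integer field (up to 8 bytes) out of a raw context buffer.
pub fn read_field(ctx: &[u8], f: &TraceField) -> Option<u64> {
    let bytes = ctx.get(f.offset..f.offset + f.size)?;
    if bytes.len() > 8 {
        return None;
    }
    let mut v = 0u64;
    for (i, b) in bytes.iter().enumerate() {
        v |= (*b as u64) << (8 * i);
    }
    Some(v)
}

fn main() {
    let fields = parse_format(SAMPLE_FORMAT);
    for f in &fields {
        println!("{:<28} {:<22} offset={:>2} size={} signed={}", f.ctype, f.name, f.offset, f.size, f.signed);
    }
    // Constructed 40-byte context: fd=3 at offset 16, count=0x8000 at offset 32.
    let mut ctx = vec![0u8; 40];
    ctx[16] = 3;
    ctx[32..34].copy_from_slice(&0x8000u16.to_le_bytes());
    let fd = field(&fields, "fd").and_then(|f| read_field(&ctx, f));
    let count = field(&fields, "count").and_then(|f| read_field(&ctx, f));
    println!("fd={:?} count={:?}", fd, count);
}
```

Note that the offsets differ between architectures and kernel versions, which is why reading the format file on the target machine (rather than trusting a copy) is the right habit.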

Function of this project

It can hide the PID of our rootkit, although it is just a toy for now.
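From the defender's side, hiding a PID by filtering getdents64 results for /proc leaves a gap that is easy to check for: the directory listing no longer shows the entry, but the kernel still answers a direct open of /proc/<pid>/status. The following added example (not code from this repository) compares the two views. The comparison itself takes constructed inputs so it can be tested offline; main applies it to the real /proc. Thread IDs are excluded via the Tgid line, because non-leader threads are reachable as /proc/<tid> without ever appearing in the listing and would otherwise be false positives.

```rust
// Added example (not part of the repository): cross-check the readdir view of
// /proc against direct probes of /proc/<pid>/status to surface PIDs that were
// removed from directory listings.
use std::collections::BTreeSet;
use std::fs;
use std::path::Path;

/// Core comparison, free of I/O so it can run on constructed data:
/// `listed` is the set of PIDs the directory enumeration returned and
/// `exists` answers whether a direct probe of a PID succeeds.
pub fn unlisted_pids(listed: &BTreeSet<u32>, max_pid: u32, exists: impl Fn(u32) -> bool) -> Vec<u32> {
    (1..=max_pid)
        .filter(|pid| !listed.contains(pid) && exists(*pid))
        .collect()
}

/// True when the `Tgid:` line of a /proc/<pid>/status text equals `pid`,
/// i.e. the entry is a process rather than a non-leader thread.
pub fn is_thread_group_leader(status: &str, pid: u32) -> bool {
    status
        .lines()
        .find_map(|l| l.strip_prefix("Tgid:"))
        .and_then(|v| v.trim().parse::<u32>().ok())
        .map_or(false, |tgid| tgid == pid)
}

/// Numeric entries of a directory, i.e. the view that getdents64 produced.
pub fn listed_pids(dir: &Path) -> std::io::Result<BTreeSet<u32>> {
    let mut set = BTreeSet::new();
    for entry in fs::read_dir(dir)? {
        let entry = entry?;
        if let Some(pid) = entry.file_name().to_str().and_then(|s| s.parse::<u32>().ok()) {
            set.insert(pid);
        }
    }
    Ok(set)
}

/// Direct probe: open /proc/<pid>/status without going through readdir.
pub fn probe_proc(proc_dir: &Path, pid: u32) -> bool {
    let status_path = proc_dir.join(pid.to_string()).join("status");
    match fs::read_to_string(status_path) {
        Ok(status) => is_thread_group_leader(&status, pid),
        Err(_) => false,
    }
}

/// Upper bound for the probe loop; falls back to the classic default.
fn pid_max() -> u32 {
    fs::read_to_string("/proc/sys/kernel/pid_max")
        .ok()
        .and_then(|s| s.trim().parse().ok())
        .unwrap_or(32768)
}

fn main() -> std::io::Result<()> {
    let proc_dir = Path::new("/proc");
    let listed = listed_pids(proc_dir)?;
    let hidden = unlisted_pids(&listed, pid_max(), |pid| probe_proc(proc_dir, pid));
    if hidden.is_empty() {
        println!("no unlisted PIDs found; {} PIDs listed", listed.len());
    } else {
        for pid in hidden {
            println!("PID {pid}: /proc/{pid}/status is readable but the entry is missing from the listing");
        }
    }
    Ok(())
}
```

A process that starts between the enumeration and the probe will show up once as a false positive, so a hit is worth confirming with a second run before acting on it.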


Thanks

Aya Discord members, I couldn't have finished this job without your selfless help and patient answers.

ChatGPT, thanks for your company and for helping me resolve terrible problems.

Doc. ChongHaoRen, thanks for your scientific methodology view, which helped me overcome some narrow viewpoints and solve problems more flexibly.

Reference

How to build a covert backdoor with eBPF

bad ebpf

About

An eBPF rootkit which hides a target process.
