Skip to content
/ evilBPF Public

Weaponizing the Linux Kernel (Hide Files/PID, SSH backdoors, SSL Sniffer, ...) by poking around eBPF/XDP

Notifications You must be signed in to change notification settings

rphang/evilBPF

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

64 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

evilBPF

an eBPF / XDP Playground

This repository contains a collection of eBPF / XDP programs that I've written while learning about eBPF and XDP. As security is my primary interest, most of these programs are security-related and are intended to be used for security research.

hider_demo Hide your files and processes from the system

ssl_demo Sniff unencrypted SSL/TLS traffic

Warning

Disclaimer: I condemn the use of these programs for malicious purposes. I am not responsible for any damage caused by the use of these programs. These programs are intended for educational purposes only.

Programs List

Type Name Description Notes
XDP icmp_pingback Respond to ICMP echo requests with ICMP echo replies within the XDP layer. Showcase of XDP program
TP hide_pid Hide a process (pid)/folder/file from the system Inspired by bad-bpf
TP hidden_ssh Give yourself a hidden backdoor in the SSH server
UPROBE ssl_sniffer Sniff unencrypted SSL/TLS traffic

Requirements

For compiling eBPF programs, you'll need the following:

  • Debian, Ubuntu, or other Debian-based Linux distribution
  • Linux Kernel 5.8.0 or later
  • clang and llvm (>= 10.0.0)
sudo apt install clang llvm libelf-dev linux-headers-$(uname -r) build-essential

Installation

From releases

You can download the latest release from the releases page.

Note

Some programs might not give enough control over the eBPF program, if you need to modify the eBPF program, you'll need to compile the source code. (Or open an issue requesting the feature)

Getting the source code

As we are using submodules, you'll need to clone this repository with the --recursive flag:

git clone https://github.com/rphang/evilBPF.git --recursive

If you've already cloned this repository without the --recursive flag, you can run the following command to clone the submodules:

git submodule update --init --recursive

Compiling the programs

All at once

To compile all the programs at once, simply run the Makefile in the root directory:

make

All the compiled programs will be placed in the dst directory.

Individually

Each program has its own directory, and each directory has its own Makefile. To compile a program, simply cd into the program's directory and run make:

cd src/<program>...
make

Resources

Alot of the general resources I've used to learn about eBPF and XDP are listed below:

About

Weaponizing the Linux Kernel (Hide Files/PID, SSH backdoors, SSL Sniffer, ...) by poking around eBPF/XDP

Topics

Resources

Stars

Watchers

Forks

Packages

No packages published