From 5bae3436a69ab8aeac0f1e4bcf1c77cb688bf9bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rom=C3=A9o=20Phang?= Date: Wed, 15 May 2024 02:26:26 +0200 Subject: [PATCH] docs: added ssl_sniffer and previews --- .../resources}/hide_pid_demo.gif | Bin .../resources}/ssl_sniffer_demo.gif | Bin README.md | 33 ++++++++++++------ src/hide_pid/README.md | 2 +- src/ssl_sniffer/README.md | 2 +- 5 files changed, 24 insertions(+), 13 deletions(-) rename {resources => .github/resources}/hide_pid_demo.gif (100%) rename {resources => .github/resources}/ssl_sniffer_demo.gif (100%) diff --git a/resources/hide_pid_demo.gif b/.github/resources/hide_pid_demo.gif similarity index 100% rename from resources/hide_pid_demo.gif rename to .github/resources/hide_pid_demo.gif diff --git a/resources/ssl_sniffer_demo.gif b/.github/resources/ssl_sniffer_demo.gif similarity index 100% rename from resources/ssl_sniffer_demo.gif rename to .github/resources/ssl_sniffer_demo.gif diff --git a/README.md b/README.md index 3e6f135..90fa484 100644 --- a/README.md +++ b/README.md 
@@ -3,30 +3,46 @@ _an eBPF / XDP Playground_ This repository contains a collection of eBPF / XDP programs that I've written while learning about eBPF and XDP. As security is my primary interest, most of these programs are security-related and are intended to be used for security research. +![hider_demo](.github/resources/hide_pid_demo.gif) +*Hide your files and processes from the system* + +![ssl_demo](.github/resources/ssl_sniffer_demo.gif) +*Sniff unencrypted SSL/TLS traffic* + +> [!WARNING] > **Disclaimer:** I condemn the use of these programs for malicious purposes. I am not responsible for any damage caused by the use of these programs. These programs are intended for educational purposes only. -## Programs +## Programs List | Type | Name | Description | Notes | | ---- | ---- | ----------- | ----- | -| XDP | [icmp_pingback](src/icmp_pingback) | Respond to ICMP echo requests with ICMP echo replies within the XDP layer. | multiple demo used to show the features offered by eBPF | -| TP | [hide_pid](src/hide_pid) | Hide a process (pid)/folder/file from the system | Heavily inspired by [bad-bpf](https://github.com/pathtofile/bad-bpf) with some modifications | +| XDP | [icmp_pingback](src/icmp_pingback) | Respond to ICMP echo requests with ICMP echo replies within the XDP layer. 
| Showcase of XDP program | +| TP | [hide_pid](src/hide_pid) | Hide a process (pid)/folder/file from the system | Inspired by [bad-bpf](https://github.com/pathtofile/bad-bpf) | | TP | [hidden_ssh](src/hidden_ssh) | Give yourself a hidden backdoor in the SSH server | | +| UPROBE | [ssl_sniffer](src/ssl_sniffer) | Sniff unencrypted SSL/TLS traffic | | ## Requirements For compiling eBPF programs, you'll need the following: - Debian, Ubuntu, or other Debian-based Linux distribution +- Linux Kernel 5.8.0 or later +- `clang` and `llvm` (>= 10.0.0) ```bash -sudo apt install clang llvm libelf-dev gcc-multilib linux-headers-$(uname -r) build-essential +sudo apt install clang llvm libelf-dev linux-headers-$(uname -r) build-essential ``` -Make sure that the version of `clang` and `llvm` installed is `>= 10.0.0`. ## Installation +### From releases + +You can download the latest release from the [releases page](https://github.com/rphang/evilBPF/releases). + +> [!NOTE] +> Some programs might not give enough control over the eBPF program, if you need to modify the eBPF program, you'll need to compile the source code. (Or open an issue requesting the feature) + ### Getting the source code As we are using submodules, you'll need to clone this repository with the `--recursive` flag: @@ -57,14 +73,9 @@ All the compiled programs will be placed in the `dst` directory. Each program has its own directory, and each directory has its own `Makefile`. To compile a program, simply `cd` into the program's directory and run `make`: ```bash -cd ... +cd src/... make ``` -## Roadmap - -- [ ] Compatible with [bpf CO-RE](https://nakryiko.com/posts/bpf-core-reference-guide/) -- [ ] Steal nginx passwd, authorization header, and cookie with openssl support (uprobes) -- [ ] Shadow reading files (a kind of a kernel MITM sniffer) ## Resources diff --git a/src/hide_pid/README.md b/src/hide_pid/README.md index d3b81eb..3da9675 100644 --- a/src/hide_pid/README.md +++ b/src/hide_pid/README.md 
@@ -1,6 +1,6 @@ # hider -![hider_demo](../../resources/hide_pid_demo.gif) +![hider_demo](../../.github/resources/hide_pid_demo.gif) All processes in Linux have a PID (Process IDentifier) that is used to identify them. This is a unique number that is assigned to each process by the kernel. Programs like `ps` and `top` use this PID to identify processes. They work by listing the contents of the `/proc` directory, which contains a directory for each process, named after the PID of the process. diff --git a/src/ssl_sniffer/README.md b/src/ssl_sniffer/README.md index 8106a44..8364f0c 100644 --- a/src/ssl_sniffer/README.md +++ b/src/ssl_sniffer/README.md @@ -2,7 +2,7 @@ `ssl_sniffer` is a simple tool to sniff on-going SSL/TLS traffic on the machine without installing, trusting, or modifying any certificate. It will **intercept the raw decrypted SSL/TLS traffic**, and display it on the fly. -![ssl_demo](../../resources/ssl_sniffer_demo.gif) +![ssl_demo](../../.github/resources/ssl_sniffer_demo.gif) ## Features
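Review bot: in the first README.md hunk, dropping `gcc-multilib` from the `sudo apt install` line may break BPF compilation on x86_64 Debian/Ubuntu; that package is the usual fix for clang failing with `asm/types.h: No such file or directory` when building BPF C, so confirm a clean-VM `make` still succeeds before removing it, or say in the Requirements section why it is no longer needed. Two related documentation points in the same hunk: the new bullet `clang` and `llvm` (>= 10.0.0) is not enforced by the apt line, so on older releases a plain `apt install clang llvm` can land below 10.0.0 (suggest naming a versioned package or a `clang --version` check); and the new "From releases" section should state which kernel version(s) the prebuilt binaries were built against, since the roadmap item `- [ ] Compatible with bpf CO-RE` is unchecked and being removed, which implies the objects are not portable across kernels. Also, in the table row `| UPROBE | [ssl_sniffer](src/ssl_sniffer) | Sniff unencrypted SSL/TLS traffic |`, "unencrypted SSL/TLS traffic" is contradictory; the program README says "intercept the raw decrypted SSL/TLS traffic", so use "decrypted" here and name the library whose functions the uprobes attach to (the removed roadmap line mentions openssl), because a uprobe sniffer only sees traffic that passes through the hooked symbols, not statically linked or non-OpenSSL TLS stacks. Minor style: the `> [!NOTE]` sentence is a comma splice ("... over the eBPF program, if you need to modify ..."); split it at the comma.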
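Review bot: the second README.md hunk (`@@ -57,14 +73,9 @@`) deletes the whole `## Roadmap` section, but only one of its three items (the openssl/uprobes sniffer) is reflected as done by the new `ssl_sniffer` table row; `- [ ] Compatible with bpf CO-RE` and `- [ ] Shadow reading files` remain unimplemented as far as this patch shows. Either keep those two items or note in the commit message that the roadmap was intentionally dropped, otherwise readers lose the information that CO-RE is not supported. The `cd ...` to `cd src/...` change is a good fix and matches the `src/` paths used in the programs table.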
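Review bot: in the src/hide_pid/README.md and src/ssl_sniffer/README.md hunks the relative paths `../../.github/resources/hide_pid_demo.gif` and `../../.github/resources/ssl_sniffer_demo.gif` are consistent with the `rename {resources => .github/resources}` entries in the diffstat, so these links should render on GitHub. Since the old `resources/` directory is removed entirely, please grep the rest of the tree (e.g. the `src/hidden_ssh` and `src/icmp_pingback` READMEs, which are not touched by this patch) for remaining `resources/` references so no image links are left dangling.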