
hades's Issues

[Compilation Error] use of undeclared identifier 'KBUILD_MODNAME'

Hi, I got a compilation error when I try to make hades_ebpf_driver.o on my Ubuntu server.

Environment:

  • Kernel: 5.13.0-35-generic x86_64
  • Clang: 13.0.0-2
  • LLVM: 13.0.0

Error log

make hades_ebpf_driver.o -s --no-print-directory
In file included from src/hades.c:1:
In file included from include/hades_exec.h:7:
In file included from include/utils_buf.h:6:
In file included from include/define.h:18:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/inet_sock.h:22:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sock.h:59:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/linux/filter.h:27:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sch_generic.h:21:
/usr/src/linux-headers-5.13.0-35-generic/include/net/flow_offload.h:324:4: error: use of undeclared identifier 'KBUILD_MODNAME'
                        NL_SET_ERR_MSG_MOD(extack, "Mixing HW stats types for actions is not supported");
                        ^
/usr/src/linux-headers-5.13.0-35-generic/include/linux/netlink.h:102:27: note: expanded from macro 'NL_SET_ERR_MSG_MOD'
        NL_SET_ERR_MSG((extack), KBUILD_MODNAME ": " msg)
                                 ^
In file included from src/hades.c:1:
In file included from include/hades_exec.h:7:
In file included from include/utils_buf.h:6:
In file included from include/define.h:18:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/inet_sock.h:22:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sock.h:59:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/linux/filter.h:27:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sch_generic.h:21:
/usr/src/linux-headers-5.13.0-35-generic/include/net/flow_offload.h:324:4: error: expected ';' at end of declaration
/usr/src/linux-headers-5.13.0-35-generic/include/linux/netlink.h:102:42: note: expanded from macro 'NL_SET_ERR_MSG_MOD'
        NL_SET_ERR_MSG((extack), KBUILD_MODNAME ": " msg)
                                                ^
In file included from src/hades.c:1:
In file included from include/hades_exec.h:7:
In file included from include/utils_buf.h:6:
In file included from include/define.h:18:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/inet_sock.h:22:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sock.h:59:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/linux/filter.h:27:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sch_generic.h:21:
/usr/src/linux-headers-5.13.0-35-generic/include/net/flow_offload.h:359:3: error: use of undeclared identifier 'KBUILD_MODNAME'
                NL_SET_ERR_MSG_MOD(extack, "Driver supports only default HW stats type \"any\"");
                ^
/usr/src/linux-headers-5.13.0-35-generic/include/linux/netlink.h:102:27: note: expanded from macro 'NL_SET_ERR_MSG_MOD'
        NL_SET_ERR_MSG((extack), KBUILD_MODNAME ": " msg)
                                 ^
In file included from src/hades.c:1:
In file included from include/hades_exec.h:7:
In file included from include/utils_buf.h:6:
In file included from include/define.h:18:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/inet_sock.h:22:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sock.h:59:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/linux/filter.h:27:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sch_generic.h:21:
/usr/src/linux-headers-5.13.0-35-generic/include/net/flow_offload.h:359:3: error: expected ';' at end of declaration
/usr/src/linux-headers-5.13.0-35-generic/include/linux/netlink.h:102:42: note: expanded from macro 'NL_SET_ERR_MSG_MOD'
        NL_SET_ERR_MSG((extack), KBUILD_MODNAME ": " msg)
                                                ^
In file included from src/hades.c:1:
In file included from include/hades_exec.h:7:
In file included from include/utils_buf.h:6:
In file included from include/define.h:18:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/inet_sock.h:22:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sock.h:59:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/linux/filter.h:27:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sch_generic.h:21:
/usr/src/linux-headers-5.13.0-35-generic/include/net/flow_offload.h:363:3: error: use of undeclared identifier 'KBUILD_MODNAME'
                NL_SET_ERR_MSG_MOD(extack, "Driver does not support selected HW stats type");
                ^
/usr/src/linux-headers-5.13.0-35-generic/include/linux/netlink.h:102:27: note: expanded from macro 'NL_SET_ERR_MSG_MOD'
        NL_SET_ERR_MSG((extack), KBUILD_MODNAME ": " msg)
                                 ^
In file included from src/hades.c:1:
In file included from include/hades_exec.h:7:
In file included from include/utils_buf.h:6:
In file included from include/define.h:18:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/inet_sock.h:22:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sock.h:59:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/linux/filter.h:27:
In file included from /usr/src/linux-headers-5.13.0-35-generic/include/net/sch_generic.h:21:
/usr/src/linux-headers-5.13.0-35-generic/include/net/flow_offload.h:363:3: error: expected ';' at end of declaration
/usr/src/linux-headers-5.13.0-35-generic/include/linux/netlink.h:102:42: note: expanded from macro 'NL_SET_ERR_MSG_MOD'
        NL_SET_ERR_MSG((extack), KBUILD_MODNAME ": " msg)
                                                ^
6 errors generated.
make[2]: *** [Makefile:60: hades_ebpf_driver.o] Error 1
make[1]: *** [Makefile:49: all] Error 2
make[1]: Leaving directory '/root/Hades/plugin/driver/eBPF/kernel'
make: *** [Makefile:2: all] Error 2

[BUG] incorrect stdout/stdin name

Describe the bug
Get the fd name via d_dname (just like the kernel function does). For now, an anonymous pipe is an empty string in Hades while it is pipe:[xxxx] in Elkeid. This is very important when we deal with reverse shells. We should look into how d_name works in the kernel.
But for now, we can still detect the socket...

Screenshots
In Hades:

{"timestamp":46709062078800,"cgroupid":4294968932,"pns":4026531836,"type":700,"pid":347526,"tid":347526,"uid":0,"gid":0,"ppid":344736,"sessionid":1796,"comm":"cat","pcomm":"bash","nodename":"localhost","retval":0,"md5":"7e9d213e404ad3bb82e4ebb2e1f2c1b3","username":"root","starttime":1657683598,"exe":"/usr/bin/cat","syscall":"execve","cwd":"/tmp/testspace","tty_name":"pts4","stdin":"TCP","stdout":"","dport":"666","dip":"127.0.0.1","pid_tree":"347526.cat<344736.bash<343802.node<343765.node<343756.sh<343645.bash<343640.bash<343503.sshd","cmdline":"cat","priv_esca":0,"ssh_connection":"xxxx 58446 10.0.4.13 22","ld_preload":"-1"}

In Elkeid:

{
  "bootTime":"2022-01-19 19:11:31.000",
  "cmdline":"cat",
  "cwd":"/",
  "exe":"/usr/bin/cat",
  "fd_num":"1",
  "name":"cat",
  "pid":"12778",
  "ppid":"50250",
  "r_addr_ip":"10.71.5.222",
  "r_addr_port":"666",
  "session":"50250",
  "stderr":"/dev/pts/0",
  "stdin":"socket:[583396364]",
  "stdout":"pipe:[583396365]",
  "terminal":"/pts/0",
  "username":"root"
},
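Both agents are reading the same kernel naming: sockfs and pipefs implement d_dname, which formats anonymous inodes as socket:[inode] and pipe:[inode], and readlink on /proc/<pid>/fd/N returns exactly that text. As an added example (not Hades or Elkeid code), the Go program below reads fd names through /proc, classifies them the way an execve event needs them (socket, pipe, tty, file), and, for a socket, resolves the inode to its remote endpoint through /proc/net/tcp, which is how the remote address next to "socket:[583396364]" can be recovered in userspace when the probe did not capture it. The /proc/net/tcp excerpt is constructed so that the inode from the Elkeid record maps to 127.0.0.1:666.

```go
package main

import (
	"bufio"
	"encoding/hex"
	"fmt"
	"net"
	"os"
	"strconv"
	"strings"
)

// FdName returns what the kernel prints for a file descriptor: a real path for
// regular files and ttys, "socket:[inode]" for sockets and "pipe:[inode]" for
// anonymous pipes (the sockfs/pipefs d_dname callbacks format those strings,
// and readlink on /proc/<pid>/fd/N exposes the same text).
func FdName(pid, fd int) (string, error) {
	return os.Readlink(fmt.Sprintf("/proc/%d/fd/%d", pid, fd))
}

// FdKind classifies an fd name into the buckets an execve event cares about.
func FdKind(name string) string {
	switch {
	case strings.HasPrefix(name, "socket:["):
		return "socket"
	case strings.HasPrefix(name, "pipe:["):
		return "pipe"
	case strings.HasPrefix(name, "/dev/pts/"), strings.HasPrefix(name, "/dev/tty"):
		return "tty"
	case name == "":
		return "unknown"
	default:
		return "file"
	}
}

// AnonInode extracts the inode number from "socket:[583396364]" or "pipe:[...]".
func AnonInode(name string) (uint64, bool) {
	open := strings.IndexByte(name, '[')
	if open < 0 || !strings.HasSuffix(name, "]") {
		return 0, false
	}
	n, err := strconv.ParseUint(name[open+1:len(name)-1], 10, 64)
	return n, err == nil
}

// TCPPeer is the remote endpoint of a TCP socket.
type TCPPeer struct {
	IP   net.IP
	Port uint16
}

// LookupTCPInode scans /proc/net/tcp-formatted text for the socket inode and
// returns its remote address. /proc/net/tcp stores IPv4 addresses as
// little-endian hex (0100007F is 127.0.0.1) and ports as big-endian hex.
func LookupTCPInode(procNetTCP string, inode uint64) (TCPPeer, bool) {
	sc := bufio.NewScanner(strings.NewReader(procNetTCP))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		// columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode ...
		if len(f) < 10 || f[0] == "sl" {
			continue
		}
		if ino, err := strconv.ParseUint(f[9], 10, 64); err != nil || ino != inode {
			continue
		}
		ipPort := strings.SplitN(f[2], ":", 2)
		raw, err := hex.DecodeString(ipPort[0])
		if err != nil || len(raw) != 4 {
			return TCPPeer{}, false
		}
		port, err := strconv.ParseUint(ipPort[1], 16, 16)
		if err != nil {
			return TCPPeer{}, false
		}
		// reverse the little-endian byte order into a network-order net.IP
		ip := net.IPv4(raw[3], raw[2], raw[1], raw[0])
		return TCPPeer{IP: ip, Port: uint16(port)}, true
	}
	return TCPPeer{}, false
}

// sampleProcNetTCP is a constructed /proc/net/tcp excerpt: one socket whose
// peer is 127.0.0.1:666 and whose inode matches Elkeid's "socket:[583396364]".
const sampleProcNetTCP = `  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:E44E 0100007F:029A 01 00000000:00000000 00:00000000 00000000     0        0 583396364 1 0000000000000000 20 4 30 10 -1
`

func main() {
	for fd, label := range []string{"stdin", "stdout", "stderr"} {
		name, err := FdName(os.Getpid(), fd)
		if err != nil {
			name = ""
		}
		fmt.Printf("%s=%q kind=%s\n", label, name, FdKind(name))
		if ino, ok := AnonInode(name); ok && FdKind(name) == "socket" {
			if peer, found := LookupTCPInode(sampleProcNetTCP, ino); found {
				fmt.Printf("  peer %s:%d\n", peer.IP, peer.Port)
			}
		}
	}
}
```

The /proc route is a fallback with a race: the fd can be closed or reused between the execve event and the readlink, which is why an in-kernel d_path at the hook (what both agents aim for) is the reliable source; the inode-to-peer lookup, though, is the same whether the name came from the kernel or from /proc.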

[BUG] Incorrect exe

Describe the bug
Incorrect exe in execve(at) event

Environment
5.4.0-104-generic

To Reproduce
Steps to reproduce the behavior:

  1. Run Hades
  2. Exec command /usr/bin/../bin/whoami

Expected behavior

  1. exe should be /usr/bin/whoami

Additional context
Full testcases should be added to avoid such BUG.
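The expected value in this report is what the kernel's own path walk produces, and a userspace decoder that only cleans the string lexically cannot reproduce every case (a symlinked /bin, for instance). As an added example that is not part of the Hades code base, the Go test below reconstructs the absolute path from the raw execve/execveat arguments for the case in this report and its execveat variants, and reads /proc/<pid>/exe, the kernel's resolved exe_file, as the reference value; the dirfd number and the dirfd path are constructed inputs.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// AT_FDCWD is the dirfd value execveat uses to mean "relative to cwd".
const AT_FDCWD = -100

// ResolveExecPath reconstructs the absolute executable path for an execve or
// execveat call from the raw arguments. dirfdPath is the path behind dirfd
// (what /proc/<pid>/fd/<dirfd> resolves to) or "" when dirfd is AT_FDCWD.
// Lexical "." and ".." components are collapsed as the kernel's path walk
// does, so "/usr/bin/../bin/whoami" becomes "/usr/bin/whoami". Symlinks are
// not resolved here; compare against ProcExe for that.
func ResolveExecPath(filename, cwd string, dirfd int, dirfdPath string) string {
	switch {
	case filepath.IsAbs(filename):
		return filepath.Clean(filename)
	case dirfd == AT_FDCWD:
		return filepath.Join(cwd, filename)
	case filename == "":
		// execveat(fd, "", ..., AT_EMPTY_PATH): the fd itself is the binary
		return filepath.Clean(dirfdPath)
	default:
		return filepath.Join(dirfdPath, filename)
	}
}

// ProcExe returns the kernel's own answer for a running process, the same
// value an eBPF probe gets from task->mm->exe_file via d_path, with symlinks
// already resolved.
func ProcExe(pid int) (string, error) {
	return os.Readlink(fmt.Sprintf("/proc/%d/exe", pid))
}

type execCase struct {
	filename, cwd string
	dirfd         int
	dirfdPath     string
	want          string
}

// The case from the report plus constructed execveat variants.
var execCases = []execCase{
	{"/usr/bin/../bin/whoami", "/tmp", AT_FDCWD, "", "/usr/bin/whoami"},
	{"./whoami", "/usr/bin", AT_FDCWD, "", "/usr/bin/whoami"},
	{"../sbin/../bin/whoami", "/usr/lib", AT_FDCWD, "", "/usr/bin/whoami"},
	{"whoami", "/tmp", 5, "/usr/bin", "/usr/bin/whoami"},
	{"", "/tmp", 5, "/usr/bin/whoami", "/usr/bin/whoami"},
}

// RunExecCases returns one line per failing case, empty when all pass.
func RunExecCases() []string {
	var failures []string
	for _, c := range execCases {
		got := ResolveExecPath(c.filename, c.cwd, c.dirfd, c.dirfdPath)
		if got != c.want {
			failures = append(failures, fmt.Sprintf("%q cwd=%q: got %q want %q", c.filename, c.cwd, got, c.want))
		}
	}
	return failures
}

func main() {
	for _, f := range RunExecCases() {
		fmt.Println("FAIL:", f)
	}
	if exe, err := ProcExe(os.Getpid()); err == nil {
		fmt.Println("own exe as the kernel reports it:", exe)
	}
}
```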

Ordered msgs in perf_event

Ordered msgs in perf_event: add a function to sort the msgs in time order, so that ppid_argv (parent pid argv) can be filled in properly.
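Perf ring buffers are per CPU and drained independently, so a child's execve read from one CPU can reach userspace before its parent's execve read from another, and a ppid_argv lookup done in arrival order finds nothing. As an added example (not the Hades implementation), the Go program below is a small reorder buffer: events are held until they are older than a delay window relative to the newest timestamp seen, then released in timestamp order, and the parent's argv is resolved at release time. The three events and the window are constructed.

```go
package main

import (
	"container/heap"
	"fmt"
)

// Event is the subset of an execve record needed to resolve ppid_argv.
type Event struct {
	TS   uint64 // bpf_ktime_get_boot_ns() taken in the hook: the only key comparable across CPUs
	CPU  int
	PID  int
	PPID int
	Argv string
}

// Resolved is an event after release, with the parent's argv looked up.
type Resolved struct {
	Event
	PPIDArgv string
}

type tsHeap []Event

func (h tsHeap) Len() int            { return len(h) }
func (h tsHeap) Less(i, j int) bool  { return h[i].TS < h[j].TS }
func (h tsHeap) Swap(i, j int)       { h[i], h[j] = h[j], h[i] }
func (h *tsHeap) Push(x interface{}) { *h = append(*h, x.(Event)) }
func (h *tsHeap) Pop() interface{} {
	old := *h
	e := old[len(old)-1]
	*h = old[:len(old)-1]
	return e
}

// Reorderer buffers events until they are older than delayNs of event time
// relative to the newest event seen, then releases them in TS order. Any
// window larger than the cross-CPU delivery skew restores causal order.
type Reorderer struct {
	delayNs   uint64
	pending   tsHeap
	argvByPID map[int]string
	Out       []Resolved
}

func NewReorderer(delayNs uint64) *Reorderer {
	return &Reorderer{delayNs: delayNs, argvByPID: map[int]string{}}
}

// Add takes one event in arrival order and releases everything that has aged out.
func (r *Reorderer) Add(e Event) {
	heap.Push(&r.pending, e)
	for r.pending.Len() > 0 && r.pending[0].TS+r.delayNs <= e.TS {
		r.release(heap.Pop(&r.pending).(Event))
	}
}

// Flush releases whatever is still buffered (call at shutdown).
func (r *Reorderer) Flush() {
	for r.pending.Len() > 0 {
		r.release(heap.Pop(&r.pending).(Event))
	}
}

func (r *Reorderer) release(e Event) {
	argv, ok := r.argvByPID[e.PPID]
	if !ok {
		argv = "-1" // the marker Hades uses for an unknown string field
	}
	r.argvByPID[e.PID] = e.Argv
	r.Out = append(r.Out, Resolved{Event: e, PPIDArgv: argv})
}

// ArrivalOrder is the no-reordering baseline for comparison.
func ArrivalOrder(events []Event) []Resolved {
	r := NewReorderer(0)
	for _, e := range events {
		r.release(e)
	}
	return r.Out
}

// Constructed arrival sequence: the child's execve (CPU 1) is read before the
// parent's (CPU 0) although the parent's timestamp is earlier.
var sampleArrival = []Event{
	{TS: 300, CPU: 1, PID: 1002, PPID: 1001, Argv: "cat /etc/passwd"},
	{TS: 100, CPU: 0, PID: 1001, PPID: 1, Argv: "/bin/bash -i"},
	{TS: 2000, CPU: 0, PID: 1003, PPID: 1001, Argv: "id"},
}

func main() {
	for _, x := range ArrivalOrder(sampleArrival) {
		fmt.Printf("arrival   pid=%d ppid_argv=%q\n", x.PID, x.PPIDArgv)
	}
	r := NewReorderer(1000)
	for _, e := range sampleArrival {
		r.Add(e)
	}
	r.Flush()
	for _, x := range r.Out {
		fmt.Printf("reordered pid=%d ppid_argv=%q\n", x.PID, x.PPIDArgv)
	}
}
```

The window is a latency/accuracy trade: too small and cross-CPU skew still inverts parent and child, too large and every event is delayed by that much; the argv cache also needs eviction on exit events, which this example leaves out.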

[BUG]pod_name is null

[BUG]pod_name is null

{"starttime":1686193822,"cgroupid":1,"pns":0,"pid":64825,"tid":64825,"uid":0,"gid":0,"ppid":0,"pgid":0,"sessionid":4294937234,"comm":"modprobe","pcomm":"","nodename":"","retval":0,"exe_hash":"-1","username":"root","exe":"-1","syscall":"execve","ppid_argv":"-1","pgid_argv":"-1","pod_name":"-1","cwd":"-1","tty_name":"-1","stdin":"-1","stdout":"-1","dport":0,"dip":"0.0.0.0","sport":0,"sip":"0.0.0.0","family":0,"socket_pid":0,"socket_argv":"-1","pid_tree":"","argv":"/sbin/modprobe ip_tables","priv_esca":0,"ssh_connection":"-1","ld_preload":"-1"}

dns data is wrong

LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: AnolisOS
Description: Anolis OS release 8.8
Release: 8.8
Codename: n/a

{"starttime":1686893499,"cgroupid":1,"pns":1442590160,"pid":12152,"tid":12122,"uid":0,"gid":0,"ppid":0,"pgid":0,"sessionid":0,"comm":"consul-1.1.1-1","pcomm":"","nodename":"","retval":90,"exe_hash":"-1","username":"root","exe":"-1","syscall":"udp_recvmsg","ppid_argv":"-1","pgid_argv":"-1","pod_name":"-1","opcode":7,"rcode":10,"qtype":0,"atype":0,"dns_data":"M�\u0004AP\u0013#\u0017�//TV$����1)\n�p�f)�М%�\u001c��B� I��r�S�8��L7O�P��\u001d\u0007��F\u0014��g7�|\u0008��)�89��","sip":"10.197.192.44","sport":8301,"dip":"0.0.0.0","dport":0}

[Feature] EDR-based feature

Is your feature request related to a problem? Please describe.
Nope

Describe the solution you'd like
Inspired by Tetragon. In Hades, we could integrate a dynamic deny policy for particular fields, like networking, file_opening, etc., with eBPF. Use iptables to implement dynamic network policy even without eBPF for some incident-response situations.

Describe alternatives you've considered

  1. bpf_override_return, with the policy in YAML, since it might be complicated
  2. On lower kernel versions, use iptables or something else.

Additional context
Nope

[BUG] Problems with general field

Describe the bug

  1. context->ts, pay attention it's boottime
  2. pay attention to the stdin and stdout, dive in to the kernel function which is used in Elkeid.

Environment

  • OS Information: uname -r

To Reproduce
Steps to reproduce the behavior:

  1. Run '...'
  2. See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.
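On the timestamp point: bpf_ktime_get_boot_ns() returns CLOCK_BOOTTIME nanoseconds, which count from boot and keep running through suspend (unlike the CLOCK_MONOTONIC value from bpf_ktime_get_ns()), so the value is neither epoch time nor comparable across hosts; the two execve records on this page even carry the boot-clock value under different keys (timestamp in one, starttime in the other). As an added example (not Hades code), the Go program below samples CLOCK_BOOTTIME and wall time together in userspace and converts an event's boot-clock stamp to wall time from that pair; the 90 s offset in main is constructed.

```go
package main

import (
	"fmt"
	"syscall"
	"time"
	"unsafe"
)

// clockBoottime is CLOCK_BOOTTIME on Linux, the clock bpf_ktime_get_boot_ns() reads.
const clockBoottime = 7

// BootNow returns CLOCK_BOOTTIME in nanoseconds via the raw syscall, so the
// sample is taken on the same clock the probe used.
func BootNow() (uint64, error) {
	var ts syscall.Timespec
	_, _, e := syscall.Syscall(syscall.SYS_CLOCK_GETTIME, clockBoottime, uintptr(unsafe.Pointer(&ts)), 0)
	if e != 0 {
		return 0, e
	}
	return uint64(ts.Sec)*1e9 + uint64(ts.Nsec), nil
}

// BootToWall converts an event timestamp from the boot clock into wall time,
// given one (boot, wall) pair sampled at the same instant in userspace. Both
// clocks advance at the same rate, so wall = sampleWall - (sampleBoot - eventBoot).
// A later wall-clock step (NTP, date -s) shifts the result; resample after one.
func BootToWall(eventBootNs, sampleBootNs uint64, sampleWall time.Time) time.Time {
	delta := int64(sampleBootNs) - int64(eventBootNs) // positive for past events
	return sampleWall.Add(-time.Duration(delta))
}

func main() {
	boot, err := BootNow()
	if err != nil {
		panic(err)
	}
	wall := time.Now()
	fmt.Println("uptime on the boot clock:", time.Duration(boot), "wall:", wall)
	// an event stamped 90 s earlier on the boot clock (constructed)
	fmt.Println("event wall time:", BootToWall(boot-90e9, boot, wall))
}
```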

[BUG] hi, linux kern 5.8, not get dns data

Describe the bug
my env is:
os: ubuntu20.10
kern: 5.8
clang: clang-11

and I try: make core, it works normally.
But when I exec: curl www.baidu.com
I can't see any DNS-related log.

So, can you solve this problem? I think it's a bug.

Hope the bug can be solved soon. Thanks!

[Feature] Close the probe if limit hitted

In some situations, UDP-related syscalls are called very frequently. The kprobe itself may become the performance bottleneck. Let the ebpfmanager unload the probe.

[Feature] Add filters

Here are some important filters:

  1. socket filters
  2. pid filters
  3. exe/cwd filters

All of the filters should be done in kernel space and interact with userspace by BPF_MAP

[Feature] arm64 support

Is your feature request related to a problem? Please describe.
Nope

Describe the solution you'd like
A compatible vmlinux.h, or generate it.

Describe alternatives you've considered
None

Additional context
Git actions added

Two questions

  1. I'm not sure whether I've missed something: as far as I can see, network behaviour collection is all based on process FORK/EXEC. If a process starts new network activity while it is already running, is that not detected?
  2. What is the main consideration behind maintaining the process tree?

[BUG] Dport incorrect in CO-RE

Describe the bug
dport is always 512 on CentOS 8 (CO-RE)

Environment

  • OS Information: 4.18.0-348.7.1.el8_5.x86_64

To Reproduce
reverse shell

Expected behavior
The port, just like the one we use in the command

[BUG]

Describe the bug
Garbled text on a specific system

{"starttime":79570157046599,"cgroupid":4294968467,"pns":0,"type":700,"pid":31760,"tid":31760,"uid":0,"gid":0,"ppid":0,"pgid":0,"sessionid":0,"comm":"cat","pcomm":"","nodename":"","retval":0,"exe_hash":"-3","username":"root","timestamp":1660032991,"exe":"-1","syscall":"execve","ppid_argv":"-3","pgid_argv":"-3","pod_name":"-3","cwd":"-1","tty_name":"��(\u0004�����sC�����","stdin":"-1","stdout":"-1","dport":0,"dip":"-1","family":0,"socket_pid":0,"socket_argv":"-3","pid_tree":"4294967295.��\u0007\u0002������\u0007\u0002���","argv":"cat /sys/class/dmi/id/product_serial","priv_esca":0,"ssh_connection":"-1","ld_preload":"-1"}

Environment

  • OS Information: Linux 5.4.0-122-generic #138~18.04.1-Ubuntu SMP Fri Jun 24 14:14:03 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

To Reproduce

cd Hades/plugin/driver/eBPF/
go run .


[BUG] kernel 4.19 not work

sys_enter_execveat: load program: invalid argument: unrecognized bpf_ld_imm64 insn , couldn't load eBPF programs

on kernel 4.19

Is there a discussion group?

Is there a discussion group? I'm a beginner, and instant messaging is more convenient for technical discussion topics.

[BUG] stdout error

Describe the bug
A clear and concise description of what the bug is.
On type-700 events I often run into the string size being too long, so the output fails; it usually happens while decoding stdout, and it errors whenever the value is a socket: entry. Could you tell me what causes this?
Environment
5.13.0-1019-gcp

To Reproduce
Steps to reproduce the behavior:

  1. go build && ./hades-ebpf --debug
  2. 1011 map[level:error msg:decode execve error: string size too long, size: 83901044 source:user/driver.go:272 timestamp:1696933796]

Expected behavior
I think there is some problem in the stdin and stdout handling. I want to see whether it is a socket or a pipe, but because of the error none of the socket-related events can be shown.

Additional context
Add any other context about the problem here.
I debugged it myself as far as here [plugins/user/decoder/decoder.go].
Could I join the group? I've been learning eBPF recently, thx~
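A size of 83901044 is not a plausible string length for an fd name, which points to a length field read from the wrong offset or from a record of a different layout, and the decoder treats it as fatal for the whole event. As an added example (not the Hades decoder, and a hypothetical record layout rather than its wire format), the Go program below decodes a record with bounds-checked length-prefixed strings, reporting the offset and remaining bytes of a bad length instead of dropping every socket event, and reads the 16-bit dport in network byte order, since sk->__sk_common.skc_dport is stored as __be16; the earlier report of a constant dport on CO-RE builds does not say which field was read, so the byte-order check is shown as the first thing to rule out rather than as its cause. The sample record values are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical record layout (an assumption for this example): a __be16 dport
// copied as-is from skc_dport, followed by strings each prefixed with a
// host-order (little-endian on x86_64) u32 length that includes the NUL.
const maxStringSize = 4096 // generous upper bound for a path or fd name

var errStringTooLong = errors.New("string size too long")

type Record struct {
	DPort  uint16
	Fields []string
}

// DecodeRecord walks the buffer with explicit bounds checks. A length larger
// than the remaining bytes or maxStringSize is reported with its offset, so a
// misaligned record is diagnosable; the fields decoded so far are kept.
func DecodeRecord(buf []byte) (Record, error) {
	var rec Record
	if len(buf) < 2 {
		return rec, errors.New("short buffer")
	}
	// skc_dport is network byte order: big-endian, unlike the rest of the record
	rec.DPort = binary.BigEndian.Uint16(buf[0:2])
	off := 2
	for off < len(buf) {
		if len(buf)-off < 4 {
			return rec, fmt.Errorf("truncated length at offset %d", off)
		}
		size := int(binary.LittleEndian.Uint32(buf[off : off+4]))
		if size > maxStringSize || size > len(buf)-off-4 {
			return rec, fmt.Errorf("%w: size %d at offset %d (remaining %d)", errStringTooLong, size, off, len(buf)-off-4)
		}
		off += 4
		// strings are NUL-terminated on the kernel side; strip the terminator
		rec.Fields = append(rec.Fields, string(bytes.TrimRight(buf[off:off+size], "\x00")))
		off += size
	}
	return rec, nil
}

// EncodeRecord builds a record in the same layout for the constructed sample.
func EncodeRecord(dport uint16, fields ...string) []byte {
	buf := make([]byte, 2)
	binary.BigEndian.PutUint16(buf, dport)
	for _, f := range fields {
		var l [4]byte
		binary.LittleEndian.PutUint32(l[:], uint32(len(f)+1))
		buf = append(buf, l[:]...)
		buf = append(buf, f...)
		buf = append(buf, 0)
	}
	return buf
}

// CorruptLength overwrites the first string's length field, as a misaligned
// read would, and returns the damaged copy.
func CorruptLength(buf []byte, size uint32) []byte {
	bad := append([]byte{}, buf...)
	binary.LittleEndian.PutUint32(bad[2:6], size)
	return bad
}

// WrongDPort shows what reading the big-endian port with the host byte order
// yields (4444 becomes 23569).
func WrongDPort(buf []byte) uint16 { return binary.LittleEndian.Uint16(buf[0:2]) }

func IsStringTooLong(err error) bool { return errors.Is(err, errStringTooLong) }

func main() {
	good := EncodeRecord(4444, "socket:[583396364]", "pipe:[583396365]")
	rec, err := DecodeRecord(good)
	fmt.Printf("%+v err=%v misread dport=%d\n", rec, err, WrongDPort(good))
	_, err = DecodeRecord(CorruptLength(good, 83901044))
	fmt.Println("corrupted:", err)
}
```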

[BUG] Execve(at) value incorrect

Describe the bug
After the push of incorrect execve, the Execve(at) values are incorrect

Environment

  • OS Information: uname -r

To Reproduce
Steps to reproduce the behavior:

  1. Run '...'
  2. See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

[Feature] Add test-case

Is your feature request related to a problem? Please describe.
Nope

Describe the solution you'd like
Test-case for every event and add these into CI/CD

Describe alternatives you've considered

Additional context
