ebpfkit-monitor is a tool that detects and protects against eBPF powered rootkits
APACHE-2.0 License
ebpfkit-monitor
is an utility that you can use to statically analyse eBPF bytecode or monitor suspicious eBPF activity at runtime. It was specifically designed to detect ebpfkit
.
This project is not an official Datadog product (experimental or otherwise), it is just code that happens to be developed by Datadog employees as part of an independent security research project. The rootkit herein is provided for educational purposes only and for those who are willing and curious to learn about ethical hacking, security and penetration testing with eBPF.
Do not attempt to use these tools to violate the law. The author is not responsible for any illegal action. Misuse of the provided information can result in criminal charges.
lib/modules/$(uname -r)
(see Makefile
)go get -u github.com/shuLhan/go-bindata/...
)ebpfkit-monitor
, run:# ~ make
ebpfkit-monitor
(copies ebpfkit-monitor
to /usr/bin/ebpfkit-monitor
) run:# ~ make install
Run ebpfkit-monitor -h
to get help.
# ~ ebpfkit-monitor -h
Usage:
ebpfkit-monitor [command]
Available Commands:
graph graph generates a graphviz representation of the ELF file
help Help about any command
map prints information about one or multiple maps
prog prints information about one or multiple programs
report prints summarized information about the maps and programs
start start monitoring the bpf syscall at runtime
Flags:
-h, --help help for ebpfkit-monitor
-l, --log-level string log level (options: panic, fatal, error, warn, info, debug or trace). Set to "debug" to see bpf events. (default "info")
Use "ebpfkit-monitor [command] --help" for more information about a command.
# ~ ebpfkit-monitor prog --asset my_elf_file.o
# ~ ebpfkit-monitor prog --asset my_elf_file.o --section kprobe/my_program --dump
# ~ ebpfkit-monitor prog --asset my_elf_file.o --helper BpfProbeWriteUser
# ~ ebpfkit-monitor prog --asset my_elf_file.o --map piped_progs
# ~ ebpfkit-monitor map --asset my_elf_file.o
# ~ sudo ebpfkit-monitor start --log-level debug
# ~ sudo ebpfkit-monitor start --output /tmp
# ~ sudo ebpfkit-monitor start --output /tmp --allowed-processes "/usr/sbin/bpftool"
# ~ ebpfkit-monitor graph -a my_elf_file.o
INFO[2021-08-03T13:19:12Z] Graph generated: /tmp/ebpfkit-monitor-graph-4104912074
# ~ fdp -Tsvg /tmp/ebpfkit-monitor-graph-4104912074 > ./graphs/output.svg
lsm
eBPF programs instead of bpf_override_return
for access control