Open brant-ruan opened 3 years ago
Hey @brant-ruan 👋🏻
Thank you for the heads up! I had a really quick look, and I can confirm it doesn't build on Ubuntu Hirsute for me either:
from 3278 to 170: R0=pkt(id=0,off=49,r=54,imm=0) R1=pkt(id=0,off=50,r=-2,imm=0) R2=pkt(id=0,off=0,r=54,imm=0) R3=pkt_end(id=0,off=0,imm=0) R4_w=inv(id=17) R5_w=inv(id=17) R6=ctx(id=0,off=0,imm=0) R7=inv(id=8) R8=inv(id=0) R9=inv(id=5) R10=fp0 fp-8=mmmmmmmm
170: (bf) r2 = r4
171: (57) r2 &= 65535
172: (77) r4 >>= 16
173: (57) r4 &= 65535
174: (0f) r4 += r2
175: (bf) r2 = r4
176: (77) r2 >>= 16
177: (0f) r2 += r4
178: (a7) r2 ^= -1
179: (dc) r2 = be16 r2
180: (6b) *(u16 *)(r1 +0) = r2
R1 offset is outside of the packet
processed 9179 insns (limit 1000000) max_states_per_insn 1 total_states 261 peak_states 261 mark_read 242
Looking at the error, it seems that xdp/ingress/syn_loop is attempting to access the packet at an offset that is potentially outside of the packet. I'll try to have a look this week, but no guarantees: we built the rootkit with the intent of demoing a PoC, we don't really expect the code we wrote to work on any other setup than the one we used for testing (= Ubuntu Focal) 😅
Hi @Gui774ume, thanks for replying. OK, I will try to figure out how to fix it as well.
Hello, nice rootkit!
I built it successfully on my env:
But when I run ./ebpfkit, it exits with error:
Have you come across such issues? Any helpful suggestions? Thanks :)