forked from aquasecurity/tracee
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Revert "revert: revert recently changed hooked_syscall event (aquasec…
…urity#3597)" This reverts commit 1ecedcc.
- Loading branch information
1 parent
cc534be
commit 43a3eac
Showing
21 changed files
with
1,196 additions
and
379 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
# hooked_syscall | ||
|
||
## Intro | ||
`hooked_syscall` is an event that checks syscall table for any syscall hooking. | ||
|
||
## Description | ||
The purpose of the `hooked_syscall` event is to monitor for system call hooking in the Linux kernel. It verifies each sys call points to its corresponding sys call function symbol. This helps identify instances of kernel code modifications, often used for malicious activities such as hiding processes, files, or network connections. | ||
|
||
## Hooks | ||
### Various system calls | ||
#### Type | ||
Uprobe | ||
#### Purpose | ||
Detection of syscall hooking. | ||
|
||
## Example Use Case | ||
The `hooked_syscall` event could be used as part of a broader system integrity monitoring solution. For example, a security engineer could use it to raise alerts or run further investigations if unexpected syscall hooking activities are detected. This could aid in the early detection and mitigation of malware or rootkit infections. | ||
|
||
```console | ||
tracee -e hooked_syscall | ||
``` | ||
|
||
## Issues | ||
|
||
## Related Events | ||
|
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,104 @@ | ||
package ebpf | ||
|
||
import ( | ||
gocontext "context" | ||
"runtime" | ||
"strings" | ||
"time" | ||
"unsafe" | ||
|
||
bpf "github.com/aquasecurity/libbpfgo" | ||
|
||
"github.com/aquasecurity/tracee/pkg/events" | ||
"github.com/aquasecurity/tracee/pkg/events/derive" | ||
"github.com/aquasecurity/tracee/pkg/logger" | ||
"github.com/aquasecurity/tracee/pkg/utils" | ||
) | ||
|
||
var expectedSyscallTableInit = false | ||
|
||
// hookedSyscallTableRoutine the main routine that checks if there's a hooked syscall in the syscall table. | ||
// It runs on tracee's startup and from time to time. | ||
func (t *Tracee) hookedSyscallTableRoutine(ctx gocontext.Context) { | ||
logger.Debugw("Starting hookedSyscallTable goroutine") | ||
defer logger.Debugw("Stopped hookedSyscallTable goroutine") | ||
|
||
if t.eventsState[events.HookedSyscall].Emit == 0 { | ||
return | ||
} | ||
|
||
if runtime.GOARCH != "amd64" && runtime.GOARCH != "arm64" { | ||
logger.Debugw("hooked syscall table: unsupported architecture") | ||
return | ||
} | ||
|
||
err := derive.InitHookedSyscall() | ||
if err != nil { | ||
logger.Errorw("Error occurred InitHookedSyscall: " + err.Error()) | ||
return | ||
} | ||
|
||
expectedSyscallTableMap, err := t.bpfModule.GetMap("expected_sys_call_table") | ||
if err != nil { | ||
logger.Errorw("Error occurred GetMap: " + err.Error()) | ||
return | ||
} | ||
|
||
if err := t.populateExpectedSyscallTableArray(expectedSyscallTableMap); err != nil { | ||
logger.Errorw("Error populating expected syscall table array: " + err.Error()) | ||
return | ||
} | ||
|
||
expectedSyscallTableInit = true | ||
|
||
t.triggerSyscallTableIntegrityCheckCall() // First time run immediately | ||
|
||
// Run from time to time | ||
for { | ||
select { | ||
case <-ctx.Done(): | ||
return | ||
case <-time.After(utils.GenerateRandomDuration(10, 300)): | ||
t.triggerSyscallTableIntegrityCheckCall() | ||
} | ||
} | ||
} | ||
|
||
// populateExpectedSyscallTableArray fills the expected values of the syscall table | ||
func (t *Tracee) populateExpectedSyscallTableArray(tableMap *bpf.BPFMap) error { | ||
// Get address to the function that defines the not implemented sys call | ||
niSyscallSymbol, err := t.kernelSymbols.GetSymbolByName("system", events.SyscallPrefix+"ni_syscall") | ||
if err != nil { | ||
return err | ||
} | ||
niSyscallAddress := niSyscallSymbol.Address | ||
|
||
for i, syscallName := range events.SyscallSymbolNames { | ||
var index = uint32(i) | ||
|
||
if strings.HasPrefix(syscallName, events.SyscallNotImplemented) { | ||
err = tableMap.Update(unsafe.Pointer(&index), unsafe.Pointer(&niSyscallAddress)) | ||
if err != nil { | ||
return err | ||
} | ||
continue | ||
} | ||
|
||
kernelSymbol, err := t.kernelSymbols.GetSymbolByName("system", events.SyscallPrefix+syscallName) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
var expectedAddress = kernelSymbol.Address | ||
err = tableMap.Update(unsafe.Pointer(&index), unsafe.Pointer(&expectedAddress)) | ||
if err != nil { | ||
return err | ||
} | ||
} | ||
|
||
return nil | ||
} | ||
|
||
//go:noinline | ||
func (t *Tracee) triggerSyscallTableIntegrityCheckCall() { | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.