Skip to content
a PoC for Linux to get around agents that log commands being executed, without root privilege. Linux低权限模糊化执行的程序名和参数,避开基于execve系统调用监控的命令日志
C Makefile
Branch: master
Clone or download
Latest commit c126751 May 8, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
libptrace Add files via upload May 8, 2019
1.c Add files via upload May 8, 2019
Makefile Add files via upload Jan 7, 2019
README Update README Jan 7, 2019
anonyexec.c Add files via upload Jan 7, 2019
anonyexec.h Add files via upload Jan 7, 2019
common.h Add files via upload Jan 7, 2019
elfreader.c Add files via upload Jan 7, 2019
elfreader.h Add files via upload Jan 7, 2019
ptrace.c Add files via upload Jan 7, 2019
ptrace.h Add files via upload Jan 7, 2019

README

a PoC for Linux to get around agents that log commands being executed, without root privilege.

Linux低权限模糊化执行的程序名和参数,避开基于execve系统调用监控的命令日志
程序仅作原理演示使用

ylbhz@hk:~/work/c/ptrace$ gcc --version
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.10) 5.4.0 20160609

ylbhz@hk:~/work/c/ptrace$ make
gcc -Wall -c ptrace.c -o ptrace.o
gcc -Wall -c anonyexec.c -o anonyexec.o
gcc -o ptrace ptrace.o anonyexec.o elfreader.o 

ylbhz@hk:~/work/c/ptrace$ ./ptrace 
child pid = 3763
EIP: _start 4049a0 
RSP: 7ffc4f394e60
RSP + 8 => RDX(char **ubp_av) to __libc_start_main
argc: 3
src: ubp_av[1]: 3abb6677��@
dst: upb_av[1]: -a
src: ubp_av[2]: 3abb6677��@
dst: upb_av[2]: -l
ylbhz@hk:~/work/c/ptrace$ total 76
drwxrwxr-x  2 ylbhz ylbhz  4096 Jan  7 10:34 .
drwx------ 16 ylbhz ylbhz  4096 Dec 29 15:08 ..
-rw-rw-r--  1 ylbhz ylbhz   349 Jan  3 18:39 Makefile
-rw-rw-r--  1 ylbhz ylbhz     1 Jan  7 10:31 README
-rw-rw-r--  1 ylbhz ylbhz   681 Jan  3 18:24 anonyexec.c
-rw-rw-r--  1 ylbhz ylbhz   226 Jan  3 17:59 anonyexec.h
-rw-rw-r--  1 ylbhz ylbhz  2680 Jan  7 10:34 anonyexec.o
-rw-rw-r--  1 ylbhz ylbhz   527 Jan  3 18:05 common.h
-rw-rw-r--  1 ylbhz ylbhz   230 Jan  3 19:00 elfreader.c
-rw-rw-r--  1 ylbhz ylbhz   142 Jan  3 18:59 elfreader.h
-rw-rw-r--  1 ylbhz ylbhz  1656 Jan  3 19:00 elfreader.o
-rwxrwxr-x  1 ylbhz ylbhz 13992 Jan  7 10:34 ptrace
-rw-rw-r--  1 ylbhz ylbhz  2123 Jan  4 11:24 ptrace.c
-rw-rw-r--  1 ylbhz ylbhz   328 Jan  4 10:38 ptrace.h
-rw-rw-r--  1 ylbhz ylbhz  4768 Jan  7 10:34 ptrace.o


================= AUDITD execve test =========================
type=PATH msg=audit(1546831731.460:100): item=0 name="./ptrace" inode=11017404 dev=08:06 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1546831731.460:100): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1835390 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1546831731.460:100): proctitle="./ptrace"
type=SYSCALL msg=audit(1546831731.464:101): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd846ee3d0 a1=7ffd846ee660 a2=0 a3=598 items=2 ppid=7971 pid=7972 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=4294967295 comm="3" exe=2F6D656D66643A656C66202864656C6574656429 key="rule01_exec"
type=EXECVE msg=audit(1546831731.464:101): argc=3 a0="/proc/self/fd/3" a1="3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686" a2="3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686"
You can’t perform that action at this time.