New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Change hooked syscall event #3544
feat: Change hooked syscall event #3544
Conversation
419ff80
to
4f78a42
Compare
ee618b4
to
6f0cc84
Compare
6f0cc84
to
e05dd2c
Compare
Some preliminary comments (you said this was ready on your side but its DRAFT so I didn't know). I'm getting:
Because of the signature metadata "Data" field wrong type conversion in some case. |
When mocking the error, you're missing the following syscalls:
From the string slice in core_amd64.go, so the initial bpf map population isn't complete. Also, I think a map indexed by syscall id would be better there. |
I have tested hooking a syscall with: https://github.com/rafaeldtinoco/hijack/blob/main/hijack.c and, despite being able to:
I could not get a detection. Is the command line:
enough ? |
e05dd2c
to
e4dbe79
Compare
e4dbe79
to
3aace46
Compare
The event is periodic. If you don't want to wait a few minutes, try running it AFTER the table is hooked, as it runs immediately when tracee starts up. |
Do we support 32bit? these are only 32 bit system syscalls |
0d645ae
to
cee8e51
Compare
cee8e51
to
d7d385c
Compare
Yep, but maybe because of internal system call version routing logic (32-bit userland vs 64-bit userland) the 64-bit symbols need to exist as well (I suppose, not sure, just a guess). I do have them enabled:
Either way, I get "fake" hook detections for those syscalls. If you decide to consider, blacklist, etc, up to you. |
Sorry, I missed the timer logic for the detection earlier on. Now: $ sudo ./dist/tracee --output json --events hooked_syscall
{"timestamp":1697762297084454645,"threadStartTime":1697762293432704767,"processorId":2,"processId":306503,"cgroupId":4846,"threadId":306515,"parentProcessId":306502,"hostProcessId":306503,"hostThreadId":306515,"hostParentProcessId":306502,"userId":0,"mountNamespace":4026531841,"pidNamespace":4026531836,"processName":"tracee","executable":{"path":""},"hostName":"rugged","containerId":"","container":{},"kubernetes":{},"eventId":"2017","eventName":"hooked_syscall","matchedPolicies":[""],"argsNum":4,"returnValue":0,"syscall":"","stackAddresses":[0],"contextFlags":{"containerStarted":false,"isCompat":false},"threadEntityId":2644688824,"processEntityId":1587116564,"parentEntityId":4262210630,"args":[{"name":"syscall_name","type":"const char*","value":"uname"},{"name":"hooked.address","type":"const char*","value":"ffffffffc1758000"},{"name":"hooked.function_name","type":"const char*","value":"hooked_uname"},{"name":"hooked.owner","type":"const char*","value":"hijack"}]} looks good for amd64 (haven't tested yet arm64, just the tracee execution). I need to check why the check-code logic isn't passing (its passing locally so it has probably something to do with the runner picked). |
Now sure why tests are broken here (checking format), but after a rebase they pass (#3592). Also, there is an eBPF fix for kernels 6.5+ so this PR would need a rebase either way. I'll close this PR and merge that one if tests pass there (based on an offline msg of you saying you were done with this PR). |
Being merged at #3592 because of rebase needs and small test fix. |
1. Explain what the PR does
change hooked_syscall event
2. Explain how to test it
tracee -e=hooked_syscall
3. Other comments