Skip to content
/ evilBPF Public

Weaponizing the Linux Kernel (Hide Files/PID, SSH backdoors, SSL Sniffer, ...) by poking around eBPF/XDP

35 stars 11 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

rphang/evilBPF

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

64 Commits
.github
.github
 
 
lib
lib
 
 
scripts
scripts
 
 
src
src
 
 
.gitignore
.gitignore
 
 
.gitmodules
.gitmodules
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 

Repository files navigation

evilBPF

an eBPF / XDP Playground

This repository contains a collection of eBPF / XDP programs that I've written while learning about eBPF and XDP. As security is my primary interest, most of these programs are security-related and are intended to be used for security research.

hider_demo Hide your files and processes from the system

ssl_demo Sniff unencrypted SSL/TLS traffic

Warning

Disclaimer: I condemn the use of these programs for malicious purposes. I am not responsible for any damage caused by the use of these programs. These programs are intended for educational purposes only.

Programs List

Type Name Description Notes
XDP icmp_pingback Respond to ICMP echo requests with ICMP echo replies within the XDP layer. Showcase of XDP program
TP hide_pid Hide a process (pid)/folder/file from the system Inspired by bad-bpf
TP hidden_ssh Give yourself a hidden backdoor in the SSH server
UPROBE ssl_sniffer Sniff unencrypted SSL/TLS traffic

Requirements

For compiling eBPF programs, you'll need the following:

  • Debian, Ubuntu, or other Debian-based Linux distribution
  • Linux Kernel 5.8.0 or later
  • clang and llvm (>= 10.0.0)
sudo apt install clang llvm libelf-dev linux-headers-$(uname -r) build-essential

Installation

From releases

You can download the latest release from the releases page.

Note

Some programs might not give enough control over the eBPF program, if you need to modify the eBPF program, you'll need to compile the source code. (Or open an issue requesting the feature)

Getting the source code

As we are using submodules, you'll need to clone this repository with the --recursive flag:

git clone https://github.com/rphang/evilBPF.git --recursive

If you've already cloned this repository without the --recursive flag, you can run the following command to clone the submodules:

git submodule update --init --recursive

Compiling the programs

All at once

To compile all the programs at once, simply run the Makefile in the root directory:

make

All the compiled programs will be placed in the dst directory.

Individually

Each program has its own directory, and each directory has its own Makefile. To compile a program, simply cd into the program's directory and run make:

cd src/<program>...
make

Resources

Alot of the general resources I've used to learn about eBPF and XDP are listed below:

About

Weaponizing the Linux Kernel (Hide Files/PID, SSH backdoors, SSL Sniffer, ...) by poking around eBPF/XDP

Topics

security kernel rootkit sshd ebpf xdp offensive-security linux-kernel-hacking

Resources

Readme
Activity

Stars

35 stars

Watchers

2 watching

Forks

11 forks
Report repository

Releases 2

Release v1.1.0 Latest
May 14, 2024
+ 1 release

Packages

No packages published

Languages