· 5 months ago · Apr 27, 2025, 09:45 AM
1#!/bin/bash
2
3# =====================================================================
4
5# Linux Malware Analysis Toolkit #1: eBPF-Based Process Behavior Analyzer
6
7# =====================================================================
8
9#
10
11# Description:
12
13# This script utilizes eBPF technology to monitor and analyze process
14
15# behavior in real-time, helping to detect potentially malicious
16
17# activities on Linux systems.
18
19#
20
21# Options:
22
23# 1. Trace system calls by specific process
24
25# 2. Monitor file access activities
26
27# 3. Track network connections
28
29# 4. Detect process execution chains
30
31# 5. Analyze memory mapping operations
32
33# 6. Trace process capabilities changes
34
35# 7. Monitor namespace transitions
36
37# 8. Detect unexpected syscall patterns
38
39# 9. Track process privilege escalation
40
41# 10. Monitor inter-process communications
42
43# 11. Log process credential changes
44
45# 12. Profile process resource usage
46
47# 13. Detect process injection attempts
48
49# 14. Monitor filesystem operations
50
51# 15. Track container escape attempts
52
53# 16. Analyze loaded kernel modules
54
55# 17. Monitor bpf() syscall usage
56
57# 18. Detect hidden process techniques
58
59# 19. Track unauthorized file access attempts
60
61# 20. Monitor syscall argument tampering
62
63#
64
65# Requirements:
66
67# - Linux kernel 4.18+ for full functionality
68
69# - bpftrace installed
70
71# - bcc tools installed
72
73# - root privileges
74
75#
76
77# =====================================================================
78
79set -e
80
81trap 'echo -e "\n[!] Script interrupted. Cleaning up..."; cleanup; exit 1' INT
82
83# Text colors
84
85RED='\033[0;31m'
86
87GREEN='\033[0;32m'
88
89YELLOW='\033[0;33m'
90
91BLUE='\033[0;34m'
92
93PURPLE='\033[0;35m'
94
95NC='\033[0m' # No Color
96
97# Verify required tools
98
99check_requirements() {
100
101echo -e "${BLUE}[*] Checking requirements...${NC}"
102
103
104
105if [ "$(id -u)" -ne 0 ]; then
106
107echo -e "${RED}[!] This script must be run as root${NC}"
108
109exit 1
110
111fi
112
113
114
115local kernel_version=$(uname -r | cut -d. -f1,2)
116
117if (( $(echo "$kernel_version < 4.18" | bc -l) )); then
118
119echo -e "${YELLOW}[!] Warning: Some features may not work on kernel
120$kernel_version (4.18+ recommended)${NC}"
121
122fi
123
124
125
126for cmd in bpftrace timeout jq ps grep awk; do
127
128if ! command -v $cmd &> /dev/null; then
129
130echo -e "${RED}[!] Required tool not found: $cmd${NC}"
131
132echo -e "${YELLOW}[*] Please install missing dependencies and try again${NC}"
133
134exit 1
135
136fi
137
138done
139
140
141
142if ! command -v bcc-tools &> /dev/null && ! [ -d "/usr/share/bcc/tools" ]; then
143
144echo -e "${YELLOW}[!] BCC tools not found. Some features may be limited.${NC}"
145
146echo -e "${YELLOW}[*] Install BCC tools for full functionality${NC}"
147
148fi
149
150
151
152echo -e "${GREEN}[+] All requirements satisfied${NC}"
153
154}
155
156cleanup() {
157
158# Kill any running bpftrace or BCC processes
159
160pkill -f bpftrace &>/dev/null || true
161
162echo -e "${GREEN}[+] Cleanup completed${NC}"
163
164}
165
166# Option 1: Trace system calls by specific process
167
168trace_syscalls() {
169
170echo -e "${BLUE}[*] Trace system calls by process${NC}"
171
172read -p "Enter PID or process name to trace (leave empty to trace all): " target
173
174read -p "Enter duration in seconds (default: 30): " duration
175
176duration=${duration:-30}
177
178
179
180echo -e "${GREEN}[+] Tracing syscalls for ${target:-all processes} for $duration
181seconds...${NC}"
182
183
184
185if [ -z "$target" ]; then
186
187timeout $duration bpftrace -e 'tracepoint:syscalls:sys_enter_* { @[probe, comm,
188pid] = count(); }' 2>/dev/null
189
190elif [[ "$target" =~ ^[0-9]+$ ]]; then
191
192timeout $duration bpftrace -e "tracepoint:syscalls:sys_enter_* /pid == $target/
193{ @[probe, comm, pid] = count(); }" 2>/dev/null
194
195else
196
197timeout $duration bpftrace -e "tracepoint:syscalls:sys_enter_* /comm ==
198\"$target\"/ { @[probe, comm, pid] = count(); }" 2>/dev/null
199
200fi
201
202
203
204echo -e "${GREEN}[+] Syscall tracing completed${NC}"
205
206}
207
208# Option 2: Monitor file access activities
209
210monitor_file_access() {
211
212echo -e "${BLUE}[*] Monitor file access activities${NC}"
213
214read -p "Enter directory to monitor (default: /etc): " directory
215
216directory=${directory:-/etc}
217
218read -p "Enter duration in seconds (default: 30): " duration
219
220duration=${duration:-30}
221
222
223
224echo -e "${GREEN}[+] Monitoring file access in $directory for $duration
225seconds...${NC}"
226
227
228
229timeout $duration bpftrace -e "
230
231#include
232
233
234
235tracepoint:syscalls:sys_enter_openat {
236
237\$filename = str(args->filename);
238
239if (\$filename != 0 && strncmp(\$filename, \"$directory\", ${#directory}) == 0)
240{
241
242printf(\"PID: %-6d COMM: %-15.15s UID: %-6d GID: %-6d | OPEN: %s\\n\",
243
244pid, comm, uid, gid, \$filename);
245
246}
247
248}
249
250
251
252tracepoint:syscalls:sys_enter_read /arg0 > 0/ {
253
254@reads[pid, comm] = count();
255
256}
257
258
259
260tracepoint:syscalls:sys_enter_write /arg0 > 0/ {
261
262@writes[pid, comm] = count();
263
264}
265
266
267
268interval:s:5 {
269
270printf(\"\\n--- Read/Write Summary (5s) ---\\n\");
271
272print(@reads, \"\\nReads by Process:\\n\");
273
274print(@writes, \"\\nWrites by Process:\\n\");
275
276clear(@reads);
277
278clear(@writes);
279
280}
281
282" 2>/dev/null
283
284
285
286echo -e "${GREEN}[+] File access monitoring completed${NC}"
287
288}
289
290# Option 3: Track network connections
291
292track_network_connections() {
293
294echo -e "${BLUE}[*] Track network connections${NC}"
295
296read -p "Enter process name to monitor (leave empty for all): " process
297
298read -p "Enter duration in seconds (default: 30): " duration
299
300duration=${duration:-30}
301
302
303
304echo -e "${GREEN}[+] Tracking network connections for ${process:-all processes}
305for $duration seconds...${NC}"
306
307
308
309if [ -z "$process" ]; then
310
311filter=""
312
313else
314
315filter="/comm == \"$process\"/"
316
317fi
318
319
320
321timeout $duration bpftrace -e "
322
323#include
324
325#include
326
327
328
329kprobe:tcp_connect $filter {
330
331\$sk = (struct sock *)arg0;
332
333\$inet_family = \$sk->__sk_common.skc_family;
334
335
336
337if (\$inet_family == AF_INET || \$inet_family == AF_INET6) {
338
339\$daddr = ntop(\$inet_family, \$sk->__sk_common.skc_daddr);
340
341\$dport = \$sk->__sk_common.skc_dport;
342
343\$saddr = ntop(\$inet_family, \$sk->__sk_common.skc_rcv_saddr);
344
345\$sport = \$sk->__sk_common.skc_num;
346
347
348
349printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | CONNECT: %s:%d -> %s:%d\\n\",
350
351pid, comm, uid, \$saddr, \$sport, \$daddr, \$dport);
352
353}
354
355}
356
357
358
359kprobe:tcp_accept $filter {
360
361\$sk = (struct sock *)arg0;
362
363\$inet_family = \$sk->__sk_common.skc_family;
364
365
366
367if (\$inet_family == AF_INET || \$inet_family == AF_INET6) {
368
369\$daddr = ntop(\$inet_family, \$sk->__sk_common.skc_daddr);
370
371\$dport = \$sk->__sk_common.skc_dport;
372
373\$saddr = ntop(\$inet_family, \$sk->__sk_common.skc_rcv_saddr);
374
375\$sport = \$sk->__sk_common.skc_num;
376
377
378
379printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | ACCEPT: %s:%d <- %s:%d\\n\",
380
381pid, comm, uid, \$saddr, \$sport, \$daddr, \$dport);
382
383}
384
385}
386
387" 2>/dev/null
388
389
390
391echo -e "${GREEN}[+] Network connection tracking completed${NC}"
392
393}
394
395# Option 4: Detect process execution chains
396
397detect_process_chains() {
398
399echo -e "${BLUE}[*] Detect process execution chains${NC}"
400
401read -p "Enter duration in seconds (default: 30): " duration
402
403duration=${duration:-30}
404
405
406
407echo -e "${GREEN}[+] Monitoring process execution chains for $duration
408seconds...${NC}"
409
410
411
412timeout $duration bpftrace -e "
413
414tracepoint:syscalls:sys_enter_execve,
415
416tracepoint:syscalls:sys_enter_execveat {
417
418printf(\"TIME: %-8llu PID: %-6d PPID: %-6d UID: %-6d GID: %-6d | EXEC: %s\\n\",
419
420nsecs, pid, curtask->real_parent->tgid, uid, gid, comm);
421
422
423
424printf(\" ARGS: \");
425
426\$argp = args->argv;
427
428\$i = 0;
429
430\$arg = user_string(\$argp);
431
432while (\$arg != 0 && \$i < 5) {
433
434printf(\"%s \", \$arg);
435
436\$argp++;
437
438\$arg = user_string(\$argp);
439
440\$i++;
441
442}
443
444if (\$i >= 5) {
445
446printf(\"...\");
447
448}
449
450printf(\"\\n\");
451
452
453
454@execution_chains[curtask->real_parent->comm, comm] = count();
455
456}
457
458
459
460interval:s:5 {
461
462printf(\"\\n--- Process Execution Chain Summary (5s) ---\\n\");
463
464printf(\"%-20s -> %-20s | Count\\n\", \"Parent Process\", \"Child Process\");
465
466print(@execution_chains);
467
468}
469
470" 2>/dev/null
471
472
473
474echo -e "${GREEN}[+] Process chain detection completed${NC}"
475
476}
477
478# Option 5: Analyze memory mapping operations
479
480analyze_memory_mappings() {
481
482echo -e "${BLUE}[*] Analyze memory mapping operations${NC}"
483
484read -p "Enter PID to monitor (leave empty for all): " target_pid
485
486read -p "Enter duration in seconds (default: 30): " duration
487
488duration=${duration:-30}
489
490
491
492if [ -z "$target_pid" ]; then
493
494pid_filter=""
495
496else
497
498pid_filter="/pid == $target_pid/"
499
500fi
501
502
503
504echo -e "${GREEN}[+] Analyzing memory mapping operations for ${target_pid:-all
505processes} for $duration seconds...${NC}"
506
507
508
509timeout $duration bpftrace -e "
510
511#include
512
513
514
515tracepoint:syscalls:sys_enter_mmap $pid_filter {
516
517printf(\"PID: %-6d COMM: %-15.15s | MMAP: addr=0x%lx len=%lu prot=%d flags=%d
518fd=%d off=%lu\\n\",
519
520pid, comm, args->addr, args->len, args->prot, args->flags, args->fd,
521args->offset);
522
523}
524
525
526
527tracepoint:syscalls:sys_enter_mprotect $pid_filter {
528
529printf(\"PID: %-6d COMM: %-15.15s | MPROTECT: addr=0x%lx len=%lu prot=%d\\n\",
530
531pid, comm, args->addr, args->len, args->prot);
532
533}
534
535
536
537kprobe:security_mmap_file $pid_filter {
538
539\$file = (struct file *)arg0;
540
541\$prot = arg1;
542
543\$flags = arg2;
544
545
546
547if (\$file != 0) {
548
549\$pathname = \$file->f_path.dentry->d_name.name;
550
551if (\$pathname != 0) {
552
553\$name = str(\$pathname);
554
555printf(\"PID: %-6d COMM: %-15.15s | MMAP FILE: %s (prot=%d, flags=%d)\\n\",
556
557pid, comm, \$name, \$prot, \$flags);
558
559
560
561if ((\$prot & 0x4) && (\$prot & 0x1)) { // PROT_EXEC | PROT_READ
562
563printf(\" [ALERT] Executable memory mapping detected!\\n\");
564
565}
566
567}
568
569}
570
571}
572
573
574
575tracepoint:syscalls:sys_enter_memfd_create $pid_filter {
576
577printf(\"PID: %-6d COMM: %-15.15s | MEMFD_CREATE: name=%s flags=%d\\n\",
578
579pid, comm, str(args->uname), args->flags);
580
581printf(\" [ALERT] Possible fileless execution technique!\\n\");
582
583}
584
585" 2>/dev/null
586
587
588
589echo -e "${GREEN}[+] Memory mapping analysis completed${NC}"
590
591}
592
593# Option 6: Trace process capabilities changes
594
595trace_capabilities() {
596
597echo -e "${BLUE}[*] Trace process capabilities changes${NC}"
598
599read -p "Enter duration in seconds (default: 30): " duration
600
601duration=${duration:-30}
602
603
604
605echo -e "${GREEN}[+] Tracing capability changes for $duration seconds...${NC}"
606
607
608
609timeout $duration bpftrace -e "
610
611tracepoint:syscalls:sys_enter_capset {
612
613printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | CAPSET: header->pid=%d\\n\",
614
615pid, comm, uid, args->header->pid);
616
617}
618
619
620
621kprobe:cap_capable {
622
623\$cap_id = arg1;
624
625\$cap_name = \"UNKNOWN\";
626
627
628
629if (\$cap_id == 0) { \$cap_name = \"CAP_CHOWN\"; }
630
631else if (\$cap_id == 1) { \$cap_name = \"CAP_DAC_OVERRIDE\"; }
632
633else if (\$cap_id == 2) { \$cap_name = \"CAP_DAC_READ_SEARCH\"; }
634
635else if (\$cap_id == 3) { \$cap_name = \"CAP_FOWNER\"; }
636
637else if (\$cap_id == 4) { \$cap_name = \"CAP_FSETID\"; }
638
639else if (\$cap_id == 5) { \$cap_name = \"CAP_KILL\"; }
640
641else if (\$cap_id == 6) { \$cap_name = \"CAP_SETGID\"; }
642
643else if (\$cap_id == 7) { \$cap_name = \"CAP_SETUID\"; }
644
645else if (\$cap_id == 8) { \$cap_name = \"CAP_SETPCAP\"; }
646
647else if (\$cap_id == 12) { \$cap_name = \"CAP_NET_ADMIN\"; }
648
649else if (\$cap_id == 13) { \$cap_name = \"CAP_NET_RAW\"; }
650
651else if (\$cap_id == 14) { \$cap_name = \"CAP_IPC_LOCK\"; }
652
653else if (\$cap_id == 16) { \$cap_name = \"CAP_SYS_MODULE\"; }
654
655else if (\$cap_id == 17) { \$cap_name = \"CAP_SYS_RAWIO\"; }
656
657else if (\$cap_id == 18) { \$cap_name = \"CAP_SYS_CHROOT\"; }
658
659else if (\$cap_id == 19) { \$cap_name = \"CAP_SYS_PTRACE\"; }
660
661else if (\$cap_id == 21) { \$cap_name = \"CAP_SYS_ADMIN\"; }
662
663else if (\$cap_id == 23) { \$cap_name = \"CAP_SYS_TIME\"; }
664
665else if (\$cap_id == 24) { \$cap_name = \"CAP_SYS_RESOURCE\"; }
666
667else if (\$cap_id == 25) { \$cap_name = \"CAP_SYS_BOOT\"; }
668
669
670
671printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | CAP CHECK: %s (%d)\\n\",
672
673pid, comm, uid, \$cap_name, \$cap_id);
674
675
676
677if (\$cap_id == 16 || \$cap_id == 21 || \$cap_id == 19) {
678
679printf(\" [ALERT] Sensitive capability check detected!\\n\");
680
681}
682
683
684
685@cap_usage[comm, \$cap_name] = count();
686
687}
688
689
690
691interval:s:5 {
692
693printf(\"\\n--- Capability Usage Summary (5s) ---\\n\");
694
695print(@cap_usage);
696
697}
698
699" 2>/dev/null
700
701
702
703echo -e "${GREEN}[+] Capability tracing completed${NC}"
704
705}
706
707# Option 7: Monitor namespace transitions
708
709monitor_namespaces() {
710
711echo -e "${BLUE}[*] Monitor namespace transitions${NC}"
712
713read -p "Enter duration in seconds (default: 30): " duration
714
715duration=${duration:-30}
716
717
718
719echo -e "${GREEN}[+] Monitoring namespace transitions for $duration
720seconds...${NC}"
721
722
723
724timeout $duration bpftrace -e "
725
726tracepoint:syscalls:sys_enter_unshare,
727
728tracepoint:syscalls:sys_enter_setns {
729
730printf(\"TIME: %-8llu PID: %-6d PPID: %-6d COMM: %-15.15s | NAMESPACE OPERATION:
731%s\\n\",
732
733nsecs, pid, curtask->real_parent->tgid, comm, probe);
734
735
736
737if (comm != \"docker\" && comm != \"containerd\" &&
738
739comm != \"runc\" && comm != \"systemd\" &&
740
741comm != \"lxc\" && comm != \"podman\") {
742
743printf(\" [ALERT] Potential container escape attempt: unexpected namespace
744operation by %s\\n\", comm);
745
746}
747
748}
749
750
751
752kprobe:switch_task_namespaces {
753
754printf(\"PID: %-6d COMM: %-15.15s | SWITCH NAMESPACE\\n\", pid, comm);
755
756}
757
758" 2>/dev/null
759
760
761
762echo -e "${GREEN}[+] Namespace monitoring completed${NC}"
763
764}
765
766# Option 8: Detect unexpected syscall patterns
767
768detect_syscall_patterns() {
769
770echo -e "${BLUE}[*] Detect unexpected syscall patterns${NC}"
771
772read -p "Enter duration in seconds (default: 30): " duration
773
774duration=${duration:-30}
775
776
777
778echo -e "${GREEN}[+] Detecting unusual syscall patterns for $duration
779seconds...${NC}"
780
781
782
783timeout $duration bpftrace -e "
784
785BEGIN {
786
787printf(\"Monitoring for suspicious syscall patterns...\\n\");
788
789}
790
791
792
793// Detect ptrace syscall (often used for process manipulation)
794
795tracepoint:syscalls:sys_enter_ptrace {
796
797printf(\"[ALERT] PID: %-6d COMM: %-15.15s UID: %-6d | PTRACE detected:
798request=%d pid=%d\\n\",
799
800pid, comm, uid, args->request, args->pid);
801
802}
803
804
805
806// Monitor process hiding techniques
807
808tracepoint:syscalls:sys_enter_kill /args->sig == 0/ {
809
810@proc_check[pid, comm] = count();
811
812}
813
814
815
816// Detect potential shellcode execution patterns
817
818tracepoint:syscalls:sys_enter_mprotect /args->prot & 0x4/ { // PROT_EXEC
819
820@mprotect_exec[pid, comm] = count();
821
822printf(\"PID: %-6d COMM: %-15.15s | MPROTECT with EXEC permissions: addr=0x%lx
823len=%lu\\n\",
824
825pid, comm, args->addr, args->len);
826
827}
828
829
830
831tracepoint:syscalls:sys_enter_mmap /args->prot & 0x4/ { // PROT_EXEC
832
833@mmap_exec[pid, comm] = count();
834
835if (args->flags & 0x20) { // MAP_ANONYMOUS
836
837printf(\"[ALERT] PID: %-6d COMM: %-15.15s | Anonymous executable memory mapping
838detected!\\n\",
839
840pid, comm);
841
842}
843
844}
845
846
847
848// Detect suspicious file operations in /proc
849
850tracepoint:syscalls:sys_enter_openat /strncmp(str(args->filename), \"/proc\", 5)
851== 0/ {
852
853@proc_access[pid, comm, str(args->filename)] = count();
854
855
856
857if (strncmp(str(args->filename), \"/proc/self/mem\", 14) == 0) {
858
859printf(\"[ALERT] PID: %-6d COMM: %-15.15s | Suspicious access to
860/proc/self/mem\\n\",
861
862pid, comm);
863
864}
865
866}
867
868
869
870// Detect attempts to load kernel modules
871
872tracepoint:syscalls:sys_enter_init_module,
873
874tracepoint:syscalls:sys_enter_finit_module {
875
876printf(\"[ALERT] PID: %-6d COMM: %-15.15s UID: %-6d | Kernel module operation
877detected!\\n\",
878
879pid, comm, uid);
880
881}
882
883
884
885interval:s:5 {
886
887printf(\"\\n--- Suspicious Syscall Summary (5s) ---\\n\");
888
889
890
891printf(\"\\nExecutable Memory Mappings:\\n\");
892
893print(@mmap_exec);
894
895
896
897printf(\"\\nExecutable Memory Protection Changes:\\n\");
898
899print(@mprotect_exec);
900
901
902
903printf(\"\\nProcess Status Checks (possible process hiding):\\n\");
904
905print(@proc_check);
906
907
908
909printf(\"\\n/proc Filesystem Access Patterns:\\n\");
910
911print(@proc_access);
912
913}
914
915" 2>/dev/null
916
917
918
919echo -e "${GREEN}[+] Syscall pattern detection completed${NC}"
920
921}
922
923# Option 9: Track process privilege escalation
924
925track_privilege_escalation() {
926
927echo -e "${BLUE}[*] Track process privilege escalation${NC}"
928
929read -p "Enter duration in seconds (default: 30): " duration
930
931duration=${duration:-30}
932
933
934
935echo -e "${GREEN}[+] Monitoring privilege escalation attempts for $duration
936seconds...${NC}"
937
938
939
940timeout $duration bpftrace -e "
941
942// Track set*uid/set*gid syscalls
943
944tracepoint:syscalls:sys_enter_setuid,
945
946tracepoint:syscalls:sys_enter_setgid,
947
948tracepoint:syscalls:sys_enter_setreuid,
949
950tracepoint:syscalls:sys_enter_setregid,
951
952tracepoint:syscalls:sys_enter_setresuid,
953
954tracepoint:syscalls:sys_enter_setresgid {
955
956printf(\"TIME: %-8llu PID: %-6d COMM: %-15.15s UID: %-6d | %s\\n\",
957
958nsecs, pid, comm, uid, probe);
959
960
961
962if (uid != 0) {
963
964printf(\" [ALERT] Non-root process attempting privilege change!\\n\");
965
966}
967
968}
969
970
971
972// Track successful UID/GID changes
973
974tracepoint:syscalls:sys_exit_setuid,
975
976tracepoint:syscalls:sys_exit_setgid,
977
978tracepoint:syscalls:sys_exit_setreuid,
979
980tracepoint:syscalls:sys_exit_setregid,
981
982tracepoint:syscalls:sys_exit_setresuid,
983
984tracepoint:syscalls:sys_exit_setresgid /args->ret == 0/ {
985
986printf(\"PID: %-6d COMM: %-15.15s | %s succeeded\\n\",
987
988pid, comm, probe);
989
990}
991
992
993
994// Monitor privileged file access
995
996tracepoint:syscalls:sys_enter_open,
997
998tracepoint:syscalls:sys_enter_openat {
999
1000\$filename = str(args->filename);
1001
1002
1003
1004if (\$filename != 0) {
1005
1006if (strncmp(\$filename, \"/etc/passwd\", 11) == 0 ||
1007
1008strncmp(\$filename, \"/etc/shadow\", 11) == 0 ||
1009
1010strncmp(\$filename, \"/etc/sudoers\", 12) == 0) {
1011
1012printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | Accessing sensitive file: %s\\n\",
1013
1014pid, comm, uid, \$filename);
1015
1016
1017
1018if (strncmp(\$filename, \"/etc/shadow\", 11) == 0 && uid != 0) {
1019
1020printf(\" [ALERT] Non-root process accessing shadow password file!\\n\");
1021
1022}
1023
1024}
1025
1026}
1027
1028}
1029
1030
1031
1032// Track sudo/su execution
1033
1034tracepoint:syscalls:sys_enter_execve,
1035
1036tracepoint:syscalls:sys_enter_execveat {
1037
1038\$argp = args->argv;
1039
1040\$arg0 = user_string(\$argp);
1041
1042
1043
1044if (\$arg0 != 0) {
1045
1046if (strncmp(\$arg0, \"/usr/bin/sudo\", 13) == 0 ||
1047
1048strncmp(\$arg0, \"/bin/sudo\", 9) == 0 ||
1049
1050strncmp(\$arg0, \"/usr/bin/su\", 11) == 0 ||
1051
1052strncmp(\$arg0, \"/bin/su\", 7) == 0) {
1053
1054printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | Privilege escalation tool:
1055%s\\n\",
1056
1057pid, comm, uid, \$arg0);
1058
1059
1060
1061\$i = 1;
1062
1063\$argp++;
1064
1065\$arg = user_string(\$argp);
1066
1067printf(\" Command: %s\", \$arg0);
1068
1069while (\$arg != 0 && \$i < 10) {
1070
1071printf(\" %s\", \$arg);
1072
1073\$argp++;
1074
1075\$arg = user_string(\$argp);
1076
1077\$i++;
1078
1079}
1080
1081if (\$i >= 10) {
1082
1083printf(\" ...\");
1084
1085}
1086
1087printf(\"\\n\");
1088
1089}
1090
1091}
1092
1093}
1094
1095" 2>/dev/null
1096
1097
1098
1099echo -e "${GREEN}[+] Privilege escalation monitoring completed${NC}"
1100
1101}
1102
1103# Option 10: Monitor inter-process communications
1104
1105monitor_ipc() {
1106
1107echo -e "${BLUE}[*] Monitor inter-process communications${NC}"
1108
1109read -p "Enter duration in seconds (default: 30): " duration
1110
1111duration=${duration:-30}
1112
1113
1114
1115echo -e "${GREEN}[+] Monitoring IPC mechanisms for $duration seconds...${NC}"
1116
1117
1118
1119timeout $duration bpftrace -e "
1120
1121// Track socket communications
1122
1123tracepoint:syscalls:sys_enter_socket,
1124
1125tracepoint:syscalls:sys_enter_socketpair {
1126
1127printf(\"PID: %-6d COMM: %-15.15s | SOCKET: domain=%d type=%d protocol=%d\\n\",
1128
1129pid, comm, args->family, args->type, args->protocol);
1130
1131
1132
1133if (args->family == 1) { // AF_UNIX
1134
1135@unix_sockets[pid, comm] = count();
1136
1137}
1138
1139}
1140
1141
1142
1143// Track shared memory operations
1144
1145tracepoint:syscalls:sys_enter_shmget,
1146
1147tracepoint:syscalls:sys_enter_shmat,
1148
1149tracepoint:syscalls:sys_enter_shmdt,
1150
1151tracepoint:syscalls:sys_enter_shmctl {
1152
1153printf(\"PID: %-6d COMM: %-15.15s | SHARED MEMORY: %s\\n\",
1154
1155pid, comm, probe);
1156
1157@shm_ops[pid, comm, probe] = count();
1158
1159}
1160
1161
1162
1163// Track message queues
1164
1165tracepoint:syscalls:sys_enter_msgget,
1166
1167tracepoint:syscalls:sys_enter_msgsnd,
1168
1169tracepoint:syscalls:sys_enter_msgrcv,
1170
1171tracepoint:syscalls:sys_enter_msgctl {
1172
1173printf(\"PID: %-6d COMM: %-15.15s | MESSAGE QUEUE: %s\\n\",
1174
1175pid, comm, probe);
1176
1177@msg_ops[pid, comm, probe] = count();
1178
1179}
1180
1181
1182
1183// Track named pipes
1184
1185tracepoint:syscalls:sys_enter_mkfifo {
1186
1187printf(\"PID: %-6d COMM: %-15.15s | CREATE NAMED PIPE: %s\\n\",
1188
1189pid, comm, str(args->pathname));
1190
1191}
1192
1193
1194
1195// Track pipe creation
1196
1197tracepoint:syscalls:sys_enter_pipe,
1198
1199tracepoint:syscalls:sys_enter_pipe2 {
1200
1201printf(\"PID: %-6d COMM: %-15.15s | CREATE PIPE\\n\", pid, comm);
1202
1203@pipe_create[pid, comm] = count();
1204
1205}
1206
1207
1208
1209// Monitor memfd communication (often used in fileless malware)
1210
1211tracepoint:syscalls:sys_enter_memfd_create {
1212
1213printf(\"PID: %-6d COMM: %-15.15s | MEMFD_CREATE: name=%s flags=%d\\n\",
1214
1215pid, comm, str(args->uname), args->flags);
1216
1217printf(\" [ALERT] Potential fileless malware technique detected!\\n\");
1218
1219}
1220
1221
1222
1223interval:s:5 {
1224
1225printf(\"\\n--- IPC Summary (5s) ---\\n\");
1226
1227
1228
1229printf(\"\\nUNIX Socket Usage:\\n\");
1230
1231print(@unix_sockets);
1232
1233
1234
1235printf(\"\\nShared Memory Operations:\\n\");
1236
1237print(@shm_ops);
1238
1239
1240
1241printf(\"\\nMessage Queue Operations:\\n\");
1242
1243print(@msg_ops);
1244
1245
1246
1247printf(\"\\nPipe Creation:\\n\");
1248
1249print(@pipe_create);
1250
1251}
1252
1253" 2>/dev/null
1254
1255
1256
1257echo -e "${GREEN}[+] IPC monitoring completed${NC}"
1258
1259}
1260
1261# Option 11: Log process credential changes
1262
1263log_credential_changes() {
1264
1265echo -e "${BLUE}[*] Log process credential changes${NC}"
1266
1267read -p "Enter duration in seconds (default: 30): " duration
1268
1269duration=${duration:-30}
1270
1271
1272
1273echo -e "${GREEN}[+] Monitoring credential changes for $duration
1274seconds...${NC}"
1275
1276
1277
1278timeout $duration bpftrace -e "
1279
1280// Track all credential change functions
1281
1282kprobe:commit_creds {
1283
1284printf(\"PID: %-6d COMM: %-15.15s | CREDENTIAL CHANGE\\n\", pid, comm);
1285
1286
1287
1288// Get the new credentials structure
1289
1290\$cred = (struct cred *)arg0;
1291
1292if (\$cred != 0) {
1293
1294printf(\" New UID: %d GID: %d EUID: %d EGID: %d\\n\",
1295
1296\$cred->uid.val, \$cred->gid.val,
1297
1298\$cred->euid.val, \$cred->egid.val);
1299
1300
1301
1302// Alert on certain patterns
1303
1304if ((\$cred->uid.val == 0 || \$cred->euid.val == 0) && uid != 0) {
1305
1306printf(\" [ALERT] Process gained root credentials from non-root context!\\n\");
1307
1308}
1309
1310}
1311
1312}
1313
1314
1315
1316// Track security operations related to credentials
1317
1318kprobe:security_task_fix_setuid {
1319
1320printf(\"PID: %-6d COMM: %-15.15s | SECURITY CHECK: task_fix_setuid\\n\",
1321
1322pid, comm);
1323
1324}
1325
1326
1327
1328// Track capabilities that might be assigned
1329
1330kprobe:cap_bprm_set_creds {
1331
1332printf(\"PID: %-6d COMM: %-15.15s | CAPABILITY ASSIGNMENT during execve\\n\",
1333
1334pid, comm);
1335
1336}
1337
1338
1339
1340// Track changes to process security context (SELinux)
1341
1342kprobe:security_task_setpgid,
1343
1344kprobe:security_task_kill {
1345
1346printf(\"PID: %-6d COMM: %-15.15s | SECURITY CONTEXT OPERATION: %s\\n\",
1347
1348pid, comm, probe);
1349
1350}
1351
1352" 2>/dev/null
1353
1354
1355
1356echo -e "${GREEN}[+] Credential change monitoring completed${NC}"
1357
1358}
1359
1360# Option 12: Profile process resource usage
1361
1362profile_resource_usage() {
1363
1364echo -e "${BLUE}[*] Profile process resource usage${NC}"
1365
1366read -p "Enter PID to monitor (leave empty for all): " target_pid
1367
1368read -p "Enter duration in seconds (default: 30): " duration
1369
1370duration=${duration:-30}
1371
1372
1373
1374if [ -z "$target_pid" ]; then
1375
1376pid_filter=""
1377
1378else
1379
1380pid_filter="/pid == $target_pid/"
1381
1382fi
1383
1384
1385
1386echo -e "${GREEN}[+] Profiling resource usage for ${target_pid:-all processes}
1387for $duration seconds...${NC}"
1388
1389
1390
1391timeout $duration bpftrace -e "
1392
1393// Track CPU usage by sampling
1394
1395profile:hz:99 $pid_filter {
1396
1397@cpu[pid, comm] = count();
1398
1399}
1400
1401
1402
1403// Track I/O operations
1404
1405tracepoint:syscalls:sys_enter_read,
1406
1407tracepoint:syscalls:sys_enter_pread64,
1408
1409tracepoint:syscalls:sys_enter_readv $pid_filter {
1410
1411@reads[pid, comm] = count();
1412
1413@read_bytes[pid, comm] = sum(args->count);
1414
1415}
1416
1417
1418
1419tracepoint:syscalls:sys_enter_write,
1420
1421tracepoint:syscalls:sys_enter_pwrite64,
1422
1423tracepoint:syscalls:sys_enter_writev $pid_filter {
1424
1425@writes[pid, comm] = count();
1426
1427@write_bytes[pid, comm] = sum(args->count);
1428
1429}
1430
1431
1432
1433// Track memory allocations
1434
1435kretprobe:kmalloc $pid_filter {
1436
1437@kmalloc[pid, comm] = count();
1438
1439@kmem_bytes[pid, comm] = sum(retval);
1440
1441}
1442
1443
1444
1445// Track process creation
1446
1447tracepoint:syscalls:sys_enter_clone,
1448
1449tracepoint:syscalls:sys_enter_fork,
1450
1451tracepoint:syscalls:sys_enter_vfork $pid_filter {
1452
1453@process_create[pid, comm] = count();
1454
1455}
1456
1457
1458
1459interval:s:5 {
1460
1461printf(\"\\n--- Resource Usage Summary (5s) ---\\n\");
1462
1463
1464
1465printf(\"\\nCPU Usage (sample count):\\n\");
1466
1467print(@cpu);
1468
1469clear(@cpu);
1470
1471
1472
1473printf(\"\\nRead Operations:\\n\");
1474
1475print(@reads);
1476
1477printf(\"\\nBytes Read:\\n\");
1478
1479print(@read_bytes);
1480
1481clear(@reads);
1482
1483clear(@read_bytes);
1484
1485
1486
1487printf(\"\\nWrite Operations:\\n\");
1488
1489print(@writes);
1490
1491printf(\"\\nBytes Written:\\n\");
1492
1493print(@write_bytes);
1494
1495clear(@writes);
1496
1497clear(@write_bytes);
1498
1499
1500
1501printf(\"\\nKernel Memory Allocations:\\n\");
1502
1503print(@kmalloc);
1504
1505printf(\"\\nKernel Bytes Allocated:\\n\");
1506
1507print(@kmem_bytes);
1508
1509clear(@kmalloc);
1510
1511clear(@kmem_bytes);
1512
1513
1514
1515printf(\"\\nProcess Creation:\\n\");
1516
1517print(@process_create);
1518
1519clear(@process_create);
1520
1521}
1522
1523" 2>/dev/null
1524
1525
1526
1527echo -e "${GREEN}[+] Resource usage profiling completed${NC}"
1528
1529}
1530
1531# Option 13: Detect process injection attempts
1532
1533detect_process_injection() {
1534
1535echo -e "${BLUE}[*] Detect process injection attempts${NC}"
1536
1537read -p "Enter duration in seconds (default: 30): " duration
1538
1539duration=${duration:-30}
1540
1541
1542
1543echo -e "${GREEN}[+] Monitoring for process injection techniques for $duration
1544seconds...${NC}"
1545
1546
1547
1548timeout $duration bpftrace -e "
1549
1550// Track ptrace usage (common for code injection)
1551
1552tracepoint:syscalls:sys_enter_ptrace {
1553
1554printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | PTRACE: request=%d pid=%d\\n\",
1555
1556pid, comm, uid, args->request, args->pid);
1557
1558
1559
1560// PTRACE_POKETEXT/PTRACE_POKEDATA (4) is used for writing to process memory
1561
1562if (args->request == 4) {
1563
1564printf(\" [ALERT] Process memory modification detected via ptrace!\\n\");
1565
1566}
1567
1568
1569
1570// PTRACE_ATTACH (16) is used to attach to a process
1571
1572if (args->request == 16) {
1573
1574printf(\" Process %d (%s) is attaching to PID %d\\n\", pid, comm, args->pid);
1575
1576}
1577
1578}
1579
1580
1581
1582// Track process_vm_writev (direct process memory writing)
1583
1584tracepoint:syscalls:sys_enter_process_vm_writev {
1585
1586printf(\"PID: %-6d COMM: %-15.15s | PROCESS_VM_WRITEV: pid=%d\\n\",
1587
1588pid, comm, args->pid);
1589
1590printf(\" [ALERT] Direct process memory write detected!\\n\");
1591
1592}
1593
1594
1595
1596// Monitor /proc/pid/mem access for writing
1597
1598tracepoint:syscalls:sys_enter_open,
1599
1600tracepoint:syscalls:sys_enter_openat {
1601
1602\$filename = str(args->filename);
1603
1604
1605
1606if (\$filename != 0 && strncmp(\$filename, \"/proc/\", 6) == 0) {
1607
1608if (strstr(\$filename, \"/mem\") != 0) {
1609
1610\$flags = args->flags;
1611
1612// Check if file is opened for writing
1613
1614if (\$flags & 0x1 || \$flags & 0x2) { // O_WRONLY or O_RDWR
1615
1616printf(\"PID: %-6d COMM: %-15.15s | Opening %s for writing\\n\",
1617
1618pid, comm, \$filename);
1619
1620printf(\" [ALERT] Process memory manipulation via /proc detected!\\n\");
1621
1622}
1623
1624}
1625
1626}
1627
1628}
1629
1630
1631
1632// Monitor shared memory with executable permissions (potential code injection)
1633
1634tracepoint:syscalls:sys_enter_mmap {
1635
1636if ((args->prot & 0x4) && (args->flags & 0x1)) { // PROT_EXEC and MAP_SHARED
1637
1638printf(\"PID: %-6d COMM: %-15.15s | MMAP: Creating shared executable
1639memory\\n\",
1640
1641pid, comm);
1642
1643printf(\" [ALERT] Potential shared memory code injection vector!\\n\");
1644
1645}
1646
1647}
1648
1649
1650
1651// Monitor debugfs access (which can be used for memory manipulation)
1652
1653tracepoint:syscalls:sys_enter_open,
1654
1655tracepoint:syscalls:sys_enter_openat {
1656
1657\$filename = str(args->filename);
1658
1659
1660
1661if (\$filename != 0 && strncmp(\$filename, \"/sys/kernel/debug\", 17) == 0) {
1662
1663printf(\"PID: %-6d COMM: %-15.15s | Accessing debugfs: %s\\n\",
1664
1665pid, comm, \$filename);
1666
1667
1668
1669if (comm != \"systemd\" && comm != \"udevd\" &&
1670
1671comm != \"snapd\" && comm != \"kernel\") {
1672
1673printf(\" [ALERT] Suspicious debugfs access!\\n\");
1674
1675}
1676
1677}
1678
1679}
1680
1681
1682
1683// Detect shellcode-like behavior (syscall instruction)
1684
1685kprobe:__x64_sys_execve {
1686
1687// Get the instruction pointer that caused the syscall
1688
1689\$ip = reg(\"ip\");
1690
1691
1692
1693// Check if it's in a mapped executable area rather than in .text segment
1694
1695@exec_syscalls[pid, comm, \$ip] = count();
1696
1697}
1698
1699
1700
1701interval:s:5 {
1702
1703printf(\"\\n--- Process Injection Detection Summary (5s) ---\\n\");
1704
1705printf(\"\\nExecve Syscall Origins:\\n\");
1706
1707print(@exec_syscalls);
1708
1709}
1710
1711" 2>/dev/null
1712
1713
1714
1715echo -e "${GREEN}[+] Process injection detection completed${NC}"
1716
1717}
1718
1719# Option 14: Monitor filesystem operations
1720
1721monitor_filesystem() {
1722
1723echo -e "${BLUE}[*] Monitor filesystem operations${NC}"
1724
1725read -p "Enter specific directory to monitor (leave empty for all): " target_dir
1726
1727read -p "Enter duration in seconds (default: 30): " duration
1728
1729duration=${duration:-30}
1730
1731
1732
1733if [ -z "$target_dir" ]; then
1734
1735dir_filter=""
1736
1737dir_msg="all filesystem"
1738
1739else
1740
1741dir_filter="/strncmp(str(args->filename), \"$target_dir\", ${#target_dir}) ==
17420/"
1743
1744dir_msg="$target_dir"
1745
1746fi
1747
1748
1749
1750echo -e "${GREEN}[+] Monitoring $dir_msg operations for $duration
1751seconds...${NC}"
1752
1753
1754
1755timeout $duration bpftrace -e "
1756
1757// Track file creation
1758
1759tracepoint:syscalls:sys_enter_creat,
1760
1761tracepoint:syscalls:sys_enter_open,
1762
1763tracepoint:syscalls:sys_enter_openat /args->flags & 0x40/ $dir_filter { //
1764O_CREAT
1765
1766\$filename = str(args->filename);
1767
1768if (\$filename != 0) {
1769
1770printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | CREATE: %s\\n\",
1771
1772pid, comm, uid, \$filename);
1773
1774}
1775
1776}
1777
1778
1779
1780// Track file deletion
1781
1782tracepoint:syscalls:sys_enter_unlink,
1783
1784tracepoint:syscalls:sys_enter_unlinkat $dir_filter {
1785
1786\$filename = str(args->filename);
1787
1788if (\$filename != 0) {
1789
1790printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | DELETE: %s\\n\",
1791
1792pid, comm, uid, \$filename);
1793
1794
1795
1796if (strstr(\$filename, \".bash_history\") != 0 ||
1797
1798strstr(\$filename, \".zsh_history\") != 0 ||
1799
1800strstr(\$filename, \".mysql_history\") != 0 ||
1801
1802strstr(\$filename, \"/var/log/\") != 0 ||
1803
1804strstr(\$filename, \"/var/audit/\") != 0) {
1805
1806printf(\" [ALERT] Potential log/history file deletion!\\n\");
1807
1808}
1809
1810}
1811
1812}
1813
1814
1815
1816// Track file modifications
1817
1818tracepoint:syscalls:sys_enter_rename,
1819
1820tracepoint:syscalls:sys_enter_renameat,
1821
1822tracepoint:syscalls:sys_enter_renameat2 $dir_filter {
1823
1824\$oldname = str(args->oldname);
1825
1826\$newname = str(args->newname);
1827
1828if (\$oldname != 0 && \$newname != 0) {
1829
1830printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | RENAME: %s -> %s\\n\",
1831
1832pid, comm, uid, \$oldname, \$newname);
1833
1834
1835
1836if ((strstr(\$newname, \".so\") != 0 || strstr(\$newname, \"lib\") != 0) &&
1837
1838uid != 0) {
1839
1840printf(\" [ALERT] Non-root process modifying library file!\\n\");
1841
1842}
1843
1844}
1845
1846}
1847
1848
1849
1850// Track permission changes
1851
1852tracepoint:syscalls:sys_enter_chmod,
1853
1854tracepoint:syscalls:sys_enter_fchmod,
1855
1856tracepoint:syscalls:sys_enter_fchmodat $dir_filter {
1857
1858\$filename = str(args->filename);
1859
1860\$mode = args->mode;
1861
1862if (\$filename != 0) {
1863
1864printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | CHMOD: %s mode=0%o\\n\",
1865
1866pid, comm, uid, \$filename, \$mode);
1867
1868
1869
1870if (\$mode & 0111) { // executable bit
1871
1872printf(\" Setting executable permission\\n\");
1873
1874}
1875
1876}
1877
1878}
1879
1880
1881
1882// Track ownership changes
1883
1884tracepoint:syscalls:sys_enter_chown,
1885
1886tracepoint:syscalls:sys_enter_fchown,
1887
1888tracepoint:syscalls:sys_enter_lchown,
1889
1890tracepoint:syscalls:sys_enter_fchownat $dir_filter {
1891
1892\$filename = str(args->filename);
1893
1894if (\$filename != 0) {
1895
1896printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | CHOWN: %s uid=%d gid=%d\\n\",
1897
1898pid, comm, uid, \$filename, args->user, args->group);
1899
1900}
1901
1902}
1903
1904
1905
1906// Track suspicious file access
1907
1908tracepoint:syscalls:sys_enter_open,
1909
1910tracepoint:syscalls:sys_enter_openat $dir_filter {
1911
1912\$filename = str(args->filename);
1913
1914if (\$filename != 0) {
1915
1916// Check for sensitive files
1917
1918if (strstr(\$filename, \"passwd\") != 0 ||
1919
1920strstr(\$filename, \"shadow\") != 0 ||
1921
1922strstr(\$filename, \"/etc/ssh/\") != 0 ||
1923
1924strstr(\$filename, \"/root/.ssh/\") != 0 ||
1925
1926strstr(\$filename, \"id_rsa\") != 0 ||
1927
1928strstr(\$filename, \"authorized_keys\") != 0) {
1929
1930printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | ACCESS SENSITIVE: %s\\n\",
1931
1932pid, comm, uid, \$filename);
1933
1934
1935
1936if (uid != 0 && (strstr(\$filename, \"shadow\") != 0 ||
1937
1938strstr(\$filename, \"/root/.ssh/\") != 0)) {
1939
1940printf(\" [ALERT] Non-root process accessing highly sensitive file!\\n\");
1941
1942}
1943
1944}
1945
1946}
1947
1948}
1949
1950
1951
1952// Track writes to /dev/mem or /dev/kmem (direct memory manipulation)
1953
1954tracepoint:syscalls:sys_enter_open,
1955
1956tracepoint:syscalls:sys_enter_openat {
1957
1958\$filename = str(args->filename);
1959
1960\$flags = args->flags;
1961
1962
1963
1964if (\$filename != 0 &&
1965
1966(\$flags & 0x1 || \$flags & 0x2) && // O_WRONLY or O_RDWR
1967
1968(strncmp(\$filename, \"/dev/mem\", 8) == 0 ||
1969
1970strncmp(\$filename, \"/dev/kmem\", 9) == 0 ||
1971
1972strncmp(\$filename, \"/dev/port\", 9) == 0)) {
1973
1974printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | DIRECT MEMORY ACCESS: %s\\n\",
1975
1976pid, comm, uid, \$filename);
1977
1978printf(\" [ALERT] Direct hardware memory manipulation detected!\\n\");
1979
1980}
1981
1982}
1983
1984" 2>/dev/null
1985
1986
1987
1988echo -e "${GREEN}[+] Filesystem monitoring completed${NC}"
1989
1990}
1991
1992# Option 15: Track container escape attempts
1993
1994track_container_escapes() {
1995
1996echo -e "${BLUE}[*] Track container escape attempts${NC}"
1997
1998read -p "Enter duration in seconds (default: 30): " duration
1999
2000duration=${duration:-30}
2001
2002
2003
2004echo -e "${GREEN}[+] Monitoring for container escape techniques for $duration
2005seconds...${NC}"
2006
2007
2008
2009timeout $duration bpftrace -e "
2010
2011// Monitor privileged container capabilities
2012
2013kprobe:cap_capable {
2014
2015\$cap_id = arg1;
2016
2017
2018
2019if (\$cap_id == 16 || \$cap_id == 21) { // CAP_SYS_MODULE or CAP_SYS_ADMIN
2020
2021printf(\"PID: %-6d COMM: %-15.15s | Privileged capability check: %d\\n\",
2022
2023pid, comm, \$cap_id);
2024
2025
2026
2027if (\$cap_id == 21) { // CAP_SYS_ADMIN
2028
2029printf(\" [ALERT] Process checking for CAP_SYS_ADMIN (potential container
2030escape)\\n\");
2031
2032}
2033
2034}
2035
2036}
2037
2038
2039
2040// Monitor mount namespace escapes
2041
2042tracepoint:syscalls:sys_enter_mount {
2043
2044printf(\"PID: %-6d COMM: %-15.15s | MOUNT: src=%s dst=%s type=%s\\n\",
2045
2046pid, comm, str(args->source_name), str(args->target_name),
2047str(args->filesystemtype));
2048
2049
2050
2051if (strncmp(str(args->filesystemtype), \"proc\", 4) == 0 ||
2052
2053strncmp(str(args->filesystemtype), \"sysfs\", 5) == 0) {
2054
2055printf(\" [ALERT] Potential container escape via %s mount\\n\",
2056str(args->filesystemtype));
2057
2058}
2059
2060}
2061
2062
2063
2064// Monitor device mounting (common escape technique)
2065
2066tracepoint:syscalls:sys_enter_mount {
2067
2068\$src = str(args->source_name);
2069
2070\$dst = str(args->target_name);
2071
2072
2073
2074if (\$src != 0 && \$dst != 0) {
2075
2076if (strncmp(\$src, \"/dev\", 4) == 0) {
2077
2078printf(\"PID: %-6d COMM: %-15.15s | Device mount: %s -> %s\\n\",
2079
2080pid, comm, \$src, \$dst);
2081
2082printf(\" [ALERT] Potential container escape via device mount\\n\");
2083
2084}
2085
2086}
2087
2088}
2089
2090
2091
2092// Monitor access to host devices
2093
2094tracepoint:syscalls:sys_enter_open,
2095
2096tracepoint:syscalls:sys_enter_openat {
2097
2098\$filename = str(args->filename);
2099
2100
2101
2102if (\$filename != 0) {
2103
2104if (strncmp(\$filename, \"/dev/\", 5) == 0 &&
2105
2106(strstr(\$filename, \"mem\") != 0 ||
2107
2108strstr(\$filename, \"kmem\") != 0 ||
2109
2110strstr(\$filename, \"port\") != 0 ||
2111
2112strncmp(\$filename, \"/dev/sd\", 7) == 0 ||
2113
2114strncmp(\$filename, \"/dev/nvme\", 9) == 0)) {
2115
2116printf(\"PID: %-6d COMM: %-15.15s | Access to sensitive device: %s\\n\",
2117
2118pid, comm, \$filename);
2119
2120printf(\" [ALERT] Potential container escape via device access\\n\");
2121
2122}
2123
2124}
2125
2126}
2127
2128
2129
2130// Monitor cgroup manipulation (common for escapes)
2131
2132tracepoint:syscalls:sys_enter_open,
2133
2134tracepoint:syscalls:sys_enter_openat {
2135
2136\$filename = str(args->filename);
2137
2138\$flags = args->flags;
2139
2140
2141
2142if (\$filename != 0 && (\$flags & 0x1 || \$flags & 0x2)) { // O_WRONLY or O_RDWR
2143
2144if (strncmp(\$filename, \"/sys/fs/cgroup\", 14) == 0 ||
2145
2146strncmp(\$filename, \"/proc/sys\", 9) == 0) {
2147
2148printf(\"PID: %-6d COMM: %-15.15s | Writing to sensitive path: %s\\n\",
2149
2150pid, comm, \$filename);
2151
2152printf(\" [ALERT] Potential container escape via cgroup/sysctl
2153manipulation\\n\");
2154
2155}
2156
2157}
2158
2159}
2160
2161
2162
2163// Monitor for core_pattern manipulation (CVE-2019-5736)
2164
2165tracepoint:syscalls:sys_enter_open,
2166
2167tracepoint:syscalls:sys_enter_openat {
2168
2169\$filename = str(args->filename);
2170
2171\$flags = args->flags;
2172
2173
2174
2175if (\$filename != 0 && (\$flags & 0x1 || \$flags & 0x2)) { // O_WRONLY or O_RDWR
2176
2177if (strncmp(\$filename, \"/proc/sys/kernel/core_pattern\", 28) == 0) {
2178
2179printf(\"PID: %-6d COMM: %-15.15s | Writing to core_pattern: %s\\n\",
2180
2181pid, comm, \$filename);
2182
2183printf(\" [ALERT] Potential container escape via core_pattern\\n\");
2184
2185}
2186
2187}
2188
2189}
2190
2191
2192
2193// Monitor for potential runC container escape attempts
2194
2195tracepoint:syscalls:sys_enter_open,
2196
2197tracepoint:syscalls:sys_enter_openat {
2198
2199\$filename = str(args->filename);
2200
2201
2202
2203if (\$filename != 0) {
2204
2205if (strstr(\$filename, \"docker\") != 0 ||
2206
2207strstr(\$filename, \"containerd\") != 0 ||
2208
2209strstr(\$filename, \"runc\") != 0) {
2210
2211if (strstr(\$filename, \"/proc/self/exe\") != 0) {
2212
2213printf(\"PID: %-6d COMM: %-15.15s | Suspicious container binary access: %s\\n\",
2214
2215pid, comm, \$filename);
2216
2217printf(\" [ALERT] Potential runC container escape attempt (CVE-2019-5736)\\n\");
2218
2219}
2220
2221}
2222
2223}
2224
2225}
2226
2227" 2>/dev/null
2228
2229
2230
2231echo -e "${GREEN}[+] Container escape monitoring completed${NC}"
2232
2233}
2234
2235# Option 16: Analyze loaded kernel modules
2236
2237analyze_kernel_modules() {
2238
2239echo -e "${BLUE}[*] Analyze loaded kernel modules${NC}"
2240
2241read -p "Enter duration in seconds (default: 30): " duration
2242
2243duration=${duration:-30}
2244
2245
2246
2247echo -e "${GREEN}[+] Monitoring kernel module operations for $duration
2248seconds...${NC}"
2249
2250
2251
2252timeout $duration bpftrace -e "
2253
2254// Monitor module loading
2255
2256tracepoint:syscalls:sys_enter_init_module {
2257
2258printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | LOADING KERNEL MODULE\\n\",
2259
2260pid, comm, uid);
2261
2262
2263
2264if (uid != 0) {
2265
2266printf(\" [ALERT] Non-root user attempting to load kernel module!\\n\");
2267
2268}
2269
2270}
2271
2272
2273
2274// Monitor module removal
2275
2276tracepoint:syscalls:sys_enter_delete_module {
2277
2278printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | REMOVING KERNEL MODULE: %s\\n\",
2279
2280pid, comm, uid, str(args->name));
2281
2282
2283
2284if (uid != 0) {
2285
2286printf(\" [ALERT] Non-root user attempting to remove kernel module!\\n\");
2287
2288}
2289
2290}
2291
2292
2293
2294// Monitor kernel module file operations
2295
2296tracepoint:syscalls:sys_enter_open,
2297
2298tracepoint:syscalls:sys_enter_openat {
2299
2300\$filename = str(args->filename);
2301
2302
2303
2304if (\$filename != 0) {
2305
2306if (strstr(\$filename, \".ko\") != 0 ||
2307
2308strncmp(\$filename, \"/lib/modules/\", 13) == 0) {
2309
2310printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | KERNEL MODULE FILE ACCESS:
2311%s\\n\",
2312
2313pid, comm, uid, \$filename);
2314
2315}
2316
2317}
2318
2319}
2320
2321
2322
2323// Monitor kmod execution (used for module operations)
2324
2325tracepoint:syscalls:sys_enter_execve,
2326
2327tracepoint:syscalls:sys_enter_execveat {
2328
2329\$argp = args->argv;
2330
2331\$arg0 = user_string(\$argp);
2332
2333
2334
2335if (\$arg0 != 0) {
2336
2337if (strstr(\$arg0, \"insmod\") != 0 ||
2338
2339strstr(\$arg0, \"modprobe\") != 0 ||
2340
2341strstr(\$arg0, \"rmmod\") != 0 ||
2342
2343strstr(\$arg0, \"modinfo\") != 0) {
2344
2345printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | MODULE TOOL EXECUTION: %s\\n\",
2346
2347pid, comm, uid, \$arg0);
2348
2349
2350
2351\$i = 1;
2352
2353\$argp++;
2354
2355\$arg = user_string(\$argp);
2356
2357printf(\" Command: %s\", \$arg0);
2358
2359while (\$arg != 0 && \$i < 10) {
2360
2361printf(\" %s\", \$arg);
2362
2363\$argp++;
2364
2365\$arg = user_string(\$argp);
2366
2367\$i++;
2368
2369}
2370
2371if (\$i >= 10) {
2372
2373printf(\" ...\");
2374
2375}
2376
2377printf(\"\\n\");
2378
2379}
2380
2381}
2382
2383}
2384
2385
2386
2387// Monitor debugfs/sysfs manipulation (used in rootkits)
2388
2389tracepoint:syscalls:sys_enter_open,
2390
2391tracepoint:syscalls:sys_enter_openat {
2392
2393\$filename = str(args->filename);
2394
2395\$flags = args->flags;
2396
2397
2398
2399if (\$filename != 0 && (\$flags & 0x1 || \$flags & 0x2)) { // O_WRONLY or O_RDWR
2400
2401if (strncmp(\$filename, \"/sys/kernel\", 11) == 0 ||
2402
2403strncmp(\$filename, \"/sys/module\", 11) == 0 ||
2404
2405strncmp(\$filename, \"/proc/kallsyms\", 14) == 0) {
2406
2407printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | KERNEL STRUCTURE WRITE: %s\\n\",
2408
2409pid, comm, uid, \$filename);
2410
2411printf(\" [ALERT] Potential rootkit or LKM manipulation activity!\\n\");
2412
2413}
2414
2415}
2416
2417}
2418
2419" 2>/dev/null
2420
2421
2422
2423echo -e "${GREEN}[+] Kernel module analysis completed${NC}"
2424
2425}
2426
2427# Option 17: Monitor bpf() syscall usage
2428
2429monitor_bpf() {
2430
2431echo -e "${BLUE}[*] Monitor bpf() syscall usage${NC}"
2432
2433read -p "Enter duration in seconds (default: 30): " duration
2434
2435duration=${duration:-30}
2436
2437
2438
2439echo -e "${GREEN}[+] Monitoring BPF operations for $duration seconds...${NC}"
2440
2441
2442
2443timeout $duration bpftrace -e "
2444
2445// Monitor BPF syscall usage
2446
2447tracepoint:syscalls:sys_enter_bpf {
2448
2449printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | BPF: cmd=%d\\n\",
2450
2451pid, comm, uid, args->cmd);
2452
2453
2454
2455// BPF commands
2456
2457if (args->cmd == 0) {
2458
2459printf(\" BPF_MAP_CREATE\\n\");
2460
2461} else if (args->cmd == 1) {
2462
2463printf(\" BPF_MAP_LOOKUP_ELEM\\n\");
2464
2465} else if (args->cmd == 2) {
2466
2467printf(\" BPF_MAP_UPDATE_ELEM\\n\");
2468
2469} else if (args->cmd == 3) {
2470
2471printf(\" BPF_MAP_DELETE_ELEM\\n\");
2472
2473} else if (args->cmd == 4) {
2474
2475printf(\" BPF_MAP_GET_NEXT_KEY\\n\");
2476
2477} else
2478
2479
2480
2481// BPF commands (continued)
2482
2483} else if (args->cmd == 5) {
2484
2485printf(\" BPF_PROG_LOAD\\n\");
2486
2487printf(\" [ALERT] BPF program being loaded - potential for kernel
2488manipulation!\\n\");
2489
2490} else if (args->cmd == 6) {
2491
2492printf(\" BPF_OBJ_PIN\\n\");
2493
2494} else if (args->cmd == 7) {
2495
2496printf(\" BPF_OBJ_GET\\n\");
2497
2498} else if (args->cmd == 8) {
2499
2500printf(\" BPF_PROG_ATTACH\\n\");
2501
2502printf(\" [ALERT] BPF program being attached!\\n\");
2503
2504} else if (args->cmd == 9) {
2505
2506printf(\" BPF_PROG_DETACH\\n\");
2507
2508}
2509
2510
2511
2512@bpf_cmds[pid, comm, args->cmd] = count();
2513
2514}
2515
2516
2517
2518// Track successful BPF operations
2519
2520tracepoint:syscalls:sys_exit_bpf /args->ret >= 0/ {
2521
2522printf(\" Result: SUCCESS (fd/id=%d)\\n\", args->ret);
2523
2524}
2525
2526
2527
2528// Monitor kprobe and tracepoint operations (often used with BPF)
2529
2530kprobe:security_bpf {
2531
2532printf(\"PID: %-6d COMM: %-15.15s | BPF security check\\n\",
2533
2534pid, comm);
2535
2536}
2537
2538
2539
2540// Monitor direct BPF map operations
2541
2542kprobe:bpf_map_update_elem,
2543
2544kprobe:bpf_map_lookup_elem {
2545
2546printf(\"PID: %-6d COMM: %-15.15s | BPF map operation: %s\\n\",
2547
2548pid, comm, probe);
2549
2550}
2551
2552
2553
2554interval:s:5 {
2555
2556printf(\"\\n--- BPF Operations Summary (5s) ---\\n\");
2557
2558printf(\"%-6s %-15s %-20s | %s\\n\", \"PID\", \"COMM\", \"CMD\", \"COUNT\");
2559
2560print(@bpf_cmds);
2561
2562}
2563
2564" 2>/dev/null
2565
2566
2567
2568echo -e "${GREEN}[+] BPF usage monitoring completed${NC}"
2569
2570}
2571
2572# Option 18: Detect hidden process techniques
2573
2574detect_hidden_processes() {
2575
2576echo -e "${BLUE}[*] Detect hidden process techniques${NC}"
2577
2578read -p "Enter duration in seconds (default: 30): " duration
2579
2580duration=${duration:-30}
2581
2582
2583
2584echo -e "${GREEN}[+] Monitoring for process hiding techniques for $duration
2585seconds...${NC}"
2586
2587
2588
2589timeout $duration bpftrace -e "
2590
2591// Monitor /proc traversal
2592
2593kprobe:proc_pid_readdir {
2594
2595@proc_readdir[pid, comm] = count();
2596
2597}
2598
2599
2600
2601// Monitor getdents/getdents64 syscalls (directory listing)
2602
2603tracepoint:syscalls:sys_enter_getdents,
2604
2605tracepoint:syscalls:sys_enter_getdents64 {
2606
2607@getdents[pid, comm] = count();
2608
2609}
2610
2611
2612
2613// Monitor specific process hiding techniques
2614
2615kprobe:proc_readdir {
2616
2617@proc_read[pid, comm, \"proc_readdir\"] = count();
2618
2619}
2620
2621
2622
2623tracepoint:syscalls:sys_enter_ptrace /args->request == 31/ { // PTRACE_ATTACH
2624
2625printf(\"PID: %-6d COMM: %-15.15s | PTRACE_ATTACH to PID %d\\n\",
2626
2627pid, comm, args->pid);
2628
2629
2630
2631// Try to detect if the target process exists
2632
2633@ptrace_targets[pid, comm, args->pid] = count();
2634
2635}
2636
2637
2638
2639// Detect changes to task struct links (potential unlink from task_struct)
2640
2641kprobe:find_task_by_vpid {
2642
2643@find_task[pid, comm, arg0] = count();
2644
2645}
2646
2647
2648
2649kretprobe:find_task_by_vpid /retval == 0/ {
2650
2651\$vpid = arg0;
2652
2653// Non-zero PID should return a valid task
2654
2655if (\$vpid > 0 && \$vpid < 4000000) {
2656
2657printf(\"PID: %-6d COMM: %-15.15s | Process %d not found (potential hidden
2658process)\\n\",
2659
2660pid, comm, \$vpid);
2661
2662}
2663
2664}
2665
2666
2667
2668// Monitor process creation/exit to track active PIDs
2669
2670tracepoint:sched:sched_process_fork {
2671
2672@pids[args->child_pid] = nsecs;
2673
2674printf(\"PID: %-6d COMM: %-15.15s | PROCESS CREATED: %d\\n\",
2675
2676pid, comm, args->child_pid);
2677
2678}
2679
2680
2681
2682tracepoint:sched:sched_process_exit {
2683
2684@exit_pids[pid] = nsecs;
2685
2686delete(@pids[pid]);
2687
2688printf(\"PID: %-6d COMM: %-15.15s | PROCESS EXIT\\n\", pid, comm);
2689
2690}
2691
2692
2693
2694// Monitor tasks that manipulate the pidns number
2695
2696kprobe:copy_process {
2697
2698@new_task[pid, comm] = count();
2699
2700}
2701
2702
2703
2704tracepoint:syscalls:sys_enter_clone /args->clone_flags & 0x20000000/ { //
2705CLONE_NEWPID
2706
2707printf(\"PID: %-6d COMM: %-15.15s | Creating new PID namespace\\n\",
2708
2709pid, comm);
2710
2711}
2712
2713
2714
2715interval:s:5 {
2716
2717printf(\"\\n--- Process Hiding Detection Summary (5s) ---\\n\");
2718
2719
2720
2721printf(\"\\n/proc Directory Reads:\\n\");
2722
2723print(@proc_readdir);
2724
2725
2726
2727printf(\"\\nDirectory Entry Reads:\\n\");
2728
2729print(@getdents);
2730
2731
2732
2733printf(\"\\nProcess Lookups (find_task_by_vpid):\\n\");
2734
2735print(@find_task);
2736
2737
2738
2739clear(@proc_readdir);
2740
2741clear(@getdents);
2742
2743clear(@find_task);
2744
2745}
2746
2747" 2>/dev/null
2748
2749
2750
2751echo -e "${GREEN}[+] Hidden process detection completed${NC}"
2752
2753}
2754
2755# Option 19: Track unauthorized file access attempts
2756
2757track_unauthorized_access() {
2758
2759echo -e "${BLUE}[*] Track unauthorized file access attempts${NC}"
2760
2761read -p "Enter duration in seconds (default: 30): " duration
2762
2763duration=${duration:-30}
2764
2765
2766
2767echo -e "${GREEN}[+] Monitoring for unauthorized file access attempts for
2768$duration seconds...${NC}"
2769
2770
2771
2772timeout $duration bpftrace -e "
2773
2774// Monitor permission denied errors
2775
2776tracepoint:syscalls:sys_exit_open,
2777
2778tracepoint:syscalls:sys_exit_openat /args->ret == -13/ { // -EACCES
2779
2780@access_denied[pid, comm] = count();
2781
2782}
2783
2784
2785
2786// Track specific patterns of file access
2787
2788kprobe:security_file_permission {
2789
2790\$file = (struct file *)arg0;
2791
2792if (\$file != 0) {
2793
2794\$path = \$file->f_path.dentry->d_name.name;
2795
2796if (\$path != 0) {
2797
2798\$name = str(\$path);
2799
2800\$mask = arg1;
2801
2802
2803
2804// MAY_READ = 0x4, MAY_WRITE = 0x2, MAY_EXEC = 0x1
2805
2806if ((\$mask & 0x2) &&
2807
2808(\$name != 0)) {
2809
2810@file_write_check[pid, comm, \$name] = count();
2811
2812}
2813
2814}
2815
2816}
2817
2818}
2819
2820
2821
2822kretprobe:security_file_permission /retval != 0/ {
2823
2824printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | Permission denied for file
2825operation\\n\",
2826
2827pid, comm, uid);
2828
2829}
2830
2831
2832
2833// Monitor access control checks
2834
2835kprobe:security_path_truncate,
2836
2837kprobe:security_path_mkdir,
2838
2839kprobe:security_path_rmdir,
2840
2841kprobe:security_path_symlink,
2842
2843kprobe:security_path_link,
2844
2845kprobe:security_path_rename,
2846
2847kprobe:security_path_chmod,
2848
2849kprobe:security_path_chown {
2850
2851printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | Security check: %s\\n\",
2852
2853pid, comm, uid, probe);
2854
2855}
2856
2857
2858
2859kretprobe:security_path_truncate,
2860
2861kretprobe:security_path_mkdir,
2862
2863kretprobe:security_path_rmdir,
2864
2865kretprobe:security_path_symlink,
2866
2867kretprobe:security_path_link,
2868
2869kretprobe:security_path_rename,
2870
2871kretprobe:security_path_chmod,
2872
2873kretprobe:security_path_chown /retval != 0/ {
2874
2875printf(\" Result: DENIED (potential unauthorized access)\\n\");
2876
2877@security_denied[pid, comm, probe] = count();
2878
2879}
2880
2881
2882
2883// Monitor dac_override capability use (bypassing permissions)
2884
2885kprobe:cap_capable /arg1 == 1/ { // CAP_DAC_OVERRIDE
2886
2887printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | DAC_OVERRIDE capability
2888check\\n\",
2889
2890pid, comm, uid);
2891
2892
2893
2894if (uid != 0) {
2895
2896printf(\" [ALERT] Non-root process checking for permission bypass
2897capability!\\n\");
2898
2899}
2900
2901}
2902
2903
2904
2905// Monitor suspicious chmod operations
2906
2907tracepoint:syscalls:sys_enter_chmod,
2908
2909tracepoint:syscalls:sys_enter_fchmod,
2910
2911tracepoint:syscalls:sys_enter_fchmodat {
2912
2913\$mode = args->mode;
2914
2915
2916
2917// Check if setting root setuid/setgid bits or wide permissions
2918
2919if ((\$mode & 0x800) || (\$mode & 0x400) || (\$mode & 0x777) == 0x777) {
2920
2921\$filename = args->filename ? str(args->filename) : \"(unknown)\";
2922
2923
2924
2925printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | Suspicious chmod: %s
2926mode=0%o\\n\",
2927
2928pid, comm, uid, \$filename, \$mode);
2929
2930
2931
2932if (\$mode & 0x800) {
2933
2934printf(\" [ALERT] Setting setuid bit on file!\\n\");
2935
2936}
2937
2938if (\$mode & 0x400) {
2939
2940printf(\" [ALERT] Setting setgid bit on file!\\n\");
2941
2942}
2943
2944if ((\$mode & 0x777) == 0x777) {
2945
2946printf(\" [ALERT] Setting wide open permissions (777)!\\n\");
2947
2948}
2949
2950}
2951
2952}
2953
2954
2955
2956interval:s:5 {
2957
2958printf(\"\\n--- File Access Control Violations Summary (5s) ---\\n\");
2959
2960
2961
2962printf(\"\\nPermission Denied Events:\\n\");
2963
2964print(@access_denied);
2965
2966
2967
2968printf(\"\\nSecurity Subsystem Denials:\\n\");
2969
2970print(@security_denied);
2971
2972
2973
2974printf(\"\\nFile Write Security Checks:\\n\");
2975
2976print(@file_write_check);
2977
2978
2979
2980clear(@access_denied);
2981
2982clear(@security_denied);
2983
2984clear(@file_write_check);
2985
2986}
2987
2988" 2>/dev/null
2989
2990
2991
2992echo -e "${GREEN}[+] Unauthorized access monitoring completed${NC}"
2993
2994}
2995
2996# Option 20: Monitor syscall argument tampering
2997
2998monitor_syscall_tampering() {
2999
3000echo -e "${BLUE}[*] Monitor syscall argument tampering${NC}"
3001
3002read -p "Enter target process name or PID (leave empty for all): " target
3003
3004read -p "Enter duration in seconds (default: 30): " duration
3005
3006duration=${duration:-30}
3007
3008
3009
3010if [[ "$target" =~ ^[0-9]+$ ]]; then
3011
3012filter="/pid == $target/"
3013
3014target_desc="PID $target"
3015
3016elif [ -n "$target" ]; then
3017
3018filter="/comm == \"$target\"/"
3019
3020target_desc="process $target"
3021
3022else
3023
3024filter=""
3025
3026target_desc="all processes"
3027
3028fi
3029
3030
3031
3032echo -e "${GREEN}[+] Monitoring syscall arguments for $target_desc for $duration
3033seconds...${NC}"
3034
3035
3036
3037timeout $duration bpftrace -e "
3038
3039// Monitor key syscalls with security implications
3040
3041// execve with argument checks
3042
3043tracepoint:syscalls:sys_enter_execve $filter {
3044
3045\$filename = str(args->filename);
3046
3047printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | EXECVE: %s\\n\",
3048
3049pid, comm, uid, \$filename);
3050
3051
3052
3053\$i = 0;
3054
3055\$argp = args->argv;
3056
3057\$arg = user_string(\$argp);
3058
3059printf(\" ARGS: \");
3060
3061while (\$arg != 0 && \$i < 10) {
3062
3063printf(\"%s \", \$arg);
3064
3065\$argp++;
3066
3067\$arg = user_string(\$argp);
3068
3069\$i++;
3070
3071}
3072
3073if (\$i >= 10) {
3074
3075printf(\"...\");
3076
3077}
3078
3079printf(\"\\n\");
3080
3081}
3082
3083
3084
3085// connect with address validation
3086
3087tracepoint:syscalls:sys_enter_connect $filter {
3088
3089\$sa = (struct sockaddr *)args->uservaddr;
3090
3091if (\$sa->sa_family == 2) { // AF_INET
3092
3093\$in = (struct sockaddr_in *)\$sa;
3094
3095\$addr = ntop(2, \$in->sin_addr.s_addr);
3096
3097\$port = (\$in->sin_port >> 8) | ((\$in->sin_port << 8) & 0xff00);
3098
3099printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | CONNECT: %s:%d\\n\",
3100
3101pid, comm, uid, \$addr, \$port);
3102
3103
3104
3105// Check for connections to common C2 ports or suspicious IPs
3106
3107if (\$port == 4444 || \$port == 8080 || \$port == 8443 ||
3108
3109\$port == 1337 || \$port == 31337) {
3110
3111printf(\" [ALERT] Connection to suspicious port %d detected!\\n\", \$port);
3112
3113}
3114
3115}
3116
3117}
3118
3119
3120
3121// open with path normalization check (detect path traversal)
3122
3123tracepoint:syscalls:sys_enter_open,
3124
3125tracepoint:syscalls:sys_enter_openat $filter {
3126
3127\$filename = str(args->filename);
3128
3129if (\$filename != 0) {
3130
3131if (strstr(\$filename, \"../\") != 0 || strstr(\$filename, \"./\") != 0) {
3132
3133printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | PATH TRAVERSAL: %s\\n\",
3134
3135pid, comm, uid, \$filename);
3136
3137printf(\" [ALERT] Potential path traversal attempt detected!\\n\");
3138
3139}
3140
3141}
3142
3143}
3144
3145
3146
3147// prctl with specific codes (often used to hide processes)
3148
3149tracepoint:syscalls:sys_enter_prctl $filter {
3150
3151printf(\"PID: %-6d COMM: %-15.15s | PRCTL: option=%d arg2=0x%lx\\n\",
3152
3153pid, comm, args->option, args->arg2);
3154
3155
3156
3157if (args->option == 15) { // PR_SET_NAME
3158
3159printf(\" Process renaming itself\\n\");
3160
3161}
3162
3163if (args->option == 31) { // PR_SET_SECCOMP
3164
3165printf(\" [ALERT] Process enabling seccomp filtering!\\n\");
3166
3167}
3168
3169}
3170
3171
3172
3173// ioctl with specific device checks
3174
3175tracepoint:syscalls:sys_enter_ioctl $filter {
3176
3177printf(\"PID: %-6d COMM: %-15.15s | IOCTL: fd=%d cmd=0x%x arg=0x%lx\\n\",
3178
3179pid, comm, args->fd, args->cmd, args->arg);
3180
3181
3182
3183if (args->cmd == 0x5401) { // TCGETS - terminal check (often for tty detection)
3184
3185printf(\" Terminal device check\\n\");
3186
3187}
3188
3189}
3190
3191
3192
3193// mmap suspicious flags
3194
3195tracepoint:syscalls:sys_enter_mmap $filter {
3196
3197if ((args->flags & 0x20) && (args->prot & 0x4)) { // MAP_ANONYMOUS | PROT_EXEC
3198
3199printf(\"PID: %-6d COMM: %-15.15s | MMAP: Anonymous executable memory!\\n\",
3200
3201pid, comm);
3202
3203printf(\" [ALERT] Potential shellcode loading detected!\\n\");
3204
3205}
3206
3207}
3208
3209
3210
3211// sendto with data inspection
3212
3213tracepoint:syscalls:sys_enter_sendto $filter {
3214
3215@sendto_count[pid, comm] = count();
3216
3217@sendto_bytes[pid, comm] = sum(args->len);
3218
3219}
3220
3221
3222
3223// recvfrom with data inspection
3224
3225tracepoint:syscalls:sys_enter_recvfrom $filter {
3226
3227@recvfrom_count[pid, comm] = count();
3228
3229@recvfrom_bytes[pid, comm] = sum(args->len);
3230
3231}
3232
3233
3234
3235// dup2/dup3 (often used for stdin/stdout/stderr redirection)
3236
3237tracepoint:syscalls:sys_enter_dup2,
3238
3239tracepoint:syscalls:sys_enter_dup3 $filter {
3240
3241printf(\"PID: %-6d COMM: %-15.15s | %s: oldfd=%d newfd=%d\\n\",
3242
3243pid, comm, probe, args->oldfd, args->newfd);
3244
3245
3246
3247if (args->newfd < 3) { // stdout, stdin, stderr
3248
3249printf(\" [NOTE] Process redirecting standard file descriptors\\n\");
3250
3251
3252
3253if (comm != \"bash\" && comm != \"sh\" && comm != \"zsh\" &&
3254
3255comm != \"sshd\" && comm != \"sudo\") {
3256
3257printf(\" [ALERT] Suspicious standard I/O redirection!\\n\");
3258
3259}
3260
3261}
3262
3263}
3264
3265
3266
3267// setuid/setgid checks
3268
3269tracepoint:syscalls:sys_enter_setuid,
3270
3271tracepoint:syscalls:sys_enter_setgid $filter {
3272
3273printf(\"PID: %-6d COMM: %-15.15s | %s: uid/gid=%d\\n\",
3274
3275pid, comm, probe, args->uid);
3276
3277
3278
3279if (uid != 0 && args->uid == 0) {
3280
3281printf(\" [ALERT] Process attempting to gain root privileges!\\n\");
3282
3283}
3284
3285}
3286
3287
3288
3289interval:s:5 {
3290
3291printf(\"\\n--- Network Communication Summary (5s) ---\\n\");
3292
3293
3294
3295printf(\"\\nSend Operations (count):\\n\");
3296
3297print(@sendto_count);
3298
3299
3300
3301printf(\"\\nSend Operations (bytes):\\n\");
3302
3303print(@sendto_bytes);
3304
3305
3306
3307printf(\"\\nReceive Operations (count):\\n\");
3308
3309print(@recvfrom_count);
3310
3311
3312
3313printf(\"\\nReceive Operations (bytes):\\n\");
3314
3315print(@recvfrom_bytes);
3316
3317
3318
3319clear(@sendto_count);
3320
3321clear(@sendto_bytes);
3322
3323clear(@recvfrom_count);
3324
3325clear(@recvfrom_bytes);
3326
3327}
3328
3329" 2>/dev/null
3330
3331
3332
3333echo -e "${GREEN}[+] Syscall argument monitoring completed${NC}"
3334
3335}
3336
3337# Main menu
3338
3339show_menu() {
3340
3341echo -e
3342"\n${PURPLE}=====================================================================\n"
3343
3344echo -e " Linux Malware Analysis Toolkit #1 "
3345
3346echo -e " eBPF-Based Process Behavior Analyzer "
3347
3348echo -e
3349"\n=====================================================================${NC}\n"
3350
3351echo -e "${BLUE}Select an option:${NC}"
3352
3353echo -e " ${GREEN}1.${NC} Trace system calls by specific process"
3354
3355echo -e " ${GREEN}2.${NC} Monitor file access activities"
3356
3357echo -e " ${GREEN}3.${NC} Track network connections"
3358
3359echo -e " ${GREEN}4.${NC} Detect process execution chains"
3360
3361echo -e " ${GREEN}5.${NC} Analyze memory mapping operations"
3362
3363echo -e " ${GREEN}6.${NC} Trace process capabilities changes"
3364
3365echo -e " ${GREEN}7.${NC} Monitor namespace transitions"
3366
3367echo -e " ${GREEN}8.${NC} Detect unexpected syscall patterns"
3368
3369echo -e " ${GREEN}9.${NC} Track process privilege escalation"
3370
3371echo -e " ${GREEN}10.${NC} Monitor inter-process communications"
3372
3373echo -e " ${GREEN}11.${NC} Log process credential changes"
3374
3375echo -e " ${GREEN}12.${NC} Profile process resource usage"
3376
3377echo -e " ${GREEN}13.${NC} Detect process injection attempts"
3378
3379echo -e " ${GREEN}14.${NC} Monitor filesystem operations"
3380
3381echo -e " ${GREEN}15.${NC} Track container escape attempts"
3382
3383echo -e " ${GREEN}16.${NC} Analyze loaded kernel modules"
3384
3385echo -e " ${GREEN}17.${NC} Monitor bpf() syscall usage"
3386
3387echo -e " ${GREEN}18.${NC} Detect hidden process techniques"
3388
3389echo -e " ${GREEN}19.${NC} Track unauthorized file access attempts"
3390
3391echo -e " ${GREEN}20.${NC} Monitor syscall argument tampering"
3392
3393echo -e " ${RED}0.${NC} Exit"
3394
3395
3396
3397echo -e "\n"
3398
3399}
3400
3401main() {
3402
3403check_requirements
3404
3405
3406
3407while true; do
3408
3409show_menu
3410
3411read -p "Enter your choice [0-20]: " choice
3412
3413
3414
3415case $choice in
3416
34171) trace_syscalls ;;
3418
34192) monitor_file_access ;;
3420
34213) track_network_connections ;;
3422
34234) detect_process_chains ;;
3424
34255) analyze_memory_mappings ;;
3426
34276) trace_capabilities ;;
3428
34297) monitor_namespaces ;;
3430
34318) detect_syscall_patterns ;;
3432
34339) track_privilege_escalation ;;
3434
343510) monitor_ipc ;;
3436
343711) log_credential_changes ;;
3438
343912) profile_resource_usage ;;
3440
344113) detect_process_injection ;;
3442
344314) monitor_filesystem ;;
3444
344515) track_container_escapes ;;
3446
344716) analyze_kernel_modules ;;
3448
344917) monitor_bpf ;;
3450
345118) detect_hidden_processes ;;
3452
345319) track_unauthorized_access ;;
3454
345520) monitor_syscall_tampering ;;
3456
34570)
3458
3459echo -e "${GREEN}[+] Exiting. Goodbye!${NC}"
3460
3461cleanup
3462
3463exit 0
3464
3465;;
3466
3467*)
3468
3469echo -e "${RED}[!] Invalid option. Please try again.${NC}"
3470
3471;;
3472
3473esac
3474
3475
3476
3477echo -e "\n${BLUE}Press Enter to continue...${NC}"
3478
3479read
3480
3481done
3482
3483}
3484
3485# Run the main function
3486
3487main
3488
3489