➜ ./ebpfkit
Error: couldn't start: couldn't start main manager: couldn't init main manager: couldn't load eBPF programs: program xdp/ingress/syn_loop: can't load program: invalid argument: 0: (bf) r6 = r1
1: (b7) r9 = 2
2: (61) r1 = *(u32 *)(r6 +4)
3: (61) r8 = *(u32 *)(r6 +0)
4: (bf) r2 = r8
5: (07) r2 += 14
6: (2d) if r2 > r1 goto pc+358
R1_w=pkt_end(id=0,off=0,imm=0) R2_w=pkt(id=0,off=14,r=14,imm=0) R6_w=ctx(id=0,off=0,imm=0) R8_w=pkt(id=0,off=0,r=14,imm=0) R9_w=inv2 R10=fp0
7: (15) if r8 == 0x0 goto pc+357
R1_w=pkt_end(id=0,off=0,imm=0) R2_w=pkt(id=0,off=14,r=14,imm=0) R6_w=ctx(id=0,off=0,imm=0) R8_w=pkt(id=0,off=0,r=14,imm=0) R9_w=inv2 R10=fp0
8: (71) r3 = *(u8 *)(r8 +12)
9: (71) r4 = *(u8 *)(r8 +13)
10: (67) r4 <<= 8
11: (4f) r4 |= r3
12: (55) if r4 != 0x8 goto pc+352
R1=pkt_end(id=0,off=0,imm=0) R2=pkt(id=0,off=14,r=14,imm=0) R3=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R4=inv8 R6=ctx(id=0,off=0,imm=0) R8=pkt(id=0,off=0,r=14,imm=0) R9=inv2 R10=fp0
13: (bf) r7 = r8
14: (07) r7 += 34
15: (2d) if r7 > r1 goto pc+349
R1=pkt_end(id=0,off=0,imm=0) R2=pkt(id=0,off=14,r=34,imm=0) R3=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R4=inv8
......
Usage:
ebpfkit [flags]
Flags:
--append (file override feature only) when set, the content of the source file will be appended to the content of the target file
--comm string (file override feature only) comm of the process for which the file override should apply
--disable-bpf-obfuscation when set, ebpfkit will not hide itself from the bpf syscall
--disable-network-probes when set, ebpfkit will not try to load its network related probes
--docker string path to the Docker daemon executable (default "/usr/bin/dockerd")
-e, --egress string egress interface name (default "enp0s3")
-h, --help help for ebpfkit
-i, --ingress string ingress interface name (default "enp0s3")
-l, --log-level string log level, options: panic, fatal, error, warn, info, debug or trace (default "info")
--postgres string path to the Postgres daemon executable (default "/usr/lib/postgresql/12/bin/postgres")
--src string (file override feature only) source file which content will be used to override the content of the target file
--target string (file override feature only) target file to override
-p, --target-http-server-port int Target HTTP server port used for Command and Control (default 8000)
--webapp-rasp string path to the webapp on which the RASP is installed
Hello, nice rootkit!
I build it successfully on my env:
But when I run
./ebpfkit, it exits with error:Have you come across such issues? Any helpful suggestions? Thanks : )