Merge pull request #5 from whoismz/main

Add real eBPF XDP fallback for memory reading

Author: IridiumXOR

capabilities.c

@@ -12,7 +12,7 @@
  * 
  *  Capabilities needed in some cases
  *  
- *  CAP_SYS_ADMIN   ->  needed to change /proc/sys/kernel/kptr_restrict from 2 to 0 (not needed if set to 1 or 0), needed to access
+ *  CAP_SYS_ADMIN    -> needed to change /proc/sys/kernel/kptr_restrict from 2 to 0 (not needed if set to 1 or 0), needed to access
  *                      /proc/iomem if CONFIG_KALLSYMS_ALL is not active and so iomem_resources is not available, needed on old kernels
  *  CAP_DAC_OVERRIDE -> needed to create a brand new dump file in the case the directory is not owned by the user running LEMON
  */
@@ -54,4 +54,4 @@ int check_capability(const cap_value_t cap) {
 
     if(!ret) ret = (cap_flag == CAP_SET);
     return ret;
-}
+}

cpu_stealer.c

@@ -29,7 +29,7 @@ typedef struct {
  * @param priority: The priority to set for the current process.
  * @return 0 on success, -1 on failure.
  */
-static int set_priority(const int priority){
+static int set_priority(const int priority) {
     const struct sched_param sparam = {
         .sched_priority = priority
     };

dump.c

@@ -30,8 +30,7 @@ static int dump_region(const uintptr_t region_start, const uintptr_t region_end,
     unsigned char *read_data = NULL;
 
     chunk_start = region_start;
-    while (chunk_start <= region_end)
-    {
+    while (chunk_start <= region_end) {
         /* Read memory region in chunks of maximum granule bytes */
         chunk_end = (region_end - chunk_start + 1 > granule) ? chunk_start + granule - 1 : region_end;
         chunk_size = chunk_end - chunk_start + 1;

ebpf/mem.ebpf.c

@@ -1,13 +1,26 @@
 #ifdef CORE
     #include "../vmlinux.h"
     #include <bpf/bpf_core_read.h>
+
+    #ifndef ETH_P_IP
+        #define ETH_P_IP 0x0800
+    #endif
+
+    #ifndef IPPROTO_UDP
+        #define IPPROTO_UDP 17
+    #endif
 #else
-    #include <linux/bpf.h>
     #include <asm/ptrace.h>
+    #include <linux/bpf.h>
+    #include <linux/if_ether.h>
+    #include <linux/in.h>
+    #include <linux/ip.h>
+    #include <linux/udp.h>
 #endif
 
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_tracing.h>
+#include <bpf/bpf_endian.h>
 
 #include "../lemon.h"
 
@@ -113,32 +126,79 @@ int read_kernel_memory_uprobe(struct pt_regs *ctx)
     return read_memory(address, dump_size);
 }
 
+#define TRIGGER_PACKET_PORT 9999
+#define TRIGGER_PACKET_ADDR 0x7f000001 /* 127.0.0.1 */
+
 /*
  * read_kernel_memory_xdp() - XDP program to trigger a kernel memory read
  * @ctx: Pointer to the XDP context containing packet metadata
  *
- * Parses a synthetic packet containing address and size parameters used to 
- * perform a kernel memory read.
+ * Parses a UDP packet containing address and size parameters used to
+ * perform a kernel memory read. Expects UDP packets to 127.0.0.1:9999.
  */
 SEC("xdp")
- int read_kernel_memory_xdp(struct xdp_md* ctx) {
-    int ret;
-
-    /* Validate data in fake network packet (needed to bypass eBPF validator )*/
+int read_kernel_memory_xdp(struct xdp_md* ctx) {
     void* data = (void*)(long)ctx->data;
     void* data_end = (void*)(long)ctx->data_end;
-    if((data + sizeof(struct read_mem_args)> data_end)) return XDP_DROP;
 
-    /* Extract arguments from fake packet */
-    struct read_mem_args *args = data;
+    /* Validate Ethernet header */
+    struct ethhdr *eth = data;
+    if ((void*)(eth + 1) > data_end) {
+        return XDP_DROP;
+    }
+
+    /* Check if this is an IP packet */
+    if (eth->h_proto != bpf_htons(ETH_P_IP)) {
+        return XDP_PASS;
+    }
+
+    /* Validate and parse IP header */
+    struct iphdr *ip = (struct iphdr*)(eth + 1);
+    if ((void*)(ip + 1) > data_end) {
+        return XDP_DROP;
+    }
+
+    /* Check if this is a UDP packet */
+    if (ip->protocol != IPPROTO_UDP) {
+        return XDP_PASS;
+    }
+
+    /* Check if source/dest is loopback */
+    if (ip->saddr != bpf_htonl(TRIGGER_PACKET_ADDR) ||  ip->daddr != bpf_htonl(TRIGGER_PACKET_ADDR)) {
+        return XDP_PASS;
+    }
+
+    /* Validate IP header length */
+    if (ip->ihl < 5) {
+        return XDP_DROP;
+    }
+
+    /* Validate UDP header */
+    struct udphdr *udp = (struct udphdr*)((char*)ip + (ip->ihl * 4));
+    if ((void*)(udp + 1) > data_end) {
+        return XDP_DROP;
+    }
+
+    /* Check destination port */
+    if (udp->dest != bpf_htons(TRIGGER_PACKET_PORT)) {
+        return XDP_PASS;
+    }
+
+    /* Validate payload */
+    struct read_mem_args *args = (struct read_mem_args*)(udp + 1);
+    if ((void*)(args + 1) > data_end) {
+        return XDP_DROP;
+    }
+
     __u64 address = args->addr;
-    __u64 dump_size =  args->size;
+    __u64 dump_size = args->size;
 
     /* Read memory! */
-    ret = read_memory(address, dump_size);
-    if(ret) return XDP_DROP;
+    if (read_memory(address, dump_size)) {
+        return XDP_DROP;
+    }
 
     return XDP_PASS;
 }
 
-char _license[] SEC("license") = "GPL";
+char _license[] SEC("license") = "GPL";

lemon.c

@@ -119,8 +119,7 @@ static int check_kernel_version() {
     return (major > MIN_MAJOR_LINUX) || ((major == MIN_MAJOR_LINUX) && (minor >= MIN_MINOR_LINUX));
 }
 
-int main(int argc, char **argv)
-{
+int main(int argc, char **argv) {
     struct ram_regions ram_regions;
     struct options opts = {0};
     struct argp argp = {options, parse_opt, "", doc};

lemon.h

@@ -4,7 +4,7 @@
 #include <stdbool.h>
 #include <errno.h>
 
-#define MIN_MAJOR_LINUX         5 /* Minimium kernel version supported */
+#define MIN_MAJOR_LINUX         5                       /* Minimium kernel version supported */
 #define MIN_MINOR_LINUX         5
 
 #define HUGE_PAGE_SIZE          2 * 1024 * 1024         /* Same for huge pages */