add: BPFDoor sample

This commit is contained in:
Quentin JEROME 2024-07-01 13:58:36 +02:00
parent 7a8f88dd9d
commit 1ebad0e981
Signed by: qjerome
SSH key fingerprint: SHA256:OQtDLu0eOg5WcidNQCaVrZiOANoA9Rp7H5aASBrNtPk
8 changed files with 147 additions and 0 deletions


@ -0,0 +1,14 @@
analysis:
duration_sec: 60
timestamp: '2024-07-01T11:36:15.019084+00:00'
kunai:
args:
- --include=all
- --send-data-min-len=0
version: kunai 0.2.4
sample:
args: []
system:
kernel: 5.10.0-30-cloud-amd64
uname: 'Linux kunai-sandbox 5.10.0-30-cloud-amd64 #1 SMP Debian 5.10.218-1 (2024-06-01)
x86_64 GNU/Linux'
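Review bot: The `analysis.timestamp` (2024-07-01T11:36) does not agree with the dates in the kunai log added in the same commit (2024-06-17), so either the metadata and the log come from different runs or the timestamp is taken from something other than the run start; this is worth confirming before the sample is used as a reference trace. The log also records that the `syscalls_sys_exit_execve` and `syscalls_sys_exit_execveat` probes were not loaded on this 5.10 kernel, which nothing in this file reflects — a short comment above `kunai:` such as `# execve exit probes not loaded on this kernel, see accompanying log` would tell a reader that execve coverage in the trace is partial. The `sample:` stanza holds only `args: []`; if the harness has the sample's digest available, recording it here (for example a `sha256: <sample-digest>` entry, value as a quoted string) would bind the trace to the exact artefact analysed. The hunk covers the whole new file.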


@ -0,0 +1,2 @@
[2024-06-17T10:05:51Z WARN kunai] syscalls_sys_exit_execve probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0
[2024-06-17T10:05:52Z WARN kunai] syscalls_sys_exit_execveat probe is not compatible with current kernel: min=KernelVersion::MIN max=5.9.0 current=5.10.0


@ -0,0 +1,131 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<!-- Generated by graphviz version 2.43.0 (0)
-->
<!-- Title: %3 Pages: 1 -->
<svg width="581pt" height="417pt"
viewBox="0.00 0.00 581.00 417.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 413)">
<title>%3</title>
<polygon fill="white" stroke="transparent" points="-4,4 -4,-413 577,-413 577,4 -4,4"/>
<!-- guuid=8af8dc2d&#45;0b00&#45;0000&#45;2952&#45;45d858040000 pid=1112 -->
<g id="node1" class="node">
<title>guuid=8af8dc2d&#45;0b00&#45;0000&#45;2952&#45;45d858040000 pid=1112</title>
<path fill="white" stroke="black" d="M213.5,-372.5C213.5,-372.5 283.5,-372.5 283.5,-372.5 289.5,-372.5 295.5,-378.5 295.5,-384.5 295.5,-384.5 295.5,-396.5 295.5,-396.5 295.5,-402.5 289.5,-408.5 283.5,-408.5 283.5,-408.5 213.5,-408.5 213.5,-408.5 207.5,-408.5 201.5,-402.5 201.5,-396.5 201.5,-396.5 201.5,-384.5 201.5,-384.5 201.5,-378.5 207.5,-372.5 213.5,-372.5"/>
<text text-anchor="middle" x="248.5" y="-386.8" font-family="Arial" font-size="14.00">/usr/bin/sudo</text>
</g>
<!-- guuid=94f0922e&#45;0b00&#45;0000&#45;2952&#45;45d859040000 pid=1113 -->
<g id="node2" class="node">
<title>guuid=94f0922e&#45;0b00&#45;0000&#45;2952&#45;45d859040000 pid=1113</title>
<path fill="white" stroke="black" d="M204,-284.5C204,-284.5 293,-284.5 293,-284.5 299,-284.5 305,-290.5 305,-296.5 305,-296.5 305,-308.5 305,-308.5 305,-314.5 299,-320.5 293,-320.5 293,-320.5 204,-320.5 204,-320.5 198,-320.5 192,-314.5 192,-308.5 192,-308.5 192,-296.5 192,-296.5 192,-290.5 198,-284.5 204,-284.5"/>
<text text-anchor="middle" x="248.5" y="-298.8" font-family="Arial" font-size="14.00">/tmp/sample.bin</text>
</g>
<!-- guuid=8af8dc2d&#45;0b00&#45;0000&#45;2952&#45;45d858040000 pid=1112&#45;&gt;guuid=94f0922e&#45;0b00&#45;0000&#45;2952&#45;45d859040000 pid=1113 -->
<g id="edge1" class="edge">
<title>guuid=8af8dc2d&#45;0b00&#45;0000&#45;2952&#45;45d858040000 pid=1112&#45;&gt;guuid=94f0922e&#45;0b00&#45;0000&#45;2952&#45;45d859040000 pid=1113</title>
<path fill="none" stroke="black" d="M248.5,-372.1C248.5,-360.25 248.5,-344.32 248.5,-330.79"/>
<polygon fill="black" stroke="black" points="252,-330.58 248.5,-320.58 245,-330.58 252,-330.58"/>
<text text-anchor="middle" x="270" y="-342.8" font-family="Arial" font-size="14.00">execve</text>
</g>
<!-- guuid=d01fa62e&#45;0b00&#45;0000&#45;2952&#45;45d85a040000 pid=1114 -->
<g id="node3" class="node">
<title>guuid=d01fa62e&#45;0b00&#45;0000&#45;2952&#45;45d85a040000 pid=1114</title>
<path fill="white" stroke="black" d="M213.5,-196.5C213.5,-196.5 283.5,-196.5 283.5,-196.5 289.5,-196.5 295.5,-202.5 295.5,-208.5 295.5,-208.5 295.5,-220.5 295.5,-220.5 295.5,-226.5 289.5,-232.5 283.5,-232.5 283.5,-232.5 213.5,-232.5 213.5,-232.5 207.5,-232.5 201.5,-226.5 201.5,-220.5 201.5,-220.5 201.5,-208.5 201.5,-208.5 201.5,-202.5 207.5,-196.5 213.5,-196.5"/>
<text text-anchor="middle" x="248.5" y="-210.8" font-family="Arial" font-size="14.00">/usr/bin/dash</text>
</g>
<!-- guuid=94f0922e&#45;0b00&#45;0000&#45;2952&#45;45d859040000 pid=1113&#45;&gt;guuid=d01fa62e&#45;0b00&#45;0000&#45;2952&#45;45d85a040000 pid=1114 -->
<g id="edge2" class="edge">
<title>guuid=94f0922e&#45;0b00&#45;0000&#45;2952&#45;45d859040000 pid=1113&#45;&gt;guuid=d01fa62e&#45;0b00&#45;0000&#45;2952&#45;45d85a040000 pid=1114</title>
<path fill="none" stroke="black" d="M248.5,-284.1C248.5,-272.25 248.5,-256.32 248.5,-242.79"/>
<polygon fill="black" stroke="black" points="252,-242.58 248.5,-232.58 245,-242.58 252,-242.58"/>
<text text-anchor="middle" x="270" y="-254.8" font-family="Arial" font-size="14.00">execve</text>
</g>
<!-- guuid=a5f4b62e&#45;0b00&#45;0000&#45;2952&#45;45d85b040000 pid=1115 -->
<g id="node4" class="node">
<title>guuid=a5f4b62e&#45;0b00&#45;0000&#45;2952&#45;45d85b040000 pid=1115</title>
<path fill="white" stroke="black" d="M12,-103.5C12,-103.5 69,-103.5 69,-103.5 75,-103.5 81,-109.5 81,-115.5 81,-115.5 81,-127.5 81,-127.5 81,-133.5 75,-139.5 69,-139.5 69,-139.5 12,-139.5 12,-139.5 6,-139.5 0,-133.5 0,-127.5 0,-127.5 0,-115.5 0,-115.5 0,-109.5 6,-103.5 12,-103.5"/>
<text text-anchor="middle" x="40.5" y="-117.8" font-family="Arial" font-size="14.00">/usr/bin/rm</text>
</g>
<!-- guuid=d01fa62e&#45;0b00&#45;0000&#45;2952&#45;45d85a040000 pid=1114&#45;&gt;guuid=a5f4b62e&#45;0b00&#45;0000&#45;2952&#45;45d85b040000 pid=1115 -->
<g id="edge3" class="edge">
<title>guuid=d01fa62e&#45;0b00&#45;0000&#45;2952&#45;45d85a040000 pid=1114&#45;&gt;guuid=a5f4b62e&#45;0b00&#45;0000&#45;2952&#45;45d85b040000 pid=1115</title>
<path fill="none" stroke="black" d="M201.25,-200.78C181.23,-194.78 157.87,-186.97 137.5,-178 116.33,-168.68 93.84,-156.01 75.85,-145.12"/>
<polygon fill="black" stroke="black" points="77.24,-141.87 66.89,-139.62 73.58,-147.83 77.24,-141.87"/>
<text text-anchor="middle" x="159" y="-166.8" font-family="Arial" font-size="14.00">execve</text>
</g>
<!-- guuid=a7a2c72e&#45;0b00&#45;0000&#45;2952&#45;45d85c040000 pid=1116 -->
<g id="node5" class="node">
<title>guuid=a7a2c72e&#45;0b00&#45;0000&#45;2952&#45;45d85c040000 pid=1116</title>
<path fill="#ffbfbf" stroke="black" d="M111,-98.5C111,-98.5 166,-98.5 166,-98.5 172,-98.5 178,-104.5 178,-110.5 178,-110.5 178,-132.5 178,-132.5 178,-138.5 172,-144.5 166,-144.5 166,-144.5 111,-144.5 111,-144.5 105,-144.5 99,-138.5 99,-132.5 99,-132.5 99,-110.5 99,-110.5 99,-104.5 105,-98.5 111,-98.5"/>
<text text-anchor="middle" x="138.5" y="-129.3" font-family="Arial" font-size="14.00">/usr/bin/cp</text>
<polyline fill="none" stroke="black" points="99,-121.5 178,-121.5 "/>
<text text-anchor="middle" x="138.5" y="-106.3" font-family="Arial" font-size="14.00">write&#45;file</text>
</g>
<!-- guuid=d01fa62e&#45;0b00&#45;0000&#45;2952&#45;45d85a040000 pid=1114&#45;&gt;guuid=a7a2c72e&#45;0b00&#45;0000&#45;2952&#45;45d85c040000 pid=1116 -->
<g id="edge4" class="edge">
<title>guuid=d01fa62e&#45;0b00&#45;0000&#45;2952&#45;45d85a040000 pid=1114&#45;&gt;guuid=a7a2c72e&#45;0b00&#45;0000&#45;2952&#45;45d85c040000 pid=1116</title>
<path fill="none" stroke="black" d="M224.8,-196.15C217.26,-190.48 208.95,-184.08 201.5,-178 191.16,-169.56 180.17,-160.07 170.3,-151.34"/>
<polygon fill="black" stroke="black" points="172.46,-148.58 162.66,-144.55 167.81,-153.81 172.46,-148.58"/>
<text text-anchor="middle" x="223" y="-166.8" font-family="Arial" font-size="14.00">execve</text>
</g>
<!-- guuid=0c9a2d2f&#45;0b00&#45;0000&#45;2952&#45;45d85d040000 pid=1117 -->
<g id="node6" class="node">
<title>guuid=0c9a2d2f&#45;0b00&#45;0000&#45;2952&#45;45d85d040000 pid=1117</title>
<path fill="white" stroke="black" d="M207.5,-103.5C207.5,-103.5 289.5,-103.5 289.5,-103.5 295.5,-103.5 301.5,-109.5 301.5,-115.5 301.5,-115.5 301.5,-127.5 301.5,-127.5 301.5,-133.5 295.5,-139.5 289.5,-139.5 289.5,-139.5 207.5,-139.5 207.5,-139.5 201.5,-139.5 195.5,-133.5 195.5,-127.5 195.5,-127.5 195.5,-115.5 195.5,-115.5 195.5,-109.5 201.5,-103.5 207.5,-103.5"/>
<text text-anchor="middle" x="248.5" y="-117.8" font-family="Arial" font-size="14.00">/usr/bin/chmod</text>
</g>
<!-- guuid=d01fa62e&#45;0b00&#45;0000&#45;2952&#45;45d85a040000 pid=1114&#45;&gt;guuid=0c9a2d2f&#45;0b00&#45;0000&#45;2952&#45;45d85d040000 pid=1117 -->
<g id="edge5" class="edge">
<title>guuid=d01fa62e&#45;0b00&#45;0000&#45;2952&#45;45d85a040000 pid=1114&#45;&gt;guuid=0c9a2d2f&#45;0b00&#45;0000&#45;2952&#45;45d85d040000 pid=1117</title>
<path fill="none" stroke="black" d="M248.5,-196.38C248.5,-183.29 248.5,-164.98 248.5,-149.86"/>
<polygon fill="black" stroke="black" points="252,-149.54 248.5,-139.54 245,-149.54 252,-149.54"/>
<text text-anchor="middle" x="270" y="-166.8" font-family="Arial" font-size="14.00">execve</text>
</g>
<!-- guuid=7b5b402f&#45;0b00&#45;0000&#45;2952&#45;45d85e040000 pid=1118 -->
<g id="node7" class="node">
<title>guuid=7b5b402f&#45;0b00&#45;0000&#45;2952&#45;45d85e040000 pid=1118</title>
<path fill="white" stroke="black" d="M331.5,-103.5C331.5,-103.5 461.5,-103.5 461.5,-103.5 467.5,-103.5 473.5,-109.5 473.5,-115.5 473.5,-115.5 473.5,-127.5 473.5,-127.5 473.5,-133.5 467.5,-139.5 461.5,-139.5 461.5,-139.5 331.5,-139.5 331.5,-139.5 325.5,-139.5 319.5,-133.5 319.5,-127.5 319.5,-127.5 319.5,-115.5 319.5,-115.5 319.5,-109.5 325.5,-103.5 331.5,-103.5"/>
<text text-anchor="middle" x="396.5" y="-117.8" font-family="Arial" font-size="14.00">/dev/shm/kdmtmpflush</text>
</g>
<!-- guuid=d01fa62e&#45;0b00&#45;0000&#45;2952&#45;45d85a040000 pid=1114&#45;&gt;guuid=7b5b402f&#45;0b00&#45;0000&#45;2952&#45;45d85e040000 pid=1118 -->
<g id="edge6" class="edge">
<title>guuid=d01fa62e&#45;0b00&#45;0000&#45;2952&#45;45d85a040000 pid=1114&#45;&gt;guuid=7b5b402f&#45;0b00&#45;0000&#45;2952&#45;45d85e040000 pid=1118</title>
<path fill="none" stroke="black" d="M276.34,-196.38C300.01,-181.83 334.17,-160.83 360.02,-144.93"/>
<polygon fill="black" stroke="black" points="362.1,-147.76 368.79,-139.54 358.44,-141.8 362.1,-147.76"/>
<text text-anchor="middle" x="349" y="-166.8" font-family="Arial" font-size="14.00">execve</text>
</g>
<!-- guuid=9204502f&#45;0b00&#45;0000&#45;2952&#45;45d860040000 pid=1120 -->
<g id="node9" class="node">
<title>guuid=9204502f&#45;0b00&#45;0000&#45;2952&#45;45d860040000 pid=1120</title>
<path fill="#ffbfbf" stroke="black" d="M504,-98.5C504,-98.5 561,-98.5 561,-98.5 567,-98.5 573,-104.5 573,-110.5 573,-110.5 573,-132.5 573,-132.5 573,-138.5 567,-144.5 561,-144.5 561,-144.5 504,-144.5 504,-144.5 498,-144.5 492,-138.5 492,-132.5 492,-132.5 492,-110.5 492,-110.5 492,-104.5 498,-98.5 504,-98.5"/>
<text text-anchor="middle" x="532.5" y="-129.3" font-family="Arial" font-size="14.00">/usr/bin/rm</text>
<polyline fill="none" stroke="black" points="492,-121.5 573,-121.5 "/>
<text text-anchor="middle" x="532.5" y="-106.3" font-family="Arial" font-size="14.00">delete&#45;file</text>
</g>
<!-- guuid=d01fa62e&#45;0b00&#45;0000&#45;2952&#45;45d85a040000 pid=1114&#45;&gt;guuid=9204502f&#45;0b00&#45;0000&#45;2952&#45;45d860040000 pid=1120 -->
<g id="edge8" class="edge">
<title>guuid=d01fa62e&#45;0b00&#45;0000&#45;2952&#45;45d85a040000 pid=1114&#45;&gt;guuid=9204502f&#45;0b00&#45;0000&#45;2952&#45;45d860040000 pid=1120</title>
<path fill="none" stroke="black" d="M295.79,-201.88C341.5,-190.16 412.66,-170.61 482.37,-144.85"/>
<polygon fill="black" stroke="black" points="483.61,-148.13 491.75,-141.34 481.15,-141.57 483.61,-148.13"/>
<text text-anchor="middle" x="448" y="-166.8" font-family="Arial" font-size="14.00">execve</text>
</g>
<!-- guuid=08274e2f&#45;0b00&#45;0000&#45;2952&#45;45d85f040000 pid=1119 -->
<g id="node8" class="node">
<title>guuid=08274e2f&#45;0b00&#45;0000&#45;2952&#45;45d85f040000 pid=1119</title>
<path fill="#3b5741" stroke="black" d="M301,-0.5C301,-0.5 492,-0.5 492,-0.5 498,-0.5 504,-6.5 504,-12.5 504,-12.5 504,-34.5 504,-34.5 504,-40.5 498,-46.5 492,-46.5 492,-46.5 301,-46.5 301,-46.5 295,-46.5 289,-40.5 289,-34.5 289,-34.5 289,-12.5 289,-12.5 289,-6.5 295,-0.5 301,-0.5"/>
<text text-anchor="middle" x="366" y="-31.3" font-family="Arial" font-size="14.00" fill="#fff000">/dev/shm/kdmtmpflush</text>
<polyline fill="none" stroke="black" points="289,-23.5 443,-23.5 "/>
<text text-anchor="middle" x="366" y="-8.3" font-family="Arial" font-size="14.00" fill="#fff000">bpf&#45;socket&#45;filter</text>
<polyline fill="none" stroke="black" points="443,-0.5 443,-46.5 "/>
<text text-anchor="middle" x="473.5" y="-19.8" font-family="Arial" font-size="14.00" fill="#fff000">zombie</text>
</g>
<!-- guuid=7b5b402f&#45;0b00&#45;0000&#45;2952&#45;45d85e040000 pid=1118&#45;&gt;guuid=08274e2f&#45;0b00&#45;0000&#45;2952&#45;45d85f040000 pid=1119 -->
<g id="edge7" class="edge">
<title>guuid=7b5b402f&#45;0b00&#45;0000&#45;2952&#45;45d85e040000 pid=1118&#45;&gt;guuid=08274e2f&#45;0b00&#45;0000&#45;2952&#45;45d85f040000 pid=1119</title>
<path fill="none" stroke="black" stroke-dasharray="1,5" d="M396.5,-103.34C396.5,-90.45 396.5,-72.43 396.5,-56.87"/>
<polygon fill="black" stroke="black" points="400,-56.58 396.5,-46.58 393,-56.58 400,-56.58"/>
<text text-anchor="middle" x="413" y="-68.8" font-family="Arial" font-size="14.00">clone</text>
</g>
</g>
</svg>
