Does not work when /root/.ssh/authorized_keys is empty or small

This eBPF program overwrites the last max_payload_len bytes of the buffer handed to the read syscall with our SSH public key. The eBPF program itself can't change the tracepoint's return value.

The read syscall returns the number of bytes that were read, and that size can't be updated. This means you need content larger than max_payload_len in /root/.ssh/authorized_keys. Why? Because I do a check: if the read syscall return value is less than max_payload_size, the eBPF program returns 0 and changes nothing.

This program logic is in the file syscall_read.
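The check above works because the program only patches the buffer of an already-completed read; the file on disk and the returned size are untouched, so a defender will not see anything odd in the file itself. What is visible is the BPF program sitting on the syscall tracepoint. The following Python script is an added example, not code from this issue or from the sshd_backdoor project: it triages the JSON that `bpftool prog show -j` prints and lists every loaded program whose type can sit on a syscall hook. The embedded JSON is a constructed sample in the shape of bpftool's output (ids, names, tags and timestamps are made up); the `--live` flag is this script's own option for running the real bpftool, which needs root or CAP_BPF.

```python
import json
import subprocess
import sys

# Program types that can observe or interfere with syscalls such as read().
# These are the type strings bpftool prints; "tracepoint" is the type used
# by sys_enter/sys_exit hooks, the others are included because they can
# reach the same syscall entry and exit points.
SYSCALL_HOOK_TYPES = {"tracepoint", "raw_tracepoint", "kprobe", "tracing"}

# Constructed sample in the shape of `bpftool prog show -j` output.
# All ids, names, tags and timestamps below are made up for this example.
SAMPLE_BPFTOOL_JSON = """
[
  {"id": 12, "type": "cgroup_skb", "name": "egress_filter",
   "tag": "0011223344556677", "gpl_compatible": true, "loaded_at": 1700000000,
   "uid": 0, "bytes_xlated": 64, "jited": true, "bytes_jited": 55,
   "bytes_memlock": 4096},
  {"id": 57, "type": "tracepoint", "name": "handle_read",
   "tag": "aabbccddeeff0011", "gpl_compatible": true, "loaded_at": 1700003600,
   "uid": 0, "bytes_xlated": 1024, "jited": true, "bytes_jited": 700,
   "bytes_memlock": 8192, "map_ids": [3, 4]},
  {"id": 58, "type": "tracepoint", "name": "handle_read_exit",
   "tag": "1122334455667788", "gpl_compatible": true, "loaded_at": 1700003600,
   "uid": 0, "bytes_xlated": 512, "jited": true, "bytes_jited": 300,
   "bytes_memlock": 8192, "map_ids": [3]}
]
"""


def find_syscall_hooks(bpftool_json_text):
    """Return the loaded programs whose type lets them sit on a syscall hook.

    Each finding keeps the fields an analyst needs to pivot on: the program id
    (for `bpftool prog dump xlated id N`), its name, when it was loaded, and
    the maps it shares with other programs.
    """
    progs = json.loads(bpftool_json_text)
    findings = []
    for prog in progs:
        if prog.get("type") in SYSCALL_HOOK_TYPES:
            findings.append({
                "id": prog.get("id"),
                "type": prog.get("type"),
                "name": prog.get("name", "<unnamed>"),
                "loaded_at": prog.get("loaded_at"),
                "map_ids": prog.get("map_ids", []),
            })
    return findings


def live_bpftool_json():
    """Run bpftool on this host; returns None if it is missing or not permitted."""
    try:
        out = subprocess.run(["bpftool", "prog", "show", "-j"],
                             capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout


def main():
    # `--live` is this script's own flag: read the real host instead of the sample.
    text = live_bpftool_json() if "--live" in sys.argv else SAMPLE_BPFTOOL_JSON
    if text is None:
        print("bpftool unavailable or not permitted; rerun as root", file=sys.stderr)
        return 1
    hooks = find_syscall_hooks(text)
    if not hooks:
        print("no syscall-hook BPF programs loaded")
        return 0
    for h in hooks:
        print(f"id={h['id']} type={h['type']} name={h['name']} "
              f"loaded_at={h['loaded_at']} maps={h['map_ids']}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

On a host where sshd reads look wrong but the file is clean, an unexpected tracepoint program with a shared map is the first thing to dump and inspect; legitimate tracing tools also load such programs, so the list is a triage starting point rather than a verdict.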
Changing max_payload_len

The max_payload_len macro definition is configurable. Change its definition in the common header; this file is included by the other header files as a dependency. Then run `make generate` to generate the BPF object file. You also need to fix the size problem in the Go file: https://github.com/Esonhugh/sshd_backdoor/blob/Skyworship/pkg/ebpf-new/sendkey.go

Then run `make` again to build the backdoor file.

If you want to find out how small this definition can be, check out this.

Finding what sshd will read

Check out this folder. The `make test_sshd` command compiles the fake sshd process that reads the /root/.ssh/authorized_keys file.

Missing definitions in vmlinux.h

vmlinux.h is too big to put on GitHub. First, make sure your kernel version can run this. Then try defining the missing items manually in vmlinux.h or common.h.

Missing definitions all look similar and can be found in the Linux kernel source easily; searching for the identifier should work.

```c
#define TASK_COMM_LEN 16
#define BPF_ANY 0
```

Happy Hacking.