{"id":15057010,"url":"https://github.com/gojue/ehids-agent","last_synced_at":"2025-04-05T07:05:22.121Z","repository":{"id":39375198,"uuid":"433800944","full_name":"gojue/ehids-agent","owner":"gojue","description":"A Linux Host-based Intrusion Detection System based on eBPF.","archived":false,"fork":false,"pushed_at":"2023-12-20T16:03:51.000Z","size":9562,"stargazers_count":437,"open_issues_count":1,"forks_count":82,"subscribers_count":11,"default_branch":"master","last_synced_at":"2025-03-29T06:07:32.171Z","etag":null,"topics":["ebpf","ebpf-sec","golang","hids","security-audit"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gojue.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-12-01T11:33:40.000Z","updated_at":"2025-03-21T06:02:06.000Z","dependencies_parsed_at":"2024-06-20T16:32:39.022Z","dependency_job_id":"e80ad853-64a8-4fac-8767-a02136327335","html_url":"https://github.com/gojue/ehids-agent","commit_stats":null,"previous_names":["ehids/ehids-agent"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gojue%2Fehids-agent","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gojue%2Fehids-agent/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gojue%2Fehids-agent/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gojue%2Fehids-agent/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
owners/gojue","download_url":"https://codeload.github.com/gojue/ehids-agent/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247299832,"owners_count":20916190,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf","ebpf-sec","golang","hids","security-audit"],"created_at":"2024-09-24T22:00:22.986Z","updated_at":"2025-04-05T07:05:22.103Z","avatar_url":"https://github.com/gojue.png","language":"C","funding_links":[],"categories":["BPF and eBPF Projects"],"sub_categories":["Notes"],"readme":"![](./images/ehids-logo-1.png)\n\nEnglish | [中文介绍](./README_CN.md)\n\n# Introduction to eHIDS\n\nA HIDS `demo` implemented with eBPF kernel technology.\n\n\u003e **Warning**\n\u003e This is just an eBPF-based DEMO; please use [Tetragon](https://github.com/cilium/tetragon)\n\u003e / [Tracee](https://github.com/aquasecurity/tracee) / [Falco](https://github.com/falcosecurity/falco) instead.\n\nImplementations \u0026 Functionalities:\n\n1. TCP network data capture\n2. UDP network data capture\n3. DNS information capture in uprobe mode\n4. Process data capture\n5. Uprobe-based capture of Java RASP command-execution events\n6. A Go eBPF framework that abstracts multiple event types for the kprobe/uprobe attachment method.\n7. Developers only need to implement three files:\n    * The kernel-mode C file.\n    * The user-mode Go file.\n    * The user-mode event message structure; the framework loads and executes them automatically.\n
8. Users can implement data reporting and processing through the logger interface, for example reporting to ES/Kafka or other log centers.\n\n# Principle\n\nReference: [eBPF Official Website](https://ebpf.io)\n\n![](https://ebpf.io/static/overview-bf463455a5666fc3fb841b9240d588ff.png)\n\n1. In kernel mode, the eBPF code is written in C and compiled into eBPF bytecode with LLVM.\n2. User mode is written in Go with the pure-Go cilium/ebpf library, which loads the eBPF bytecode into the kernel and hooks the corresponding functions with kprobe/uprobe.\n3. User mode uses Go for event reading, decoding, and processing.\n\n# Planning\n## Scheduling\nThe author is analyzing the runtime security protection products implemented with cloud-native eBPF technology, such as cilium, datadog, tracee, falco, and kubeArmor, from the perspective of their source code.\nAfter the analysis is completed, I will continue to share the design, ideas, and functions of this product.\n\nCurrent progress \u0026 Changes\n\n* 【DONE】2021-12-09 [Source code analysis of Cilium eBPF implementation mechanism](https://www.cnxct.com/how-does-cilium-use-ebpf-with-go-and-c/?f=g_ehids)\n* 【DONE】2021-12-19 [Analysis of datadog's eBPF security detection mechanism](https://www.cnxct.com/how-does-datadog-use-ebpf-in-runtime-security/?f=g_ehids)\n* 【DONE】2021-12-30 [Kernel-state eBPF program to implement container escape and account-hiding rootkit](https://mp.weixin.qq.com/s?__biz=MzUyMDM0OTY5NA==\u0026mid=2247483773\u0026idx=1\u0026sn=d9a6233f2ec94b63304209246b1b6a3b\u0026chksm=f9eaf3ecce9d7afa8c539e47ddd0250874859bc4e81e6206a0d1b3fdaffd712bf81389ced579\u0026token=1909106120\u0026lang=zh_CN#rd)\n* 【DING】2022-1-31 tracee: source code analysis of eBPF implementation mechanism\n* ...\n\n## Product Features\n1. Complete functions (network, process, file, event)\n2. Monitoring\n3. Alert\n4. Fusing\n5. Statistics\n6. Reconciliation\n7. Unified management and control\n\n# Instructions\n\n
1. The kernel-mode part is eBPF code written against the native Linux headers and compiled into bytecode with clang (LLVM).\n2. The user-mode part is written in Go with the cilium/ebpf library, which loads the eBPF bytecode into the kernel, attaches it to hook points, and reads events.\n3. This project uses kprobe and uprobe to capture TCP and UDP network events.\n\n# Development Environment\n\n* UBUNTU 21.04 server\n* go version go1.17.2 linux/amd64\n* Ubuntu clang version 12.0.0-3ubuntu1~21.04.2\n* openjdk version \"1.8.0_292\"\n\n## Environment installation steps\n\nSee also: [CFC4N's eBPF development environment](https://www.cnxct.com/lessons-using-ebpf-accelerating-cloud-native-zh/?f=github#i-3)\n\n* sudo apt-get install -y make gcc libssl-dev bc libelf-dev libcap-dev clang gcc-multilib llvm libncurses5-dev git pkg-config libmnl-dev bison flex graphviz\n* sudo apt-get install -y make gcc clang llvm git pkg-config dpkg-dev gcc-multilib\n* cd ~/download/\n* sudo apt update\n* sudo apt-get source linux-image-$(uname -r)\n* sudo apt-get source linux-image-unsigned-$(uname -r)\n* sudo apt install libbfd-dev libcap-dev zlib1g-dev libelf-dev libssl-dev\n\n# Compiling and running\n\n## Compilation\n\n```shell\ngit clone https://github.com/ehids/ehids-agent.git\ncd ehids-agent\nmake\n./bin/ehids-agent\n```\n\n## Running\n\nOpen another shell, execute network commands, and trigger network behavior:\n```shell\nwget www.cnxct.com\n```\n\nOr compile and run the Java command-execution example to test the Java RASP function.\nThe uprobe attaches to the JDK_execvpe function of libjava.so; the corresponding offset address is 0x19C30.\n
For other versions, please locate the offset address yourself.\n```shell\ncd examples\njavac Main.java\njava Main\n```\nJava JDK version information:\n\u003e ~$java -version\n\u003e \n\u003e openjdk version \"1.8.0_292\" \n\u003e\n\u003e OpenJDK Runtime Environment (build 1.8.0_292-8u292-b10-0ubuntu1-b10)\n\u003e \n\u003e OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)\n\n## Results\n\n```shell\nroot@vmubuntu:/home/cfc4n/project/ehids# ./bin/ehids\n2021/12/01 19:27:08 start to run EBPFProbeUJavaRASP probe\n2021/12/01 19:27:08 start to run EBPFProbeKTCP probe\n2021/12/01 19:27:08 start to run EBPFProbeKTCPSec probe\n2021/12/01 19:27:08 start to run EBPFProbeKUDP probe\n2021/12/01 19:27:08 start to run EBPFProbeUDNS probe\n2021/12/01 19:27:08 probeName:EBPFProbeKTCPSec, probeTpye:kprobe, start time:07:23:49, PID:864, UID:101, AF:2, TASK:5systemd-resolv\n2021/12/01 19:27:08 probeName:EBPFProbeKUDP, probeTpye:kprobe, PID:0, comm:systemd-resolve, qname:57.22.91.101.in-addr.arpa, qclass:1, qtype:12.\n2021/12/01 19:27:09 probeName:EBPFProbeKTCP, probeTpye:kprobe, start time:19:31:19, family:AF_INET, PID:409744, command:curl, UID:0, rx:67408, tx:79, dest:118.31.44.218:20480, source:172.16.71.4, type:OUT, result:True\n2021/12/01 19:27:10 probeName:EBPFProbeUJavaRASP, probeTpye:uprobe, JAVA RASP exec and fork. PID:409049, command:ifconfig, mode:MODE_VFORK\n```\n\n
# References\n\n* https://ebpf.io\n* https://github.com/trichimtrich/dns-tcp-ebpf\n* https://github.com/p-/socket-connect-bpf\n\n# Malicious exploitation and detection mechanism of eBPF\n\nThe article on malicious exploitation of eBPF and the corresponding detection mechanism has been shared on the WeChat public account of `Meituan Security Emergency Response Center`: [Malicious utilization and detection mechanism of eBPF](https://mp.weixin.qq.com/s/-1GiCncNTqtfO_grQT7cGw)\n\n![](./images/ebpf-evil-use-detect-kernel-space.png)\n\n# WeChat Group\n\n![](./images/wechat-group.jpg)\n\n# Notes\n\nThis is not Meituan's official repository; it is contributed by individual engineers.\n\nThe repository does not contain the full HIDS version in use by **Meituan**; it is a streamlined demo. If you need to see the full source code in detail, please visit: [https://www.cnxct.com/jobs/](https://www.cnxct.com/jobs/?f=ehids-github)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgojue%2Fehids-agent","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgojue%2Fehids-agent","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgojue%2Fehids-agent/lists"}