{"id":15057001,"url":"https://github.com/rphang/evilbpf","last_synced_at":"2025-04-10T05:06:18.232Z","repository":{"id":218945840,"uuid":"744145927","full_name":"rphang/evilBPF","owner":"rphang","description":"Weaponizing the Linux Kernel (Hide Files/PID, SSH backdoors, SSL Sniffer, ...) by poking around eBPF/XDP","archived":false,"fork":false,"pushed_at":"2024-09-03T14:37:51.000Z","size":1883,"stargazers_count":50,"open_issues_count":3,"forks_count":13,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-10T05:06:11.984Z","etag":null,"topics":["ebpf","kernel","linux-kernel-hacking","offensive-security","rootkit","security","sshd","xdp"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rphang.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-01-16T17:58:35.000Z","updated_at":"2025-04-01T06:12:47.000Z","dependencies_parsed_at":"2024-03-20T09:49:53.093Z","dependency_job_id":"b2879a6e-4ff1-4ee9-99c8-ccee3ca4bfea","html_url":"https://github.com/rphang/evilBPF","commit_stats":null,"previous_names":["rphang/ebpf-playground"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rphang%2FevilBPF","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rphang%2FevilBPF/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rphang%2FevilBPF/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rphang%2FevilBPF/manifests",
"owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rphang","download_url":"https://codeload.github.com/rphang/evilBPF/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248161275,"owners_count":21057555,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf","kernel","linux-kernel-hacking","offensive-security","rootkit","security","sshd","xdp"],"created_at":"2024-09-24T21:59:53.455Z","updated_at":"2025-04-10T05:06:18.196Z","avatar_url":"https://github.com/rphang.png","language":"C","readme":"# evilBPF\n_an eBPF / XDP Playground_\n\nThis repository contains a collection of eBPF / XDP programs that I've written while learning about eBPF and XDP. As security is my primary interest, most of these programs are security-related and are intended to be used for security research.\n\n![hider_demo](.github/resources/hide_pid_demo.gif)\n*Hide your files and processes from the system*\n\n![ssl_demo](.github/resources/ssl_sniffer_demo.gif)\n*Sniff unencrypted SSL/TLS traffic*\n\n\u003e [!WARNING]\n\u003e **Disclaimer:** I condemn the use of these programs for malicious purposes. I am not responsible for any damage caused by the use of these programs. These programs are intended for educational purposes only.\n\n## Programs List\n\n| Type | Name | Description | Notes |\n| ---- | ---- | ----------- | ----- |\n| XDP | [icmp_pingback](src/icmp_pingback) | Respond to ICMP echo requests with ICMP echo replies within the XDP layer. 
| Showcase of XDP program |\n| TP | [hide_pid](src/hide_pid) | Hide a process (pid)/folder/file from the system | Inspired by [bad-bpf](https://github.com/pathtofile/bad-bpf) |\n| TP | [hidden_ssh](src/hidden_ssh) | Give yourself a hidden backdoor in the SSH server | |\n| UPROBE | [ssl_sniffer](src/ssl_sniffer) | Sniff unencrypted SSL/TLS traffic | |\n\n## Requirements\n\nFor compiling eBPF programs, you'll need the following:\n\n- Debian, Ubuntu, or other Debian-based Linux distribution\n- Linux Kernel 5.8.0 or later\n- `clang` and `llvm` (\u003e= 10.0.0)\n\n```bash\nsudo apt install clang llvm libelf-dev linux-headers-$(uname -r) build-essential\n```\n\n\n## Installation\n\n### From releases\n\nYou can download the latest release from the [releases page](https://github.com/rphang/evilBPF/releases).\n\n\u003e [!NOTE]\n\u003e Some programs might not give enough control over the eBPF program. If you need to modify the eBPF program, you'll need to compile the source code (or open an issue requesting the feature).\n\n### Getting the source code\n\nAs we are using submodules, you'll need to clone this repository with the `--recursive` flag:\n\n```bash\ngit clone https://github.com/rphang/evilBPF.git --recursive\n```\n\nIf you've already cloned this repository without the `--recursive` flag, you can run the following command to clone the submodules:\n\n```bash\ngit submodule update --init --recursive\n```\n\n### Compiling the programs\n\n#### All at once\n\nTo compile all the programs at once, simply run the `Makefile` in the root directory:\n\n```bash\nmake\n```\n\nAll the compiled programs will be placed in the `dst` directory.\n\n#### Individually\nEach program has its own directory, and each directory has its own `Makefile`. 
To compile a program, simply `cd` into the program's directory and run `make`:\n\n```bash\ncd src/\u003cprogram\u003e...\nmake\n```\n\n## Resources\n\nA lot of the general resources I've used to learn about eBPF and XDP are listed below:\n\n- [libbpf-bootstrap: demo BPF applications](https://github.com/libbpf/libbpf-bootstrap) by [libbpf team](https://github.com/libbpf)\n- [xdp-tutorial](https://github.com/xdp-project/xdp-tutorial) by [XDP-project team](https://github.com/xdp-project)\n- [Simple eBPF CO-RE Application](https://www.sartura.hr/blog/simple-ebpf-core-application/) by Juraj Vijtiuk ([Sartura](https://www.sartura.hr/))","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frphang%2Fevilbpf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frphang%2Fevilbpf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frphang%2Fevilbpf/lists"}