rphang / evilBPF

Weaponizing the Linux Kernel (Hide Files/PID, SSH backdoors, SSL Sniffer, ...) by poking around eBPF/XDP

evilBPF

an eBPF / XDP Playground

This repository contains a collection of eBPF / XDP programs that I've written while learning about eBPF and XDP. As security is my primary interest, most of these programs are security-related and are intended to be used for security research.

Disclaimer: I condemn the use of these programs for malicious purposes. I am not responsible for any damage caused by the use of these programs. These programs are intended for educational purposes only.

Programs

| Type | Name | Description | Notes |
|------|------|-------------|-------|
| XDP | icmp_pingback | Respond to ICMP echo requests with ICMP echo replies within the XDP layer. | Several demos used to show the features offered by eBPF |
| TP | hide_pid | Hide a process (pid)/folder/file from the system | Heavily inspired by bad-bpf with some modifications |
| TP | hidden_ssh | Give yourself a hidden backdoor in the SSH server | |

Requirements

For compiling eBPF programs, you'll need the following:

  • Debian, Ubuntu, or another Debian-based Linux distribution, with the following packages installed:

sudo apt install clang llvm libelf-dev gcc-multilib linux-headers-$(uname -r) build-essential

Make sure that the installed versions of clang and llvm are >= 10.0.0.

Installation

Getting the source code

As we are using submodules, you'll need to clone this repository with the --recursive flag:

git clone https://github.com/rphang/evilBPF.git --recursive

If you've already cloned this repository without the --recursive flag, you can run the following command to clone the submodules:

git submodule update --init --recursive

Compiling the programs

All at once

To compile all the programs at once, simply run the Makefile in the root directory:

make

All the compiled programs will be placed in the dst directory.

Individually

Each program has its own directory, and each directory has its own Makefile. To compile a program, simply cd into the program's directory and run make:

cd <program>...
make

Roadmap

  • Compatibility with BPF CO-RE
  • Steal nginx passwords, Authorization headers, and cookies with OpenSSL support (uprobes)
  • Shadow reading of files (a kind of kernel MITM sniffer)

Resources

A lot of the general resources I've used to learn about eBPF and XDP are listed below:
