QAX-A-Team/ptrace

a PoC for Linux to get around agents that log commands being executed, without root privilege.

Linux低权限模糊化执行的程序名和参数，避开基于execve系统调用监控的命令日志
程序仅作原理演示使用

ylbhz@hk:~/work/c/ptrace$ gcc --version
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.10) 5.4.0 20160609

ylbhz@hk:~/work/c/ptrace$ make
gcc -Wall -c ptrace.c -o ptrace.o
gcc -Wall -c anonyexec.c -o anonyexec.o
gcc -o ptrace ptrace.o anonyexec.o elfreader.o 

ylbhz@hk:~/work/c/ptrace$ ./ptrace 
child pid = 3763
EIP: _start 4049a0 
RSP: 7ffc4f394e60
RSP + 8 => RDX(char **ubp_av) to __libc_start_main
argc: 3
src: ubp_av[1]: 3abb6677��@
dst: upb_av[1]: -a
src: ubp_av[2]: 3abb6677��@
dst: upb_av[2]: -l
ylbhz@hk:~/work/c/ptrace$ total 76
drwxrwxr-x  2 ylbhz ylbhz  4096 Jan  7 10:34 .
drwx------ 16 ylbhz ylbhz  4096 Dec 29 15:08 ..
-rw-rw-r--  1 ylbhz ylbhz   349 Jan  3 18:39 Makefile
-rw-rw-r--  1 ylbhz ylbhz     1 Jan  7 10:31 README
-rw-rw-r--  1 ylbhz ylbhz   681 Jan  3 18:24 anonyexec.c
-rw-rw-r--  1 ylbhz ylbhz   226 Jan  3 17:59 anonyexec.h
-rw-rw-r--  1 ylbhz ylbhz  2680 Jan  7 10:34 anonyexec.o
-rw-rw-r--  1 ylbhz ylbhz   527 Jan  3 18:05 common.h
-rw-rw-r--  1 ylbhz ylbhz   230 Jan  3 19:00 elfreader.c
-rw-rw-r--  1 ylbhz ylbhz   142 Jan  3 18:59 elfreader.h
-rw-rw-r--  1 ylbhz ylbhz  1656 Jan  3 19:00 elfreader.o
-rwxrwxr-x  1 ylbhz ylbhz 13992 Jan  7 10:34 ptrace
-rw-rw-r--  1 ylbhz ylbhz  2123 Jan  4 11:24 ptrace.c
-rw-rw-r--  1 ylbhz ylbhz   328 Jan  4 10:38 ptrace.h
-rw-rw-r--  1 ylbhz ylbhz  4768 Jan  7 10:34 ptrace.o


================= AUDITD execve test =========================
type=PATH msg=audit(1546831731.460:100): item=0 name="./ptrace" inode=11017404 dev=08:06 mode=0100775 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1546831731.460:100): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=1835390 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1546831731.460:100): proctitle="./ptrace"
type=SYSCALL msg=audit(1546831731.464:101): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd846ee3d0 a1=7ffd846ee660 a2=0 a3=598 items=2 ppid=7971 pid=7972 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=4294967295 comm="3" exe=2F6D656D66643A656C66202864656C6574656429 key="rule01_exec"
type=EXECVE msg=audit(1546831731.464:101): argc=3 a0="/proc/self/fd/3" a1="3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686" a2="3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686"