Add device_add event (aquasecurity#1690)

This event indicates a device creation often used by rootkits as a communication method to their userland malware Co-authored-by: itamar maouda <[email protected]>
EBWi11 · May 1, 2022 · b1f7c29 · b1f7c29
1 parent 0d3a743
commit b1f7c29
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 0 deletions.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -216,6 +216,7 @@ enum event_id_e {
     DEBUGFS_CREATE_FILE,
     PRINT_SYSCALL_TABLE,
     DEBUGFS_CREATE_DIR,
+    DEVICE_ADD,
     MAX_EVENT_ID,
 
     // Net events IDs
@@ -679,6 +680,12 @@ BPF_PERF_OUTPUT(net_events);                            // network events submis
 
 /*================ KERNEL VERSION DEPENDANT HELPER FUNCTIONS =================*/
 
+static __always_inline const char * get_device_name(struct device *dev)
+{
+    struct kobject kobj = READ_KERN(dev->kobj);
+    return kobj.name;
+}
+
 static __always_inline u32 get_mnt_ns_id(struct nsproxy *ns)
 {
     struct mnt_namespace* mntns = READ_KERN(ns->mnt_ns);
@@ -4772,6 +4779,29 @@ int BPF_KPROBE(trace_security_inode_mknod)
     return events_perf_submit(&data, SECURITY_INODE_MKNOD, 0);
 }
 
+SEC("kprobe/device_add")
+int BPF_KPROBE(trace_device_add)
+{
+    event_data_t data = {};
+    if (!init_event_data(&data, ctx))
+        return 0;
+
+    if (!should_trace(&data.context))
+        return 0;
+
+    struct device *dev = (struct device*)PT_REGS_PARM1(ctx);
+    const char *name = get_device_name(dev);
+
+    struct device *parent_dev = READ_KERN(dev->parent);
+    const char *parent_name = get_device_name(parent_dev);
+
+    save_str_to_buf(&data, (void *)name, 0);
+    save_str_to_buf(&data, (void *)parent_name, 1);
+
+    return events_perf_submit(&data, DEVICE_ADD, 0);
+}
+
+
 SEC("kprobe/do_splice")
 TRACE_ENT_FUNC(do_splice, DIRTY_PIPE_SPLICE);
 

diff --git a/pkg/ebpf/c/vmlinux.h b/pkg/ebpf/c/vmlinux.h
@@ -476,6 +476,15 @@ struct sock_common {
 	struct in6_addr skc_v6_rcv_saddr;
 };
 
+struct kobject {
+	const char  *name;
+};
+
+struct device {
+	struct device	*parent;
+	struct kobject  kobj;
+};
+
 struct sock {
 	struct sock_common __sk_common;
 	u16 sk_protocol;

diff --git a/pkg/ebpf/events_definitions.go b/pkg/ebpf/events_definitions.go
@@ -88,6 +88,7 @@ const (
 	DebugfsCreateFileEventID
 	PrintSyscallTableEventID
 	DebugfsCreateDirEventID
+	DeviceAddEventID
 	MaxCommonEventID
 )
 
@@ -6333,4 +6334,16 @@ var EventsDefinitions = map[int32]EventDefinition{
 			{Type: "const char*", Name: "path"},
 		},
 	},
+	DeviceAddEventID: {
+		ID32Bit: sys32undefined,
+		Name:    "device_add",
+		Probes: []probe{
+			{event: "device_add", attach: kprobe, fn: "trace_device_add"},
+		},
+		Sets: []string{},
+		Params: []trace.ArgMeta{
+			{Type: "const char*", Name: "name"},
+			{Type: "const char*", Name: "parent_name"},
+		},
+	},
 }