eBPF-Based-Process-Behavior-Analyzer.sh

1. #!/bin/bash
2.  
3. # =====================================================================
4.  
5. # Linux Malware Analysis Toolkit #1: eBPF-Based Process Behavior Analyzer
6.  
7. # =====================================================================
8.  
9. #
10.  
11. # Description:
12.  
13. # This script utilizes eBPF technology to monitor and analyze process
14.  
15. # behavior in real-time, helping to detect potentially malicious
16.  
17. # activities on Linux systems.
18.  
19. #
20.  
21. # Options:
22.  
23. # 1. Trace system calls by specific process
24.  
25. # 2. Monitor file access activities
26.  
27. # 3. Track network connections
28.  
29. # 4. Detect process execution chains
30.  
31. # 5. Analyze memory mapping operations
32.  
33. # 6. Trace process capabilities changes
34.  
35. # 7. Monitor namespace transitions
36.  
37. # 8. Detect unexpected syscall patterns
38.  
39. # 9. Track process privilege escalation
40.  
41. # 10. Monitor inter-process communications
42.  
43. # 11. Log process credential changes
44.  
45. # 12. Profile process resource usage
46.  
47. # 13. Detect process injection attempts
48.  
49. # 14. Monitor filesystem operations
50.  
51. # 15. Track container escape attempts
52.  
53. # 16. Analyze loaded kernel modules
54.  
55. # 17. Monitor bpf() syscall usage
56.  
57. # 18. Detect hidden process techniques
58.  
59. # 19. Track unauthorized file access attempts
60.  
61. # 20. Monitor syscall argument tampering
62.  
63. #
64.  
65. # Requirements:
66.  
67. # - Linux kernel 4.18+ for full functionality
68.  
69. # - bpftrace installed
70.  
71. # - bcc tools installed
72.  
73. # - root privileges
74.  
75. #
76.  
77. # =====================================================================
78.  
79. set -e
80.  
81. trap 'echo -e "\n[!] Script interrupted. Cleaning up..."; cleanup; exit 1' INT
82.  
83. # Text colors
84.  
85. RED='\033[0;31m'
86.  
87. GREEN='\033[0;32m'
88.  
89. YELLOW='\033[0;33m'
90.  
91. BLUE='\033[0;34m'
92.  
93. PURPLE='\033[0;35m'
94.  
95. NC='\033[0m' # No Color
96.  
97. # Verify required tools
98.  
99. check_requirements() {
100.  
101. echo -e "${BLUE}[*] Checking requirements...${NC}"
102.  
103.  
104.  
105. if [ "$(id -u)" -ne 0 ]; then
106.  
107. echo -e "${RED}[!] This script must be run as root${NC}"
108.  
109. exit 1
110.  
111. fi
112.  
113.  
114.  
115. local kernel_version=$(uname -r | cut -d. -f1,2)
116.  
117. if (( $(echo "$kernel_version < 4.18" | bc -l) )); then
118.  
119. echo -e "${YELLOW}[!] Warning: Some features may not work on kernel
120. $kernel_version (4.18+ recommended)${NC}"
121.  
122. fi
123.  
124.  
125.  
126. for cmd in bpftrace timeout jq ps grep awk; do
127.  
128. if ! command -v $cmd &> /dev/null; then
129.  
130. echo -e "${RED}[!] Required tool not found: $cmd${NC}"
131.  
132. echo -e "${YELLOW}[*] Please install missing dependencies and try again${NC}"
133.  
134. exit 1
135.  
136. fi
137.  
138. done
139.  
140.  
141.  
142. if ! command -v bcc-tools &> /dev/null && ! [ -d "/usr/share/bcc/tools" ]; then
143.  
144. echo -e "${YELLOW}[!] BCC tools not found. Some features may be limited.${NC}"
145.  
146. echo -e "${YELLOW}[*] Install BCC tools for full functionality${NC}"
147.  
148. fi
149.  
150.  
151.  
152. echo -e "${GREEN}[+] All requirements satisfied${NC}"
153.  
154. }
155.  
156. cleanup() {
157.  
158. # Kill any running bpftrace or BCC processes
159.  
160. pkill -f bpftrace &>/dev/null || true
161.  
162. echo -e "${GREEN}[+] Cleanup completed${NC}"
163.  
164. }
165.  
166. # Option 1: Trace system calls by specific process
167.  
168. trace_syscalls() {
169.  
170. echo -e "${BLUE}[*] Trace system calls by process${NC}"
171.  
172. read -p "Enter PID or process name to trace (leave empty to trace all): " target
173.  
174. read -p "Enter duration in seconds (default: 30): " duration
175.  
176. duration=${duration:-30}
177.  
178.  
179.  
180. echo -e "${GREEN}[+] Tracing syscalls for ${target:-all processes} for $duration
181. seconds...${NC}"
182.  
183.  
184.  
185. if [ -z "$target" ]; then
186.  
187. timeout $duration bpftrace -e 'tracepoint:syscalls:sys_enter_* { @[probe, comm,
188. pid] = count(); }' 2>/dev/null
189.  
190. elif [[ "$target" =~ ^[0-9]+$ ]]; then
191.  
192. timeout $duration bpftrace -e "tracepoint:syscalls:sys_enter_* /pid == $target/
193. { @[probe, comm, pid] = count(); }" 2>/dev/null
194.  
195. else
196.  
197. timeout $duration bpftrace -e "tracepoint:syscalls:sys_enter_* /comm ==
198. \"$target\"/ { @[probe, comm, pid] = count(); }" 2>/dev/null
199.  
200. fi
201.  
202.  
203.  
204. echo -e "${GREEN}[+] Syscall tracing completed${NC}"
205.  
206. }
207.  
208. # Option 2: Monitor file access activities
209.  
210. monitor_file_access() {
211.  
212. echo -e "${BLUE}[*] Monitor file access activities${NC}"
213.  
214. read -p "Enter directory to monitor (default: /etc): " directory
215.  
216. directory=${directory:-/etc}
217.  
218. read -p "Enter duration in seconds (default: 30): " duration
219.  
220. duration=${duration:-30}
221.  
222.  
223.  
224. echo -e "${GREEN}[+] Monitoring file access in $directory for $duration
225. seconds...${NC}"
226.  
227.  
228.  
229. timeout $duration bpftrace -e "
230.  
231. #include
232.  
233.  
234.  
235. tracepoint:syscalls:sys_enter_openat {
236.  
237. \$filename = str(args->filename);
238.  
239. if (\$filename != 0 && strncmp(\$filename, \"$directory\", ${#directory}) == 0)
240. {
241.  
242. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d GID: %-6d | OPEN: %s\\n\",
243.  
244. pid, comm, uid, gid, \$filename);
245.  
246. }
247.  
248. }
249.  
250.  
251.  
252. tracepoint:syscalls:sys_enter_read /arg0 > 0/ {
253.  
254. @reads[pid, comm] = count();
255.  
256. }
257.  
258.  
259.  
260. tracepoint:syscalls:sys_enter_write /arg0 > 0/ {
261.  
262. @writes[pid, comm] = count();
263.  
264. }
265.  
266.  
267.  
268. interval:s:5 {
269.  
270. printf(\"\\n--- Read/Write Summary (5s) ---\\n\");
271.  
272. print(@reads, \"\\nReads by Process:\\n\");
273.  
274. print(@writes, \"\\nWrites by Process:\\n\");
275.  
276. clear(@reads);
277.  
278. clear(@writes);
279.  
280. }
281.  
282. " 2>/dev/null
283.  
284.  
285.  
286. echo -e "${GREEN}[+] File access monitoring completed${NC}"
287.  
288. }
289.  
290. # Option 3: Track network connections
291.  
292. track_network_connections() {
293.  
294. echo -e "${BLUE}[*] Track network connections${NC}"
295.  
296. read -p "Enter process name to monitor (leave empty for all): " process
297.  
298. read -p "Enter duration in seconds (default: 30): " duration
299.  
300. duration=${duration:-30}
301.  
302.  
303.  
304. echo -e "${GREEN}[+] Tracking network connections for ${process:-all processes}
305. for $duration seconds...${NC}"
306.  
307.  
308.  
309. if [ -z "$process" ]; then
310.  
311. filter=""
312.  
313. else
314.  
315. filter="/comm == \"$process\"/"
316.  
317. fi
318.  
319.  
320.  
321. timeout $duration bpftrace -e "
322.  
323. #include
324.  
325. #include
326.  
327.  
328.  
329. kprobe:tcp_connect $filter {
330.  
331. \$sk = (struct sock *)arg0;
332.  
333. \$inet_family = \$sk->__sk_common.skc_family;
334.  
335.  
336.  
337. if (\$inet_family == AF_INET || \$inet_family == AF_INET6) {
338.  
339. \$daddr = ntop(\$inet_family, \$sk->__sk_common.skc_daddr);
340.  
341. \$dport = \$sk->__sk_common.skc_dport;
342.  
343. \$saddr = ntop(\$inet_family, \$sk->__sk_common.skc_rcv_saddr);
344.  
345. \$sport = \$sk->__sk_common.skc_num;
346.  
347.  
348.  
349. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | CONNECT: %s:%d -> %s:%d\\n\",
350.  
351. pid, comm, uid, \$saddr, \$sport, \$daddr, \$dport);
352.  
353. }
354.  
355. }
356.  
357.  
358.  
359. kprobe:tcp_accept $filter {
360.  
361. \$sk = (struct sock *)arg0;
362.  
363. \$inet_family = \$sk->__sk_common.skc_family;
364.  
365.  
366.  
367. if (\$inet_family == AF_INET || \$inet_family == AF_INET6) {
368.  
369. \$daddr = ntop(\$inet_family, \$sk->__sk_common.skc_daddr);
370.  
371. \$dport = \$sk->__sk_common.skc_dport;
372.  
373. \$saddr = ntop(\$inet_family, \$sk->__sk_common.skc_rcv_saddr);
374.  
375. \$sport = \$sk->__sk_common.skc_num;
376.  
377.  
378.  
379. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | ACCEPT: %s:%d <- %s:%d\\n\",
380.  
381. pid, comm, uid, \$saddr, \$sport, \$daddr, \$dport);
382.  
383. }
384.  
385. }
386.  
387. " 2>/dev/null
388.  
389.  
390.  
391. echo -e "${GREEN}[+] Network connection tracking completed${NC}"
392.  
393. }
394.  
395. # Option 4: Detect process execution chains
396.  
397. detect_process_chains() {
398.  
399. echo -e "${BLUE}[*] Detect process execution chains${NC}"
400.  
401. read -p "Enter duration in seconds (default: 30): " duration
402.  
403. duration=${duration:-30}
404.  
405.  
406.  
407. echo -e "${GREEN}[+] Monitoring process execution chains for $duration
408. seconds...${NC}"
409.  
410.  
411.  
412. timeout $duration bpftrace -e "
413.  
414. tracepoint:syscalls:sys_enter_execve,
415.  
416. tracepoint:syscalls:sys_enter_execveat {
417.  
418. printf(\"TIME: %-8llu PID: %-6d PPID: %-6d UID: %-6d GID: %-6d | EXEC: %s\\n\",
419.  
420. nsecs, pid, curtask->real_parent->tgid, uid, gid, comm);
421.  
422.  
423.  
424. printf(\" ARGS: \");
425.  
426. \$argp = args->argv;
427.  
428. \$i = 0;
429.  
430. \$arg = user_string(\$argp);
431.  
432. while (\$arg != 0 && \$i < 5) {
433.  
434. printf(\"%s \", \$arg);
435.  
436. \$argp++;
437.  
438. \$arg = user_string(\$argp);
439.  
440. \$i++;
441.  
442. }
443.  
444. if (\$i >= 5) {
445.  
446. printf(\"...\");
447.  
448. }
449.  
450. printf(\"\\n\");
451.  
452.  
453.  
454. @execution_chains[curtask->real_parent->comm, comm] = count();
455.  
456. }
457.  
458.  
459.  
460. interval:s:5 {
461.  
462. printf(\"\\n--- Process Execution Chain Summary (5s) ---\\n\");
463.  
464. printf(\"%-20s -> %-20s | Count\\n\", \"Parent Process\", \"Child Process\");
465.  
466. print(@execution_chains);
467.  
468. }
469.  
470. " 2>/dev/null
471.  
472.  
473.  
474. echo -e "${GREEN}[+] Process chain detection completed${NC}"
475.  
476. }
477.  
478. # Option 5: Analyze memory mapping operations
479.  
480. analyze_memory_mappings() {
481.  
482. echo -e "${BLUE}[*] Analyze memory mapping operations${NC}"
483.  
484. read -p "Enter PID to monitor (leave empty for all): " target_pid
485.  
486. read -p "Enter duration in seconds (default: 30): " duration
487.  
488. duration=${duration:-30}
489.  
490.  
491.  
492. if [ -z "$target_pid" ]; then
493.  
494. pid_filter=""
495.  
496. else
497.  
498. pid_filter="/pid == $target_pid/"
499.  
500. fi
501.  
502.  
503.  
504. echo -e "${GREEN}[+] Analyzing memory mapping operations for ${target_pid:-all
505. processes} for $duration seconds...${NC}"
506.  
507.  
508.  
509. timeout $duration bpftrace -e "
510.  
511. #include
512.  
513.  
514.  
515. tracepoint:syscalls:sys_enter_mmap $pid_filter {
516.  
517. printf(\"PID: %-6d COMM: %-15.15s | MMAP: addr=0x%lx len=%lu prot=%d flags=%d
518. fd=%d off=%lu\\n\",
519.  
520. pid, comm, args->addr, args->len, args->prot, args->flags, args->fd,
521. args->offset);
522.  
523. }
524.  
525.  
526.  
527. tracepoint:syscalls:sys_enter_mprotect $pid_filter {
528.  
529. printf(\"PID: %-6d COMM: %-15.15s | MPROTECT: addr=0x%lx len=%lu prot=%d\\n\",
530.  
531. pid, comm, args->addr, args->len, args->prot);
532.  
533. }
534.  
535.  
536.  
537. kprobe:security_mmap_file $pid_filter {
538.  
539. \$file = (struct file *)arg0;
540.  
541. \$prot = arg1;
542.  
543. \$flags = arg2;
544.  
545.  
546.  
547. if (\$file != 0) {
548.  
549. \$pathname = \$file->f_path.dentry->d_name.name;
550.  
551. if (\$pathname != 0) {
552.  
553. \$name = str(\$pathname);
554.  
555. printf(\"PID: %-6d COMM: %-15.15s | MMAP FILE: %s (prot=%d, flags=%d)\\n\",
556.  
557. pid, comm, \$name, \$prot, \$flags);
558.  
559.  
560.  
561. if ((\$prot & 0x4) && (\$prot & 0x1)) { // PROT_EXEC | PROT_READ
562.  
563. printf(\" [ALERT] Executable memory mapping detected!\\n\");
564.  
565. }
566.  
567. }
568.  
569. }
570.  
571. }
572.  
573.  
574.  
575. tracepoint:syscalls:sys_enter_memfd_create $pid_filter {
576.  
577. printf(\"PID: %-6d COMM: %-15.15s | MEMFD_CREATE: name=%s flags=%d\\n\",
578.  
579. pid, comm, str(args->uname), args->flags);
580.  
581. printf(\" [ALERT] Possible fileless execution technique!\\n\");
582.  
583. }
584.  
585. " 2>/dev/null
586.  
587.  
588.  
589. echo -e "${GREEN}[+] Memory mapping analysis completed${NC}"
590.  
591. }
592.  
593. # Option 6: Trace process capabilities changes
594.  
595. trace_capabilities() {
596.  
597. echo -e "${BLUE}[*] Trace process capabilities changes${NC}"
598.  
599. read -p "Enter duration in seconds (default: 30): " duration
600.  
601. duration=${duration:-30}
602.  
603.  
604.  
605. echo -e "${GREEN}[+] Tracing capability changes for $duration seconds...${NC}"
606.  
607.  
608.  
609. timeout $duration bpftrace -e "
610.  
611. tracepoint:syscalls:sys_enter_capset {
612.  
613. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | CAPSET: header->pid=%d\\n\",
614.  
615. pid, comm, uid, args->header->pid);
616.  
617. }
618.  
619.  
620.  
621. kprobe:cap_capable {
622.  
623. \$cap_id = arg1;
624.  
625. \$cap_name = \"UNKNOWN\";
626.  
627.  
628.  
629. if (\$cap_id == 0) { \$cap_name = \"CAP_CHOWN\"; }
630.  
631. else if (\$cap_id == 1) { \$cap_name = \"CAP_DAC_OVERRIDE\"; }
632.  
633. else if (\$cap_id == 2) { \$cap_name = \"CAP_DAC_READ_SEARCH\"; }
634.  
635. else if (\$cap_id == 3) { \$cap_name = \"CAP_FOWNER\"; }
636.  
637. else if (\$cap_id == 4) { \$cap_name = \"CAP_FSETID\"; }
638.  
639. else if (\$cap_id == 5) { \$cap_name = \"CAP_KILL\"; }
640.  
641. else if (\$cap_id == 6) { \$cap_name = \"CAP_SETGID\"; }
642.  
643. else if (\$cap_id == 7) { \$cap_name = \"CAP_SETUID\"; }
644.  
645. else if (\$cap_id == 8) { \$cap_name = \"CAP_SETPCAP\"; }
646.  
647. else if (\$cap_id == 12) { \$cap_name = \"CAP_NET_ADMIN\"; }
648.  
649. else if (\$cap_id == 13) { \$cap_name = \"CAP_NET_RAW\"; }
650.  
651. else if (\$cap_id == 14) { \$cap_name = \"CAP_IPC_LOCK\"; }
652.  
653. else if (\$cap_id == 16) { \$cap_name = \"CAP_SYS_MODULE\"; }
654.  
655. else if (\$cap_id == 17) { \$cap_name = \"CAP_SYS_RAWIO\"; }
656.  
657. else if (\$cap_id == 18) { \$cap_name = \"CAP_SYS_CHROOT\"; }
658.  
659. else if (\$cap_id == 19) { \$cap_name = \"CAP_SYS_PTRACE\"; }
660.  
661. else if (\$cap_id == 21) { \$cap_name = \"CAP_SYS_ADMIN\"; }
662.  
663. else if (\$cap_id == 23) { \$cap_name = \"CAP_SYS_TIME\"; }
664.  
665. else if (\$cap_id == 24) { \$cap_name = \"CAP_SYS_RESOURCE\"; }
666.  
667. else if (\$cap_id == 25) { \$cap_name = \"CAP_SYS_BOOT\"; }
668.  
669.  
670.  
671. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | CAP CHECK: %s (%d)\\n\",
672.  
673. pid, comm, uid, \$cap_name, \$cap_id);
674.  
675.  
676.  
677. if (\$cap_id == 16 || \$cap_id == 21 || \$cap_id == 19) {
678.  
679. printf(\" [ALERT] Sensitive capability check detected!\\n\");
680.  
681. }
682.  
683.  
684.  
685. @cap_usage[comm, \$cap_name] = count();
686.  
687. }
688.  
689.  
690.  
691. interval:s:5 {
692.  
693. printf(\"\\n--- Capability Usage Summary (5s) ---\\n\");
694.  
695. print(@cap_usage);
696.  
697. }
698.  
699. " 2>/dev/null
700.  
701.  
702.  
703. echo -e "${GREEN}[+] Capability tracing completed${NC}"
704.  
705. }
706.  
707. # Option 7: Monitor namespace transitions
708.  
709. monitor_namespaces() {
710.  
711. echo -e "${BLUE}[*] Monitor namespace transitions${NC}"
712.  
713. read -p "Enter duration in seconds (default: 30): " duration
714.  
715. duration=${duration:-30}
716.  
717.  
718.  
719. echo -e "${GREEN}[+] Monitoring namespace transitions for $duration
720. seconds...${NC}"
721.  
722.  
723.  
724. timeout $duration bpftrace -e "
725.  
726. tracepoint:syscalls:sys_enter_unshare,
727.  
728. tracepoint:syscalls:sys_enter_setns {
729.  
730. printf(\"TIME: %-8llu PID: %-6d PPID: %-6d COMM: %-15.15s | NAMESPACE OPERATION:
731. %s\\n\",
732.  
733. nsecs, pid, curtask->real_parent->tgid, comm, probe);
734.  
735.  
736.  
737. if (comm != \"docker\" && comm != \"containerd\" &&
738.  
739. comm != \"runc\" && comm != \"systemd\" &&
740.  
741. comm != \"lxc\" && comm != \"podman\") {
742.  
743. printf(\" [ALERT] Potential container escape attempt: unexpected namespace
744. operation by %s\\n\", comm);
745.  
746. }
747.  
748. }
749.  
750.  
751.  
752. kprobe:switch_task_namespaces {
753.  
754. printf(\"PID: %-6d COMM: %-15.15s | SWITCH NAMESPACE\\n\", pid, comm);
755.  
756. }
757.  
758. " 2>/dev/null
759.  
760.  
761.  
762. echo -e "${GREEN}[+] Namespace monitoring completed${NC}"
763.  
764. }
765.  
766. # Option 8: Detect unexpected syscall patterns
767.  
768. detect_syscall_patterns() {
769.  
770. echo -e "${BLUE}[*] Detect unexpected syscall patterns${NC}"
771.  
772. read -p "Enter duration in seconds (default: 30): " duration
773.  
774. duration=${duration:-30}
775.  
776.  
777.  
778. echo -e "${GREEN}[+] Detecting unusual syscall patterns for $duration
779. seconds...${NC}"
780.  
781.  
782.  
783. timeout $duration bpftrace -e "
784.  
785. BEGIN {
786.  
787. printf(\"Monitoring for suspicious syscall patterns...\\n\");
788.  
789. }
790.  
791.  
792.  
793. // Detect ptrace syscall (often used for process manipulation)
794.  
795. tracepoint:syscalls:sys_enter_ptrace {
796.  
797. printf(\"[ALERT] PID: %-6d COMM: %-15.15s UID: %-6d | PTRACE detected:
798. request=%d pid=%d\\n\",
799.  
800. pid, comm, uid, args->request, args->pid);
801.  
802. }
803.  
804.  
805.  
806. // Monitor process hiding techniques
807.  
808. tracepoint:syscalls:sys_enter_kill /args->sig == 0/ {
809.  
810. @proc_check[pid, comm] = count();
811.  
812. }
813.  
814.  
815.  
816. // Detect potential shellcode execution patterns
817.  
818. tracepoint:syscalls:sys_enter_mprotect /args->prot & 0x4/ { // PROT_EXEC
819.  
820. @mprotect_exec[pid, comm] = count();
821.  
822. printf(\"PID: %-6d COMM: %-15.15s | MPROTECT with EXEC permissions: addr=0x%lx
823. len=%lu\\n\",
824.  
825. pid, comm, args->addr, args->len);
826.  
827. }
828.  
829.  
830.  
831. tracepoint:syscalls:sys_enter_mmap /args->prot & 0x4/ { // PROT_EXEC
832.  
833. @mmap_exec[pid, comm] = count();
834.  
835. if (args->flags & 0x20) { // MAP_ANONYMOUS
836.  
837. printf(\"[ALERT] PID: %-6d COMM: %-15.15s | Anonymous executable memory mapping
838. detected!\\n\",
839.  
840. pid, comm);
841.  
842. }
843.  
844. }
845.  
846.  
847.  
848. // Detect suspicious file operations in /proc
849.  
850. tracepoint:syscalls:sys_enter_openat /strncmp(str(args->filename), \"/proc\", 5)
851. == 0/ {
852.  
853. @proc_access[pid, comm, str(args->filename)] = count();
854.  
855.  
856.  
857. if (strncmp(str(args->filename), \"/proc/self/mem\", 14) == 0) {
858.  
859. printf(\"[ALERT] PID: %-6d COMM: %-15.15s | Suspicious access to
860. /proc/self/mem\\n\",
861.  
862. pid, comm);
863.  
864. }
865.  
866. }
867.  
868.  
869.  
870. // Detect attempts to load kernel modules
871.  
872. tracepoint:syscalls:sys_enter_init_module,
873.  
874. tracepoint:syscalls:sys_enter_finit_module {
875.  
876. printf(\"[ALERT] PID: %-6d COMM: %-15.15s UID: %-6d | Kernel module operation
877. detected!\\n\",
878.  
879. pid, comm, uid);
880.  
881. }
882.  
883.  
884.  
885. interval:s:5 {
886.  
887. printf(\"\\n--- Suspicious Syscall Summary (5s) ---\\n\");
888.  
889.  
890.  
891. printf(\"\\nExecutable Memory Mappings:\\n\");
892.  
893. print(@mmap_exec);
894.  
895.  
896.  
897. printf(\"\\nExecutable Memory Protection Changes:\\n\");
898.  
899. print(@mprotect_exec);
900.  
901.  
902.  
903. printf(\"\\nProcess Status Checks (possible process hiding):\\n\");
904.  
905. print(@proc_check);
906.  
907.  
908.  
909. printf(\"\\n/proc Filesystem Access Patterns:\\n\");
910.  
911. print(@proc_access);
912.  
913. }
914.  
915. " 2>/dev/null
916.  
917.  
918.  
919. echo -e "${GREEN}[+] Syscall pattern detection completed${NC}"
920.  
921. }
922.  
923. # Option 9: Track process privilege escalation
924.  
925. track_privilege_escalation() {
926.  
927. echo -e "${BLUE}[*] Track process privilege escalation${NC}"
928.  
929. read -p "Enter duration in seconds (default: 30): " duration
930.  
931. duration=${duration:-30}
932.  
933.  
934.  
935. echo -e "${GREEN}[+] Monitoring privilege escalation attempts for $duration
936. seconds...${NC}"
937.  
938.  
939.  
940. timeout $duration bpftrace -e "
941.  
942. // Track set*uid/set*gid syscalls
943.  
944. tracepoint:syscalls:sys_enter_setuid,
945.  
946. tracepoint:syscalls:sys_enter_setgid,
947.  
948. tracepoint:syscalls:sys_enter_setreuid,
949.  
950. tracepoint:syscalls:sys_enter_setregid,
951.  
952. tracepoint:syscalls:sys_enter_setresuid,
953.  
954. tracepoint:syscalls:sys_enter_setresgid {
955.  
956. printf(\"TIME: %-8llu PID: %-6d COMM: %-15.15s UID: %-6d | %s\\n\",
957.  
958. nsecs, pid, comm, uid, probe);
959.  
960.  
961.  
962. if (uid != 0) {
963.  
964. printf(\" [ALERT] Non-root process attempting privilege change!\\n\");
965.  
966. }
967.  
968. }
969.  
970.  
971.  
972. // Track successful UID/GID changes
973.  
974. tracepoint:syscalls:sys_exit_setuid,
975.  
976. tracepoint:syscalls:sys_exit_setgid,
977.  
978. tracepoint:syscalls:sys_exit_setreuid,
979.  
980. tracepoint:syscalls:sys_exit_setregid,
981.  
982. tracepoint:syscalls:sys_exit_setresuid,
983.  
984. tracepoint:syscalls:sys_exit_setresgid /args->ret == 0/ {
985.  
986. printf(\"PID: %-6d COMM: %-15.15s | %s succeeded\\n\",
987.  
988. pid, comm, probe);
989.  
990. }
991.  
992.  
993.  
994. // Monitor privileged file access
995.  
996. tracepoint:syscalls:sys_enter_open,
997.  
998. tracepoint:syscalls:sys_enter_openat {
999.  
1000. \$filename = str(args->filename);
1001.  
1002.  
1003.  
1004. if (\$filename != 0) {
1005.  
1006. if (strncmp(\$filename, \"/etc/passwd\", 11) == 0 ||
1007.  
1008. strncmp(\$filename, \"/etc/shadow\", 11) == 0 ||
1009.  
1010. strncmp(\$filename, \"/etc/sudoers\", 12) == 0) {
1011.  
1012. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | Accessing sensitive file: %s\\n\",
1013.  
1014. pid, comm, uid, \$filename);
1015.  
1016.  
1017.  
1018. if (strncmp(\$filename, \"/etc/shadow\", 11) == 0 && uid != 0) {
1019.  
1020. printf(\" [ALERT] Non-root process accessing shadow password file!\\n\");
1021.  
1022. }
1023.  
1024. }
1025.  
1026. }
1027.  
1028. }
1029.  
1030.  
1031.  
1032. // Track sudo/su execution
1033.  
1034. tracepoint:syscalls:sys_enter_execve,
1035.  
1036. tracepoint:syscalls:sys_enter_execveat {
1037.  
1038. \$argp = args->argv;
1039.  
1040. \$arg0 = user_string(\$argp);
1041.  
1042.  
1043.  
1044. if (\$arg0 != 0) {
1045.  
1046. if (strncmp(\$arg0, \"/usr/bin/sudo\", 13) == 0 ||
1047.  
1048. strncmp(\$arg0, \"/bin/sudo\", 9) == 0 ||
1049.  
1050. strncmp(\$arg0, \"/usr/bin/su\", 11) == 0 ||
1051.  
1052. strncmp(\$arg0, \"/bin/su\", 7) == 0) {
1053.  
1054. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | Privilege escalation tool:
1055. %s\\n\",
1056.  
1057. pid, comm, uid, \$arg0);
1058.  
1059.  
1060.  
1061. \$i = 1;
1062.  
1063. \$argp++;
1064.  
1065. \$arg = user_string(\$argp);
1066.  
1067. printf(\" Command: %s\", \$arg0);
1068.  
1069. while (\$arg != 0 && \$i < 10) {
1070.  
1071. printf(\" %s\", \$arg);
1072.  
1073. \$argp++;
1074.  
1075. \$arg = user_string(\$argp);
1076.  
1077. \$i++;
1078.  
1079. }
1080.  
1081. if (\$i >= 10) {
1082.  
1083. printf(\" ...\");
1084.  
1085. }
1086.  
1087. printf(\"\\n\");
1088.  
1089. }
1090.  
1091. }
1092.  
1093. }
1094.  
1095. " 2>/dev/null
1096.  
1097.  
1098.  
1099. echo -e "${GREEN}[+] Privilege escalation monitoring completed${NC}"
1100.  
1101. }
1102.  
1103. # Option 10: Monitor inter-process communications
1104.  
1105. monitor_ipc() {
1106.  
1107. echo -e "${BLUE}[*] Monitor inter-process communications${NC}"
1108.  
1109. read -p "Enter duration in seconds (default: 30): " duration
1110.  
1111. duration=${duration:-30}
1112.  
1113.  
1114.  
1115. echo -e "${GREEN}[+] Monitoring IPC mechanisms for $duration seconds...${NC}"
1116.  
1117.  
1118.  
1119. timeout $duration bpftrace -e "
1120.  
1121. // Track socket communications
1122.  
1123. tracepoint:syscalls:sys_enter_socket,
1124.  
1125. tracepoint:syscalls:sys_enter_socketpair {
1126.  
1127. printf(\"PID: %-6d COMM: %-15.15s | SOCKET: domain=%d type=%d protocol=%d\\n\",
1128.  
1129. pid, comm, args->family, args->type, args->protocol);
1130.  
1131.  
1132.  
1133. if (args->family == 1) { // AF_UNIX
1134.  
1135. @unix_sockets[pid, comm] = count();
1136.  
1137. }
1138.  
1139. }
1140.  
1141.  
1142.  
1143. // Track shared memory operations
1144.  
1145. tracepoint:syscalls:sys_enter_shmget,
1146.  
1147. tracepoint:syscalls:sys_enter_shmat,
1148.  
1149. tracepoint:syscalls:sys_enter_shmdt,
1150.  
1151. tracepoint:syscalls:sys_enter_shmctl {
1152.  
1153. printf(\"PID: %-6d COMM: %-15.15s | SHARED MEMORY: %s\\n\",
1154.  
1155. pid, comm, probe);
1156.  
1157. @shm_ops[pid, comm, probe] = count();
1158.  
1159. }
1160.  
1161.  
1162.  
1163. // Track message queues
1164.  
1165. tracepoint:syscalls:sys_enter_msgget,
1166.  
1167. tracepoint:syscalls:sys_enter_msgsnd,
1168.  
1169. tracepoint:syscalls:sys_enter_msgrcv,
1170.  
1171. tracepoint:syscalls:sys_enter_msgctl {
1172.  
1173. printf(\"PID: %-6d COMM: %-15.15s | MESSAGE QUEUE: %s\\n\",
1174.  
1175. pid, comm, probe);
1176.  
1177. @msg_ops[pid, comm, probe] = count();
1178.  
1179. }
1180.  
1181.  
1182.  
1183. // Track named pipes
1184.  
1185. tracepoint:syscalls:sys_enter_mkfifo {
1186.  
1187. printf(\"PID: %-6d COMM: %-15.15s | CREATE NAMED PIPE: %s\\n\",
1188.  
1189. pid, comm, str(args->pathname));
1190.  
1191. }
1192.  
1193.  
1194.  
1195. // Track pipe creation
1196.  
1197. tracepoint:syscalls:sys_enter_pipe,
1198.  
1199. tracepoint:syscalls:sys_enter_pipe2 {
1200.  
1201. printf(\"PID: %-6d COMM: %-15.15s | CREATE PIPE\\n\", pid, comm);
1202.  
1203. @pipe_create[pid, comm] = count();
1204.  
1205. }
1206.  
1207.  
1208.  
1209. // Monitor memfd communication (often used in fileless malware)
1210.  
1211. tracepoint:syscalls:sys_enter_memfd_create {
1212.  
1213. printf(\"PID: %-6d COMM: %-15.15s | MEMFD_CREATE: name=%s flags=%d\\n\",
1214.  
1215. pid, comm, str(args->uname), args->flags);
1216.  
1217. printf(\" [ALERT] Potential fileless malware technique detected!\\n\");
1218.  
1219. }
1220.  
1221.  
1222.  
1223. interval:s:5 {
1224.  
1225. printf(\"\\n--- IPC Summary (5s) ---\\n\");
1226.  
1227.  
1228.  
1229. printf(\"\\nUNIX Socket Usage:\\n\");
1230.  
1231. print(@unix_sockets);
1232.  
1233.  
1234.  
1235. printf(\"\\nShared Memory Operations:\\n\");
1236.  
1237. print(@shm_ops);
1238.  
1239.  
1240.  
1241. printf(\"\\nMessage Queue Operations:\\n\");
1242.  
1243. print(@msg_ops);
1244.  
1245.  
1246.  
1247. printf(\"\\nPipe Creation:\\n\");
1248.  
1249. print(@pipe_create);
1250.  
1251. }
1252.  
1253. " 2>/dev/null
1254.  
1255.  
1256.  
1257. echo -e "${GREEN}[+] IPC monitoring completed${NC}"
1258.  
1259. }
1260.  
1261. # Option 11: Log process credential changes
1262.  
1263. log_credential_changes() {
1264.  
1265. echo -e "${BLUE}[*] Log process credential changes${NC}"
1266.  
1267. read -p "Enter duration in seconds (default: 30): " duration
1268.  
1269. duration=${duration:-30}
1270.  
1271.  
1272.  
1273. echo -e "${GREEN}[+] Monitoring credential changes for $duration
1274. seconds...${NC}"
1275.  
1276.  
1277.  
1278. timeout $duration bpftrace -e "
1279.  
1280. // Track all credential change functions
1281.  
1282. kprobe:commit_creds {
1283.  
1284. printf(\"PID: %-6d COMM: %-15.15s | CREDENTIAL CHANGE\\n\", pid, comm);
1285.  
1286.  
1287.  
1288. // Get the new credentials structure
1289.  
1290. \$cred = (struct cred *)arg0;
1291.  
1292. if (\$cred != 0) {
1293.  
1294. printf(\" New UID: %d GID: %d EUID: %d EGID: %d\\n\",
1295.  
1296. \$cred->uid.val, \$cred->gid.val,
1297.  
1298. \$cred->euid.val, \$cred->egid.val);
1299.  
1300.  
1301.  
1302. // Alert on certain patterns
1303.  
1304. if ((\$cred->uid.val == 0 || \$cred->euid.val == 0) && uid != 0) {
1305.  
1306. printf(\" [ALERT] Process gained root credentials from non-root context!\\n\");
1307.  
1308. }
1309.  
1310. }
1311.  
1312. }
1313.  
1314.  
1315.  
1316. // Track security operations related to credentials
1317.  
1318. kprobe:security_task_fix_setuid {
1319.  
1320. printf(\"PID: %-6d COMM: %-15.15s | SECURITY CHECK: task_fix_setuid\\n\",
1321.  
1322. pid, comm);
1323.  
1324. }
1325.  
1326.  
1327.  
1328. // Track capabilities that might be assigned
1329.  
1330. kprobe:cap_bprm_set_creds {
1331.  
1332. printf(\"PID: %-6d COMM: %-15.15s | CAPABILITY ASSIGNMENT during execve\\n\",
1333.  
1334. pid, comm);
1335.  
1336. }
1337.  
1338.  
1339.  
1340. // Track changes to process security context (SELinux)
1341.  
1342. kprobe:security_task_setpgid,
1343.  
1344. kprobe:security_task_kill {
1345.  
1346. printf(\"PID: %-6d COMM: %-15.15s | SECURITY CONTEXT OPERATION: %s\\n\",
1347.  
1348. pid, comm, probe);
1349.  
1350. }
1351.  
1352. " 2>/dev/null
1353.  
1354.  
1355.  
1356. echo -e "${GREEN}[+] Credential change monitoring completed${NC}"
1357.  
1358. }
1359.  
1360. # Option 12: Profile process resource usage
1361.  
1362. profile_resource_usage() {
1363.  
1364. echo -e "${BLUE}[*] Profile process resource usage${NC}"
1365.  
1366. read -p "Enter PID to monitor (leave empty for all): " target_pid
1367.  
1368. read -p "Enter duration in seconds (default: 30): " duration
1369.  
1370. duration=${duration:-30}
1371.  
1372.  
1373.  
1374. if [ -z "$target_pid" ]; then
1375.  
1376. pid_filter=""
1377.  
1378. else
1379.  
1380. pid_filter="/pid == $target_pid/"
1381.  
1382. fi
1383.  
1384.  
1385.  
1386. echo -e "${GREEN}[+] Profiling resource usage for ${target_pid:-all processes}
1387. for $duration seconds...${NC}"
1388.  
1389.  
1390.  
1391. timeout $duration bpftrace -e "
1392.  
1393. // Track CPU usage by sampling
1394.  
1395. profile:hz:99 $pid_filter {
1396.  
1397. @cpu[pid, comm] = count();
1398.  
1399. }
1400.  
1401.  
1402.  
1403. // Track I/O operations
1404.  
1405. tracepoint:syscalls:sys_enter_read,
1406.  
1407. tracepoint:syscalls:sys_enter_pread64,
1408.  
1409. tracepoint:syscalls:sys_enter_readv $pid_filter {
1410.  
1411. @reads[pid, comm] = count();
1412.  
1413. @read_bytes[pid, comm] = sum(args->count);
1414.  
1415. }
1416.  
1417.  
1418.  
1419. tracepoint:syscalls:sys_enter_write,
1420.  
1421. tracepoint:syscalls:sys_enter_pwrite64,
1422.  
1423. tracepoint:syscalls:sys_enter_writev $pid_filter {
1424.  
1425. @writes[pid, comm] = count();
1426.  
1427. @write_bytes[pid, comm] = sum(args->count);
1428.  
1429. }
1430.  
1431.  
1432.  
1433. // Track memory allocations
1434.  
1435. kretprobe:kmalloc $pid_filter {
1436.  
1437. @kmalloc[pid, comm] = count();
1438.  
1439. @kmem_bytes[pid, comm] = sum(retval);
1440.  
1441. }
1442.  
1443.  
1444.  
1445. // Track process creation
1446.  
1447. tracepoint:syscalls:sys_enter_clone,
1448.  
1449. tracepoint:syscalls:sys_enter_fork,
1450.  
1451. tracepoint:syscalls:sys_enter_vfork $pid_filter {
1452.  
1453. @process_create[pid, comm] = count();
1454.  
1455. }
1456.  
1457.  
1458.  
1459. interval:s:5 {
1460.  
1461. printf(\"\\n--- Resource Usage Summary (5s) ---\\n\");
1462.  
1463.  
1464.  
1465. printf(\"\\nCPU Usage (sample count):\\n\");
1466.  
1467. print(@cpu);
1468.  
1469. clear(@cpu);
1470.  
1471.  
1472.  
1473. printf(\"\\nRead Operations:\\n\");
1474.  
1475. print(@reads);
1476.  
1477. printf(\"\\nBytes Read:\\n\");
1478.  
1479. print(@read_bytes);
1480.  
1481. clear(@reads);
1482.  
1483. clear(@read_bytes);
1484.  
1485.  
1486.  
1487. printf(\"\\nWrite Operations:\\n\");
1488.  
1489. print(@writes);
1490.  
1491. printf(\"\\nBytes Written:\\n\");
1492.  
1493. print(@write_bytes);
1494.  
1495. clear(@writes);
1496.  
1497. clear(@write_bytes);
1498.  
1499.  
1500.  
1501. printf(\"\\nKernel Memory Allocations:\\n\");
1502.  
1503. print(@kmalloc);
1504.  
1505. printf(\"\\nKernel Bytes Allocated:\\n\");
1506.  
1507. print(@kmem_bytes);
1508.  
1509. clear(@kmalloc);
1510.  
1511. clear(@kmem_bytes);
1512.  
1513.  
1514.  
1515. printf(\"\\nProcess Creation:\\n\");
1516.  
1517. print(@process_create);
1518.  
1519. clear(@process_create);
1520.  
1521. }
1522.  
1523. " 2>/dev/null
1524.  
1525.  
1526.  
1527. echo -e "${GREEN}[+] Resource usage profiling completed${NC}"
1528.  
1529. }
1530.  
1531. # Option 13: Detect process injection attempts
1532.  
1533. detect_process_injection() {
1534.  
1535. echo -e "${BLUE}[*] Detect process injection attempts${NC}"
1536.  
1537. read -p "Enter duration in seconds (default: 30): " duration
1538.  
1539. duration=${duration:-30}
1540.  
1541.  
1542.  
1543. echo -e "${GREEN}[+] Monitoring for process injection techniques for $duration
1544. seconds...${NC}"
1545.  
1546.  
1547.  
1548. timeout $duration bpftrace -e "
1549.  
1550. // Track ptrace usage (common for code injection)
1551.  
1552. tracepoint:syscalls:sys_enter_ptrace {
1553.  
1554. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | PTRACE: request=%d pid=%d\\n\",
1555.  
1556. pid, comm, uid, args->request, args->pid);
1557.  
1558.  
1559.  
1560. // PTRACE_POKETEXT/PTRACE_POKEDATA (4) is used for writing to process memory
1561.  
1562. if (args->request == 4) {
1563.  
1564. printf(\" [ALERT] Process memory modification detected via ptrace!\\n\");
1565.  
1566. }
1567.  
1568.  
1569.  
1570. // PTRACE_ATTACH (16) is used to attach to a process
1571.  
1572. if (args->request == 16) {
1573.  
1574. printf(\" Process %d (%s) is attaching to PID %d\\n\", pid, comm, args->pid);
1575.  
1576. }
1577.  
1578. }
1579.  
1580.  
1581.  
1582. // Track process_vm_writev (direct process memory writing)
1583.  
1584. tracepoint:syscalls:sys_enter_process_vm_writev {
1585.  
1586. printf(\"PID: %-6d COMM: %-15.15s | PROCESS_VM_WRITEV: pid=%d\\n\",
1587.  
1588. pid, comm, args->pid);
1589.  
1590. printf(\" [ALERT] Direct process memory write detected!\\n\");
1591.  
1592. }
1593.  
1594.  
1595.  
1596. // Monitor /proc/pid/mem access for writing
1597.  
1598. tracepoint:syscalls:sys_enter_open,
1599.  
1600. tracepoint:syscalls:sys_enter_openat {
1601.  
1602. \$filename = str(args->filename);
1603.  
1604.  
1605.  
1606. if (\$filename != 0 && strncmp(\$filename, \"/proc/\", 6) == 0) {
1607.  
1608. if (strstr(\$filename, \"/mem\") != 0) {
1609.  
1610. \$flags = args->flags;
1611.  
1612. // Check if file is opened for writing
1613.  
1614. if (\$flags & 0x1 || \$flags & 0x2) { // O_WRONLY or O_RDWR
1615.  
1616. printf(\"PID: %-6d COMM: %-15.15s | Opening %s for writing\\n\",
1617.  
1618. pid, comm, \$filename);
1619.  
1620. printf(\" [ALERT] Process memory manipulation via /proc detected!\\n\");
1621.  
1622. }
1623.  
1624. }
1625.  
1626. }
1627.  
1628. }
1629.  
1630.  
1631.  
1632. // Monitor shared memory with executable permissions (potential code injection)
1633.  
1634. tracepoint:syscalls:sys_enter_mmap {
1635.  
1636. if ((args->prot & 0x4) && (args->flags & 0x1)) { // PROT_EXEC and MAP_SHARED
1637.  
1638. printf(\"PID: %-6d COMM: %-15.15s | MMAP: Creating shared executable
1639. memory\\n\",
1640.  
1641. pid, comm);
1642.  
1643. printf(\" [ALERT] Potential shared memory code injection vector!\\n\");
1644.  
1645. }
1646.  
1647. }
1648.  
1649.  
1650.  
1651. // Monitor debugfs access (which can be used for memory manipulation)
1652.  
1653. tracepoint:syscalls:sys_enter_open,
1654.  
1655. tracepoint:syscalls:sys_enter_openat {
1656.  
1657. \$filename = str(args->filename);
1658.  
1659.  
1660.  
1661. if (\$filename != 0 && strncmp(\$filename, \"/sys/kernel/debug\", 17) == 0) {
1662.  
1663. printf(\"PID: %-6d COMM: %-15.15s | Accessing debugfs: %s\\n\",
1664.  
1665. pid, comm, \$filename);
1666.  
1667.  
1668.  
1669. if (comm != \"systemd\" && comm != \"udevd\" &&
1670.  
1671. comm != \"snapd\" && comm != \"kernel\") {
1672.  
1673. printf(\" [ALERT] Suspicious debugfs access!\\n\");
1674.  
1675. }
1676.  
1677. }
1678.  
1679. }
1680.  
1681.  
1682.  
1683. // Detect shellcode-like behavior (syscall instruction)
1684.  
1685. kprobe:__x64_sys_execve {
1686.  
1687. // Get the instruction pointer that caused the syscall
1688.  
1689. \$ip = reg(\"ip\");
1690.  
1691.  
1692.  
1693. // Check if it's in a mapped executable area rather than in .text segment
1694.  
1695. @exec_syscalls[pid, comm, \$ip] = count();
1696.  
1697. }
1698.  
1699.  
1700.  
1701. interval:s:5 {
1702.  
1703. printf(\"\\n--- Process Injection Detection Summary (5s) ---\\n\");
1704.  
1705. printf(\"\\nExecve Syscall Origins:\\n\");
1706.  
1707. print(@exec_syscalls);
1708.  
1709. }
1710.  
1711. " 2>/dev/null
1712.  
1713.  
1714.  
1715. echo -e "${GREEN}[+] Process injection detection completed${NC}"
1716.  
1717. }
1718.  
1719. # Option 14: Monitor filesystem operations
1720.  
1721. monitor_filesystem() {
1722.  
1723. echo -e "${BLUE}[*] Monitor filesystem operations${NC}"
1724.  
1725. read -p "Enter specific directory to monitor (leave empty for all): " target_dir
1726.  
1727. read -p "Enter duration in seconds (default: 30): " duration
1728.  
1729. duration=${duration:-30}
1730.  
1731.  
1732.  
1733. if [ -z "$target_dir" ]; then
1734.  
1735. dir_filter=""
1736.  
1737. dir_msg="all filesystem"
1738.  
1739. else
1740.  
1741. dir_filter="/strncmp(str(args->filename), \"$target_dir\", ${#target_dir}) ==
1742. 0/"
1743.  
1744. dir_msg="$target_dir"
1745.  
1746. fi
1747.  
1748.  
1749.  
1750. echo -e "${GREEN}[+] Monitoring $dir_msg operations for $duration
1751. seconds...${NC}"
1752.  
1753.  
1754.  
1755. timeout $duration bpftrace -e "
1756.  
1757. // Track file creation
1758.  
1759. tracepoint:syscalls:sys_enter_creat,
1760.  
1761. tracepoint:syscalls:sys_enter_open,
1762.  
1763. tracepoint:syscalls:sys_enter_openat /args->flags & 0x40/ $dir_filter { //
1764. O_CREAT
1765.  
1766. \$filename = str(args->filename);
1767.  
1768. if (\$filename != 0) {
1769.  
1770. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | CREATE: %s\\n\",
1771.  
1772. pid, comm, uid, \$filename);
1773.  
1774. }
1775.  
1776. }
1777.  
1778.  
1779.  
1780. // Track file deletion
1781.  
1782. tracepoint:syscalls:sys_enter_unlink,
1783.  
1784. tracepoint:syscalls:sys_enter_unlinkat $dir_filter {
1785.  
1786. \$filename = str(args->filename);
1787.  
1788. if (\$filename != 0) {
1789.  
1790. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | DELETE: %s\\n\",
1791.  
1792. pid, comm, uid, \$filename);
1793.  
1794.  
1795.  
1796. if (strstr(\$filename, \".bash_history\") != 0 ||
1797.  
1798. strstr(\$filename, \".zsh_history\") != 0 ||
1799.  
1800. strstr(\$filename, \".mysql_history\") != 0 ||
1801.  
1802. strstr(\$filename, \"/var/log/\") != 0 ||
1803.  
1804. strstr(\$filename, \"/var/audit/\") != 0) {
1805.  
1806. printf(\" [ALERT] Potential log/history file deletion!\\n\");
1807.  
1808. }
1809.  
1810. }
1811.  
1812. }
1813.  
1814.  
1815.  
1816. // Track file modifications
1817.  
1818. tracepoint:syscalls:sys_enter_rename,
1819.  
1820. tracepoint:syscalls:sys_enter_renameat,
1821.  
1822. tracepoint:syscalls:sys_enter_renameat2 $dir_filter {
1823.  
1824. \$oldname = str(args->oldname);
1825.  
1826. \$newname = str(args->newname);
1827.  
1828. if (\$oldname != 0 && \$newname != 0) {
1829.  
1830. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | RENAME: %s -> %s\\n\",
1831.  
1832. pid, comm, uid, \$oldname, \$newname);
1833.  
1834.  
1835.  
1836. if ((strstr(\$newname, \".so\") != 0 || strstr(\$newname, \"lib\") != 0) &&
1837.  
1838. uid != 0) {
1839.  
1840. printf(\" [ALERT] Non-root process modifying library file!\\n\");
1841.  
1842. }
1843.  
1844. }
1845.  
1846. }
1847.  
1848.  
1849.  
1850. // Track permission changes
1851.  
1852. tracepoint:syscalls:sys_enter_chmod,
1853.  
1854. tracepoint:syscalls:sys_enter_fchmod,
1855.  
1856. tracepoint:syscalls:sys_enter_fchmodat $dir_filter {
1857.  
1858. \$filename = str(args->filename);
1859.  
1860. \$mode = args->mode;
1861.  
1862. if (\$filename != 0) {
1863.  
1864. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | CHMOD: %s mode=0%o\\n\",
1865.  
1866. pid, comm, uid, \$filename, \$mode);
1867.  
1868.  
1869.  
1870. if (\$mode & 0111) { // executable bit
1871.  
1872. printf(\" Setting executable permission\\n\");
1873.  
1874. }
1875.  
1876. }
1877.  
1878. }
1879.  
1880.  
1881.  
1882. // Track ownership changes
1883.  
1884. tracepoint:syscalls:sys_enter_chown,
1885.  
1886. tracepoint:syscalls:sys_enter_fchown,
1887.  
1888. tracepoint:syscalls:sys_enter_lchown,
1889.  
1890. tracepoint:syscalls:sys_enter_fchownat $dir_filter {
1891.  
1892. \$filename = str(args->filename);
1893.  
1894. if (\$filename != 0) {
1895.  
1896. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | CHOWN: %s uid=%d gid=%d\\n\",
1897.  
1898. pid, comm, uid, \$filename, args->user, args->group);
1899.  
1900. }
1901.  
1902. }
1903.  
1904.  
1905.  
1906. // Track suspicious file access
1907.  
1908. tracepoint:syscalls:sys_enter_open,
1909.  
1910. tracepoint:syscalls:sys_enter_openat $dir_filter {
1911.  
1912. \$filename = str(args->filename);
1913.  
1914. if (\$filename != 0) {
1915.  
1916. // Check for sensitive files
1917.  
1918. if (strstr(\$filename, \"passwd\") != 0 ||
1919.  
1920. strstr(\$filename, \"shadow\") != 0 ||
1921.  
1922. strstr(\$filename, \"/etc/ssh/\") != 0 ||
1923.  
1924. strstr(\$filename, \"/root/.ssh/\") != 0 ||
1925.  
1926. strstr(\$filename, \"id_rsa\") != 0 ||
1927.  
1928. strstr(\$filename, \"authorized_keys\") != 0) {
1929.  
1930. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | ACCESS SENSITIVE: %s\\n\",
1931.  
1932. pid, comm, uid, \$filename);
1933.  
1934.  
1935.  
1936. if (uid != 0 && (strstr(\$filename, \"shadow\") != 0 ||
1937.  
1938. strstr(\$filename, \"/root/.ssh/\") != 0)) {
1939.  
1940. printf(\" [ALERT] Non-root process accessing highly sensitive file!\\n\");
1941.  
1942. }
1943.  
1944. }
1945.  
1946. }
1947.  
1948. }
1949.  
1950.  
1951.  
1952. // Track writes to /dev/mem or /dev/kmem (direct memory manipulation)
1953.  
1954. tracepoint:syscalls:sys_enter_open,
1955.  
1956. tracepoint:syscalls:sys_enter_openat {
1957.  
1958. \$filename = str(args->filename);
1959.  
1960. \$flags = args->flags;
1961.  
1962.  
1963.  
1964. if (\$filename != 0 &&
1965.  
1966. (\$flags & 0x1 || \$flags & 0x2) && // O_WRONLY or O_RDWR
1967.  
1968. (strncmp(\$filename, \"/dev/mem\", 8) == 0 ||
1969.  
1970. strncmp(\$filename, \"/dev/kmem\", 9) == 0 ||
1971.  
1972. strncmp(\$filename, \"/dev/port\", 9) == 0)) {
1973.  
1974. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | DIRECT MEMORY ACCESS: %s\\n\",
1975.  
1976. pid, comm, uid, \$filename);
1977.  
1978. printf(\" [ALERT] Direct hardware memory manipulation detected!\\n\");
1979.  
1980. }
1981.  
1982. }
1983.  
1984. " 2>/dev/null
1985.  
1986.  
1987.  
1988. echo -e "${GREEN}[+] Filesystem monitoring completed${NC}"
1989.  
1990. }
1991.  
1992. # Option 15: Track container escape attempts
1993.  
1994. track_container_escapes() {
1995.  
1996. echo -e "${BLUE}[*] Track container escape attempts${NC}"
1997.  
1998. read -p "Enter duration in seconds (default: 30): " duration
1999.  
2000. duration=${duration:-30}
2001.  
2002.  
2003.  
2004. echo -e "${GREEN}[+] Monitoring for container escape techniques for $duration
2005. seconds...${NC}"
2006.  
2007.  
2008.  
2009. timeout $duration bpftrace -e "
2010.  
2011. // Monitor privileged container capabilities
2012.  
2013. kprobe:cap_capable {
2014.  
2015. \$cap_id = arg1;
2016.  
2017.  
2018.  
2019. if (\$cap_id == 16 || \$cap_id == 21) { // CAP_SYS_MODULE or CAP_SYS_ADMIN
2020.  
2021. printf(\"PID: %-6d COMM: %-15.15s | Privileged capability check: %d\\n\",
2022.  
2023. pid, comm, \$cap_id);
2024.  
2025.  
2026.  
2027. if (\$cap_id == 21) { // CAP_SYS_ADMIN
2028.  
2029. printf(\" [ALERT] Process checking for CAP_SYS_ADMIN (potential container
2030. escape)\\n\");
2031.  
2032. }
2033.  
2034. }
2035.  
2036. }
2037.  
2038.  
2039.  
2040. // Monitor mount namespace escapes
2041.  
2042. tracepoint:syscalls:sys_enter_mount {
2043.  
2044. printf(\"PID: %-6d COMM: %-15.15s | MOUNT: src=%s dst=%s type=%s\\n\",
2045.  
2046. pid, comm, str(args->source_name), str(args->target_name),
2047. str(args->filesystemtype));
2048.  
2049.  
2050.  
2051. if (strncmp(str(args->filesystemtype), \"proc\", 4) == 0 ||
2052.  
2053. strncmp(str(args->filesystemtype), \"sysfs\", 5) == 0) {
2054.  
2055. printf(\" [ALERT] Potential container escape via %s mount\\n\",
2056. str(args->filesystemtype));
2057.  
2058. }
2059.  
2060. }
2061.  
2062.  
2063.  
2064. // Monitor device mounting (common escape technique)
2065.  
2066. tracepoint:syscalls:sys_enter_mount {
2067.  
2068. \$src = str(args->source_name);
2069.  
2070. \$dst = str(args->target_name);
2071.  
2072.  
2073.  
2074. if (\$src != 0 && \$dst != 0) {
2075.  
2076. if (strncmp(\$src, \"/dev\", 4) == 0) {
2077.  
2078. printf(\"PID: %-6d COMM: %-15.15s | Device mount: %s -> %s\\n\",
2079.  
2080. pid, comm, \$src, \$dst);
2081.  
2082. printf(\" [ALERT] Potential container escape via device mount\\n\");
2083.  
2084. }
2085.  
2086. }
2087.  
2088. }
2089.  
2090.  
2091.  
2092. // Monitor access to host devices
2093.  
2094. tracepoint:syscalls:sys_enter_open,
2095.  
2096. tracepoint:syscalls:sys_enter_openat {
2097.  
2098. \$filename = str(args->filename);
2099.  
2100.  
2101.  
2102. if (\$filename != 0) {
2103.  
2104. if (strncmp(\$filename, \"/dev/\", 5) == 0 &&
2105.  
2106. (strstr(\$filename, \"mem\") != 0 ||
2107.  
2108. strstr(\$filename, \"kmem\") != 0 ||
2109.  
2110. strstr(\$filename, \"port\") != 0 ||
2111.  
2112. strncmp(\$filename, \"/dev/sd\", 7) == 0 ||
2113.  
2114. strncmp(\$filename, \"/dev/nvme\", 9) == 0)) {
2115.  
2116. printf(\"PID: %-6d COMM: %-15.15s | Access to sensitive device: %s\\n\",
2117.  
2118. pid, comm, \$filename);
2119.  
2120. printf(\" [ALERT] Potential container escape via device access\\n\");
2121.  
2122. }
2123.  
2124. }
2125.  
2126. }
2127.  
2128.  
2129.  
2130. // Monitor cgroup manipulation (common for escapes)
2131.  
2132. tracepoint:syscalls:sys_enter_open,
2133.  
2134. tracepoint:syscalls:sys_enter_openat {
2135.  
2136. \$filename = str(args->filename);
2137.  
2138. \$flags = args->flags;
2139.  
2140.  
2141.  
2142. if (\$filename != 0 && (\$flags & 0x1 || \$flags & 0x2)) { // O_WRONLY or O_RDWR
2143.  
2144. if (strncmp(\$filename, \"/sys/fs/cgroup\", 14) == 0 ||
2145.  
2146. strncmp(\$filename, \"/proc/sys\", 9) == 0) {
2147.  
2148. printf(\"PID: %-6d COMM: %-15.15s | Writing to sensitive path: %s\\n\",
2149.  
2150. pid, comm, \$filename);
2151.  
2152. printf(\" [ALERT] Potential container escape via cgroup/sysctl
2153. manipulation\\n\");
2154.  
2155. }
2156.  
2157. }
2158.  
2159. }
2160.  
2161.  
2162.  
2163. // Monitor for core_pattern manipulation (CVE-2019-5736)
2164.  
2165. tracepoint:syscalls:sys_enter_open,
2166.  
2167. tracepoint:syscalls:sys_enter_openat {
2168.  
2169. \$filename = str(args->filename);
2170.  
2171. \$flags = args->flags;
2172.  
2173.  
2174.  
2175. if (\$filename != 0 && (\$flags & 0x1 || \$flags & 0x2)) { // O_WRONLY or O_RDWR
2176.  
2177. if (strncmp(\$filename, \"/proc/sys/kernel/core_pattern\", 28) == 0) {
2178.  
2179. printf(\"PID: %-6d COMM: %-15.15s | Writing to core_pattern: %s\\n\",
2180.  
2181. pid, comm, \$filename);
2182.  
2183. printf(\" [ALERT] Potential container escape via core_pattern\\n\");
2184.  
2185. }
2186.  
2187. }
2188.  
2189. }
2190.  
2191.  
2192.  
2193. // Monitor for potential runC container escape attempts
2194.  
2195. tracepoint:syscalls:sys_enter_open,
2196.  
2197. tracepoint:syscalls:sys_enter_openat {
2198.  
2199. \$filename = str(args->filename);
2200.  
2201.  
2202.  
2203. if (\$filename != 0) {
2204.  
2205. if (strstr(\$filename, \"docker\") != 0 ||
2206.  
2207. strstr(\$filename, \"containerd\") != 0 ||
2208.  
2209. strstr(\$filename, \"runc\") != 0) {
2210.  
2211. if (strstr(\$filename, \"/proc/self/exe\") != 0) {
2212.  
2213. printf(\"PID: %-6d COMM: %-15.15s | Suspicious container binary access: %s\\n\",
2214.  
2215. pid, comm, \$filename);
2216.  
2217. printf(\" [ALERT] Potential runC container escape attempt (CVE-2019-5736)\\n\");
2218.  
2219. }
2220.  
2221. }
2222.  
2223. }
2224.  
2225. }
2226.  
2227. " 2>/dev/null
2228.  
2229.  
2230.  
2231. echo -e "${GREEN}[+] Container escape monitoring completed${NC}"
2232.  
2233. }
2234.  
2235. # Option 16: Analyze loaded kernel modules
2236.  
2237. analyze_kernel_modules() {
2238.  
2239. echo -e "${BLUE}[*] Analyze loaded kernel modules${NC}"
2240.  
2241. read -p "Enter duration in seconds (default: 30): " duration
2242.  
2243. duration=${duration:-30}
2244.  
2245.  
2246.  
2247. echo -e "${GREEN}[+] Monitoring kernel module operations for $duration
2248. seconds...${NC}"
2249.  
2250.  
2251.  
2252. timeout $duration bpftrace -e "
2253.  
2254. // Monitor module loading
2255.  
2256. tracepoint:syscalls:sys_enter_init_module {
2257.  
2258. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | LOADING KERNEL MODULE\\n\",
2259.  
2260. pid, comm, uid);
2261.  
2262.  
2263.  
2264. if (uid != 0) {
2265.  
2266. printf(\" [ALERT] Non-root user attempting to load kernel module!\\n\");
2267.  
2268. }
2269.  
2270. }
2271.  
2272.  
2273.  
2274. // Monitor module removal
2275.  
2276. tracepoint:syscalls:sys_enter_delete_module {
2277.  
2278. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | REMOVING KERNEL MODULE: %s\\n\",
2279.  
2280. pid, comm, uid, str(args->name));
2281.  
2282.  
2283.  
2284. if (uid != 0) {
2285.  
2286. printf(\" [ALERT] Non-root user attempting to remove kernel module!\\n\");
2287.  
2288. }
2289.  
2290. }
2291.  
2292.  
2293.  
2294. // Monitor kernel module file operations
2295.  
2296. tracepoint:syscalls:sys_enter_open,
2297.  
2298. tracepoint:syscalls:sys_enter_openat {
2299.  
2300. \$filename = str(args->filename);
2301.  
2302.  
2303.  
2304. if (\$filename != 0) {
2305.  
2306. if (strstr(\$filename, \".ko\") != 0 ||
2307.  
2308. strncmp(\$filename, \"/lib/modules/\", 13) == 0) {
2309.  
2310. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | KERNEL MODULE FILE ACCESS:
2311. %s\\n\",
2312.  
2313. pid, comm, uid, \$filename);
2314.  
2315. }
2316.  
2317. }
2318.  
2319. }
2320.  
2321.  
2322.  
2323. // Monitor kmod execution (used for module operations)
2324.  
2325. tracepoint:syscalls:sys_enter_execve,
2326.  
2327. tracepoint:syscalls:sys_enter_execveat {
2328.  
2329. \$argp = args->argv;
2330.  
2331. \$arg0 = user_string(\$argp);
2332.  
2333.  
2334.  
2335. if (\$arg0 != 0) {
2336.  
2337. if (strstr(\$arg0, \"insmod\") != 0 ||
2338.  
2339. strstr(\$arg0, \"modprobe\") != 0 ||
2340.  
2341. strstr(\$arg0, \"rmmod\") != 0 ||
2342.  
2343. strstr(\$arg0, \"modinfo\") != 0) {
2344.  
2345. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | MODULE TOOL EXECUTION: %s\\n\",
2346.  
2347. pid, comm, uid, \$arg0);
2348.  
2349.  
2350.  
2351. \$i = 1;
2352.  
2353. \$argp++;
2354.  
2355. \$arg = user_string(\$argp);
2356.  
2357. printf(\" Command: %s\", \$arg0);
2358.  
2359. while (\$arg != 0 && \$i < 10) {
2360.  
2361. printf(\" %s\", \$arg);
2362.  
2363. \$argp++;
2364.  
2365. \$arg = user_string(\$argp);
2366.  
2367. \$i++;
2368.  
2369. }
2370.  
2371. if (\$i >= 10) {
2372.  
2373. printf(\" ...\");
2374.  
2375. }
2376.  
2377. printf(\"\\n\");
2378.  
2379. }
2380.  
2381. }
2382.  
2383. }
2384.  
2385.  
2386.  
2387. // Monitor debugfs/sysfs manipulation (used in rootkits)
2388.  
2389. tracepoint:syscalls:sys_enter_open,
2390.  
2391. tracepoint:syscalls:sys_enter_openat {
2392.  
2393. \$filename = str(args->filename);
2394.  
2395. \$flags = args->flags;
2396.  
2397.  
2398.  
2399. if (\$filename != 0 && (\$flags & 0x1 || \$flags & 0x2)) { // O_WRONLY or O_RDWR
2400.  
2401. if (strncmp(\$filename, \"/sys/kernel\", 11) == 0 ||
2402.  
2403. strncmp(\$filename, \"/sys/module\", 11) == 0 ||
2404.  
2405. strncmp(\$filename, \"/proc/kallsyms\", 14) == 0) {
2406.  
2407. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | KERNEL STRUCTURE WRITE: %s\\n\",
2408.  
2409. pid, comm, uid, \$filename);
2410.  
2411. printf(\" [ALERT] Potential rootkit or LKM manipulation activity!\\n\");
2412.  
2413. }
2414.  
2415. }
2416.  
2417. }
2418.  
2419. " 2>/dev/null
2420.  
2421.  
2422.  
2423. echo -e "${GREEN}[+] Kernel module analysis completed${NC}"
2424.  
2425. }
2426.  
2427. # Option 17: Monitor bpf() syscall usage
2428.  
2429. monitor_bpf() {
2430.  
2431. echo -e "${BLUE}[*] Monitor bpf() syscall usage${NC}"
2432.  
2433. read -p "Enter duration in seconds (default: 30): " duration
2434.  
2435. duration=${duration:-30}
2436.  
2437.  
2438.  
2439. echo -e "${GREEN}[+] Monitoring BPF operations for $duration seconds...${NC}"
2440.  
2441.  
2442.  
2443. timeout $duration bpftrace -e "
2444.  
2445. // Monitor BPF syscall usage
2446.  
2447. tracepoint:syscalls:sys_enter_bpf {
2448.  
2449. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | BPF: cmd=%d\\n\",
2450.  
2451. pid, comm, uid, args->cmd);
2452.  
2453.  
2454.  
2455. // BPF commands
2456.  
2457. if (args->cmd == 0) {
2458.  
2459. printf(\" BPF_MAP_CREATE\\n\");
2460.  
2461. } else if (args->cmd == 1) {
2462.  
2463. printf(\" BPF_MAP_LOOKUP_ELEM\\n\");
2464.  
2465. } else if (args->cmd == 2) {
2466.  
2467. printf(\" BPF_MAP_UPDATE_ELEM\\n\");
2468.  
2469. } else if (args->cmd == 3) {
2470.  
2471. printf(\" BPF_MAP_DELETE_ELEM\\n\");
2472.  
2473. } else if (args->cmd == 4) {
2474.  
2475. printf(\" BPF_MAP_GET_NEXT_KEY\\n\");
2476.  
2477. } else
2478.  
2479.  
2480.  
2481. // BPF commands (continued)
2482.  
2483. } else if (args->cmd == 5) {
2484.  
2485. printf(\" BPF_PROG_LOAD\\n\");
2486.  
2487. printf(\" [ALERT] BPF program being loaded - potential for kernel
2488. manipulation!\\n\");
2489.  
2490. } else if (args->cmd == 6) {
2491.  
2492. printf(\" BPF_OBJ_PIN\\n\");
2493.  
2494. } else if (args->cmd == 7) {
2495.  
2496. printf(\" BPF_OBJ_GET\\n\");
2497.  
2498. } else if (args->cmd == 8) {
2499.  
2500. printf(\" BPF_PROG_ATTACH\\n\");
2501.  
2502. printf(\" [ALERT] BPF program being attached!\\n\");
2503.  
2504. } else if (args->cmd == 9) {
2505.  
2506. printf(\" BPF_PROG_DETACH\\n\");
2507.  
2508. }
2509.  
2510.  
2511.  
2512. @bpf_cmds[pid, comm, args->cmd] = count();
2513.  
2514. }
2515.  
2516.  
2517.  
2518. // Track successful BPF operations
2519.  
2520. tracepoint:syscalls:sys_exit_bpf /args->ret >= 0/ {
2521.  
2522. printf(\" Result: SUCCESS (fd/id=%d)\\n\", args->ret);
2523.  
2524. }
2525.  
2526.  
2527.  
2528. // Monitor kprobe and tracepoint operations (often used with BPF)
2529.  
2530. kprobe:security_bpf {
2531.  
2532. printf(\"PID: %-6d COMM: %-15.15s | BPF security check\\n\",
2533.  
2534. pid, comm);
2535.  
2536. }
2537.  
2538.  
2539.  
2540. // Monitor direct BPF map operations
2541.  
2542. kprobe:bpf_map_update_elem,
2543.  
2544. kprobe:bpf_map_lookup_elem {
2545.  
2546. printf(\"PID: %-6d COMM: %-15.15s | BPF map operation: %s\\n\",
2547.  
2548. pid, comm, probe);
2549.  
2550. }
2551.  
2552.  
2553.  
2554. interval:s:5 {
2555.  
2556. printf(\"\\n--- BPF Operations Summary (5s) ---\\n\");
2557.  
2558. printf(\"%-6s %-15s %-20s | %s\\n\", \"PID\", \"COMM\", \"CMD\", \"COUNT\");
2559.  
2560. print(@bpf_cmds);
2561.  
2562. }
2563.  
2564. " 2>/dev/null
2565.  
2566.  
2567.  
2568. echo -e "${GREEN}[+] BPF usage monitoring completed${NC}"
2569.  
2570. }
2571.  
2572. # Option 18: Detect hidden process techniques
2573.  
2574. detect_hidden_processes() {
2575.  
2576. echo -e "${BLUE}[*] Detect hidden process techniques${NC}"
2577.  
2578. read -p "Enter duration in seconds (default: 30): " duration
2579.  
2580. duration=${duration:-30}
2581.  
2582.  
2583.  
2584. echo -e "${GREEN}[+] Monitoring for process hiding techniques for $duration
2585. seconds...${NC}"
2586.  
2587.  
2588.  
2589. timeout $duration bpftrace -e "
2590.  
2591. // Monitor /proc traversal
2592.  
2593. kprobe:proc_pid_readdir {
2594.  
2595. @proc_readdir[pid, comm] = count();
2596.  
2597. }
2598.  
2599.  
2600.  
2601. // Monitor getdents/getdents64 syscalls (directory listing)
2602.  
2603. tracepoint:syscalls:sys_enter_getdents,
2604.  
2605. tracepoint:syscalls:sys_enter_getdents64 {
2606.  
2607. @getdents[pid, comm] = count();
2608.  
2609. }
2610.  
2611.  
2612.  
2613. // Monitor specific process hiding techniques
2614.  
2615. kprobe:proc_readdir {
2616.  
2617. @proc_read[pid, comm, \"proc_readdir\"] = count();
2618.  
2619. }
2620.  
2621.  
2622.  
2623. tracepoint:syscalls:sys_enter_ptrace /args->request == 31/ { // PTRACE_ATTACH
2624.  
2625. printf(\"PID: %-6d COMM: %-15.15s | PTRACE_ATTACH to PID %d\\n\",
2626.  
2627. pid, comm, args->pid);
2628.  
2629.  
2630.  
2631. // Try to detect if the target process exists
2632.  
2633. @ptrace_targets[pid, comm, args->pid] = count();
2634.  
2635. }
2636.  
2637.  
2638.  
2639. // Detect changes to task struct links (potential unlink from task_struct)
2640.  
2641. kprobe:find_task_by_vpid {
2642.  
2643. @find_task[pid, comm, arg0] = count();
2644.  
2645. }
2646.  
2647.  
2648.  
2649. kretprobe:find_task_by_vpid /retval == 0/ {
2650.  
2651. \$vpid = arg0;
2652.  
2653. // Non-zero PID should return a valid task
2654.  
2655. if (\$vpid > 0 && \$vpid < 4000000) {
2656.  
2657. printf(\"PID: %-6d COMM: %-15.15s | Process %d not found (potential hidden
2658. process)\\n\",
2659.  
2660. pid, comm, \$vpid);
2661.  
2662. }
2663.  
2664. }
2665.  
2666.  
2667.  
2668. // Monitor process creation/exit to track active PIDs
2669.  
2670. tracepoint:sched:sched_process_fork {
2671.  
2672. @pids[args->child_pid] = nsecs;
2673.  
2674. printf(\"PID: %-6d COMM: %-15.15s | PROCESS CREATED: %d\\n\",
2675.  
2676. pid, comm, args->child_pid);
2677.  
2678. }
2679.  
2680.  
2681.  
2682. tracepoint:sched:sched_process_exit {
2683.  
2684. @exit_pids[pid] = nsecs;
2685.  
2686. delete(@pids[pid]);
2687.  
2688. printf(\"PID: %-6d COMM: %-15.15s | PROCESS EXIT\\n\", pid, comm);
2689.  
2690. }
2691.  
2692.  
2693.  
2694. // Monitor tasks that manipulate the pidns number
2695.  
2696. kprobe:copy_process {
2697.  
2698. @new_task[pid, comm] = count();
2699.  
2700. }
2701.  
2702.  
2703.  
2704. tracepoint:syscalls:sys_enter_clone /args->clone_flags & 0x20000000/ { //
2705. CLONE_NEWPID
2706.  
2707. printf(\"PID: %-6d COMM: %-15.15s | Creating new PID namespace\\n\",
2708.  
2709. pid, comm);
2710.  
2711. }
2712.  
2713.  
2714.  
2715. interval:s:5 {
2716.  
2717. printf(\"\\n--- Process Hiding Detection Summary (5s) ---\\n\");
2718.  
2719.  
2720.  
2721. printf(\"\\n/proc Directory Reads:\\n\");
2722.  
2723. print(@proc_readdir);
2724.  
2725.  
2726.  
2727. printf(\"\\nDirectory Entry Reads:\\n\");
2728.  
2729. print(@getdents);
2730.  
2731.  
2732.  
2733. printf(\"\\nProcess Lookups (find_task_by_vpid):\\n\");
2734.  
2735. print(@find_task);
2736.  
2737.  
2738.  
2739. clear(@proc_readdir);
2740.  
2741. clear(@getdents);
2742.  
2743. clear(@find_task);
2744.  
2745. }
2746.  
2747. " 2>/dev/null
2748.  
2749.  
2750.  
2751. echo -e "${GREEN}[+] Hidden process detection completed${NC}"
2752.  
2753. }
2754.  
2755. # Option 19: Track unauthorized file access attempts
2756.  
2757. track_unauthorized_access() {
2758.  
2759. echo -e "${BLUE}[*] Track unauthorized file access attempts${NC}"
2760.  
2761. read -p "Enter duration in seconds (default: 30): " duration
2762.  
2763. duration=${duration:-30}
2764.  
2765.  
2766.  
2767. echo -e "${GREEN}[+] Monitoring for unauthorized file access attempts for
2768. $duration seconds...${NC}"
2769.  
2770.  
2771.  
2772. timeout $duration bpftrace -e "
2773.  
2774. // Monitor permission denied errors
2775.  
2776. tracepoint:syscalls:sys_exit_open,
2777.  
2778. tracepoint:syscalls:sys_exit_openat /args->ret == -13/ { // -EACCES
2779.  
2780. @access_denied[pid, comm] = count();
2781.  
2782. }
2783.  
2784.  
2785.  
2786. // Track specific patterns of file access
2787.  
2788. kprobe:security_file_permission {
2789.  
2790. \$file = (struct file *)arg0;
2791.  
2792. if (\$file != 0) {
2793.  
2794. \$path = \$file->f_path.dentry->d_name.name;
2795.  
2796. if (\$path != 0) {
2797.  
2798. \$name = str(\$path);
2799.  
2800. \$mask = arg1;
2801.  
2802.  
2803.  
2804. // MAY_READ = 0x4, MAY_WRITE = 0x2, MAY_EXEC = 0x1
2805.  
2806. if ((\$mask & 0x2) &&
2807.  
2808. (\$name != 0)) {
2809.  
2810. @file_write_check[pid, comm, \$name] = count();
2811.  
2812. }
2813.  
2814. }
2815.  
2816. }
2817.  
2818. }
2819.  
2820.  
2821.  
2822. kretprobe:security_file_permission /retval != 0/ {
2823.  
2824. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | Permission denied for file
2825. operation\\n\",
2826.  
2827. pid, comm, uid);
2828.  
2829. }
2830.  
2831.  
2832.  
2833. // Monitor access control checks
2834.  
2835. kprobe:security_path_truncate,
2836.  
2837. kprobe:security_path_mkdir,
2838.  
2839. kprobe:security_path_rmdir,
2840.  
2841. kprobe:security_path_symlink,
2842.  
2843. kprobe:security_path_link,
2844.  
2845. kprobe:security_path_rename,
2846.  
2847. kprobe:security_path_chmod,
2848.  
2849. kprobe:security_path_chown {
2850.  
2851. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | Security check: %s\\n\",
2852.  
2853. pid, comm, uid, probe);
2854.  
2855. }
2856.  
2857.  
2858.  
2859. kretprobe:security_path_truncate,
2860.  
2861. kretprobe:security_path_mkdir,
2862.  
2863. kretprobe:security_path_rmdir,
2864.  
2865. kretprobe:security_path_symlink,
2866.  
2867. kretprobe:security_path_link,
2868.  
2869. kretprobe:security_path_rename,
2870.  
2871. kretprobe:security_path_chmod,
2872.  
2873. kretprobe:security_path_chown /retval != 0/ {
2874.  
2875. printf(\" Result: DENIED (potential unauthorized access)\\n\");
2876.  
2877. @security_denied[pid, comm, probe] = count();
2878.  
2879. }
2880.  
2881.  
2882.  
2883. // Monitor dac_override capability use (bypassing permissions)
2884.  
2885. kprobe:cap_capable /arg1 == 1/ { // CAP_DAC_OVERRIDE
2886.  
2887. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | DAC_OVERRIDE capability
2888. check\\n\",
2889.  
2890. pid, comm, uid);
2891.  
2892.  
2893.  
2894. if (uid != 0) {
2895.  
2896. printf(\" [ALERT] Non-root process checking for permission bypass
2897. capability!\\n\");
2898.  
2899. }
2900.  
2901. }
2902.  
2903.  
2904.  
2905. // Monitor suspicious chmod operations
2906.  
2907. tracepoint:syscalls:sys_enter_chmod,
2908.  
2909. tracepoint:syscalls:sys_enter_fchmod,
2910.  
2911. tracepoint:syscalls:sys_enter_fchmodat {
2912.  
2913. \$mode = args->mode;
2914.  
2915.  
2916.  
2917. // Check if setting root setuid/setgid bits or wide permissions
2918.  
2919. if ((\$mode & 0x800) || (\$mode & 0x400) || (\$mode & 0x777) == 0x777) {
2920.  
2921. \$filename = args->filename ? str(args->filename) : \"(unknown)\";
2922.  
2923.  
2924.  
2925. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | Suspicious chmod: %s
2926. mode=0%o\\n\",
2927.  
2928. pid, comm, uid, \$filename, \$mode);
2929.  
2930.  
2931.  
2932. if (\$mode & 0x800) {
2933.  
2934. printf(\" [ALERT] Setting setuid bit on file!\\n\");
2935.  
2936. }
2937.  
2938. if (\$mode & 0x400) {
2939.  
2940. printf(\" [ALERT] Setting setgid bit on file!\\n\");
2941.  
2942. }
2943.  
2944. if ((\$mode & 0x777) == 0x777) {
2945.  
2946. printf(\" [ALERT] Setting wide open permissions (777)!\\n\");
2947.  
2948. }
2949.  
2950. }
2951.  
2952. }
2953.  
2954.  
2955.  
2956. interval:s:5 {
2957.  
2958. printf(\"\\n--- File Access Control Violations Summary (5s) ---\\n\");
2959.  
2960.  
2961.  
2962. printf(\"\\nPermission Denied Events:\\n\");
2963.  
2964. print(@access_denied);
2965.  
2966.  
2967.  
2968. printf(\"\\nSecurity Subsystem Denials:\\n\");
2969.  
2970. print(@security_denied);
2971.  
2972.  
2973.  
2974. printf(\"\\nFile Write Security Checks:\\n\");
2975.  
2976. print(@file_write_check);
2977.  
2978.  
2979.  
2980. clear(@access_denied);
2981.  
2982. clear(@security_denied);
2983.  
2984. clear(@file_write_check);
2985.  
2986. }
2987.  
2988. " 2>/dev/null
2989.  
2990.  
2991.  
2992. echo -e "${GREEN}[+] Unauthorized access monitoring completed${NC}"
2993.  
2994. }
2995.  
2996. # Option 20: Monitor syscall argument tampering
2997.  
2998. monitor_syscall_tampering() {
2999.  
3000. echo -e "${BLUE}[*] Monitor syscall argument tampering${NC}"
3001.  
3002. read -p "Enter target process name or PID (leave empty for all): " target
3003.  
3004. read -p "Enter duration in seconds (default: 30): " duration
3005.  
3006. duration=${duration:-30}
3007.  
3008.  
3009.  
3010. if [[ "$target" =~ ^[0-9]+$ ]]; then
3011.  
3012. filter="/pid == $target/"
3013.  
3014. target_desc="PID $target"
3015.  
3016. elif [ -n "$target" ]; then
3017.  
3018. filter="/comm == \"$target\"/"
3019.  
3020. target_desc="process $target"
3021.  
3022. else
3023.  
3024. filter=""
3025.  
3026. target_desc="all processes"
3027.  
3028. fi
3029.  
3030.  
3031.  
3032. echo -e "${GREEN}[+] Monitoring syscall arguments for $target_desc for $duration
3033. seconds...${NC}"
3034.  
3035.  
3036.  
3037. timeout $duration bpftrace -e "
3038.  
3039. // Monitor key syscalls with security implications
3040.  
3041. // execve with argument checks
3042.  
3043. tracepoint:syscalls:sys_enter_execve $filter {
3044.  
3045. \$filename = str(args->filename);
3046.  
3047. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | EXECVE: %s\\n\",
3048.  
3049. pid, comm, uid, \$filename);
3050.  
3051.  
3052.  
3053. \$i = 0;
3054.  
3055. \$argp = args->argv;
3056.  
3057. \$arg = user_string(\$argp);
3058.  
3059. printf(\" ARGS: \");
3060.  
3061. while (\$arg != 0 && \$i < 10) {
3062.  
3063. printf(\"%s \", \$arg);
3064.  
3065. \$argp++;
3066.  
3067. \$arg = user_string(\$argp);
3068.  
3069. \$i++;
3070.  
3071. }
3072.  
3073. if (\$i >= 10) {
3074.  
3075. printf(\"...\");
3076.  
3077. }
3078.  
3079. printf(\"\\n\");
3080.  
3081. }
3082.  
3083.  
3084.  
3085. // connect with address validation
3086.  
3087. tracepoint:syscalls:sys_enter_connect $filter {
3088.  
3089. \$sa = (struct sockaddr *)args->uservaddr;
3090.  
3091. if (\$sa->sa_family == 2) { // AF_INET
3092.  
3093. \$in = (struct sockaddr_in *)\$sa;
3094.  
3095. \$addr = ntop(2, \$in->sin_addr.s_addr);
3096.  
3097. \$port = (\$in->sin_port >> 8) | ((\$in->sin_port << 8) & 0xff00);
3098.  
3099. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | CONNECT: %s:%d\\n\",
3100.  
3101. pid, comm, uid, \$addr, \$port);
3102.  
3103.  
3104.  
3105. // Check for connections to common C2 ports or suspicious IPs
3106.  
3107. if (\$port == 4444 || \$port == 8080 || \$port == 8443 ||
3108.  
3109. \$port == 1337 || \$port == 31337) {
3110.  
3111. printf(\" [ALERT] Connection to suspicious port %d detected!\\n\", \$port);
3112.  
3113. }
3114.  
3115. }
3116.  
3117. }
3118.  
3119.  
3120.  
3121. // open with path normalization check (detect path traversal)
3122.  
3123. tracepoint:syscalls:sys_enter_open,
3124.  
3125. tracepoint:syscalls:sys_enter_openat $filter {
3126.  
3127. \$filename = str(args->filename);
3128.  
3129. if (\$filename != 0) {
3130.  
3131. if (strstr(\$filename, \"../\") != 0 || strstr(\$filename, \"./\") != 0) {
3132.  
3133. printf(\"PID: %-6d COMM: %-15.15s UID: %-6d | PATH TRAVERSAL: %s\\n\",
3134.  
3135. pid, comm, uid, \$filename);
3136.  
3137. printf(\" [ALERT] Potential path traversal attempt detected!\\n\");
3138.  
3139. }
3140.  
3141. }
3142.  
3143. }
3144.  
3145.  
3146.  
3147. // prctl with specific codes (often used to hide processes)
3148.  
3149. tracepoint:syscalls:sys_enter_prctl $filter {
3150.  
3151. printf(\"PID: %-6d COMM: %-15.15s | PRCTL: option=%d arg2=0x%lx\\n\",
3152.  
3153. pid, comm, args->option, args->arg2);
3154.  
3155.  
3156.  
3157. if (args->option == 15) { // PR_SET_NAME
3158.  
3159. printf(\" Process renaming itself\\n\");
3160.  
3161. }
3162.  
3163. if (args->option == 31) { // PR_SET_SECCOMP
3164.  
3165. printf(\" [ALERT] Process enabling seccomp filtering!\\n\");
3166.  
3167. }
3168.  
3169. }
3170.  
3171.  
3172.  
3173. // ioctl with specific device checks
3174.  
3175. tracepoint:syscalls:sys_enter_ioctl $filter {
3176.  
3177. printf(\"PID: %-6d COMM: %-15.15s | IOCTL: fd=%d cmd=0x%x arg=0x%lx\\n\",
3178.  
3179. pid, comm, args->fd, args->cmd, args->arg);
3180.  
3181.  
3182.  
3183. if (args->cmd == 0x5401) { // TCGETS - terminal check (often for tty detection)
3184.  
3185. printf(\" Terminal device check\\n\");
3186.  
3187. }
3188.  
3189. }
3190.  
3191.  
3192.  
3193. // mmap suspicious flags
3194.  
3195. tracepoint:syscalls:sys_enter_mmap $filter {
3196.  
3197. if ((args->flags & 0x20) && (args->prot & 0x4)) { // MAP_ANONYMOUS | PROT_EXEC
3198.  
3199. printf(\"PID: %-6d COMM: %-15.15s | MMAP: Anonymous executable memory!\\n\",
3200.  
3201. pid, comm);
3202.  
3203. printf(\" [ALERT] Potential shellcode loading detected!\\n\");
3204.  
3205. }
3206.  
3207. }
3208.  
3209.  
3210.  
3211. // sendto with data inspection
3212.  
3213. tracepoint:syscalls:sys_enter_sendto $filter {
3214.  
3215. @sendto_count[pid, comm] = count();
3216.  
3217. @sendto_bytes[pid, comm] = sum(args->len);
3218.  
3219. }
3220.  
3221.  
3222.  
3223. // recvfrom with data inspection
3224.  
3225. tracepoint:syscalls:sys_enter_recvfrom $filter {
3226.  
3227. @recvfrom_count[pid, comm] = count();
3228.  
3229. @recvfrom_bytes[pid, comm] = sum(args->len);
3230.  
3231. }
3232.  
3233.  
3234.  
3235. // dup2/dup3 (often used for stdin/stdout/stderr redirection)
3236.  
3237. tracepoint:syscalls:sys_enter_dup2,
3238.  
3239. tracepoint:syscalls:sys_enter_dup3 $filter {
3240.  
3241. printf(\"PID: %-6d COMM: %-15.15s | %s: oldfd=%d newfd=%d\\n\",
3242.  
3243. pid, comm, probe, args->oldfd, args->newfd);
3244.  
3245.  
3246.  
3247. if (args->newfd < 3) { // stdout, stdin, stderr
3248.  
3249. printf(\" [NOTE] Process redirecting standard file descriptors\\n\");
3250.  
3251.  
3252.  
3253. if (comm != \"bash\" && comm != \"sh\" && comm != \"zsh\" &&
3254.  
3255. comm != \"sshd\" && comm != \"sudo\") {
3256.  
3257. printf(\" [ALERT] Suspicious standard I/O redirection!\\n\");
3258.  
3259. }
3260.  
3261. }
3262.  
3263. }
3264.  
3265.  
3266.  
3267. // setuid/setgid checks
3268.  
3269. tracepoint:syscalls:sys_enter_setuid,
3270.  
3271. tracepoint:syscalls:sys_enter_setgid $filter {
3272.  
3273. printf(\"PID: %-6d COMM: %-15.15s | %s: uid/gid=%d\\n\",
3274.  
3275. pid, comm, probe, args->uid);
3276.  
3277.  
3278.  
3279. if (uid != 0 && args->uid == 0) {
3280.  
3281. printf(\" [ALERT] Process attempting to gain root privileges!\\n\");
3282.  
3283. }
3284.  
3285. }
3286.  
3287.  
3288.  
3289. interval:s:5 {
3290.  
3291. printf(\"\\n--- Network Communication Summary (5s) ---\\n\");
3292.  
3293.  
3294.  
3295. printf(\"\\nSend Operations (count):\\n\");
3296.  
3297. print(@sendto_count);
3298.  
3299.  
3300.  
3301. printf(\"\\nSend Operations (bytes):\\n\");
3302.  
3303. print(@sendto_bytes);
3304.  
3305.  
3306.  
3307. printf(\"\\nReceive Operations (count):\\n\");
3308.  
3309. print(@recvfrom_count);
3310.  
3311.  
3312.  
3313. printf(\"\\nReceive Operations (bytes):\\n\");
3314.  
3315. print(@recvfrom_bytes);
3316.  
3317.  
3318.  
3319. clear(@sendto_count);
3320.  
3321. clear(@sendto_bytes);
3322.  
3323. clear(@recvfrom_count);
3324.  
3325. clear(@recvfrom_bytes);
3326.  
3327. }
3328.  
3329. " 2>/dev/null
3330.  
3331.  
3332.  
3333. echo -e "${GREEN}[+] Syscall argument monitoring completed${NC}"
3334.  
3335. }
3336.  
3337. # Main menu
3338.  
3339. show_menu() {
3340.  
3341. echo -e
3342. "\n${PURPLE}=====================================================================\n"
3343.  
3344. echo -e " Linux Malware Analysis Toolkit #1 "
3345.  
3346. echo -e " eBPF-Based Process Behavior Analyzer "
3347.  
3348. echo -e
3349. "\n=====================================================================${NC}\n"
3350.  
3351. echo -e "${BLUE}Select an option:${NC}"
3352.  
3353. echo -e " ${GREEN}1.${NC} Trace system calls by specific process"
3354.  
3355. echo -e " ${GREEN}2.${NC} Monitor file access activities"
3356.  
3357. echo -e " ${GREEN}3.${NC} Track network connections"
3358.  
3359. echo -e " ${GREEN}4.${NC} Detect process execution chains"
3360.  
3361. echo -e " ${GREEN}5.${NC} Analyze memory mapping operations"
3362.  
3363. echo -e " ${GREEN}6.${NC} Trace process capabilities changes"
3364.  
3365. echo -e " ${GREEN}7.${NC} Monitor namespace transitions"
3366.  
3367. echo -e " ${GREEN}8.${NC} Detect unexpected syscall patterns"
3368.  
3369. echo -e " ${GREEN}9.${NC} Track process privilege escalation"
3370.  
3371. echo -e " ${GREEN}10.${NC} Monitor inter-process communications"
3372.  
3373. echo -e " ${GREEN}11.${NC} Log process credential changes"
3374.  
3375. echo -e " ${GREEN}12.${NC} Profile process resource usage"
3376.  
3377. echo -e " ${GREEN}13.${NC} Detect process injection attempts"
3378.  
3379. echo -e " ${GREEN}14.${NC} Monitor filesystem operations"
3380.  
3381. echo -e " ${GREEN}15.${NC} Track container escape attempts"
3382.  
3383. echo -e " ${GREEN}16.${NC} Analyze loaded kernel modules"
3384.  
3385. echo -e " ${GREEN}17.${NC} Monitor bpf() syscall usage"
3386.  
3387. echo -e " ${GREEN}18.${NC} Detect hidden process techniques"
3388.  
3389. echo -e " ${GREEN}19.${NC} Track unauthorized file access attempts"
3390.  
3391. echo -e " ${GREEN}20.${NC} Monitor syscall argument tampering"
3392.  
3393. echo -e " ${RED}0.${NC} Exit"
3394.  
3395.  
3396.  
3397. echo -e "\n"
3398.  
3399. }
3400.  
3401. main() {
3402.  
3403. check_requirements
3404.  
3405.  
3406.  
3407. while true; do
3408.  
3409. show_menu
3410.  
3411. read -p "Enter your choice [0-20]: " choice
3412.  
3413.  
3414.  
3415. case $choice in
3416.  
3417. 1) trace_syscalls ;;
3418.  
3419. 2) monitor_file_access ;;
3420.  
3421. 3) track_network_connections ;;
3422.  
3423. 4) detect_process_chains ;;
3424.  
3425. 5) analyze_memory_mappings ;;
3426.  
3427. 6) trace_capabilities ;;
3428.  
3429. 7) monitor_namespaces ;;
3430.  
3431. 8) detect_syscall_patterns ;;
3432.  
3433. 9) track_privilege_escalation ;;
3434.  
3435. 10) monitor_ipc ;;
3436.  
3437. 11) log_credential_changes ;;
3438.  
3439. 12) profile_resource_usage ;;
3440.  
3441. 13) detect_process_injection ;;
3442.  
3443. 14) monitor_filesystem ;;
3444.  
3445. 15) track_container_escapes ;;
3446.  
3447. 16) analyze_kernel_modules ;;
3448.  
3449. 17) monitor_bpf ;;
3450.  
3451. 18) detect_hidden_processes ;;
3452.  
3453. 19) track_unauthorized_access ;;
3454.  
3455. 20) monitor_syscall_tampering ;;
3456.  
3457. 0)
3458.  
3459. echo -e "${GREEN}[+] Exiting. Goodbye!${NC}"
3460.  
3461. cleanup
3462.  
3463. exit 0
3464.  
3465. ;;
3466.  
3467. *)
3468.  
3469. echo -e "${RED}[!] Invalid option. Please try again.${NC}"
3470.  
3471. ;;
3472.  
3473. esac
3474.  
3475.  
3476.  
3477. echo -e "\n${BLUE}Press Enter to continue...${NC}"
3478.  
3479. read
3480.  
3481. done
3482.  
3483. }
3484.  
3485. # Run the main function
3486.  
3487. main
3488.  
3489.