make all error~

[0x7e-1sq]

Hey, I have this error when I make all, how can I solve it, my environment is kali Thank you

libbpf: elf: skipping unrecognized data section(17) .rodata.str1.1
CC .output/kit.o
user/kit.c:29:10: fatal error: include/utils/files/path.h: No such file or directory
29 | #include "include/utils/files/path.h"
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
make: *** [Makefile:97: .output/kit.o] Error 1
rm .output/kit.bpf.o

[h3xduck]

Hey, that's my fault, my build had some extra files with other stuff we removed from the repo in the final release.

I'll push a fix in some hours, for now remove the following includes from src/user/kit.c

#include "include/utils/files/path.h"
#include "include/utils/strings/regex.h"
#include "include/utils/structures/fdlist.h"

That should make the trick for the compilation, but since you mentioned to be using Kali, note that this rootkit has been developed and tested in Ubuntu 21.04, so I cannot guarantee all rootkit modules to work (in particular, the library injection one).

You can check the Ubuntu and kernel versions we tested in section 1.2 of the thesis document, I'll write it on the README too.

[0x7e-1sq]

Hello, I tried to compile on ubuntu21.04 today, but the problem still occurs, please help me, thanks.

[h3xduck]

It should be working now (and also before with the modification I suggested). Are you getting a different build error?

[0x7e-1sq]

At present, I still fail to compile. I have tried other systems, and the problem is still the same. Did you encounter it when compiling?

It may be that one of my dependencies has not been downloaded. Please help me to see if it is a dependency problem~ thnks！

[h3xduck]

It looks like you are still on the previous version. Could you pull the latest changes or remove your build and clone the project again? I just tried it from a clean clone and it works for me.

[0x7e-1sq]

Thanks, the compilation passed, but executed under /src/bin
sudo tc filter add dev enp0s3 egress bpf direct - action obj bin/tc.o sec classifier/egress
will prompt:
what mode is "-"?
unable to parse bpf command line
Are bpf and bpftool the same tool?

[yasindce1998]

Currently I am having this error

➜  src git:(master) make all
  MKDIR    .output
  MKDIR    .output/libbpf
  LIB      libbpf.a
  MKDIR    /home/u1tron/TripleCross/src/.output//libbpf/staticobjs
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/bpf.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/btf.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/libbpf.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/libbpf_errno.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/netlink.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/nlattr.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/str_error.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/libbpf_probes.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/bpf_prog_linfo.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/xsk.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/btf_dump.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/hashmap.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/ringbuf.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/strset.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/linker.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/gen_loader.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/relo_core.o
  AR       /home/u1tron/TripleCross/src/.output//libbpf/libbpf.a
  INSTALL  bpf.h libbpf.h btf.h libbpf_common.h libbpf_legacy.h xsk.h bpf_helpers.h bpf_helper_defs.h bpf_tracing.h bpf_endian.h bpf_core_read.h skel_internal.h libbpf_version.h
  INSTALL  /home/u1tron/TripleCross/src/.output//libbpf/libbpf.pc
  INSTALL  /home/u1tron/TripleCross/src/.output//libbpf/libbpf.a 
  BPF      .output/kit.bpf.o
  GEN-SKEL .output/kit.skel.h
libbpf: elf: skipping unrecognized data section(17) .rodata.str1.1
  CC       .output/kit.o
  CC       /home/u1tron/TripleCross/src/user/include/modules/module_manager.o
  BINARY   kit
clang -O2 -emit-llvm -g -c /home/u1tron/TripleCross/src/ebpf/include/bpf/tc.c -o - | \
llc -march=bpf -mcpu=probe -filetype=obj -o bin/tc.o
error: <unknown>:0:0: in function classifier_egress i32 (%struct.__sk_buff*): A call to built-in function '__stack_chk_fail' is not supported.

make: *** [Makefile:107: tckit] Error 1
rm .output/kit.bpf.o

Any help would be truly appreciated?
@0x7e-1sq How did the compilation passed if I may know?

[0x7e-1sq]

apt install build-essential libncurses5-dev make g++ gcc zlib zlib-dev libelf libelf-dev libclang-dev clang-11 lldb-11 lld-11 libc++-11-dev libc++abi-11-dev libc6-dev-i386 llvm openssl libssl-dev libbpf-dev

This is the dependency package I used when compiling, you can take a look

@yasindce1998

[h3xduck]

@yasindce1998 I am moving your issue to a separate thread (#41 ), since it is an unrelated problem

[h3xduck]

Apologies for the issue, there was an extra space in the command. I just updated the README with the correct tc command (tc should be available by default in your system).

For the record, the tc command is:

sudo tc filter add dev <NETWORK_INTERFACE> egress bpf direct-action obj <TC_PROGRAM> sec classifier/egress

@0x7e-1sq

[0x7e-1sq]

I am very happy. According to your prompt, I have completed the compilation and run it, but I did not understand the instructions in your document. Do I want to upload a file to the test server? Then do nc listening on my rookit server?

@h3xduck

[h3xduck]

I'm assuming you want to test the backdoor here:

1. You install the rootkit in the target machine. The backdoor starts automatically.
2. From the rootkit client you can connect to the backdoor by specifying its address.

I am closing the issue since the original problem it has been solved.