thinkycx · February 23, 2023 15:22 · thinkycx · Feb 24, 2023
diff --git a/install-elkeid-lkm-driver-20230223.sh b/install-elkeid-lkm-driver-20230223.sh
 # date: 2023-02-23
 # author: thinkycx
 # usage: 
 #       use this script to install lkm and driver 
 #       get the lkm output on your linux 

 # download link:
 #       https://github.com/bytedance/Elkeid/releases/tag/v1.7.0.10-driver-ko-20230221_1

 export WORKDIR=/root/Elkeid/


 # target1 安装内核模块
 # 准备工作，安装头文件
 yum install kernel-devel
 ls -al /usr/src/kernels/
 # 编译安装
 cd $WORKDIR/driver/LKM

 # 开启sandbox模式（当前问题，开启sandbox模式后，输出日志报错）
 sed -i 's/SANDBOX 1/SANDBOX 0/' src/smith_hook.c
 sed -i 's/SANDBOX 0/SANDBOX 1/' src/smith_hook.c
 cat src/smith_hook.c |grep SANDBOX

 # 手动修改 init.c
 sed -i 's/1.7.0.10/1.7.0.6/' src/init.c
 cat src/init.c |grep 1.7.0.6

 make clean && make
 rmmod hids_driver.ko & insmod hids_driver.ko
 dmesg | tail -n 20

 cat /sys/module/hids_driver/version  # 查看内核模块板本
 #     test/rst -q # 测试直接解析内核数据   


 # target2 安装debug模式的解析driver
 # 参考： https://elkeid.bytedance.com/Chinese/elkeid/driver.html

 # 1. 准备工作 安装 rust和依赖（包括musl-gcc）
 curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
 source "$HOME/.cargo/env"

 rustup target add x86_64-unknown-linux-musl
 rustup target add aarch64-unknown-linux-musl


 # 2. 开始编译driver
 cd $WORKDIR/plugins/driver

 rm -rf target
 # 替换 driver中的 版本信息（否则会导致driver下载新的插件），文档中的 BUILD_VERSION=1.7.0.10 bash build.sh 没用

 # 更换版本，不推荐：
 #sed -i 's/1.7.0.6/1.7.0.10/g' src/config.rs | cat src/config.rs |grep 1.7.0.10
 #sed -i 's/1.7.0.10/1.7.0.6/g' src/config.rs | cat src/config.rs |grep 1.7.0.6

 # build 参考编译脚本 build.sh
 export RUSTFLAGS='-C link-arg=-s'
 cargo build --features debug --target x86_64-unknown-linux-musl

 # 生成的文件：./target/x86_64-unknown-linux-musl/debug/driver
	# date: 2023-02-23
	# author: thinkycx
	# usage:
	# use this script to install lkm and driver
	# get the lkm output on your linux

	# download link:
	# https://github.com/bytedance/Elkeid/releases/tag/v1.7.0.10-driver-ko-20230221_1

	export WORKDIR=/root/Elkeid/


	# target1 安装内核模块
	# 准备工作，安装头文件
	yum install kernel-devel
	ls -al /usr/src/kernels/
	# 编译安装
	cd $WORKDIR/driver/LKM

	# 开启sandbox模式（当前问题，开启sandbox模式后，输出日志报错）
	sed -i 's/SANDBOX 1/SANDBOX 0/' src/smith_hook.c
	sed -i 's/SANDBOX 0/SANDBOX 1/' src/smith_hook.c
	cat src/smith_hook.c \|grep SANDBOX

	# 手动修改 init.c
	sed -i 's/1.7.0.10/1.7.0.6/' src/init.c
	cat src/init.c \|grep 1.7.0.6

	make clean && make
	rmmod hids_driver.ko & insmod hids_driver.ko
	dmesg \| tail -n 20

	cat /sys/module/hids_driver/version # 查看内核模块板本
	# test/rst -q # 测试直接解析内核数据


	# target2 安装debug模式的解析driver
	# 参考： https://elkeid.bytedance.com/Chinese/elkeid/driver.html

	# 1. 准备工作安装 rust和依赖（包括musl-gcc）
	curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \| sh
	source "$HOME/.cargo/env"

	rustup target add x86_64-unknown-linux-musl
	rustup target add aarch64-unknown-linux-musl


	# 2. 开始编译driver
	cd $WORKDIR/plugins/driver

	rm -rf target
	# 替换 driver中的版本信息（否则会导致driver下载新的插件），文档中的 BUILD_VERSION=1.7.0.10 bash build.sh 没用

	# 更换版本，不推荐：
	#sed -i 's/1.7.0.6/1.7.0.10/g' src/config.rs \| cat src/config.rs \|grep 1.7.0.10
	#sed -i 's/1.7.0.10/1.7.0.6/g' src/config.rs \| cat src/config.rs \|grep 1.7.0.6

	# build 参考编译脚本 build.sh
	export RUSTFLAGS='-C link-arg=-s'
	cargo build --features debug --target x86_64-unknown-linux-musl

	# 生成的文件：./target/x86_64-unknown-linux-musl/debug/driver