@thinkycx
Created February 23, 2023 15:22
Use this script to install the LKM and the driver and get the LKM output on your Linux box.
# date: 2023-02-23
# author: thinkycx
# usage:
# use this script to install lkm and driver
# get the lkm output on your linux
# download link:
# https://github.com/bytedance/Elkeid/releases/tag/v1.7.0.10-driver-ko-20230221_1
export WORKDIR=/root/Elkeid/
# target1: install the kernel module
# Preparation: install the kernel headers
yum install kernel-devel
ls -al /usr/src/kernels/
# Build and install
cd "$WORKDIR/driver/LKM"
# Enable sandbox mode (known issue: with sandbox mode enabled, the output log reports errors).
# The first sed disables SANDBOX, the second re-enables it; run only the one you need
# (running both in sequence leaves SANDBOX 1, i.e. enabled).
sed -i 's/SANDBOX 1/SANDBOX 0/' src/smith_hook.c
sed -i 's/SANDBOX 0/SANDBOX 1/' src/smith_hook.c
grep SANDBOX src/smith_hook.c   # confirm the current setting
# Patch the version string in init.c by hand
sed -i 's/1\.7\.0\.10/1\.7\.0\.6/' src/init.c
grep 1.7.0.6 src/init.c
make clean && make
# Unload any previous instance, then load the new module. Use ';' rather than '&':
# '&' would background rmmod and race it against insmod.
rmmod hids_driver 2>/dev/null; insmod hids_driver.ko
dmesg | tail -n 20
cat /sys/module/hids_driver/version   # show the loaded kernel module version
# test/rst -q   # test parsing the kernel data directly
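A pre-flight check for the target1 steps above, added here as an example and not part of the original gist: it confirms that hids_driver is actually loaded (from /proc/modules) and that the version exposed in /sys/module/hids_driver/version is the one the user-space driver expects (1.7.0.6 after the init.c patch above), so a version mismatch is caught before the driver plugin is started rather than surfacing as the plugin fetching a different module. The function names and the constructed sample files are assumptions for demonstration; the default paths are the real /proc and /sys locations.

```sh
#!/bin/sh
# Added example, not from the original gist: verify that the Elkeid hids_driver LKM is
# loaded and exposes the version the user-space driver expects, before starting the driver.
# File paths are parameters (defaulting to the real /proc and /sys locations) so the same
# functions can be exercised against constructed sample files offline.

# lkm_loaded NAME [MODULES_FILE]: returns 0 if NAME appears as a loaded module.
lkm_loaded() {
    modname="$1"
    modules_file="${2:-/proc/modules}"
    # /proc/modules format: "<name> <size> <refcount> <deps> <state> <address>"
    awk -v m="$modname" '$1 == m { found = 1 } END { exit !found }' "$modules_file"
}

# lkm_version_matches EXPECTED [VERSION_FILE]: 0 if the sysfs version equals EXPECTED,
# 1 on mismatch, 2 if the version file is missing (module not loaded or no version attribute).
lkm_version_matches() {
    expected="$1"
    version_file="${2:-/sys/module/hids_driver/version}"
    [ -r "$version_file" ] || return 2
    actual=$(tr -d '[:space:]' < "$version_file")
    [ "$actual" = "$expected" ]
}

# check_hids_driver EXPECTED [MODULES_FILE] [VERSION_FILE]: combined pre-flight check.
# Returns 0 when the module is loaded at the expected version, 1 otherwise.
check_hids_driver() {
    expected="$1"
    modules_file="${2:-/proc/modules}"
    version_file="${3:-/sys/module/hids_driver/version}"
    if ! lkm_loaded hids_driver "$modules_file"; then
        echo "hids_driver is not loaded: run insmod and inspect dmesg" >&2
        return 1
    fi
    if ! lkm_version_matches "$expected" "$version_file"; then
        echo "hids_driver version '$(cat "$version_file" 2>/dev/null)' does not match expected '$expected'" >&2
        return 1
    fi
    echo "hids_driver $expected is loaded"
}

# Stand-alone demo against constructed sample files (not real system state).
demo_dir=$(mktemp -d)
printf 'hids_driver 204800 0 - Live 0xffffffffc0000000\nxfs 1500000 2 - Live 0xffffffffc0100000\n' \
    > "$demo_dir/modules"                    # constructed /proc/modules excerpt
printf '1.7.0.6\n' > "$demo_dir/version"     # constructed sysfs version attribute
check_hids_driver 1.7.0.6 "$demo_dir/modules" "$demo_dir/version"    # loaded at the expected version
check_hids_driver 1.7.0.10 "$demo_dir/modules" "$demo_dir/version"   # reports the mismatch
rm -rf "$demo_dir"
```

On a real host, call `check_hids_driver 1.7.0.6` with no path arguments after the insmod step and before launching the driver plugin; a non-zero exit is the signal to go back to dmesg rather than debug the plugin.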
# target2: install the parsing driver in debug mode
# Reference: https://elkeid.bytedance.com/Chinese/elkeid/driver.html
# 1. Preparation: install Rust and its dependencies (including musl-gcc)
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source "$HOME/.cargo/env"
rustup target add x86_64-unknown-linux-musl
rustup target add aarch64-unknown-linux-musl
# 2. Build the driver
cd $WORKDIR/plugins/driver
rm -rf target
# Replace the version string in the driver (otherwise the driver downloads a new plugin);
# the documented BUILD_VERSION=1.7.0.10 bash build.sh has no effect
# Changing the version (not recommended):
#sed -i 's/1\.7\.0\.6/1\.7\.0\.10/g' src/config.rs && grep 1.7.0.10 src/config.rs
#sed -i 's/1\.7\.0\.10/1\.7\.0\.6/g' src/config.rs && grep 1.7.0.6 src/config.rs
# Build; see the build script build.sh for reference
export RUSTFLAGS='-C link-arg=-s'
cargo build --features debug --target x86_64-unknown-linux-musl
# Output binary: ./target/x86_64-unknown-linux-musl/debug/driver
@thinkycx (Author) commented:
The parsing code for the Elkeid LKM sandbox mode has not been pushed, so sandbox mode cannot be parsed: bytedance/Elkeid#449
