[BUG] incorrect stdout/stdin name #46
Comments
dark-lbp
added a commit
to dark-lbp/Hades
that referenced
this issue
Jul 13, 2022
chriskaliX
pushed a commit
that referenced
this issue
Jul 14, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
fd name by d_dname(just like kernel function does). For now, anonymous pipe is an empty string in
Hadeswhile it'spipe[xxxx]in Elkeid. This is very important when we deal with some reverse shell things. We should look into how d_name works in kernel.But for now, we can still detect the socket...
Screenshots
In Hades:
{"timestamp":46709062078800,"cgroupid":4294968932,"pns":4026531836,"type":700,"pid":347526,"tid":347526,"uid":0,"gid":0,"ppid":344736,"sessionid":1796,"comm":"cat","pcomm":"bash","nodename":"localhost","retval":0,"md5":"7e9d213e404ad3bb82e4ebb2e1f2c1b3","username":"root","starttime":1657683598,"exe":"/usr/bin/cat","syscall":"execve","cwd":"/tmp/testspace","tty_name":"pts4","stdin":"TCP","stdout":"","dport":"666","dip":"127.0.0.1","pid_tree":"347526.cat<344736.bash<343802.node<343765.node<343756.sh<343645.bash<343640.bash<343503.sshd","cmdline":"cat","priv_esca":0,"ssh_connection":"xxxx 58446 10.0.4.13 22","ld_preload":"-1"}In Elkeid:
{ "bootTime":"2022-01-19 19:11:31.000", "cmdline":"cat", "cwd":"/", "exe":"/usr/bin/cat", "fd_num":"1", "name":"cat", "pid":"12778", "ppid":"50250", "r_addr_ip":"10.71.5.222", "r_addr_port":"666", "session":"50250", "stderr":"/dev/pts/0", "stdin":"socket:[583396364]", "stdout":"pipe:[583396365]", "terminal":"/pts/0", "username":"root" },The text was updated successfully, but these errors were encountered: