Created
April 5, 2025 12:17
-
-
Save cr0nx/1bd6daa7b0cc99320c771da95b203827 to your computer and use it in GitHub Desktop.
Find in-memory modification of kernel.yama.ptrace_scope with bpftrace - PoC
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bpftrace | |
| BEGIN | |
| { | |
| // Replace with the actual address from /proc/kallsyms | |
| $data_addr = 0xffffffff83c983b0; // Example: yama_sysctl_table->data address | |
| @last_val = *(int32*)$data_addr; // Initial value | |
| printf("Monitoring kernel.yama.ptrace_scope at address 0x%x (initial value: %d)\n", | |
| $data_addr, @last_val); | |
| } | |
| interval:s:1 | |
| { | |
| $data_addr = 0xffffffff83c983b0; // Same address | |
| $current = *(int32*)$data_addr; | |
| if (@last_val != $current) { | |
| time("%H:%M:%S "); | |
| printf("ALERT: kernel.yama.ptrace_scope changed from %d to %d!\n", | |
| @last_val, $current); | |
| @last_val = $current; | |
| } | |
| } | |
| END | |
| { | |
| clear(@last_val); | |
| printf("Monitoring stopped\n"); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello @cr0nx, first of all, great post, really well explained!
I’ve tested it and it works like a charm on Ubuntu. I’d like to make a small contribution by sharing an improved version of the code that dynamically retrieves the ptrace_scope address using the kaddr function: