Hook pam_get_authtok_internal with eBPF


I am trying to hook pam_get_authtok_internal with eBPF and it does not work:

from bcc import BPF

# Assumed location of the sudo binary (the original left sudo_path undefined).
sudo_path = "/usr/bin/sudo"

# BPF program: a BCC uprobe handler takes struct pt_regs *ctx first, followed by
# the probed function's own parameters. pam_handle_t is opaque here, so void *.
bpf_text = """
#include <uapi/linux/ptrace.h>

int print_password(struct pt_regs *ctx, void *pamh, int item,
                   const char **authtok, const char *prompt, unsigned int flags)
{
    const char *tok = NULL;
    char buf[256] = {};

    // authtok is a pointer to a pointer: read the char * it points at first,
    // then copy the string that pointer references. Note that authtok is an
    // output parameter, so at function entry it usually does not point at the
    // password yet.
    bpf_probe_read(&tok, sizeof(tok), authtok);
    if (tok == NULL)
        return 0;
    bpf_probe_read_str(buf, sizeof(buf), tok);
    bpf_trace_printk("Password: %s\\n", buf);
    return 0;
}
"""

b = BPF(text=bpf_text)

b.attach_uprobe(name=sudo_path, sym="pam_get_authtok_internal", fn_name="print_password")

# Stream the bpf_trace_printk output from the kernel trace pipe.
b.trace_print()

Can someone help me with this, please?


Answer by Slava Bacherikov:

You wouldn't be able to attach this uprobe because there is no such symbol in the sudo binary. Before trying to attach a uprobe or uretprobe, first check which symbols are available via objdump -tT <file> or readelf -s <file>.

The second issue is that the function pam_get_authtok_internal is defined as static; because of that, it most likely wouldn't appear in the symbol table of the proper file (which should be libpam.so). You can check which symbols are available with objdump -tT /usr/lib/libpam.so.

Doing a debug build might fix this; another option might be installing debug symbols and using the information they provide to pinpoint the correct location of this function. You can use objdump -e or objdump -g to get info from debug symbols, and then use this address instead of the symbol.
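As an added example (not part of the answer above, and not BCC or libpam code): a stdlib-only Python ELF reader that performs the same check the answer does with objdump -tT / readelf -s. It reports, for a given name, whether it is a defined function in .dynsym (the table that survives stripping and that uprobes normally resolve against), whether it only exists in .symtab (where static functions live, and which strip removes), or whether it is merely an import (as every pam_* name is in sudo, because they are defined in libpam). Assumptions: the file is ELF32 or ELF64 (either endianness), the host is Linux, and the library paths in the usage lines are illustrative only.

```python
"""Report where, if anywhere, a symbol is defined in an ELF file: .dynsym, .symtab or neither."""
import struct
import sys
from dataclasses import dataclass

SHT_SYMTAB, SHT_DYNSYM = 2, 11
SHN_UNDEF = 0
STB = {0: "LOCAL", 1: "GLOBAL", 2: "WEAK"}
STT = {0: "NOTYPE", 1: "OBJECT", 2: "FUNC", 10: "GNU_IFUNC"}


@dataclass
class Symbol:
    name: str
    value: int      # st_value: the address column readelf -s prints
    size: int
    bind: str       # LOCAL for static functions, GLOBAL/WEAK for exported ones
    kind: str       # FUNC/GNU_IFUNC are what a uprobe can sit on
    defined: bool   # False for imports (st_shndx == SHN_UNDEF)
    table: str      # ".dynsym" (survives strip) or ".symtab" (removed by strip)


def _cstr(data, off):
    """NUL-terminated string at offset `off` of a string table."""
    return data[off:data.index(b"\0", off)].decode("utf-8", "replace")


def elf_symbols(path):
    """Parse every symbol table in an ELF32/ELF64 file without external tools."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF":
        raise ValueError(f"{path}: not an ELF file")
    if data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError(f"{path}: unsupported ELF class or data encoding")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big endian
    ehdr = struct.unpack_from(end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH"), data, 16)
    shoff, shentsize, shnum = ehdr[5], ehdr[10], ehdr[11]
    if shoff == 0 or shnum == 0:
        return []                                # no section headers at all: nothing to read
    shdr_fmt = end + ("IIQQQQIIQQ" if is64 else "IIIIIIIIII")
    sections = [struct.unpack_from(shdr_fmt, data, shoff + i * shentsize) for i in range(shnum)]
    out = []
    for sh in sections:
        _, sh_type, _, _, off, size, link, _, _, entsize = sh
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        table = ".dynsym" if sh_type == SHT_DYNSYM else ".symtab"
        strtab = sections[link][4]               # sh_link of a symtab is its string table
        entsize = entsize or (24 if is64 else 16)
        for j in range(size // entsize):
            pos = off + j * entsize
            if is64:
                st_name, info, _, shndx, value, st_size = struct.unpack_from(end + "IBBHQQ", data, pos)
            else:
                st_name, value, st_size, info, _, shndx = struct.unpack_from(end + "IIIBBH", data, pos)
            if st_name == 0:                     # null / section symbols carry no name
                continue
            out.append(Symbol(_cstr(data, strtab + st_name), value, st_size,
                              STB.get(info >> 4, str(info >> 4)),
                              STT.get(info & 0xF, str(info & 0xF)),
                              shndx != SHN_UNDEF, table))
    return out


def find_symbol(path, name):
    """All entries called `name`, across .dynsym and .symtab (a name may appear in both)."""
    return [s for s in elf_symbols(path) if s.name == name]


def uprobe_target(path, name):
    """The defined FUNC/IFUNC symbol a uprobe could attach to in `path`, or None.

    None means: stripped static function, wrong file, or an import that is
    really defined in another object (pam_* names in sudo come from libpam).
    """
    for s in find_symbol(path, name):
        if s.defined and s.kind in ("FUNC", "GNU_IFUNC"):
            return s
    return None


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <elf-file> <symbol>")
    path, name = sys.argv[1], sys.argv[2]
    hits = find_symbol(path, name)
    if not hits:
        print(f"{name}: not in any symbol table of {path} (static and stripped, or wrong file?)")
    for s in hits:
        where = "defined" if s.defined else "UNDEFINED (imported from another object)"
        print(f"{s.table}: {s.bind} {s.kind} {name} value=0x{s.value:x} size={s.size} {where}")
```

Run it first against the binary you meant to probe and then against the library that really owns the function, e.g. `python3 elfsym.py /usr/bin/sudo pam_get_authtok` (expect UNDEFINED: an import) and `python3 elfsym.py /usr/lib/x86_64-linux-gnu/libpam.so.0 pam_get_authtok_internal` (paths are assumptions for your distribution). A static function shows up only in .symtab, and only while the object is unstripped or a debug build; once you have located it through debug information, the `value` column is the address the answer suggests using in place of the symbol name.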