ChriskaliX Hades Versions

Hades is a Host-Based Intrusion Detection System based (mainly) on eBPF.

agent-v1.1.0

1 year ago

Very first release of the Hades agent.

Warning: the default gRPC address is grpc.hades.store, which is owned by the Hades team and always resolves to 127.0.0.1. Change the code or add an internal DNS entry if you use it in a production environment.

collector-v1.1.0

1 year ago

ebpfdriver-v1.1.0

1 year ago

Features

  • #58 Support for port-scanning detection, adding sport and sip to some network-related hooks.
  • #38 Arm64 is now supported
  • Bumped ebpfmanager to v0.4.0, so that higher kernel versions such as v6.0.0+ are now supported
  • Changed how the BPF bytecode is handled: for now, in production, the BPF bytecode should be downloaded
  • Test cases enhanced
  • Rate limiting in both kernel space (UDP) and userspace (sys_connection) for better performance
  • Cleaned up the old uprobe_bash_history

Bug fixes

  • #63 #64 by @spoock1024
  • Other fixes by @chriskaliX

ebpfdriver-v1.0.2

1 year ago

Feature

  • Anti-rootkit: hidden module scan added

Bug fixes

  • Anti-rootkit: sys_call_table & idt_table check upgraded
  • call_usermodehelper panic patched

Contributors

  • @chriskaliX

ebpfdriver-v1.0.1

1 year ago

Feature

  • Driver is now compatible with Elkeid

Bug fixes

  • High memory usage mitigation

CI/CD

  • release-driver.yml is available now

Contributors

  • @chriskaliX contributed #55

v1.0.0

1 year ago

Note

The CO-RE version is available. You can run it on your machine if BTF is supported.

Features

  • Kernel hook detection (by comparing addresses)
  • 14 hooks for security detection
  • Many helpful fields, close to those of Elkeid

Contributors

  • @rockingl contributed multiple patches #44 #45 #48 #50 #51
  • @dark-lbp made his first contribution #47

Checksum

md5 8381c509f2bc7bad341a5f31720ae426

v0.1.1-eBPF

2 years ago

  • Bug fixes
    • sb_mount userspace decode error
    • data_context improper size decode
  • Others
    • Set "-1" as the default NULL for save_str_to_buf
    • Formatted code, deleted extra code
    • Fixed sshd bugs in plugin/collector

v0.1.0-eBPF

2 years ago

Release for plugin/eBPF. Currently 13 hooks are supported in kernel space, plus one uprobe. The pre-release code is fairly clear and can be modified to suit your own needs.