- Empire Hacking talk
- Slides: TODO
- Linux kernel >= 4.15
- glibc >= 2.12
Dependency list
- CMake >= 3.16.2
- C++ compiler supporting the c++14 standard
- LLVM libraries built with BPF support enabled
With system packages, on Ubuntu/Debian-based distributions
sudo apt install cmake clang llvm-dev
With the osquery-toolchain, on any distribution (preferred)
The generic osquery-toolchain includes Clang, LLVM and libc++ libraries and can be used instead of the system packages. Both the toolchain itself and the binaries it builds can be run on any distribution above Ubuntu 14.04/CentOS 6 (although this program still requires a Linux kernel >= 4.15).
CMake: download the 'tar.gz' archive from the 'Binary distributions' section. Extract it and add the binary folder to the PATH environment variable.
The preferred build method is with the osquery-toolchain
- Clone the repository
- Download the osquery-toolchain and extract it
- Install CMake (use a binary from the CMake homepage if you are on an old distribution)
- Create a build directory
- Configure the project, from within the build folder:
cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo -DSYSPROF_TOOLCHAIN_PATH=/path/to/osquery/toolchain /path/to/source/folder - Start the build:
cmake --build . -j $(nproc)
Example
# Install cURL and CMake
sudo apt update && sudo apt install curl cmake -y
# Download and extract the osquery-toolchain
curl -O -L 'https://github.com/osquery/osquery-toolchain/releases/download/1.1.0/osquery-toolchain-1.1.0-x86_64.tar.xz'
tar xf osquery-toolchain-1.1.0-x86_64.tar.xz
export SYSPROF_TOOLCHAIN_PATH="$(realpath osquery-toolchain)"
# Clone the repository
git clone https://github.com/trailofbits/monitoring_linux_events
# Configure the project
mkdir build && cd build
cmake "-DSYSPROF_TOOLCHAIN_PATH=${SYSPROF_TOOLCHAIN_PATH}" ../monitoring_linux_events
# Start the build
cmake --build . -j $(nproc)
# Start the binary
sudo ./syscall_profiler