README.md

# TripleCross
Instructions soon!
For now, you can read the paper at docs/ebpf_offensive_rootkit

TripleCross is an eBPF rootkit for Linux featuring the following capabilities:
1. A library injection module to execute malicious code by writing at a process' virtual memory.
2. An execution hijacking module that modifies data passed to the kernel to execute malicious programs.
3. A local privilege escalation module that allows for running malicious programs with root privileges.
4. A backdoor with C2 capabilities that can monitor the network and execute commands sent from a remote rootkit client. It incorporates multiple activation triggers so that these actions are transmitted stealthy.
5. A rootkit client that allows an attacker to establish 3 different types of shell-like connections to send commands and actions that control the rootkit state remotely.
6. A persistence module that ensures the rootkit remains installed maintaining full privileges even after a reboot event.
7. A stealth module that hides rootkit-related files and directories from the user.


<!---
## Build and run
```bash
cd src
make
sudo ./bin/kit -t <network interface>
```
Network interface used for PoC: lo

## PoC 0 - Modifying incoming traffic
### Option 1: With netcat
Terminal 1:
```bash
nc -l 9000
```
Terminal 2:
```bash
echo -n "XDP_PoC_0" | nc 127.0.0.1 9000
```
### Option 2: With the in-built client
```bash
cd src/client
sudo ./injector -S 127.0.0.1
```

------------------
## PoC 1 - Modifying arguments of read syscalls
```bash
echo "This won't be seen" > /tmp/txt.txt
cat /tmp/txt.txt
```
---!>
Changed the repository (and the rootkit!) name with TripleCross: https://dictionary.cambridge.org/dictionary/english/double-cross. This is 'triple' because it is a BPF program that betrays you at the userspace, at the kernel, and at the network. 2022-06-15 20:33:07 -04:00			`# TripleCross`
Update README.md 2022-06-23 22:01:50 +02:00			`Instructions soon!`
			`For now, you can read the paper at docs/ebpf_offensive_rootkit`
Update README.md 2022-07-01 16:07:31 +02:00
			`TripleCross is an eBPF rootkit for Linux featuring the following capabilities:`
			`1. A library injection module to execute malicious code by writing at a process' virtual memory.`
			`2. An execution hijacking module that modifies data passed to the kernel to execute malicious programs.`
			`3. A local privilege escalation module that allows for running malicious programs with root privileges.`
			`4. A backdoor with C2 capabilities that can monitor the network and execute commands sent from a remote rootkit client. It incorporates multiple activation triggers so that these actions are transmitted stealthy.`
			`5. A rootkit client that allows an attacker to establish 3 different types of shell-like connections to send commands and actions that control the rootkit state remotely.`
			`6. A persistence module that ensures the rootkit remains installed maintaining full privileges even after a reboot event.`
			`7. A stealth module that hides rootkit-related files and directories from the user.`


Update README.md 2022-06-23 22:01:50 +02:00			`<!---`
Update README.md 2021-11-28 02:01:32 +01:00			`## Build and run`
			```bash
			`cd src`
			`make`
Updated file names and directory structure to the new multi-modules rootkit 2022-01-16 06:56:54 -05:00			`sudo ./bin/kit -t <network interface>`
Update README.md 2021-11-28 02:01:32 +01:00			```
			`Network interface used for PoC: lo`

Fix typo 2021-11-28 02:01:56 +01:00			`## PoC 0 - Modifying incoming traffic`
Update README.md 2021-11-28 02:01:32 +01:00			`### Option 1: With netcat`
			`Terminal 1:`
			```bash
			`nc -l 9000`
			```
			`Terminal 2:`
			```bash
			`echo -n "XDP_PoC_0" \| nc 127.0.0.1 9000`
			```
			`### Option 2: With the in-built client`
			```bash
			`cd src/client`
			`sudo ./injector -S 127.0.0.1`
			```
Updated readme with new PoC 2022-01-16 07:03:07 -05:00
			`------------------`
			`## PoC 1 - Modifying arguments of read syscalls`
			```bash
			`echo "This won't be seen" > /tmp/txt.txt`
			`cat /tmp/txt.txt`
			```
Update README.md 2022-06-23 22:01:50 +02:00			`---!>`