admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-24 18:33:08 +08:00
Code Issues Packages Projects Releases Wiki Activity

New diagrams, completed rootkit architecture

Browse Source
This commit is contained in:
h3xduck
2022-06-12 08:16:59 -04:00
parent c14b407644
commit 0aec74e024
15 changed files with 463 additions and 335 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
docs/document.aux
View File

@@ -474,49 +474,53 @@
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.1}Rootkit architecture}{64}{section.4.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.2}Library injection attacks}{64}{section.4.2}\protected@file@percent }
\abx@aux@cite{evil_ebpf_p6974}
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
\abx@aux@cite{evil_ebpf_p6974}
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.1}{\ignorespaces Overview of the rootkit subsystems and components.\relax }}{65}{figure.caption.60}\protected@file@percent }
\newlabel{fig:rootkit}{{4.1}{65}{Overview of the rootkit subsystems and components.\relax }{figure.caption.60}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.1}ROP with eBPF}{65}{subsection.4.2.1}\protected@file@percent }
\newlabel{subsection:rop_ebpf}{{4.2.1}{65}{ROP with eBPF}{subsection.4.2.1}{}}
\abx@aux@cite{rawtcp_lib}
\abx@aux@segm{0}{0}{rawtcp_lib}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.2}{\ignorespaces Rootkit programs and scripts.\relax }}{67}{figure.caption.61}\protected@file@percent }
\newlabel{fig:rootkit_files}{{4.2}{67}{Rootkit programs and scripts.\relax }{figure.caption.61}{}}
\abx@aux@cite{evil_ebpf_p6974}
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
\abx@aux@cite{evil_ebpf_p6974}
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.2}Library injection attacks}{68}{section.4.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.1}ROP with eBPF}{68}{subsection.4.2.1}\protected@file@percent }
\newlabel{subsection:rop_ebpf}{{4.2.1}{68}{ROP with eBPF}{subsection.4.2.1}{}}
\abx@aux@cite{glibc}
\abx@aux@segm{0}{0}{glibc}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.2}{\ignorespaces Initial setup for the ROP with eBPF technique.\relax }}{66}{figure.caption.61}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_1}{{4.2}{66}{Initial setup for the ROP with eBPF technique.\relax }{figure.caption.61}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.3}{\ignorespaces Process memory after syscall exits and ROP code overwrites the stack.\relax }}{67}{figure.caption.62}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_2}{{4.3}{67}{Process memory after syscall exits and ROP code overwrites the stack.\relax }{figure.caption.62}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.3}{\ignorespaces Initial setup for the ROP with eBPF technique.\relax }}{69}{figure.caption.62}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_1}{{4.3}{69}{Initial setup for the ROP with eBPF technique.\relax }{figure.caption.62}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.4}{\ignorespaces Process memory after syscall exits and ROP code overwrites the stack.\relax }}{70}{figure.caption.63}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_2}{{4.4}{70}{Process memory after syscall exits and ROP code overwrites the stack.\relax }{figure.caption.63}{}}
\abx@aux@cite{canary_exploit}
\abx@aux@segm{0}{0}{canary_exploit}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.4}{\ignorespaces Stack data is restored and program continues its execution.\relax }}{68}{figure.caption.63}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_3}{{4.4}{68}{Stack data is restored and program continues its execution.\relax }{figure.caption.63}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.2}Bypassing hardening features in ELFs}{68}{subsection.4.2.2}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.5}{\ignorespaces Stack data is restored and program continues its execution.\relax }}{71}{figure.caption.64}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_3}{{4.5}{71}{Stack data is restored and program continues its execution.\relax }{figure.caption.64}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.2}Bypassing hardening features in ELFs}{71}{subsection.4.2.2}\protected@file@percent }
\abx@aux@cite{pie_exploit}
\abx@aux@segm{0}{0}{pie_exploit}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.5}{\ignorespaces Two runs of the same executable using ASLR, showing a library and two symbols.\relax }}{69}{figure.caption.64}\protected@file@percent }
\newlabel{fig:alsr_offset}{{4.5}{69}{Two runs of the same executable using ASLR, showing a library and two symbols.\relax }{figure.caption.64}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.3}Library injection via GOT hijacking}{70}{subsection.4.2.3}\protected@file@percent }
\newlabel{subsection:got_attack}{{4.2.3}{70}{Library injection via GOT hijacking}{subsection.4.2.3}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.6}{\ignorespaces Call to the glibc function, using objdump\relax }}{71}{figure.caption.65}\protected@file@percent }
\newlabel{fig:firstcall}{{4.6}{71}{Call to the glibc function, using objdump\relax }{figure.caption.65}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Evaluation}{72}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.6}{\ignorespaces Two runs of the same executable using ASLR, showing a library and two symbols.\relax }}{72}{figure.caption.65}\protected@file@percent }
\newlabel{fig:alsr_offset}{{4.6}{72}{Two runs of the same executable using ASLR, showing a library and two symbols.\relax }{figure.caption.65}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.3}Library injection via GOT hijacking}{73}{subsection.4.2.3}\protected@file@percent }
\newlabel{subsection:got_attack}{{4.2.3}{73}{Library injection via GOT hijacking}{subsection.4.2.3}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.7}{\ignorespaces Call to the glibc function, using objdump\relax }}{74}{figure.caption.66}\protected@file@percent }
\newlabel{fig:firstcall}{{4.7}{74}{Call to the glibc function, using objdump\relax }{figure.caption.66}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Evaluation}{75}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {5.1}Developed capabilities}{72}{section.5.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {5.2}Rootkit use cases}{72}{section.5.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Related work}{73}{chapter.6}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {5.1}Developed capabilities}{75}{section.5.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {5.2}Rootkit use cases}{75}{section.5.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Related work}{76}{chapter.6}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{74}{chapter.6}\protected@file@percent }
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.67}{}}
\newlabel{annex:readelf_commands}{{6}{}{Appendix B - Readelf commands}{chapter*.68}{}}
\newlabel{annexsec:readelf_sec_headers}{{6}{}{}{chapter*.68}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{77}{chapter.6}\protected@file@percent }
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.68}{}}
\newlabel{annex:readelf_commands}{{6}{}{Appendix B - Readelf commands}{chapter*.69}{}}
\newlabel{annexsec:readelf_sec_headers}{{6}{}{}{chapter*.69}{}}
\newlabel{code:elf_sections}{{6.1}{}{List of ELF section headers with readelf tool of a program compiled with GCC}{lstlisting.6.1}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {6.1}List of ELF section headers with readelf tool of a program compiled with GCC.}{}{lstlisting.6.1}\protected@file@percent }
\abx@aux@read@bbl@mdfivesum{29EDBEBA551C78783A4E376AB79D67BE}
\abx@aux@read@bbl@mdfivesum{F3AD89EA79E7C7C7226521F437E57B7C}
\abx@aux@refcontextdefaultsdone
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global}
@@ -604,8 +608,9 @@
\abx@aux@defaultrefcontext{0}{code_vfs_read}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{evil_ebpf_p6974}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{8664_params_abi_p1922}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{rawtcp_lib}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{glibc}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{canary_exploit}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{pie_exploit}{none/global//global/global}
\ttl@finishall
\gdef \@abspage@last{101}
\gdef \@abspage@last{104}