admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-16 23:33:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

FINAL VERSION

Browse Source
This commit is contained in:
h3xduck
2022-06-23 14:04:48 -04:00
parent 51c4391c97
commit 559136e92e
8 changed files with 258 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
docs/.gitignore vendored
View File

@@ -3,6 +3,7 @@ bibliography/texput.log
!.gitignore !.gitignore
document.pdf document.pdf
!document.tex !document.tex
!*.xmpdata
!Makefile !Makefile
!original_template/ !original_template/
!images/ !images/

201
docs/bibliography/bibliography.bib
View File

File diff suppressed because it is too large Load Diff

8
docs/chapters/annex.tex
View File

@@ -5,10 +5,9 @@
% %
%Including bpftool commands here to be referenced. Is it a good idea? %Including bpftool commands here to be referenced. Is it a good idea?
\appendix
\chapter* {Appendix A - Bpftool commands} \label{annex:bpftool_flags_kernel} \chapter* {Appendix A - eBPF-related kernel compilation flags} \label{annex:bpftool_flags_kernel}
\pagenumbering{gobble} % Las páginas de los anexos no se numeran \pagenumbering{gobble} % Las páginas de los anexos no se numeran
\section*{eBPF-related kernel compilation flags}
\begin{lstlisting}[language=bash] \begin{lstlisting}[language=bash]
$ bpftool feature $ bpftool feature
\end{lstlisting} \end{lstlisting}
@@ -50,9 +49,8 @@ CONFIG_HZ is set to 250
\end{verbatim} \end{verbatim}
\chapter* {Appendix B - Readelf commands} \label{annex:readelf_commands} \chapter* {Appendix B - Section headers in ELF file} \label{annex:readelf_commands}
\pagenumbering{gobble} % Las páginas de los anexos no se numeran \pagenumbering{gobble} % Las páginas de los anexos no se numeran
\section*{Section headers in ELF file} \label{annexsec:readelf_sec_headers}
\begin{lstlisting}[language=bash, caption={List of ELF section headers with readelf tool of a program compiled with GCC.}, label={code:elf_sections}] \begin{lstlisting}[language=bash, caption={List of ELF section headers with readelf tool of a program compiled with GCC.}, label={code:elf_sections}]
$ readelf -S simple_timer $ readelf -S simple_timer
There are 36 section headers, starting at offset 0x4120: There are 36 section headers, starting at offset 0x4120:

28
docs/chapters/chapter2.tex
View File

@@ -352,7 +352,7 @@ BPF\_PROG\_TYPE\_XDP & Program to filter, redirect and monitor network events fr
BPF\_PROG\_TYPE\_SCHED\_CLS & Program to filter, redirect and monitor events using the Traffic Control classifier\\ BPF\_PROG\_TYPE\_SCHED\_CLS & Program to filter, redirect and monitor events using the Traffic Control classifier\\
\hline \hline
\end{tabular} \end{tabular}
\caption{Types of eBPF programs. Only those relevant to our research are shown. The full list and attribute details can be consulted in the man page \cite{bpf_syscall}.} \caption{Relevant types of eBPF programs. Full list and attribute details can be consulted in the man page \cite{bpf_syscall}.}
\label{table:ebpf_prog_types} \label{table:ebpf_prog_types}
\end{table} \end{table}
@@ -396,7 +396,7 @@ bpf\_ringbuf\_submit() & Submit data to an specific eBPF ring buffer, and notify
bpf\_tail\_call() & Jump to another eBPF program preserving the current stack\\ bpf\_tail\_call() & Jump to another eBPF program preserving the current stack\\
\hline \hline
\end{tabular} \end{tabular}
\caption{Relevant common eBPF helpers. Those helpers exclusive to an specific program type are not listed. Full list and attribute details can be consulted in the man page \cite{ebpf_helpers}.} \caption{Relevant common eBPF helpers. Helpers exclusive to an specific program type are not listed. Full list and attribute details can be consulted in the man page \cite{ebpf_helpers}.}
\label{table:ebpf_helpers} \label{table:ebpf_helpers}
\end{table} \end{table}
@@ -625,25 +625,25 @@ As we have shown in Section \ref{section:modern_ebpf}, eBPF has been an active p
\textbf{FLAG} & \textbf{VALUE} & \textbf{DESCRIPTION}\\ \textbf{FLAG} & \textbf{VALUE} & \textbf{DESCRIPTION}\\
\hline \hline
\hline \hline
\multicolumn{1}{|c|}{CONFIG\_BPF} & \multicolumn{1}{|c|}{y} & \multirow{2}{*}{Basic BPF compilation (mandatory)}\\ \multicolumn{1}{|c|}{CONFIG\_BPF} & \multicolumn{1}{c|}{y} & \multirow{2}{*}{Basic BPF compilation (mandatory)}\\
\cline{1-2} \cline{1-2}
\multicolumn{1}{|c|}{CONFIG\_BPF\_SYSCALL} & \multicolumn{1}{|c|}{m} & \\ \multicolumn{1}{|c|}{CONFIG\_BPF\_SYSCALL} & \multicolumn{1}{c|}{m} & \\
\hline \hline
\multicolumn{1}{|c|}{CONFIG\_NET\_ACT\_BPF} & \multicolumn{1}{|c|}{m} & \multirow{2}{*}{Traffic Control functionality}\\ \multicolumn{1}{|c|}{CONFIG\_NET\_ACT\_BPF} & \multicolumn{1}{c|}{m} & \multirow{2}{*}{Traffic Control functionality}\\
\cline{1-2} \cline{1-2}
\multicolumn{1}{|c|}{CONFIG\_NET\_CLS\_BPF} & \multicolumn{1}{|c|}{y} & \\ \multicolumn{1}{|c|}{CONFIG\_NET\_CLS\_BPF} & \multicolumn{1}{c|}{y} & \\
\hline \hline
\multicolumn{1}{|c|}{CONFIG\_BPF\_JIT} & \multicolumn{1}{|c|}{y} & \multirow{2}{*}{Enable JIT compliation}\\ \multicolumn{1}{|c|}{CONFIG\_BPF\_JIT} & \multicolumn{1}{c|}{y} & \multirow{2}{*}{Enable JIT compliation}\\
\cline{1-2} \cline{1-2}
\multicolumn{1}{|c|}{CONFIG\_HAVE\_BPF\_JIT} & \multicolumn{1}{|c|}{y} & \\ \multicolumn{1}{|c|}{CONFIG\_HAVE\_BPF\_JIT} & \multicolumn{1}{c|}{y} & \\
\hline \hline
\multicolumn{1}{|c|}{CONFIG\_BPF\_EVENTS} & \multicolumn{1}{|c|}{y} & \multirow{4}{*}{Enable kprobes, uprobes and tracepoints}\\ \multicolumn{1}{|c|}{CONFIG\_BPF\_EVENTS} & \multicolumn{1}{c|}{y} & \multirow{4}{*}{Enable kprobes, uprobes and tracepoints}\\
\cline{1-2} \cline{1-2}
\multicolumn{1}{|c|}{CONFIG\_KPROBE\_EVENTS} & \multicolumn{1}{|c|}{y} & \\ \multicolumn{1}{|c|}{CONFIG\_KPROBE\_EVENTS} & \multicolumn{1}{c|}{y} & \\
\cline{1-2} \cline{1-2}
\multicolumn{1}{|c|}{CONFIG\_UPROBE\_EVENTS} & \multicolumn{1}{|c|}{y} & \\ \multicolumn{1}{|c|}{CONFIG\_UPROBE\_EVENTS} & \multicolumn{1}{c|}{y} & \\
\cline{1-2} \cline{1-2}
\multicolumn{1}{|c|}{CONFIG\_TRACING} & \multicolumn{1}{|c|}{y} & \\ \multicolumn{1}{|c|}{CONFIG\_TRACING} & \multicolumn{1}{c|}{y} & \\
\hline \hline
CONFIG\_XDP\_SOCKETS & y & Enable XDP\\ CONFIG\_XDP\_SOCKETS & y & Enable XDP\\
\hline \hline
@@ -652,7 +652,7 @@ CONFIG\_XDP\_SOCKETS & y & Enable XDP\\
\label{table:ebpf_kernel_flags} \label{table:ebpf_kernel_flags}
\end{table} \end{table}
Table \ref{table:ebpf_kernel_flags} is based on BCC's documentation, but the full list of eBPF-related flags can be extracted in a live system via bpftool, as detailed in Annex \ref{annex:bpftool_flags_kernel}. Nowadays, all mainstream Linux distributions include kernels with full support for eBPF. Table \ref{table:ebpf_kernel_flags} is based on BCC's documentation, but the full list of eBPF-related flags can be extracted in a live system via bpftool, as detailed in \nameref{annex:bpftool_flags_kernel}. Nowadays, all mainstream Linux distributions include kernels with full support for eBPF.
\subsection{Access control} \label{subsection:access_control} \subsection{Access control} \label{subsection:access_control}
@@ -1066,7 +1066,7 @@ GDB-peda & The Python Exploit Development Assistance for GDB, allows for multipl
Firstly, we will analyse the main sections we can find in an ELF executable. We will approach this study using a sample program that has been compiled using Clang/LLVM, and that consists on a simple timer that counts twice up to number 3, available at our repository \cite{repo_simple_timer}. Firstly, we will analyse the main sections we can find in an ELF executable. We will approach this study using a sample program that has been compiled using Clang/LLVM, and that consists on a simple timer that counts twice up to number 3, available at our repository \cite{repo_simple_timer}.
The commands used for this analysis and complete list of headers can be found in Annex \ref{annexsec:readelf_sec_headers}. The most relevant sections we found at the program are described in Table \ref{table:elf_sec_headers}: The commands used for this analysis and complete list of headers can be found in \nameref{annex:readelf_commands}. The most relevant sections we found at the program are described in Table \ref{table:elf_sec_headers}:
\begin{table}[htbp] \begin{table}[htbp]
\begin{tabular}{|>{\centering\arraybackslash}p{1cm}|>{\centering\arraybackslash}p{9cm}|>{\centering\arraybackslash}p{2cm}|} \begin{tabular}{|>{\centering\arraybackslash}p{1cm}|>{\centering\arraybackslash}p{9cm}|>{\centering\arraybackslash}p{2cm}|}

6
docs/chapters/chapter3.tex
View File

@@ -78,7 +78,7 @@ By observing the value of the registers, we can extract the parameters of the or
\begin{table}[H] \begin{table}[H]
\begin{tabular}{|>{\centering\arraybackslash}p{2cm}|>{\centering\arraybackslash}p{3cm}|} \begin{tabular}{|>{\centering\arraybackslash}p{2cm}|>{\centering\arraybackslash}p{3cm}|}
\hline \hline
\multicolumn{2}{|c|}{User interface}\\ \multicolumn{2}{|c|}{\textbf{USER INTERFACE}}\\
\hline \hline
\textbf{REGISTER} & \textbf{PURPOSE}\\ \textbf{REGISTER} & \textbf{PURPOSE}\\
\hline \hline
@@ -101,9 +101,9 @@ rax & Return value\\
\quad \quad
\begin{tabular}{|>{\centering\arraybackslash}p{2cm}|>{\centering\arraybackslash}p{3cm}|} \begin{tabular}{|>{\centering\arraybackslash}p{2cm}|>{\centering\arraybackslash}p{3cm}|}
\hline \hline
\multicolumn{2}{|c|}{Kernel interface}\\ \multicolumn{2}{|c|}{\textbf{KERNEL INTERFACE}}\\
\hline \hline
Register & Purpose\\ \textbf{REGISTER} & \textbf{PURPOSE}\\
\hline \hline
\hline \hline
rdi & 1st argument\\ rdi & 1st argument\\

8
docs/chapters/chapter4.tex
View File

@@ -310,13 +310,13 @@ Once we know the address of the functions we want our shellcode to call, we can
\item Restore the original value of the registers, and jump back to the original system call which the glibc function intended to call. \item Restore the original value of the registers, and jump back to the original system call which the glibc function intended to call.
\end{enumerate} \end{enumerate}
The complete developed shellcode and its opcodes can be found in Appendix \ref{annex:shellcode}. The complete developed shellcode and its opcodes can be found in \nameref{annex:shellcode}.
\textbf{Stage 3: Injecting shellcode in a code cave}\\ \textbf{Stage 3: Injecting shellcode in a code cave}\\
Once we have developed our shellcode, and before overwriting the value of GOT, we need to find a memory section where to write our shellcode, so that we can executing the necessary instructions to inject our malicious library. This area must be large enough to fit our shellcode, and it must be marked as executable. Once we have developed our shellcode, and before overwriting the value of GOT, we need to find a memory section where to write our shellcode, so that we can executing the necessary instructions to inject our malicious library. This area must be large enough to fit our shellcode, and it must be marked as executable.
Because of DEP/NX, we cannot use the stack for executing code. On top of that, as we can observe in the section header dump at Appendix \ref{annexsec:readelf_sec_headers}, for security reasons all sections are nowadays marked either writeable or executable, but never both simultaneously. Because of DEP/NX, we cannot use the stack for executing code. On top of that, as we can observe in the section header dump at \nameref{annex:readelf_commands}, for security reasons all sections are nowadays marked either writeable or executable, but never both simultaneously.
Therefore, we will use the proc filesystem which we introduced in Section \ref{section:proc_filesystem}. By using the file under \textit{/proc/<pid>/maps}, we will easily identify the address range of those memory sections marked as executable, and by using the file \textit{/proc/<pid>/mem}, we will write our shellcode into that memory section, bypassing the absence of a write flag. Therefore, we will use the proc filesystem which we introduced in Section \ref{section:proc_filesystem}. By using the file under \textit{/proc/<pid>/maps}, we will easily identify the address range of those memory sections marked as executable, and by using the file \textit{/proc/<pid>/mem}, we will write our shellcode into that memory section, bypassing the absence of a write flag.
@@ -1470,6 +1470,8 @@ SECRETDIR & DT\_REG (4) & Secret directory where the rootkit hides its files.\\
% Just ran out of time to implement this case properly, realized too late this was a thing. Still mentioning it here % Just ran out of time to implement this case properly, realized too late this was a thing. Still mentioning it here
Also, it is of interest to study what would happen if the directory entry to hide was not in the middle of the buffer, but rather it was the first one to be written. In this case, we cannot modify the d\_reclen of the previous entry to trick the user into skipping an entry. In order to illustrate this case, we are providing another technique (although this functionality is not available in the rootkit currently). Figure \ref{fig:getdents_firstentry} illustrates this alternative process. Also, it is of interest to study what would happen if the directory entry to hide was not in the middle of the buffer, but rather it was the first one to be written. In this case, we cannot modify the d\_reclen of the previous entry to trick the user into skipping an entry. In order to illustrate this case, we are providing another technique (although this functionality is not available in the rootkit currently). Figure \ref{fig:getdents_firstentry} illustrates this alternative process.
As we can observe in the figure, this technique is based on removing the directory entry completely and overwriting it with all of the subsequent entries. After this change, only the return value of the system call would need to be changed (since now the buffer is shorter).
\begin{figure}[htbp] \begin{figure}[htbp]
\centering \centering
\includegraphics[width=15cm]{getdents_firstentry.png} \includegraphics[width=15cm]{getdents_firstentry.png}
@@ -1477,5 +1479,5 @@ Also, it is of interest to study what would happen if the directory entry to hid
\label{fig:getdents_firstentry} \label{fig:getdents_firstentry}
\end{figure} \end{figure}
As we can observe in the figure, this technique is based on removing the directory entry completely and overwriting it with all of the subsequent entries. After this change, only the return value of the system call would need to be changed (since now the buffer is shorter),

49
docs/document.tex
View File

@@ -47,15 +47,23 @@ hmargin=3cm
\usepackage{fancyhdr} \usepackage{fancyhdr}
\usepackage{tikz} \usepackage{tikz}
% FOOTER % FOOTER
\pagestyle{fancy} \fancypagestyle{fancy}{
\fancyhf{} \fancyhf{}
\renewcommand{\headrulewidth}{1pt} \renewcommand{\headrulewidth}{1pt}
\fancyhead{} \fancyhead{}
\fancyhead[LO]{CHAPTER \thechapter} \fancyhead[LO]{CHAPTER \thechapter}
\fancyhead[RO]{\rightmark} \fancyhead[RO]{\rightmark}
\rfoot{\thepage} \rfoot{\thepage}
\fancypagestyle{plain}{\pagestyle{fancy}} }
\fancypagestyle{plain}{
%\fancyhf{}
\pagestyle{plainnofancy}
%\renewcommand{\headrulewidth}{0pt}
}
\fancypagestyle{plainnofancy}% \fancypagestyle{plainnofancy}%
{% {%
\fancyhf{} \fancyhf{}
@@ -73,6 +81,14 @@ hmargin=3cm
\renewcommand{\footrulewidth}{0pt} \renewcommand{\footrulewidth}{0pt}
} }
%%
\pagestyle{plainnofancy}
% TITLES % TITLES
\usepackage{titlesec} \usepackage{titlesec}
\usepackage{titletoc} \usepackage{titletoc}
@@ -189,7 +205,7 @@ hmargin=3cm
\renewcommand{\lstlistingname}{\uppercase{Code}} \renewcommand{\lstlistingname}{\uppercase{Code}}
% IEEE BIBLIOGRAPHY % IEEE BIBLIOGRAPHY
\usepackage[backend=biber, style=ieee, isbn=false,sortcites, maxbibnames=5, minbibnames=1]{biblatex} \usepackage[backend=biber, style=ieee, isbn=false,sortcites, maxbibnames=5, minbibnames=1 ]{biblatex}
\addbibresource{bibliography/bibliography.bib} \addbibresource{bibliography/bibliography.bib}
@@ -279,9 +295,20 @@ technology also available by default in most distributions. It is intended for b
% DEDICATION % DEDICATION
%---------- %----------
\chapter*{Dedication} \chapter*{Dedication}
\thispagestyle{plainnofancy}
\setcounter{page}{5} \setcounter{page}{5}
\thispagestyle{plainnofancy}
These lines are dedicated to those who have stayed by my side not only during the development of this thesis, but also during these last four years.
I would like to thank my mother, father and sister. Without you any of this would have been ever possible. Thank you for teaching me the value of hard work and continuing to do so every day. Your patience, love and support are undoubtedly invaluable.
Thanks, too, to all with whom I have shared part of this long journey. Brandon, Carlos, Miguel and the rest, it would definitely have been different without you.
Finally, my special appreciation goes to my thesis supervisor Dr. Estévez Tapiador. I could not have had a project I was more excited about. Thank you for trusting me with this opportunity, and thanks for your commitment these months.
\vfill \vfill
\newpage \newpage
@@ -296,9 +323,10 @@ technology also available by default in most distributions. It is intended for b
%-- %--
%General indexes %General indexes
%- %-
\tableofcontents \tableofcontents
\clearpage
%\pagestyle{fancy}
\newpage \newpage
\thispagestyle{empty} \thispagestyle{empty}
@@ -308,7 +336,7 @@ technology also available by default in most distributions. It is intended for b
% List of figures % List of figures
%- %-
\listoffigures \listoffigures
\thispagestyle{fancy}
\newpage \newpage
\thispagestyle{empty} \thispagestyle{empty}
@@ -318,7 +346,6 @@ technology also available by default in most distributions. It is intended for b
% List of tables % List of tables
%- %-
\listoftables \listoftables
\thispagestyle{fancy}
\newpage % página en blanco o de cortesía \newpage % página en blanco o de cortesía
\thispagestyle{empty} \thispagestyle{empty}
@@ -327,9 +354,9 @@ technology also available by default in most distributions. It is intended for b
%---------- %----------
% INTRODUCTION % INTRODUCTION
%---------- %----------
\clearpage \clearpage
\pagenumbering{arabic} \pagenumbering{arabic}
\pagestyle{fancy}
% This prevents the underscores going out of the margins % This prevents the underscores going out of the margins
\renewcommand\_{\textunderscore\allowbreak} \renewcommand\_{\textunderscore\allowbreak}
@@ -356,8 +383,10 @@ technology also available by default in most distributions. It is intended for b
%\nocite{*} % Si quieres que aparezcan en la bibliografía todos los documentos que la componen (también los que no estén citados en el texto) descomenta está lína %\nocite{*} % Si quieres que aparezcan en la bibliografía todos los documentos que la componen (también los que no estén citados en el texto) descomenta está lína
\clearpage \clearpage
\pagestyle{plainnofancy}
\addcontentsline{toc}{chapter}{Bibliography} \addcontentsline{toc}{chapter}{Bibliography}
\sloppy
\printbibliography \printbibliography

6
docs/document.xmpdata Normal file
View File

@@ -0,0 +1,6 @@
\Title{An analysis of offensive capabilities of eBPF and implementation of a rootkit}
\Author{Marcos Sánchez Bajo}
\Copyright{\copyright Marcos Sánchez. Some rights reserved. This document is under terms of Creative Commons license Attribution - Non Commercial - Non Derivatives.}
\CopyrightURL{http://creativecommons.org/licenses/by-nc-nd/3.0/es/}
\Keywords{Backdoor\sep Berkeley Packet Filter\sep Implant\sep Command and Control\sep Linux kernel\sep Malware\sep Computer security}
\Subject{Computer Science}