mirror of
https://github.com/h3xduck/TripleCross.git
synced 2025-12-18 15:53:08 +08:00
Further advanced with the library injection, almost finished. Multiple enhancements
This commit is contained in:
h3xduck
@@ -394,36 +394,51 @@
|
||||
\abx@aux@segm{0}{0}{cet_windows}
|
||||
\abx@aux@cite{cet_linux}
|
||||
\abx@aux@segm{0}{0}{cet_linux}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Analysis of offensive capabilities}{50}{chapter.3}\protected@file@percent }
|
||||
\abx@aux@cite{proc_fs}
|
||||
\abx@aux@segm{0}{0}{proc_fs}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {2.10}The proc filesystem}{50}{section.2.10}\protected@file@percent }
|
||||
\newlabel{section:proc_filesystem}{{2.10}{50}{The proc filesystem}{section.2.10}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {2.23}{\ignorespaces Values for \textit {/proc/sys/kernel/yama/ptrace\_scope}.\relax }}{50}{table.caption.57}\protected@file@percent }
|
||||
\newlabel{table:yama_values}{{2.23}{50}{Values for \textit {/proc/sys/kernel/yama/ptrace\_scope}.\relax }{table.caption.57}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.10.1}/proc/<pid>/maps}{50}{subsection.2.10.1}\protected@file@percent }
|
||||
\newlabel{subsection:proc_maps}{{2.10.1}{50}{/proc/<pid>/maps}{subsection.2.10.1}{}}
|
||||
\abx@aux@cite{proc_fs}
|
||||
\abx@aux@segm{0}{0}{proc_fs}
|
||||
\abx@aux@cite{proc_mem_write}
|
||||
\abx@aux@segm{0}{0}{proc_mem_write}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {2.29}{\ignorespaces File /proc/<pid>/maps of a sample program.\relax }}{51}{figure.caption.58}\protected@file@percent }
|
||||
\newlabel{fig:proc_maps_sample}{{2.29}{51}{File /proc/<pid>/maps of a sample program.\relax }{figure.caption.58}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {2.10.2}/proc/<pid>/mem}{51}{subsection.2.10.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {3}Analysis of offensive capabilities}{52}{chapter.3}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\newlabel{chapter:analysis_offensive_capabilities}{{3}{50}{Analysis of offensive capabilities}{chapter.3}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.1}eBPF maps security}{50}{section.3.1}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.2}Abusing tracing programs}{51}{section.3.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{51}{subsection.3.2.1}\protected@file@percent }
|
||||
\newlabel{code:format_kprobe}{{3.1}{51}{Probe function for a kprobe on the kernel function vfs\_write}{lstlisting.3.1}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.1}Probe function for a kprobe on the kernel function vfs\_write.}{51}{lstlisting.3.1}\protected@file@percent }
|
||||
\newlabel{code:format_uprobe}{{3.2}{51}{Probe function for an uprobe, execute\_command is defined from user space}{lstlisting.3.2}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.2}Probe function for an uprobe, execute\_command is defined from user space.}{51}{lstlisting.3.2}\protected@file@percent }
|
||||
\newlabel{code:format_tracepoint}{{3.3}{51}{Probe function for a tracepoint on the start of the syscall sys\_read}{lstlisting.3.3}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.3}Probe function for a tracepoint on the start of the syscall sys\_read.}{51}{lstlisting.3.3}\protected@file@percent }
|
||||
\newlabel{code:format_ptregs}{{3.4}{51}{Format of struct pt\_regs}{lstlisting.3.4}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.4}Format of struct pt\_regs.}{51}{lstlisting.3.4}\protected@file@percent }
|
||||
\newlabel{chapter:analysis_offensive_capabilities}{{3}{52}{Analysis of offensive capabilities}{chapter.3}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.1}eBPF maps security}{52}{section.3.1}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.2}Abusing tracing programs}{53}{section.3.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.1}Access to function arguments}{53}{subsection.3.2.1}\protected@file@percent }
|
||||
\newlabel{code:format_kprobe}{{3.1}{53}{Probe function for a kprobe on the kernel function vfs\_write}{lstlisting.3.1}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.1}Probe function for a kprobe on the kernel function vfs\_write.}{53}{lstlisting.3.1}\protected@file@percent }
|
||||
\newlabel{code:format_uprobe}{{3.2}{53}{Probe function for an uprobe, execute\_command is defined from user space}{lstlisting.3.2}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.2}Probe function for an uprobe, execute\_command is defined from user space.}{53}{lstlisting.3.2}\protected@file@percent }
|
||||
\newlabel{code:format_tracepoint}{{3.3}{53}{Probe function for a tracepoint on the start of the syscall sys\_read}{lstlisting.3.3}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.3}Probe function for a tracepoint on the start of the syscall sys\_read.}{53}{lstlisting.3.3}\protected@file@percent }
|
||||
\newlabel{code:format_ptregs}{{3.4}{53}{Format of struct pt\_regs}{lstlisting.3.4}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.4}Format of struct pt\_regs.}{53}{lstlisting.3.4}\protected@file@percent }
|
||||
\abx@aux@cite{8664_params_abi}
|
||||
\abx@aux@segm{0}{0}{8664_params_abi}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.1}{\ignorespaces Argument passing convention of registers for function calls in user and kernel space respectively.\relax }}{52}{table.caption.57}\protected@file@percent }
|
||||
\newlabel{table:systemv_abi}{{3.1}{52}{Argument passing convention of registers for function calls in user and kernel space respectively.\relax }{table.caption.57}{}}
|
||||
\newlabel{code:sys_enter_read_tp_format}{{3.5}{52}{Format for parameters in sys\_enter\_read specified at the format file}{lstlisting.3.5}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.5}Format for parameters in sys\_enter\_read specified at the format file.}{52}{lstlisting.3.5}\protected@file@percent }
|
||||
\newlabel{code:sys_enter_read_tp}{{3.6}{53}{Format of custom struct sys\_read\_enter\_ctx}{lstlisting.3.6}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.6}Format of custom struct sys\_read\_enter\_ctx.}{53}{lstlisting.3.6}\protected@file@percent }
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {3.1}{\ignorespaces Argument passing convention of registers for function calls in user and kernel space respectively.\relax }}{54}{table.caption.59}\protected@file@percent }
|
||||
\newlabel{table:systemv_abi}{{3.1}{54}{Argument passing convention of registers for function calls in user and kernel space respectively.\relax }{table.caption.59}{}}
|
||||
\newlabel{code:sys_enter_read_tp_format}{{3.5}{54}{Format for parameters in sys\_enter\_read specified at the format file}{lstlisting.3.5}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.5}Format for parameters in sys\_enter\_read specified at the format file.}{54}{lstlisting.3.5}\protected@file@percent }
|
||||
\newlabel{code:sys_enter_read_tp}{{3.6}{55}{Format of custom struct sys\_read\_enter\_ctx}{lstlisting.3.6}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.6}Format of custom struct sys\_read\_enter\_ctx.}{55}{lstlisting.3.6}\protected@file@percent }
|
||||
\abx@aux@cite{ebpf_friends_p15}
|
||||
\abx@aux@segm{0}{0}{ebpf_friends_p15}
|
||||
\abx@aux@cite{ebpf_override_return}
|
||||
\abx@aux@segm{0}{0}{ebpf_override_return}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{54}{subsection.3.2.2}\protected@file@percent }
|
||||
\newlabel{subsection:out_read_bounds}{{3.2.2}{54}{Reading memory out of bounds}{subsection.3.2.2}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.3}Overriding function return values}{54}{subsection.3.2.3}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.2}Reading memory out of bounds}{56}{subsection.3.2.2}\protected@file@percent }
|
||||
\newlabel{subsection:out_read_bounds}{{3.2.2}{56}{Reading memory out of bounds}{subsection.3.2.2}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.3}Overriding function return values}{56}{subsection.3.2.3}\protected@file@percent }
|
||||
\abx@aux@cite{code_kernel_open}
|
||||
\abx@aux@segm{0}{0}{code_kernel_open}
|
||||
\abx@aux@cite{code_kernel_open}
|
||||
@@ -434,19 +449,19 @@
|
||||
\abx@aux@segm{0}{0}{code_kernel_syscall}
|
||||
\abx@aux@cite{fault_injection}
|
||||
\abx@aux@segm{0}{0}{fault_injection}
|
||||
\newlabel{code:override_return_1}{{3.7}{55}{Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{lstlisting.3.7}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.7}Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{55}{lstlisting.3.7}\protected@file@percent }
|
||||
\newlabel{code:override_return_2}{{3.8}{55}{Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_syscall}}{lstlisting.3.8}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.8}Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_syscall}}{55}{lstlisting.3.8}\protected@file@percent }
|
||||
\newlabel{code:override_return_1}{{3.7}{57}{Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{lstlisting.3.7}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.7}Definition of the syscall sys\_open in the kernel \cite {code_kernel_open}}{57}{lstlisting.3.7}\protected@file@percent }
|
||||
\newlabel{code:override_return_2}{{3.8}{57}{Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_syscall}}{lstlisting.3.8}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.8}Definition of the macro for creating syscalls, containing the error injection macro. Only relevant instructions included, complete macro can be found in the kernel \cite {code_kernel_syscall}}{57}{lstlisting.3.8}\protected@file@percent }
|
||||
\abx@aux@cite{ebpf_helpers}
|
||||
\abx@aux@segm{0}{0}{ebpf_helpers}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.4}Sending signals to user programs}{56}{subsection.3.2.4}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.5}Takeaways}{56}{subsection.3.2.5}\protected@file@percent }
|
||||
\newlabel{subsection:tracing_attacks_conclusion}{{3.2.5}{56}{Takeaways}{subsection.3.2.5}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.3}Memory corruption}{56}{section.3.3}\protected@file@percent }
|
||||
\newlabel{section:mem_corruption}{{3.3}{56}{Memory corruption}{section.3.3}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Attacks and limitations of bpf\_probe\_write\_user()}{56}{subsection.3.3.1}\protected@file@percent }
|
||||
\newlabel{subsection:bpf_probe_write_apps}{{3.3.1}{56}{Attacks and limitations of bpf\_probe\_write\_user()}{subsection.3.3.1}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.4}Sending signals to user programs}{58}{subsection.3.2.4}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.2.5}Takeaways}{58}{subsection.3.2.5}\protected@file@percent }
|
||||
\newlabel{subsection:tracing_attacks_conclusion}{{3.2.5}{58}{Takeaways}{subsection.3.2.5}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.3}Memory corruption}{58}{section.3.3}\protected@file@percent }
|
||||
\newlabel{section:mem_corruption}{{3.3}{58}{Memory corruption}{section.3.3}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.1}Attacks and limitations of bpf\_probe\_write\_user()}{58}{subsection.3.3.1}\protected@file@percent }
|
||||
\newlabel{subsection:bpf_probe_write_apps}{{3.3.1}{58}{Attacks and limitations of bpf\_probe\_write\_user()}{subsection.3.3.1}{}}
|
||||
\abx@aux@cite{write_helper_non_fault}
|
||||
\abx@aux@segm{0}{0}{write_helper_non_fault}
|
||||
\abx@aux@cite{code_vfs_read}
|
||||
@@ -455,72 +470,91 @@
|
||||
\abx@aux@segm{0}{0}{code_vfs_read}
|
||||
\abx@aux@cite{evil_ebpf_p6974}
|
||||
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
|
||||
\newlabel{code:vfs_read}{{3.9}{57}{Definition of kernel function vfs\_read. \cite {code_vfs_read}}{lstlisting.3.9}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.9}Definition of kernel function vfs\_read. \cite {code_vfs_read}}{57}{lstlisting.3.9}\protected@file@percent }
|
||||
\newlabel{code:vfs_read}{{3.9}{59}{Definition of kernel function vfs\_read. \cite {code_vfs_read}}{lstlisting.3.9}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.9}Definition of kernel function vfs\_read. \cite {code_vfs_read}}{59}{lstlisting.3.9}\protected@file@percent }
|
||||
\abx@aux@cite{8664_params_abi_p1922}
|
||||
\abx@aux@segm{0}{0}{8664_params_abi_p1922}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.1}{\ignorespaces Overview of stack scanning and writing technique.\relax }}{58}{figure.caption.58}\protected@file@percent }
|
||||
\newlabel{fig:stack_scan_write_tech}{{3.1}{58}{Overview of stack scanning and writing technique.\relax }{figure.caption.58}{}}
|
||||
\newlabel{code:stack_scan_write_tech}{{3.10}{58}{Sample program being executed on figure \ref {fig:stack_scan_write_tech}}{lstlisting.3.10}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.10}Sample program being executed on figure \ref {fig:stack_scan_write_tech}.}{58}{lstlisting.3.10}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.2}Takeaways}{59}{subsection.3.3.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.4}Abusing networking programs}{60}{section.3.4}\protected@file@percent }
|
||||
\newlabel{section:abusing_networking}{{3.4}{60}{Abusing networking programs}{section.3.4}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.1}Attacks and limitations of networking programs}{60}{subsection.3.4.1}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.2}{\ignorespaces Technique to duplicate a packet for exfiltrating data.\relax }}{62}{figure.caption.59}\protected@file@percent }
|
||||
\newlabel{fig:tcp_exfiltrate_retrans}{{3.2}{62}{Technique to duplicate a packet for exfiltrating data.\relax }{figure.caption.59}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.2}Takeaways}{63}{subsection.3.4.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{64}{chapter.4}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.1}{\ignorespaces Overview of stack scanning and writing technique.\relax }}{60}{figure.caption.60}\protected@file@percent }
|
||||
\newlabel{fig:stack_scan_write_tech}{{3.1}{60}{Overview of stack scanning and writing technique.\relax }{figure.caption.60}{}}
|
||||
\newlabel{code:stack_scan_write_tech}{{3.10}{60}{Sample program being executed on figure \ref {fig:stack_scan_write_tech}}{lstlisting.3.10}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {3.10}Sample program being executed on figure \ref {fig:stack_scan_write_tech}.}{60}{lstlisting.3.10}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.3.2}Takeaways}{61}{subsection.3.3.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {3.4}Abusing networking programs}{62}{section.3.4}\protected@file@percent }
|
||||
\newlabel{section:abusing_networking}{{3.4}{62}{Abusing networking programs}{section.3.4}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.1}Attacks and limitations of networking programs}{62}{subsection.3.4.1}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {3.2}{\ignorespaces Technique to duplicate a packet for exfiltrating data.\relax }}{64}{figure.caption.61}\protected@file@percent }
|
||||
\newlabel{fig:tcp_exfiltrate_retrans}{{3.2}{64}{Technique to duplicate a packet for exfiltrating data.\relax }{figure.caption.61}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {3.4.2}Takeaways}{65}{subsection.3.4.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{66}{chapter.4}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.1}Rootkit architecture}{64}{section.4.1}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.1}{\ignorespaces Overview of the rootkit subsystems and components.\relax }}{65}{figure.caption.60}\protected@file@percent }
|
||||
\newlabel{fig:rootkit}{{4.1}{65}{Overview of the rootkit subsystems and components.\relax }{figure.caption.60}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.1}Rootkit architecture}{66}{section.4.1}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.1}{\ignorespaces Overview of the rootkit subsystems and components.\relax }}{67}{figure.caption.62}\protected@file@percent }
|
||||
\newlabel{fig:rootkit}{{4.1}{67}{Overview of the rootkit subsystems and components.\relax }{figure.caption.62}{}}
|
||||
\abx@aux@cite{rawtcp_lib}
|
||||
\abx@aux@segm{0}{0}{rawtcp_lib}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.2}{\ignorespaces Rootkit programs and scripts.\relax }}{67}{figure.caption.61}\protected@file@percent }
|
||||
\newlabel{fig:rootkit_files}{{4.2}{67}{Rootkit programs and scripts.\relax }{figure.caption.61}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.2}{\ignorespaces Rootkit programs and scripts.\relax }}{69}{figure.caption.63}\protected@file@percent }
|
||||
\newlabel{fig:rootkit_files}{{4.2}{69}{Rootkit programs and scripts.\relax }{figure.caption.63}{}}
|
||||
\abx@aux@cite{evil_ebpf_p6974}
|
||||
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
|
||||
\abx@aux@cite{evil_ebpf_p6974}
|
||||
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.2}Library injection attacks}{68}{section.4.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.1}ROP with eBPF}{68}{subsection.4.2.1}\protected@file@percent }
|
||||
\newlabel{subsection:rop_ebpf}{{4.2.1}{68}{ROP with eBPF}{subsection.4.2.1}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.2}Library injection module}{70}{section.4.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.1}ROP with eBPF}{70}{subsection.4.2.1}\protected@file@percent }
|
||||
\newlabel{subsection:rop_ebpf}{{4.2.1}{70}{ROP with eBPF}{subsection.4.2.1}{}}
|
||||
\abx@aux@cite{glibc}
|
||||
\abx@aux@segm{0}{0}{glibc}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.3}{\ignorespaces Initial setup for the ROP with eBPF technique.\relax }}{69}{figure.caption.62}\protected@file@percent }
|
||||
\newlabel{fig:rop_evil_ebpf_1}{{4.3}{69}{Initial setup for the ROP with eBPF technique.\relax }{figure.caption.62}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.4}{\ignorespaces Process memory after syscall exits and ROP code overwrites the stack.\relax }}{70}{figure.caption.63}\protected@file@percent }
|
||||
\newlabel{fig:rop_evil_ebpf_2}{{4.4}{70}{Process memory after syscall exits and ROP code overwrites the stack.\relax }{figure.caption.63}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.3}{\ignorespaces Initial setup for the ROP with eBPF technique.\relax }}{71}{figure.caption.64}\protected@file@percent }
|
||||
\newlabel{fig:rop_evil_ebpf_1}{{4.3}{71}{Initial setup for the ROP with eBPF technique.\relax }{figure.caption.64}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.4}{\ignorespaces Process memory after syscall exits and ROP code overwrites the stack.\relax }}{72}{figure.caption.65}\protected@file@percent }
|
||||
\newlabel{fig:rop_evil_ebpf_2}{{4.4}{72}{Process memory after syscall exits and ROP code overwrites the stack.\relax }{figure.caption.65}{}}
|
||||
\abx@aux@cite{canary_exploit}
|
||||
\abx@aux@segm{0}{0}{canary_exploit}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.5}{\ignorespaces Stack data is restored and program continues its execution.\relax }}{71}{figure.caption.64}\protected@file@percent }
|
||||
\newlabel{fig:rop_evil_ebpf_3}{{4.5}{71}{Stack data is restored and program continues its execution.\relax }{figure.caption.64}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.2}Bypassing hardening features in ELFs}{71}{subsection.4.2.2}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.5}{\ignorespaces Stack data is restored and program continues its execution.\relax }}{73}{figure.caption.66}\protected@file@percent }
|
||||
\newlabel{fig:rop_evil_ebpf_3}{{4.5}{73}{Stack data is restored and program continues its execution.\relax }{figure.caption.66}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.2}Bypassing hardening features in ELFs}{73}{subsection.4.2.2}\protected@file@percent }
|
||||
\newlabel{subsection:hardening_bypass}{{4.2.2}{73}{Bypassing hardening features in ELFs}{subsection.4.2.2}{}}
|
||||
\abx@aux@cite{pie_exploit}
|
||||
\abx@aux@segm{0}{0}{pie_exploit}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.6}{\ignorespaces Two runs of the same executable using ASLR, showing a library and two symbols.\relax }}{72}{figure.caption.65}\protected@file@percent }
|
||||
\newlabel{fig:alsr_offset}{{4.6}{72}{Two runs of the same executable using ASLR, showing a library and two symbols.\relax }{figure.caption.65}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.3}Library injection via GOT hijacking}{73}{subsection.4.2.3}\protected@file@percent }
|
||||
\newlabel{subsection:got_attack}{{4.2.3}{73}{Library injection via GOT hijacking}{subsection.4.2.3}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.7}{\ignorespaces Call to the glibc function, using objdump\relax }}{74}{figure.caption.66}\protected@file@percent }
|
||||
\newlabel{fig:firstcall}{{4.7}{74}{Call to the glibc function, using objdump\relax }{figure.caption.66}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Evaluation}{75}{chapter.5}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.6}{\ignorespaces Two runs of the same executable using ASLR, showing a library and two symbols.\relax }}{74}{figure.caption.67}\protected@file@percent }
|
||||
\newlabel{fig:alsr_offset}{{4.6}{74}{Two runs of the same executable using ASLR, showing a library and two symbols.\relax }{figure.caption.67}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.3}Library injection via GOT hijacking}{75}{subsection.4.2.3}\protected@file@percent }
|
||||
\newlabel{subsection:got_attack}{{4.2.3}{75}{Library injection via GOT hijacking}{subsection.4.2.3}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.7}{\ignorespaces Overview of jump and return instructions from the program instructions to the syscall at the kernel.\relax }}{76}{figure.caption.68}\protected@file@percent }
|
||||
\newlabel{fig:lib_stage1}{{4.7}{76}{Overview of jump and return instructions from the program instructions to the syscall at the kernel.\relax }{figure.caption.68}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.8}{\ignorespaces Call to the glibc function, using objdump.\relax }}{76}{figure.caption.69}\protected@file@percent }
|
||||
\newlabel{fig:firstcall}{{4.8}{76}{Call to the glibc function, using objdump.\relax }{figure.caption.69}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.9}{\ignorespaces PLT stub generated with gcc compiler, using objdump.\relax }}{76}{figure.caption.70}\protected@file@percent }
|
||||
\newlabel{fig:plt_gcc}{{4.9}{76}{PLT stub generated with gcc compiler, using objdump.\relax }{figure.caption.70}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.10}{\ignorespaces PLT stub generated with clang compiler, using objdump.\relax }}{77}{figure.caption.71}\protected@file@percent }
|
||||
\newlabel{fig:plt_clang}{{4.10}{77}{PLT stub generated with clang compiler, using objdump.\relax }{figure.caption.71}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.11}{\ignorespaces Timerfd\_settime function at glibc, using objdump.\relax }}{77}{figure.caption.72}\protected@file@percent }
|
||||
\newlabel{fig:settime_glibc}{{4.11}{77}{Timerfd\_settime function at glibc, using objdump.\relax }{figure.caption.72}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {4.1}{\ignorespaces Arguments and return value of function \_\_libc\_malloc.\relax }}{77}{table.caption.73}\protected@file@percent }
|
||||
\newlabel{table:libc_malloc}{{4.1}{77}{Arguments and return value of function \_\_libc\_malloc.\relax }{table.caption.73}{}}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\contentsline {table}{\numberline {4.2}{\ignorespaces Arguments of function \_\_libc\_dlopen\_mode.\relax }}{78}{table.caption.74}\protected@file@percent }
|
||||
\newlabel{table:libc_dlopen_mode}{{4.2}{78}{Arguments of function \_\_libc\_dlopen\_mode.\relax }{table.caption.74}{}}
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.12}{\ignorespaces Functions at glibc with ASLR active.\relax }}{78}{figure.caption.75}\protected@file@percent }
|
||||
\newlabel{fig:aslr_bypass_example}{{4.12}{78}{Functions at glibc with ASLR active.\relax }{figure.caption.75}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Evaluation}{81}{chapter.5}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {5.1}Developed capabilities}{75}{section.5.1}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {5.2}Rootkit use cases}{75}{section.5.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Related work}{76}{chapter.6}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {5.1}Developed capabilities}{81}{section.5.1}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {5.2}Rootkit use cases}{81}{section.5.2}\protected@file@percent }
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Related work}{82}{chapter.6}\protected@file@percent }
|
||||
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
|
||||
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{77}{chapter.6}\protected@file@percent }
|
||||
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.68}{}}
|
||||
\newlabel{annex:readelf_commands}{{6}{}{Appendix B - Readelf commands}{chapter*.69}{}}
|
||||
\newlabel{annexsec:readelf_sec_headers}{{6}{}{}{chapter*.69}{}}
|
||||
\newlabel{chapter:related_work}{{6}{82}{Related work}{chapter.6}{}}
|
||||
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{83}{chapter.6}\protected@file@percent }
|
||||
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.77}{}}
|
||||
\newlabel{annex:readelf_commands}{{6}{}{Appendix B - Readelf commands}{chapter*.78}{}}
|
||||
\newlabel{annexsec:readelf_sec_headers}{{6}{}{}{chapter*.78}{}}
|
||||
\newlabel{code:elf_sections}{{6.1}{}{List of ELF section headers with readelf tool of a program compiled with GCC}{lstlisting.6.1}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {6.1}List of ELF section headers with readelf tool of a program compiled with GCC.}{}{lstlisting.6.1}\protected@file@percent }
|
||||
\abx@aux@read@bbl@mdfivesum{F3AD89EA79E7C7C7226521F437E57B7C}
|
||||
\newlabel{annex:shellcode}{{6}{}{Appendix C - Library injection shellcode}{chapter*.79}{}}
|
||||
\newlabel{code:shellcode}{{6.2}{}{Shellcode for library injection and its opcodes}{lstlisting.6.2}{}}
|
||||
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {6.2}Shellcode for library injection and its opcodes.}{}{lstlisting.6.2}\protected@file@percent }
|
||||
\abx@aux@read@bbl@mdfivesum{C88931983EB38C795A3D36AB8548A2C9}
|
||||
\abx@aux@refcontextdefaultsdone
|
||||
\abx@aux@defaultrefcontext{0}{ransomware_pwc}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{rootkit_ptsecurity}{none/global//global/global}
|
||||
@@ -598,6 +632,8 @@
|
||||
\abx@aux@defaultrefcontext{0}{relro_redhat}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{cet_windows}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{cet_linux}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{proc_fs}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{proc_mem_write}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{8664_params_abi}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_friends_p15}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{ebpf_override_return}{none/global//global/global}
|
||||
@@ -613,4 +649,4 @@
|
||||
\abx@aux@defaultrefcontext{0}{canary_exploit}{none/global//global/global}
|
||||
\abx@aux@defaultrefcontext{0}{pie_exploit}{none/global//global/global}
|
||||
\ttl@finishall
|
||||
\gdef \@abspage@last{104}
|
||||
\gdef \@abspage@last{112}
|
||||
|
||||
Reference in New Issue
Block a user