admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-24 18:33:08 +08:00
Code Issues Packages Projects Releases Wiki Activity
179 Commits 1 Branch 1 Tag
5d6619ce4088eb7dd8e6dcdb2f4bd8b0377ac1c8
Commit Graph

50 Commits

Author SHA1 Message Date
h3xduck
5d6619ce40 Finished section 5. Multiple changes in the code according to the performed tests. 2022-06-19 14:35:19 -04:00
h3xduck
bfcbfcfaf2 Added multiple small changes to client and code, submitting almost finished chapter 5 2022-06-18 10:57:10 -04:00
h3xduck
2b719ff0a5 Completed chapter 4 2022-06-16 20:38:15 -04:00
h3xduck
80f334636a Changed the repository (and the rootkit!) name with TripleCross: https://dictionary.cambridge.org/dictionary/english/double-cross. This is 'triple' because it is a BPF program that betrays you at the userspace, at the kernel, and at the network. 2022-06-15 20:33:07 -04:00
h3xduck
99ad9c5548 New explanation for the injection technique (alternative scanning process) and added flow diagram with full process. 2022-06-13 10:57:32 -04:00
h3xduck
71b093141b Further advanced with the library injection, almost finished. Multiple enhancements 2022-06-12 22:34:50 -04:00
h3xduck
d7a9b0e777 Updated injection module to ensure shellcode fits in code cave. Added simple reverse shell in injection lib 2022-06-11 18:38:48 -04:00
h3xduck
1595caa8d0 Continued with library injection attack 2022-06-09 22:57:25 -04:00
h3xduck
104f4c0355 Added obfuscation for the persistance access using cron 2022-05-16 17:34:21 -04:00
h3xduck
ccd518287a Added new deployer for preparing final files, messed up with the phantom shell, sometimes gives errors, but I don't think we can do much, the shared maps together with multi-hooks on network has some unexpected behaviours 2022-05-16 16:33:12 -04:00
h3xduck
757a480de9 Completed work on deployer, previous to cron persistence 2022-05-16 12:52:25 -04:00
h3xduck
4044d7994c Added sys_openat for the injection module, fully working! 2022-05-16 08:02:38 -04:00
h3xduck
78b3132687 Updated some files for eveything to work now that it is all together. Execve hijacker and clients in particular 2022-05-15 20:47:58 -04:00
h3xduck
4a292f0f7a Merged master and develop, now all changes together. Fully tested and working. 2022-05-15 20:46:35 -04:00
h3xduck
ff0f34c6a4 Included new library version with support for tcp src port paylaod injection 2022-05-09 18:57:23 -04:00
h3xduck
f6a4c1daa0 Finished execve hijacking, added new last checks and discovered why sometimes it fails. New detached process at the userspace. Other fixes 2022-05-07 10:36:46 -04:00
h3xduck
073a911f74 Included new version of custom lib. Added checks for backdoor triggering 2022-05-04 04:40:25 -04:00
h3xduck
25ef3acc5a Updating doc, adding makefile and preparing document 2022-04-27 21:56:37 -04:00
h3xduck
8be536fb6f Added locking mechanism for execve_hijack. Incorporated new library rawtcp with latest version without bug. 2022-04-14 13:24:43 -04:00
h3xduck
c3bffb6f84 Completed packet parsing at tc hook 2022-04-13 16:56:17 -04:00
h3xduck
7157729334 Added forked routine to execve_hijack. Improved argv modification and made it work. Working now. 2022-04-13 08:57:33 -04:00
h3xduck
e881502ffa Now control flow is redirected back to the syscall after running the shared library constructor instead of skipping it 2022-04-09 14:17:09 -04:00
h3xduck
036585371c Added pdf with temporary documentation 2022-04-08 05:30:43 -04:00
h3xduck
621e42e2e8 Changed shellcode to include backup of registers and stuck. Now prevents stack smashing detection via the stack canaries 2022-04-07 19:47:53 -04:00
h3xduck
be5605db5f Introduced shellcode and finished code cave writing and injection. RELRO working 2022-04-07 11:54:24 -04:00
h3xduck
3455b80010 Merge branch 'injection' of https://github.com/h3xduck/TFG into injection. Messed up with branches, clearing up 2022-04-07 07:14:54 -04:00
h3xduck
3438f5846f Finished injection module at userspace using /proc/<pid>/maps, enables to overwrite the GOT section with RELRO activated 2022-04-07 07:11:28 -04:00
h3xduck
e6ddb3373e Finished injection module at userspace using /proc/<pid>/maps, enables to overwrite the GOT section with RELRO activated 2022-04-05 20:21:59 -04:00
h3xduck
96cfda8c1f Finished RELRO adaptation. 2022-04-04 18:04:34 -04:00
h3xduck
748062f464 Adapted memory analysis to larger memory addresses inside the virtual address space. Solved bugs and others, adapting code for RELRO. 2022-04-04 17:07:45 -04:00
h3xduck
8f28c3a883 Updated helpers and added resources to help with lib injection 2022-03-24 15:40:05 -04:00
h3xduck
9dff5e71dc Included offset and extraction of interesting functions 2022-03-17 21:41:40 -04:00
h3xduck
0fbcb8bdf7 Fixed probe not probing correct syscall entry 2022-03-17 19:36:25 -04:00
h3xduck
fcf43ff180 Finished extraction of return address from the stack, and libc syscall adress 2022-03-17 19:32:32 -04:00
h3xduck
9647972531 Finished extraction of stack return address 2022-03-17 13:18:19 -04:00
h3xduck
671e2d671d Added extraction of original jump instruction and opcodes 2022-03-15 18:36:59 -04:00
h3xduck
0c88d5baa9 Successfully added uprobes calculation and hooking at arbitrary function of execve_hijack. 2022-03-03 05:53:51 -05:00
h3xduck
e64839f080 Added new libc symbols extraction 2022-03-02 19:00:50 -05:00
h3xduck
805fa760cf Corrected issues of opening directories without permission in execve helper 2022-02-24 19:53:11 -05:00
h3xduck
b182ac1eeb Added new TC module, updates to the exec hooking system and the userland module 2022-02-20 16:50:15 -05:00
h3xduck
1ec4ed8486 Now the execve hijacker works without needing a canalizer. Removed it. Also some additional tweaks to the c&c launching of the helper 2022-02-19 11:57:32 -05:00
h3xduck
130364e6ab Added support for integrating the execution hijacker via the rootkit. Still some work to do, also changed some config from fs which needs to be reverted 2022-02-18 09:08:54 -05:00
h3xduck
0e022a8385 Completed execution of arbitrary commands sent from the backdoor client 2022-02-18 04:06:18 -05:00
h3xduck
b68e01c057 Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00
h3xduck
9a47a2b15a Completed client integration with new c&c module. 2022-02-17 06:21:09 -05:00
h3xduck
431a019931 Updated my RawTCPLib library with newest version supporting sniffing for payloads. Also new data in preparation for complete RCE module 2022-02-16 19:38:39 -05:00
h3xduck
2ae705f037 Added new map structure, in preparation for new internal maps storing requested commands via the network backdoor 2022-02-14 20:08:30 -05:00
h3xduck
edbaf09c06 Completed execve hijacking, as with special error cases that arise and that are documented in the code. 2022-02-14 17:45:07 -05:00
h3xduck
044c85f3ff Initial version of the RCE scheme- Added complete execve hook, helper and modifying capabilities for the filename called. Works still needs to be done 2022-02-06 14:15:57 -05:00
h3xduck
05baa8fb8a Added new helper program to be used with the execve hijacking module 2022-02-05 19:00:25 -05:00