admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-21 09:13:07 +08:00
Code Issues Packages Projects Releases Wiki Activity
84 Commits 1 Branch 1 Tag
ad4f9b25045facdc5ed611d46829af25a79c2014
Commit Graph

84 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
h3xduck
ad4f9b2504 Completed phantom shell protocol, added new checksum correctors 2022-05-11 20:27:52 -04:00
h3xduck
28ed530aea Completed the TC Hook and payload enlargment and substitution mechanisms. Only the packet recognition on the client side remains to work 2022-05-11 17:31:38 -04:00
h3xduck
567d8d706c Further completed the phantom shell routine and added more checks in TC, still not finished, payload rewriting remains, but the rest is fully ready 2022-05-10 23:04:19 -04:00
h3xduck
f2c3624e8b Added test on tc clasiffier, added pinned maps, and obtaining the fd from other maps in order to synchronize between programs 2022-05-10 19:09:52 -04:00
h3xduck
4211d0b5d5 Updated all components with phantom shell 2022-05-09 22:06:29 -04:00
h3xduck
5320f35d01 Added new hidden payload stream mode, now triggered using the source port. Fully integrated already, can select between that and seqnum in client. Both launch live encrypted shell via v3 backdoor 2022-05-09 20:16:13 -04:00
h3xduck
ff0f34c6a4 Included new library version with support for tcp src port paylaod injection 2022-05-09 18:57:23 -04:00
h3xduck
ff2868846f Fixed a big bug in previous client terminals, also made the new multi-triggered backdoor to work completely and connect to encrypted session 2022-05-09 17:48:02 -04:00
h3xduck
073e1d3129 Completed new backdoor packet stream parsing for V3 backdoor using hidden payloads in TCP and IP header positions 2022-05-09 16:36:39 -04:00
h3xduck
ba19537ec1 Added new packet stream payload mode in client for V3 backdoor 2022-05-07 20:45:02 -04:00
h3xduck
5746ac5efb Added new hidden packets, commands and rest of structure to activate and deactivate hooks from the backdoor 2022-05-07 19:16:33 -04:00
h3xduck
ce7d36371d Finished encrypted interactive shell and encrypted protocol implementation, V2 rootkit now fully functional 2022-05-07 17:55:27 -04:00
h3xduck
f6a4c1daa0 Finished execve hijacking, added new last checks and discovered why sometimes it fails. New detached process at the userspace. Other fixes 2022-05-07 10:36:46 -04:00
h3xduck
cceca23478 Completed message sharing, starting with protocol now 2022-05-05 22:14:28 -04:00
h3xduck
213e30ba3b Fixed keys of trigger packet V1, added sample servers, fixed client bug 2022-05-05 17:52:58 -04:00
h3xduck
0553ad777f Completed message passing of commands to userspace via ebpf ringbuffer 2022-05-05 13:22:47 -04:00
h3xduck
2deebf1b9e Added V1 command sending via secret trigger on backdoor 2022-05-05 12:59:02 -04:00
h3xduck
ead4a4ca68 Completed checks for V1 trigger 2022-05-04 08:54:21 -04:00
h3xduck
073a911f74 Included new version of custom lib. Added checks for backdoor triggering 2022-05-04 04:40:25 -04:00
h3xduck
25ef3acc5a Updating doc, adding makefile and preparing document 2022-04-27 21:56:37 -04:00
h3xduck
8be536fb6f Added locking mechanism for execve_hijack. Incorporated new library rawtcp with latest version without bug. 2022-04-14 13:24:43 -04:00
h3xduck
a9f0ae17f7 Completed client payload generation 2022-04-14 09:49:08 -04:00
h3xduck
e8abc7415a Advancements on payload recognition. Now proceeding to build protocol 2022-04-14 07:54:21 -04:00
h3xduck
43ccb6cd3d Added packet parsing and bound checking 2022-04-13 20:46:06 -04:00
h3xduck
c3bffb6f84 Completed packet parsing at tc hook 2022-04-13 16:56:17 -04:00
h3xduck
7157729334 Added forked routine to execve_hijack. Improved argv modification and made it work. Working now. 2022-04-13 08:57:33 -04:00
h3xduck
805fa760cf Corrected issues of opening directories without permission in execve helper 2022-02-24 19:53:11 -05:00
h3xduck
b182ac1eeb Added new TC module, updates to the exec hooking system and the userland module 2022-02-20 16:50:15 -05:00
h3xduck
1ec4ed8486 Now the execve hijacker works without needing a canalizer. Removed it. Also some additional tweaks to the c&c launching of the helper 2022-02-19 11:57:32 -05:00
h3xduck
8e97624326 Improved the pricvesc module which used sudo, now correctly working when the user already has sudo with password capabilities. Now the rootkit userspace helper is correctly launching with root permissions 2022-02-19 11:08:56 -05:00
h3xduck
130364e6ab Added support for integrating the execution hijacker via the rootkit. Still some work to do, also changed some config from fs which needs to be reverted 2022-02-18 09:08:54 -05:00
h3xduck
0e022a8385 Completed execution of arbitrary commands sent from the backdoor client 2022-02-18 04:06:18 -05:00
h3xduck
b68e01c057 Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00
h3xduck
9a47a2b15a Completed client integration with new c&c module. 2022-02-17 06:21:09 -05:00
h3xduck
431a019931 Updated my RawTCPLib library with newest version supporting sniffing for payloads. Also new data in preparation for complete RCE module 2022-02-16 19:38:39 -05:00
h3xduck
2ae705f037 Added new map structure, in preparation for new internal maps storing requested commands via the network backdoor 2022-02-14 20:08:30 -05:00
h3xduck
edbaf09c06 Completed execve hijacking, as with special error cases that arise and that are documented in the code. 2022-02-14 17:45:07 -05:00
h3xduck
044c85f3ff Initial version of the RCE scheme- Added complete execve hook, helper and modifying capabilities for the filename called. Works still needs to be done 2022-02-06 14:15:57 -05:00
h3xduck
05baa8fb8a Added new helper program to be used with the execve hijacking module 2022-02-05 19:00:25 -05:00
h3xduck
41ef733520 Completed faking that an user is in the sudoers file. Now user 'test' can use sudo without being there 2022-02-05 14:10:12 -05:00
h3xduck
643783004a Added new hooks and updated map fields to support new sudo module. 2022-02-05 13:49:20 -05:00
h3xduck
2b50d376a6 Updated function and configurator manager names to the used hook. 2022-01-26 13:04:23 -05:00
Marcos S. Bajo
9b366810b5 Merge pull request #18 from h3xduck/output_modifier 
Basic user memory manipulation + Control over rootkit modules and probes + Basic communication system
 2022-01-16 13:36:12 +01:00
h3xduck
e10f5183b3 Updated readme with new PoC 2022-01-16 07:03:07 -05:00
h3xduck
3832d99af1 Updated file names and directory structure to the new multi-modules rootkit 2022-01-16 06:56:54 -05:00
h3xduck
fc0d30f06f Completed output modification of sys_read. Created a simple PoC 2022-01-16 06:45:45 -05:00
h3xduck
99e9fd4277 FS module now can overwrite the buffer of read syscalls, effectively modifying what is returned as a result. Small PoC included now which modifies any first char in a string to 'O'. Use under discretion, may crash some programs, not enough checks implemented yet. 2022-01-15 16:16:30 -05:00
h3xduck
945e2f2def Added new probe to read the previously extracted params and overwrite user memory. Still now fully working, just a backup 2022-01-14 22:05:08 -05:00
h3xduck
106f141c7e Added new kprobe to the filesystem ebpf section. Now receiving read events, and storing them in a map for later use, along with a reference to the user-space memory buffer 2022-01-14 21:18:51 -05:00
h3xduck
193d9ec28f Fixed the whole header setup, now correctly using the kernel headers instead of normal development ones. Ready to go on with original plan of file system hooking 2022-01-06 13:31:52 -05:00