admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-25 10:53:09 +08:00
Code Issues Packages Projects Releases Wiki Activity
194 Commits 1 Branch 1 Tag
d9192c06abb4a1237eadfa134a1a9318b248066d
Commit Graph

53 Commits

Author SHA1 Message Date
h3xduck
5d6619ce40 Finished section 5. Multiple changes in the code according to the performed tests. 2022-06-19 14:35:19 -04:00
h3xduck
bfcbfcfaf2 Added multiple small changes to client and code, submitting almost finished chapter 5 2022-06-18 10:57:10 -04:00
h3xduck
d7a9b0e777 Updated injection module to ensure shellcode fits in code cave. Added simple reverse shell in injection lib 2022-06-11 18:38:48 -04:00
h3xduck
2c3648a18a Continued with offensive capabilities, incorporated security features and started with tracing program features 2022-06-02 19:00:10 -04:00
h3xduck
ccd518287a Added new deployer for preparing final files, messed up with the phantom shell, sometimes gives errors, but I don't think we can do much, the shared maps together with multi-hooks on network has some unexpected behaviours 2022-05-16 16:33:12 -04:00
h3xduck
82fa056955 Added hide directory capabilities for the rootkit 2022-05-16 11:24:59 -04:00
h3xduck
4044d7994c Added sys_openat for the injection module, fully working! 2022-05-16 08:02:38 -04:00
h3xduck
78b3132687 Updated some files for eveything to work now that it is all together. Execve hijacker and clients in particular 2022-05-15 20:47:58 -04:00
h3xduck
4a292f0f7a Merged master and develop, now all changes together. Fully tested and working. 2022-05-15 20:46:35 -04:00
h3xduck
57f3edd8fa Fixed bug in client getting local ip 2022-05-15 19:09:04 -04:00
h3xduck
6e76e1ed1a Solved an error in client ip config 2022-05-15 18:08:14 -04:00
h3xduck
ce3b267d01 Fixed phantom shell, added ips for all types of backdoor triggers so that we can use different interfaces 2022-05-15 16:45:47 -04:00
h3xduck
d509f20974 Completed command passing for phantom shell 2022-05-15 14:44:16 -04:00
h3xduck
28ed530aea Completed the TC Hook and payload enlargment and substitution mechanisms. Only the packet recognition on the client side remains to work 2022-05-11 17:31:38 -04:00
h3xduck
567d8d706c Further completed the phantom shell routine and added more checks in TC, still not finished, payload rewriting remains, but the rest is fully ready 2022-05-10 23:04:19 -04:00
h3xduck
f2c3624e8b Added test on tc clasiffier, added pinned maps, and obtaining the fd from other maps in order to synchronize between programs 2022-05-10 19:09:52 -04:00
h3xduck
ff0f34c6a4 Included new library version with support for tcp src port paylaod injection 2022-05-09 18:57:23 -04:00
h3xduck
5746ac5efb Added new hidden packets, commands and rest of structure to activate and deactivate hooks from the backdoor 2022-05-07 19:16:33 -04:00
h3xduck
ce7d36371d Finished encrypted interactive shell and encrypted protocol implementation, V2 rootkit now fully functional 2022-05-07 17:55:27 -04:00
h3xduck
cceca23478 Completed message sharing, starting with protocol now 2022-05-05 22:14:28 -04:00
h3xduck
213e30ba3b Fixed keys of trigger packet V1, added sample servers, fixed client bug 2022-05-05 17:52:58 -04:00
h3xduck
0553ad777f Completed message passing of commands to userspace via ebpf ringbuffer 2022-05-05 13:22:47 -04:00
h3xduck
e881502ffa Now control flow is redirected back to the syscall after running the shared library constructor instead of skipping it 2022-04-09 14:17:09 -04:00
h3xduck
be5605db5f Introduced shellcode and finished code cave writing and injection. RELRO working 2022-04-07 11:54:24 -04:00
h3xduck
3438f5846f Finished injection module at userspace using /proc/<pid>/maps, enables to overwrite the GOT section with RELRO activated 2022-04-07 07:11:28 -04:00
h3xduck
fcf43ff180 Finished extraction of return address from the stack, and libc syscall adress 2022-03-17 19:32:32 -04:00
h3xduck
671e2d671d Added extraction of original jump instruction and opcodes 2022-03-15 18:36:59 -04:00
h3xduck
0c88d5baa9 Successfully added uprobes calculation and hooking at arbitrary function of execve_hijack. 2022-03-03 05:53:51 -05:00
h3xduck
e64839f080 Added new libc symbols extraction 2022-03-02 19:00:50 -05:00
h3xduck
b182ac1eeb Added new TC module, updates to the exec hooking system and the userland module 2022-02-20 16:50:15 -05:00
h3xduck
edbaf09c06 Completed execve hijacking, as with special error cases that arise and that are documented in the code. 2022-02-14 17:45:07 -05:00
h3xduck
044c85f3ff Initial version of the RCE scheme- Added complete execve hook, helper and modifying capabilities for the filename called. Works still needs to be done 2022-02-06 14:15:57 -05:00
h3xduck
643783004a Added new hooks and updated map fields to support new sudo module. 2022-02-05 13:49:20 -05:00
h3xduck
2b50d376a6 Updated function and configurator manager names to the used hook. 2022-01-26 13:04:23 -05:00
h3xduck
3832d99af1 Updated file names and directory structure to the new multi-modules rootkit 2022-01-16 06:56:54 -05:00
h3xduck
945e2f2def Added new probe to read the previously extracted params and overwrite user memory. Still now fully working, just a backup 2022-01-14 22:05:08 -05:00
h3xduck
106f141c7e Added new kprobe to the filesystem ebpf section. Now receiving read events, and storing them in a map for later use, along with a reference to the user-space memory buffer 2022-01-14 21:18:51 -05:00
h3xduck
4882ce790c [BUILD FAILING] Checkpoint for backup, added new hook for file system, tweaked makefile for real kernel header files inclusion, still not working. Commiting for periodic backup 2022-01-05 20:34:53 -05:00
h3xduck
f8774ac9cf [BUILD IS FAILING] Added file system hooks and other improvements. Uploading because of needing to backup 2022-01-04 20:09:59 -05:00
h3xduck
74873dbca5 Completed configuration module which enables to change the running ebpf modules in the rootkit at runtime. Minor changes and updated code structure 2022-01-04 13:26:13 -05:00
h3xduck
40da6b300b Capability of attaching/detaching as many times as we want is finished. Now rootkit is fully cusotmizable from the userland (and thus remotely throught the backdoor) 2022-01-02 16:02:23 -05:00
h3xduck
adaf909781 Completed detachment of probes, enabling to attach and detach at will. Work needs to be done with xdp tho 2022-01-02 06:28:45 -05:00
h3xduck
d18b0aa23c Further improvements in the rootkit configuration by the user 2021-12-31 12:02:35 -05:00
h3xduck
0863566292 Included a global config struct for controlling which hooks and functions of the rootkit should be active. Still work to be done in the bpf side 2021-12-31 09:54:47 -05:00
h3xduck
d9a70f866c Modularized the ebpf program loading and attaching. 2021-12-30 21:09:26 -05:00
h3xduck
d5478ed7a0 Added more communication utils between userspace and kernel: 
* Included maps and kernel ring buffer communication
* Extended the ebpf structure to include more modules
* New utils in both user and kernelspace
* Other changes
* This update precedes a great effort on researching and learning and linux kernel tracing and studing ebpfkit from defcon. More functionalities should come rather quickly now.
 2021-12-29 14:44:09 -05:00
h3xduck
510fc89de0 FIltering the found filepaths now fully working. We can now detect opened file descriptors of all processes 2021-12-24 10:22:23 -05:00
h3xduck
be9cc95daa Adapted makefile for user includes and new source files 2021-12-24 06:59:30 -05:00
h3xduck
745ec4e395 Updated project structure, and added new list for the next incoming feature. 2021-12-21 20:08:49 -05:00
h3xduck
516e98748c Finished adapting the client. Cleaned the user code and added getopt. The filter fully works now. Next step: return data to userspace via a map. 2021-11-22 20:02:47 -05:00