h3xduck
|
102b72af05
|
Cleaned unnecessary files, new gitignore for previous clones
|
2022-06-25 12:11:04 -04:00 |
|
h3xduck
|
5d6619ce40
|
Finished section 5. Multiple changes in the code according to the performed tests.
|
2022-06-19 14:35:19 -04:00 |
|
h3xduck
|
bfcbfcfaf2
|
Added multiple small changes to client and code, submitting almost finished chapter 5
|
2022-06-18 10:57:10 -04:00 |
|
h3xduck
|
2b719ff0a5
|
Completed chapter 4
|
2022-06-16 20:38:15 -04:00 |
|
h3xduck
|
f98f65429b
|
Forgot to modify one appearance of old name
|
2022-06-15 20:40:18 -04:00 |
|
h3xduck
|
80f334636a
|
Changed the repository (and the rootkit!) name with TripleCross: https://dictionary.cambridge.org/dictionary/english/double-cross. This is 'triple' because it is a BPF program that betrays you at the userspace, at the kernel, and at the network.
|
2022-06-15 20:33:07 -04:00 |
|
h3xduck
|
75e92445e5
|
Modified terminal names in the client
|
2022-06-15 19:09:58 -04:00 |
|
h3xduck
|
bdda5c4269
|
Modified client options once again for screenshots
|
2022-06-15 18:42:31 -04:00 |
|
h3xduck
|
b284581712
|
Further changed some help in the client
|
2022-06-15 17:48:21 -04:00 |
|
h3xduck
|
081a23a44f
|
Modified the help of the client, this is for making some screenshots
|
2022-06-15 17:47:00 -04:00 |
|
h3xduck
|
163f923c55
|
Continued with execve hijacking.
|
2022-06-13 22:16:34 -04:00 |
|
h3xduck
|
99ad9c5548
|
New explanation for the injection technique (alternative scanning process) and added flow diagram with full process.
|
2022-06-13 10:57:32 -04:00 |
|
h3xduck
|
71b093141b
|
Further advanced with the library injection, almost finished. Multiple enhancements
|
2022-06-12 22:34:50 -04:00 |
|
h3xduck
|
d7a9b0e777
|
Updated injection module to ensure shellcode fits in code cave. Added simple reverse shell in injection lib
|
2022-06-11 18:38:48 -04:00 |
|
h3xduck
|
1595caa8d0
|
Continued with library injection attack
|
2022-06-09 22:57:25 -04:00 |
|
h3xduck
|
2c3648a18a
|
Continued with offensive capabilities, incorporated security features and started with tracing program features
|
2022-06-02 19:00:10 -04:00 |
|
h3xduck
|
3ec9175053
|
Continued with the state of the art section
|
2022-05-22 08:19:32 -04:00 |
|
h3xduck
|
3e697dd4cf
|
Fixed a bug where tcpport mode in the multi-packet backdoor did not work if a previous trigger using seqnum mode was made
|
2022-05-18 12:45:35 -04:00 |
|
h3xduck
|
104f4c0355
|
Added obfuscation for the persistance access using cron
|
2022-05-16 17:34:21 -04:00 |
|
h3xduck
|
ccd518287a
|
Added new deployer for preparing final files, messed up with the phantom shell, sometimes gives errors, but I don't think we can do much, the shared maps together with multi-hooks on network has some unexpected behaviours
|
2022-05-16 16:33:12 -04:00 |
|
h3xduck
|
757a480de9
|
Completed work on deployer, previous to cron persistence
|
2022-05-16 12:52:25 -04:00 |
|
h3xduck
|
82fa056955
|
Added hide directory capabilities for the rootkit
|
2022-05-16 11:24:59 -04:00 |
|
h3xduck
|
4044d7994c
|
Added sys_openat for the injection module, fully working!
|
2022-05-16 08:02:38 -04:00 |
|
h3xduck
|
78b3132687
|
Updated some files for eveything to work now that it is all together. Execve hijacker and clients in particular
|
2022-05-15 20:47:58 -04:00 |
|
h3xduck
|
4a292f0f7a
|
Merged master and develop, now all changes together. Fully tested and working.
|
2022-05-15 20:46:35 -04:00 |
|
h3xduck
|
57f3edd8fa
|
Fixed bug in client getting local ip
|
2022-05-15 19:09:04 -04:00 |
|
h3xduck
|
6e76e1ed1a
|
Solved an error in client ip config
|
2022-05-15 18:08:14 -04:00 |
|
h3xduck
|
ce3b267d01
|
Fixed phantom shell, added ips for all types of backdoor triggers so that we can use different interfaces
|
2022-05-15 16:45:47 -04:00 |
|
h3xduck
|
e6cbe7c24a
|
Updated client to work with multiple network interfaces
|
2022-05-15 15:15:43 -04:00 |
|
h3xduck
|
d509f20974
|
Completed command passing for phantom shell
|
2022-05-15 14:44:16 -04:00 |
|
h3xduck
|
ad4f9b2504
|
Completed phantom shell protocol, added new checksum correctors
|
2022-05-11 20:27:52 -04:00 |
|
h3xduck
|
28ed530aea
|
Completed the TC Hook and payload enlargment and substitution mechanisms. Only the packet recognition on the client side remains to work
|
2022-05-11 17:31:38 -04:00 |
|
h3xduck
|
567d8d706c
|
Further completed the phantom shell routine and added more checks in TC, still not finished, payload rewriting remains, but the rest is fully ready
|
2022-05-10 23:04:19 -04:00 |
|
h3xduck
|
f2c3624e8b
|
Added test on tc clasiffier, added pinned maps, and obtaining the fd from other maps in order to synchronize between programs
|
2022-05-10 19:09:52 -04:00 |
|
h3xduck
|
4211d0b5d5
|
Updated all components with phantom shell
|
2022-05-09 22:06:29 -04:00 |
|
h3xduck
|
5320f35d01
|
Added new hidden payload stream mode, now triggered using the source port. Fully integrated already, can select between that and seqnum in client. Both launch live encrypted shell via v3 backdoor
|
2022-05-09 20:16:13 -04:00 |
|
h3xduck
|
ff0f34c6a4
|
Included new library version with support for tcp src port paylaod injection
|
2022-05-09 18:57:23 -04:00 |
|
h3xduck
|
ff2868846f
|
Fixed a big bug in previous client terminals, also made the new multi-triggered backdoor to work completely and connect to encrypted session
|
2022-05-09 17:48:02 -04:00 |
|
h3xduck
|
073e1d3129
|
Completed new backdoor packet stream parsing for V3 backdoor using hidden payloads in TCP and IP header positions
|
2022-05-09 16:36:39 -04:00 |
|
h3xduck
|
ba19537ec1
|
Added new packet stream payload mode in client for V3 backdoor
|
2022-05-07 20:45:02 -04:00 |
|
h3xduck
|
5746ac5efb
|
Added new hidden packets, commands and rest of structure to activate and deactivate hooks from the backdoor
|
2022-05-07 19:16:33 -04:00 |
|
h3xduck
|
ce7d36371d
|
Finished encrypted interactive shell and encrypted protocol implementation, V2 rootkit now fully functional
|
2022-05-07 17:55:27 -04:00 |
|
h3xduck
|
f6a4c1daa0
|
Finished execve hijacking, added new last checks and discovered why sometimes it fails. New detached process at the userspace. Other fixes
|
2022-05-07 10:36:46 -04:00 |
|
h3xduck
|
cceca23478
|
Completed message sharing, starting with protocol now
|
2022-05-05 22:14:28 -04:00 |
|
h3xduck
|
213e30ba3b
|
Fixed keys of trigger packet V1, added sample servers, fixed client bug
|
2022-05-05 17:52:58 -04:00 |
|
h3xduck
|
0553ad777f
|
Completed message passing of commands to userspace via ebpf ringbuffer
|
2022-05-05 13:22:47 -04:00 |
|
h3xduck
|
2deebf1b9e
|
Added V1 command sending via secret trigger on backdoor
|
2022-05-05 12:59:02 -04:00 |
|
h3xduck
|
ead4a4ca68
|
Completed checks for V1 trigger
|
2022-05-04 08:54:21 -04:00 |
|
h3xduck
|
073a911f74
|
Included new version of custom lib. Added checks for backdoor triggering
|
2022-05-04 04:40:25 -04:00 |
|
h3xduck
|
25ef3acc5a
|
Updating doc, adding makefile and preparing document
|
2022-04-27 21:56:37 -04:00 |
|