admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-24 18:33:08 +08:00
Code Issues Packages Projects Releases Wiki Activity

Added new rootkit overall diagram for architecture section

Browse Source
This commit is contained in:
h3xduck
2022-06-11 22:20:27 -04:00
parent d7a9b0e777
commit c14b407644
11 changed files with 262 additions and 241 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
docs/document.aux
View File

@@ -473,44 +473,47 @@
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {4}Design of a malicious eBPF rootkit}{64}{chapter.4}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.1}Library injection attacks}{64}{section.4.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.1}Rootkit architecture}{64}{section.4.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {4.2}Library injection attacks}{64}{section.4.2}\protected@file@percent }
\abx@aux@cite{evil_ebpf_p6974}
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
\abx@aux@cite{evil_ebpf_p6974}
\abx@aux@segm{0}{0}{evil_ebpf_p6974}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.1}{\ignorespaces Overview of the rootkit subsystems and components.\relax }}{65}{figure.caption.60}\protected@file@percent }
\newlabel{fig:rootkit}{{4.1}{65}{Overview of the rootkit subsystems and components.\relax }{figure.caption.60}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.1}ROP with eBPF}{65}{subsection.4.2.1}\protected@file@percent }
\newlabel{subsection:rop_ebpf}{{4.2.1}{65}{ROP with eBPF}{subsection.4.2.1}{}}
\abx@aux@cite{glibc}
\abx@aux@segm{0}{0}{glibc}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.1}ROP with eBPF}{65}{subsection.4.1.1}\protected@file@percent }
\newlabel{subsection:rop_ebpf}{{4.1.1}{65}{ROP with eBPF}{subsection.4.1.1}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.1}{\ignorespaces Initial setup for the ROP with eBPF technique.\relax }}{65}{figure.caption.60}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_1}{{4.1}{65}{Initial setup for the ROP with eBPF technique.\relax }{figure.caption.60}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.2}{\ignorespaces Process memory after syscall exits and ROP code overwrites the stack.\relax }}{66}{figure.caption.61}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_2}{{4.2}{66}{Process memory after syscall exits and ROP code overwrites the stack.\relax }{figure.caption.61}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.2}{\ignorespaces Initial setup for the ROP with eBPF technique.\relax }}{66}{figure.caption.61}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_1}{{4.2}{66}{Initial setup for the ROP with eBPF technique.\relax }{figure.caption.61}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.3}{\ignorespaces Process memory after syscall exits and ROP code overwrites the stack.\relax }}{67}{figure.caption.62}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_2}{{4.3}{67}{Process memory after syscall exits and ROP code overwrites the stack.\relax }{figure.caption.62}{}}
\abx@aux@cite{canary_exploit}
\abx@aux@segm{0}{0}{canary_exploit}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.3}{\ignorespaces Stack data is restored and program continues its execution.\relax }}{67}{figure.caption.62}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_3}{{4.3}{67}{Stack data is restored and program continues its execution.\relax }{figure.caption.62}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.2}Bypassing hardening features in ELFs}{67}{subsection.4.1.2}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.4}{\ignorespaces Stack data is restored and program continues its execution.\relax }}{68}{figure.caption.63}\protected@file@percent }
\newlabel{fig:rop_evil_ebpf_3}{{4.4}{68}{Stack data is restored and program continues its execution.\relax }{figure.caption.63}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.2}Bypassing hardening features in ELFs}{68}{subsection.4.2.2}\protected@file@percent }
\abx@aux@cite{pie_exploit}
\abx@aux@segm{0}{0}{pie_exploit}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.4}{\ignorespaces Two runs of the same executable using ASLR, showing a library and two symbols.\relax }}{68}{figure.caption.63}\protected@file@percent }
\newlabel{fig:alsr_offset}{{4.4}{68}{Two runs of the same executable using ASLR, showing a library and two symbols.\relax }{figure.caption.63}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.1.3}Library injection via GOT hijacking}{69}{subsection.4.1.3}\protected@file@percent }
\newlabel{subsection:got_attack}{{4.1.3}{69}{Library injection via GOT hijacking}{subsection.4.1.3}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.5}{\ignorespaces Call to the glibc function, using objdump\relax }}{70}{figure.caption.64}\protected@file@percent }
\newlabel{fig:firstcall}{{4.5}{70}{Call to the glibc function, using objdump\relax }{figure.caption.64}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Evaluation}{71}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.5}{\ignorespaces Two runs of the same executable using ASLR, showing a library and two symbols.\relax }}{69}{figure.caption.64}\protected@file@percent }
\newlabel{fig:alsr_offset}{{4.5}{69}{Two runs of the same executable using ASLR, showing a library and two symbols.\relax }{figure.caption.64}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {subsection}{\numberline {4.2.3}Library injection via GOT hijacking}{70}{subsection.4.2.3}\protected@file@percent }
\newlabel{subsection:got_attack}{{4.2.3}{70}{Library injection via GOT hijacking}{subsection.4.2.3}{}}
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\contentsline {figure}{\numberline {4.6}{\ignorespaces Call to the glibc function, using objdump\relax }}{71}{figure.caption.65}\protected@file@percent }
\newlabel{fig:firstcall}{{4.6}{71}{Call to the glibc function, using objdump\relax }{figure.caption.65}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {5}Evaluation}{72}{chapter.5}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {5.1}Developed capabilities}{71}{section.5.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {5.2}Rootkit use cases}{71}{section.5.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Related work}{72}{chapter.6}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {5.1}Developed capabilities}{72}{section.5.1}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {section}{\numberline {5.2}Rootkit use cases}{72}{section.5.2}\protected@file@percent }
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{\numberline {6}Related work}{73}{chapter.6}\protected@file@percent }
\@writefile{lof}{\defcounter {refsection}{0}\relax }\@writefile{lof}{\addvspace {10\p@ }}
\@writefile{lot}{\defcounter {refsection}{0}\relax }\@writefile{lot}{\addvspace {10\p@ }}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{73}{chapter.6}\protected@file@percent }
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.66}{}}
\newlabel{annex:readelf_commands}{{6}{}{Appendix B - Readelf commands}{chapter*.67}{}}
\newlabel{annexsec:readelf_sec_headers}{{6}{}{}{chapter*.67}{}}
\@writefile{toc}{\defcounter {refsection}{0}\relax }\@writefile{toc}{\contentsline {chapter}{Bibliography}{74}{chapter.6}\protected@file@percent }
\newlabel{annex:bpftool_flags_kernel}{{6}{}{Appendix A - Bpftool commands}{chapter*.67}{}}
\newlabel{annex:readelf_commands}{{6}{}{Appendix B - Readelf commands}{chapter*.68}{}}
\newlabel{annexsec:readelf_sec_headers}{{6}{}{}{chapter*.68}{}}
\newlabel{code:elf_sections}{{6.1}{}{List of ELF section headers with readelf tool of a program compiled with GCC}{lstlisting.6.1}{}}
\@writefile{lol}{\defcounter {refsection}{0}\relax }\@writefile{lol}{\contentsline {lstlisting}{\numberline {6.1}List of ELF section headers with readelf tool of a program compiled with GCC.}{}{lstlisting.6.1}\protected@file@percent }
\abx@aux@read@bbl@mdfivesum{29EDBEBA551C78783A4E376AB79D67BE}
@@ -605,4 +608,4 @@
\abx@aux@defaultrefcontext{0}{canary_exploit}{none/global//global/global}
\abx@aux@defaultrefcontext{0}{pie_exploit}{none/global//global/global}
\ttl@finishall
\gdef \@abspage@last{100}
\gdef \@abspage@last{101}